One-liner for Address Spoofing Troubleshooting

Danny · ‎2018-06-21

🏆 Code Hub Contribution of the Year 2019!
📌 Available as SmartConsole Extension.
👍 Endorsed by Check Point Support!

One-liner (Bash) to show a summary about each gateway interfaces' calculated topology and address spoofing setting.
In expert mode run:

echo;tput bold;if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]];then echo ' Not a firewall gateway!';tput sgr0;echo;elif [[ `grep $(echo -n :[[:space:]]\(;grep $(hostname)$ /etc/hosts|cut -f1 -d' ') $FWDIR/state/local/FW1/local.set|wc -l` == "0" ]] && ([[ $INSTANCE_VSID == '0' ]] || [[ $INSTANCE_VSID == '' ]]);then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!';tput sgr0;echo;else echo -n ' Interface Topology ';tput sgr0;echo -n '> ';tput bold;tput setaf 1;if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]];then echo $vsname' (ID: '$INSTANCE_VSID')';else hostname;fi;tput sgr0;echo -n ' ';printf '%.s-' {1..80};echo;egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set|sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]];then echo $vsname;else grep `hostname`$ /etc/hosts|cut -f1 -d' ';fi)*$/,\$ p"|tail -n +3|sed 's/[\x22\t()<>]//g'|sed 's/--//g'|sed '$!N;s/\n:ipaddr6/ IPv6/;P;D'|sed '/IPv6/!s/://g'|sed 's/interface_topology/\tCalculated Interface Topology/g'|sed '0,/ifindex 0/{/ifindex 0/d;}'|sed '/ifindex 0/q'|sed '/spoof\|scan/d'|sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g'|sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g'|sed -e '/Prot/{n;d}'|sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D'|sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D'|sed '$!N;s/\nexternal false/ - Internal Interface/;P;D'|sed '$!N;s/\nexternal true/ - External Interface/;P;D'|sed '/objtype/q'|tac|sed '/ifindex 0/I,+2 d'|sed '/Address/,$!d'|tac|sed '/ifindex/d'|sed 's/,/ -/g'|sed '$!N;s/\nipaddr/ >/;P;D'|sed '/ - /s/^ /\t/'|egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect';echo;fi

The One-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments also within VSX, shows all interface types configured in your firewall object within SmartDashboad, colors specific words of the output for easier identification of important settings, adds additional information regarding Address Spoofing setting and mode as well as the topology type of each interface and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts, Bob Zimmerman, Jan Kleinhans for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.

Danny · ‎2019-08-09

On all non-VSX firewalls I tested (R80.20 & R80.30) $vsname returns:

[Expert@fw:0]# echo $vsname
<name unavailable>

Therefore the VSX path isn't taken on non-VSX firewalls and the One-liner works on all non-VSX firewalls I tested (many!).

I also just tested an initial login on a VSX firewall and right after system boot it shows:

[Expert@VSX:0]# echo $vsname
VSX

I take your concern very seriously and added

[[ -n $vsname ]]

as additional check to verify if $vsname is actually set. Does this fit your demand?

Bob_Zimmerman · ‎2019-08-09

From some quick testing, it looks like there would need to be quotes around $vsname, like so:

if [ -n "$vsname" ]

It looks like the test is actually NOT ("is this a string" AND "is this zero characters"). An unset variable isn't a string, so the "is this a string" is false, so the 'not' turns the test as a whole true. Putting the variable in quotes causes it to be inserted into a string, so the comparison works (NOT(true AND true) => false).

As for the rest, very strange! It definitely isn't set immediately on login on any system I have:

[Expert@MyFW-01:0 DOWN]# fw ver
This is Check Point's software version R80.20 - Build 047
[Expert@MyFW-01:0 DOWN]# echo $vsname

[Expert@MyFW-01:0 DOWN]# vsx stat   
VSX Gateway Status
==================
Name:            MyFW-01
Access Control Policy: VS0
Installed at:     7Apr2019 01:23:45
Threat Prevention Policy: <No Policy>
SIC Status:      Trust

Number of Virtual Systems allowed by license:          10
Virtual Systems [active / configured]:                  3 / 3    
Virtual Routers and Switches [active / configured]:     2 / 2    
Total connections [current / limit]:                  124 / 2020400
[Expert@MyFW-01:0 DOWN]# vsenv 0
Context is set to Virtual Device MyFW-01 (ID 0).
[Expert@MyFW-01:0 DOWN]# echo $vsname
MyFW-01
[Expert@MyFW-01:0 DOWN]#

The first firewall is pre-production, but here are three more of various versions and types:

[Expert@AnotherFW-01 ACTIVE]# fw ver
This is Check Point's software version R80.20 - Build 100
[Expert@AnotherFW-01 ACTIVE]# echo $vsname

[Expert@AnotherFW-01 ACTIVE]# vsx stat
 VSX is not supported on this platform

[Expert@AnotherFW-01 ACTIVE]#

[Expert@ThirdFW-01 Active]# fw ver
This is Check Point's software version R77.30 - Build 048
[Expert@ThirdFW-01 Active]# echo $vsname

[Expert@ThirdFW-01 Active]# vsx stat
 VSX is not supported on this platform

[Expert@ThirdFW-01 Active]#

[Expert@FourthFW-01:0 Active]# fw ver
This is Check Point's software version R77.30 - Build 104
[Expert@FourthFW-01:0 Active]# echo $vsname

[Expert@FourthFW-01:0 Active]# vsx stat
VSX Gateway Status
==================
Name:            FourthFW-01
Security Policy: VS0
Installed at:    27Nov2018 12:34:56
SIC Status:      Trust

Number of Virtual Systems allowed by license:          10
Virtual Systems [active / configured]:                  7 / 7    
Virtual Routers and Switches [active / configured]:     1 / 1    
Total connections [current / limit]:                 7978 / 300100
[Expert@FourthFW-01:0 Active]# vsenv 0
Context is set to Virtual Device FourthFW-01 (ID 0).
[Expert@FourthFW-01:0 Active]# echo $vsname
FourthFW-01
[Expert@FourthFW-01:0 Active]#

Danny · ‎2019-08-09

I see. I added the quotes your mentioned plus a check to verify that $vsname is not empty.

[[ ! -z '$vsname' ]]

Bob_Zimmerman · ‎2019-08-09

These are both actually the same test:

[[ -n '$vsname' ]] && [[ ! -z '$vsname' ]]

Only one should be needed. Either should be true in case of VSX with $vsname set.

Either should also be false in case of non-VSX or my apparently-weird VSX boxes. I will have to dig into bash startup some time to figure out what my system is doing differently.

Deeper in the script, there appears to be another problem which I don't yet have a good idea how to solve. After the modifications to the tests, I'm able to get the expected output on one cluster member, but the other outputs the data for both members. That seems suboptimal, and it's what I was researching just before I posted to the other thread and had to work on other tasks.

The problem is the schema for the local.set file is private, so Check Point could change the ordering of the key(value) pairs within a given nesting level at any time. Or the process which generates the file could just spit them out differently due to a race. The obvious solution would be to work based on the nesting level, but like I said in the other thread, my awk-fu is weak. I'm not sure how to end the pattern space after the second closing parenthesis alone on a line.

Danny · ‎2019-08-10

Thanks for testing. I remove the obsolete check and I'm glad that it works now for you.

As for the output of both cluster members on your other cluster node, the One-liner already tries to avoid that by deleting all ifindex entries from local.set except the one of the current system. To further optimize the check please send me the relevant local.set privately, so I can have a look.

Bob_Zimmerman · ‎2019-08-12

More weirdness. Turns out $vsname needs to be in quotes in the test. Apostrophes aren't enough:

if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]

Not sure if the second test should also be quotes.

I should be able to send the relevant chunks of the local.set soon.

Danny · ‎2019-08-14

Thanks, code was improved.

Bob_Zimmerman · ‎2019-08-14

I can confirm the current version definitely works on my all-the-edge-cases R77.30 firewall. It also works for the current VS on my VSX R77.30 and VSX R80.10 firewalls.

Sven_Glock · ‎2019-08-21

Thanks for this cool one-liner, Danny!

I found one gateway where the script is not running:

It is a non-vsx gateway running R80.10 JHF 203.

All the output I get is:

Interface Topology > firewall
--------------------------------------------------------------------------------

I hope I will find some time for investigation...

Cheers

Sven

Hadi · ‎2019-08-14

Thanks Danny, Could you please post final revision?

Danny · ‎2019-08-21

@Hadi , you can always find the latest revision of my one-liner in my initial post of this thread.

Bob_Zimmerman · ‎2019-08-26

Ran into a bizarre issue. It seems in some environments, the main IP in the firewall object and the IP listed in the hosts file can be different. The IP in the hosts file aligns with the IP on the interface fed to

set management interface <interfaceName>

Meanwhile, the main IP can be any address. Technically, it doesn't even have to be an address the firewall has on an interface (though it's a really bad idea to use a main IP it doesn't own).

The script gets the anti spoofing configuration from the file local.set, which lists it under the main IP of the firewall object. Thus, the script as it is will fail in such environments. This is probably expected behavior. If you have this situation on your firewalls, you can work around it by replacing

$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)

with what you have set as the firewall's main IP. It will then work only on that firewall.

This is a workaround for administrative misconfiguration.

Sven_Glock · ‎2019-08-29

I have trouble with the same part of the oneliner, but your solution is not working for me. I will try to investigate...

Danny · ‎2019-08-31

Thanks @Bob_Zimmerman ,

I just added an error message for these situations to the one-liner.

David_Kozinn · ‎2019-10-10

Congratulations to @Danny on winning the award for this. I saw this mentioned in the Checkpoints email and tried it out. On the couple of VSX boxes I've used this on, I get "Main IP of myboxname-ch01-01 doesn`t match it`s management interface IP!". I spent a couple of minutes looking at the script to see what it's trying to check for but it wasn't obvious (to me). Could some kind soul let me know what the likely issue is so that I can investigate? Thanks.

Danny · ‎2019-10-10

HI @David_Kozinn ,

the main IP of your VS gateways is shown in SmartConsole under Gateways and Servers.

This should be the same IP that is configured within /etc/hosts for the specific VS. In your case this doesn't seem to match.

Paul_Warnagiris · ‎2020-04-21

Danny, I ran the one-liner for anti-spoofing and the only output that came back was

Interface Topology > Xxx-FW01

Any thoughts on why this may be? This was on a small client, maybe 100 users, 200 servers and 10 interfaces. I do have a much bigger client that is a mess and this script would come in handy.

Thanks,
Paul

Danny · ‎2020-04-21

My guess is you are using R80.40.

Paul_Warnagiris · ‎2020-04-21

Should have put that in my post. Sorry. Not 80.40. 80.10 JHF272.

Danny · ‎2020-04-21

PM me the hostname and $FWDIR/state/local/FW1/local.set file and I‘ll have a look.

Paul_Warnagiris · ‎2020-04-21

Amazingly good stuff. Thank you Danny! As we discussed on our PM I did not have the host name setup correctly in the "hosts and dns" tree branch of the Gaia OS. I used to do that religiously, but as the years went by it didn't seem to matter. I guess with everything getting back to scripting it matters again. Thank you for your help.

Paul

Luis_Miguel_Mig · ‎2021-03-05

First of all thanks so much for the script.

I have always been reluctant to use checkpoint ip spoofing because I didn't have visibility on the topology.

I think this visibility will help me to build confidence in this feature. However if you make changes, the script won't show you the topology before those changes get installed, right?

So the script will only show you the calculated topology after the fact I guess, no?

One thing I don't understand well is why do you have to decide between interfaces and routes to build the topology. I am thinking of enabling anti spoofing on the external interface in prevent mode and I would like to block outside anything that comes with internal ips (directly connected or via routes).

Although I understand it is a good idea to build dynamically the topology, is it possible to build it manually and let's say for example block all the private ips coming from outside?

MarNeu · ‎2022-09-08

Hi Danny,

I tried your script on my perimeter gateway but there is no output. The gateway is running R81.10 Take 61. Also another gateway with R81.10 Take 55 is not working.

[Expert@GW2:0]# fw ver
This is Check Point's software version R81.10 - Build 017
[Expert@GW2:0]# echo; tput bold; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; tput sgr0; echo; elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]] && [[ $INSTANCE_VSID == '0' ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo; else echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi

Interface Topology > GW2
--------------------------------------------------------------------------------

[Expert@GW2:0]#

On my only left R80.40 gateway is working as expected. Could you please check that?

Thanks for your great work and best,

Markus

Danny · ‎2022-10-26

Please verify that your /etc/hosts is properly configured.
Hostname and IP address need to match the object name & main IP exactly as shown in the SmartConsole gateways & servers list.
This one-liner runs perfectly on R81.x gateways when they are properly configured.

ids · ‎2024-03-07

Hi @Danny

Idan from TAC here.

This script will not work in Non-VSX Maestro GW's, as well as VS0 in VSX Maestro.

The reason for that:

In Maestro, $(hostname) will always be assigned to the IP of the Sync interface and not the Management interface in /config/active and as result also in /etc/hosts.

Since each SGM has a different Sync IP (unlike other interfaces that have the same IP across all SGMs), the Sync interfaces are not included in FWDIR/state/local/FW1/local.set

So the portion of the script below will always return "true" in Maestro because it always equals to zero

[[ `grep $(echo -n :[[:space:]]\(;grep $(hostname)$ /etc/hosts|cut -f1 -d' ') $FWDIR/state/local/FW1/local.set|wc -l` == "0" ]]

It also effects this portion of the script:

sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]];then echo $vsname;else grep `hostname`$ /etc/hosts|cut -f1 -d' ';fi)*$/,\$ p"

So I recommend adding another conditional statement to the script, that checks if it is a Maestro, and then skip the portions I mentioned above.

Or simply running the script with these portions omitted, which will work just fine on Maestro - like this:

echo;tput bold;if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]];then echo ' Not a firewall gateway!';tput sgr0;echo;else echo -n ' Interface Topology ';tput sgr0;echo -n '> ';tput bold;tput setaf 1;if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]];then echo $vsname' (ID: '$INSTANCE_VSID')';else hostname;fi;tput sgr0;echo -n ' ';printf '%.s-' {1..80};echo;egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set|tail -n +3|sed 's/[\x22\t()<>]//g'|sed 's/--//g'|sed '$!N;s/\n:ipaddr6/ IPv6/;P;D'|sed '/IPv6/!s/://g'|sed 's/interface_topology/\tCalculated Interface Topology/g'|sed '0,/ifindex 0/{/ifindex 0/d;}'|sed '/ifindex 0/q'|sed '/spoof\|scan/d'|sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g'|sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g'|sed -e '/Prot/{n;d}'|sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D'|sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D'|sed '$!N;s/\nexternal false/ - Internal Interface/;P;D'|sed '$!N;s/\nexternal true/ - External Interface/;P;D'|sed '/objtype/q'|tac|sed '/ifindex 0/I,+2 d'|sed '/Address/,$!d'|tac|sed '/ifindex/d'|sed 's/,/ -/g'|sed '$!N;s/\nipaddr/ >/;P;D'|sed '/ - /s/^ /\t/'|egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect';echo;fi

jean_mtrx · ‎2025-03-28

Good day all,

Has anyone encountered this issue before, when you run this one-liner to get the subnets/addresses that sits behind the interfaces. But they get the following error message as shown below:

Main IP of <firewall-hostname> doesn`t match it`s management interface IP!

Danny · ‎2025-04-01

@jean_mtrx : That's the expected behavior when the Main IP of your firewall, as shown in SmartConsole, doesn't match the IP address of your firewall's management interface.

Are you a member of CheckMates?