This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2022-08-23 11:26 AM

Show Ruleset and Objects on the Gateway (Emergency Recovery)

I had an emergency case at the customer that the management server (virtual server under VMWARE) was encrypted by an encryption trojan. The VMWare datastore was encrypted and also the virtual management server. Thus, the management server became unusable. Unfortunately, there was no backup, snapshot or "mirate server export" of the management server.

The big question was, can we reconstruct the policy and the corresponding objects on the gateway.

I found an interesting way to show the currently running policy and objects on the gateway.

Show layer structure:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_layers

 

Show  installed ruleset:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules

 

Show all installed objects and object settings:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

 

Show IP spoofing settings:

 

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'

 

PS:

I am working on a script that will automatically generate the appropriate policy and objects in management CLI (mgmt_cli) format. Thus, the policy can be imported to the management server very quickly.

Give me a little more time for this script.

The big question is, does Check Point already have a script for this case?

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(2)
21 Replies
Danny
Champion Champion
Champion
‎2022-08-23 12:04 PM

Repost plus some additions of what @deniskr posted 2 weeks ago here.

TAC / PS have developed a CP-internal method to recover the security policy from a gateway. Ask them for help in such cases.

0 Kudos
_Val_
Admin
Admin
‎2022-08-24 03:07 AM

Heiko, could you elaborate about "encrypted by a trojan"? Was it a VM, and the VM server got encrypted? I hardly believe a trojan could do anything on the HW-based Gaia server in the first place...

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2022-08-24 12:44 PM
In response to _Val_

YES, the encryption trojan has encrypted the complete VMWare datastore. This meant that all virtual machines could no longer be used. The management server was also affected because it was also virtual system.

I have corrected this in the text above

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
_Val_
Admin
Admin
‎2022-08-25 04:00 AM
In response to HeikoAnkenbrand

Understood, thanks for clarifying.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-05-26 05:30 AM

Hi all,

i've a similar problem. The management server got corrupted after a VMware upgrade and no backup/snapshot.

I can access gaia system but it seems that a ton of linux commands and clish shell are corrupted too (unable to use).

So i was thinking about two fix:

- Try to extract the database from the OS to a new deployed management to test a migrate server (this command it doesn't work on corrupted VM). Anyone is able to identify in which folder/partition the database it is located?

- Try to fix the corrupted system: no access to clish so i cannot perform, for example, a software upgrade... any idea?

0 Kudos
the_rock
Legend
Legend
‎2023-05-26 05:55 AM
In response to CheckPointerXL

Im pretty sure below is all database related on mgmt server

$CPDIR/database folder

Andy

 

[Expert@QUANTUM-MANAGEMENT:0]# cd /opt/CPshrd-R81.20/database/
[Expert@QUANTUM-MANAGEMENT:0]# ls
CPCoreUploader
EntMgr_BC_DB.xml
EntMgr_DB.xml
EntMgr_DB.xml.org
ICA_QUANTUM-MANAGEMENT_a2n_net_uhsukv_ac03fe.crl
cpdiag
cpeps
cpeps_verification
cprid
downloads
entitlement_status_collector_db.C
entitlement_status_collector_db.C.backup
fingerprints.txt
postgresql
[Expert@QUANTUM-MANAGEMENT:0]#

CheckPointerXL
Advisor
Advisor
‎2023-05-26 05:57 AM
In response to the_rock

i will try to move that folder on a new mgmt and to test a migrate server on it

thanks !

the_rock
Legend
Legend
‎2023-05-26 05:59 AM
In response to CheckPointerXL

Also, attached a file that describes a process building new mgmt from scratch (old school method). Never tried in R80+, but I bet it still works.

Andy

Preview file
5 KB
0 Kudos
_Val_
Admin
Admin
‎2023-05-26 06:43 AM
In response to the_rock

No, it will not. The procedure is incomplete, and only works for R7x and below. 

the_rock
Legend
Legend
‎2023-05-26 06:50 AM
In response to _Val_

Good to know!

0 Kudos
Luc_Cormorand
Employee Employee
Employee
‎2024-01-23 12:50 PM
In response to the_rock

Check Point PS Team develops a tool that is able to rebuild mgmt from gateway with some limitations...Name is SmartRescuer.

Contact your local CP Sale or SE...At least contact Miser Val that will forward us the request.

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-23 01:00 PM
In response to Luc_Cormorand

Never heard of it...its for R80+ versions?

Andy

0 Kudos
Luc_Cormorand
Employee Employee
Employee
‎2024-01-23 01:03 PM
In response to the_rock

we developped in the past for R77.x but we also developped for R80.x as well.

It is a service not a free tool but helped already many customers.

0 Kudos
the_rock
Legend
Legend
‎2024-01-23 01:06 PM
In response to Luc_Cormorand

I figured its not free, otherwise, Im sure I would have seen it on support site lol

Personally, I always tell the customers to generate VM snapshot if they use vmware for mgmt or if its open server, then have recent backup and snapshot too, you never know. Broken management server is pretty bad situation.

Cheers,

Andy

0 Kudos
Luc_Cormorand
Employee Employee
Employee
‎2024-01-23 01:14 PM
In response to the_rock

And you are fully right...Check Point provides so many ways to backup the management database...However, just last year, we were contacted more than 20 times to restore management from gateway.

I am happy to develop the "useless" tool...until the next time a customer will see the usefulness of this service.

0 Kudos
the_rock
Legend
Legend
‎2024-01-23 01:17 PM
In response to Luc_Cormorand

I never said it was useless LOL

I cant comment on it at all, as the only way for me to make judgment is if I saw how it works myself, thats it. If it helped 20 customers, I would say thats really good!

Best,

Andy

0 Kudos
Luc_Cormorand
Employee Employee
Employee
‎2024-01-23 01:21 PM
In response to the_rock

We said "internally it is an useless tool"....But we are happy to see it is not so useless 🙂

One day I will show you the tool...in the meantim, if you have some customers that did not follow your recommendations, please ping me.

regards

0 Kudos
the_rock
Legend
Legend
‎2024-01-23 01:24 PM
In response to Luc_Cormorand

Thats good to know! No, personally, my company would not need it, as we have people who been around CP products real long time.

But, I would like to see how it works one day...I love to learn new things.

Best,

Andy

0 Kudos
MartinOles
Participant
‎2024-01-24 03:27 AM

I am in similar situation, management server is gone, gateways fortunately are still working. Commands works like charm, thank you for them, I am able to "reconstruct" rulebase, objects used and antispoofing.

Is it also possible to extract also NAT rules?

Thank you.

0 Kudos
Luc_Cormorand
Employee Employee
Employee
‎2024-01-24 03:44 AM
In response to MartinOles

It is not possible to rebuild sms at 100% but CP Professional Services SmartRescuer retrieves rules, objects, services, domain objects, VPN communities (but not in details it is one of big limitations) etc... etc... and Nat rules of courses.

Luc_Cormorand
Employee Employee
Employee
‎2024-01-31 12:36 AM
In response to Luc_Cormorand

FYI Check Point Professional services Smart Rescuer service communication can be seen here:

https://www.linkedin.com/feed/update/urn:li:activity:7158356881852248064/

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events