This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
MVP Diamond
MVP Diamond
‎2022-08-23 11:26 AM

Show Ruleset and Objects on the Gateway (Emergency Recovery)

I had an emergency case at the customer that the management server (virtual server under VMWARE) was encrypted by an encryption trojan. The VMWare datastore was encrypted and also the virtual management server. Thus, the management server became unusable. Unfortunately, there was no backup, snapshot or "mirate server export" of the management server.

The big question was, can we reconstruct the policy and the corresponding objects on the gateway.

I found an interesting way to show the currently running policy and objects on the gateway.

Show layer structure:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_layers

 

Show  installed ruleset:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules

 

Show all installed objects and object settings:

 

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

 

Show IP spoofing settings:

 

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'

 

Version:
1.0                                first oneliner                               2022-08-25
2.0                                R82 and R82.10+ version           2026-01-27

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(2)
21 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events