CheckGatzMet
Contributor

Smart1 - Firewalls - Checkpoint extract info - Package - Routes

Hello CheckMates, good afternoon!

I hope you are very well.

I have a question about a Check Point firewall (or several firewalls) from which I have to obtain the policy package; the environment has a Smart-1 console appliance and two firewalls in a cluster.

Environment: SMART-1=====FW01--FW02

When entering in expert mode, in the SMART1:

1. Is the Linux command cp valid? Is it cp or some other command to copy and move a file from one directory to another?

2. To get the package, do you get it from the Smart-1 CLI or from the firewalls?

3. For the routes (netstat -nr > routes.txt), is this taken from the firewalls or from the Smart-1? Is this command executed from expert mode or from the Gaia shell?

4. If I connect, for example, with WinSCP to the Smart-1 or to one of the firewalls, can I remove, copy and move files without problems?

5. When I run these scripts, in which path is the package file that they generate placed? In the same directory where I run them?

6. To update the version, do I have to put the new web_api_show_package-jar-with-dependencies.jar in the path $MDS_FWDIR/api/samples/lib/ and then execute only $MDS_FWDIR/scripts/web_api_show_package.sh, or do I need to execute java -jar web_api_show_package-jar-with-dependencies.jar -v and then java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>?


Scripts: The Check Point Management Server also has a wrapper script so the tool can be run as $MDS_FWDIR/scripts/web_api_show_package.sh, which in turn executes java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar

- Export Package (Exporting Configuration)

https://github.com/CheckPointSW/ShowPolicyPackage

https://github.com/CheckPointSW/ShowPolicyPackage#examples

https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641

Thanks for your time, support, collaboration, and good vibes.

Best regards

0 Kudos
4 Replies
PhoneBoy
Admin

  1. In Expert Mode, cp works the same as it does on a regular Linux system.
  2. "To get the package" what precisely do you mean by this? In any case, you can only get the full details of the policy from the Smart-1. There is a command to retrieve the policy from the CLI of the gateways: db_tool -p $FWDIR/state/local/FW1 get_rules
  3. netstat can only be executed from expert mode as it is not a valid clish command. It works similar to a standard Linux system, i.e. only gets routes from the local system.
  4. You can use WinSCP. However, the user in question cannot have /etc/cli.sh as the default shell as that will not work.
  5. I believe it puts the output in the current working directory.
  6. If you're using a different version of the Show Package Tool than is included in your installation, then I would execute it separately (i.e. not replace the existing installed version).
(1)
Hugo_vd_Kooij
Advisor

There is a caveat. The command `db_tool -p $FWDIR/state/local/FW1 get_rules` only shows the policy the gateway is supposed to have. If a policy installation failure occurs on the gateway, it may not actually run that policy. But it is a nifty command to know about during policy install troubleshooting.

And removing files at will is ... frowned upon. If you don't know what the purpose of a file is then just ripping it out is sort of like using the rm command in the wrong directory. It makes for some digital fireworks and a big mess. (Not something I would put on your resume.)

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
(1)
CheckGatzMet
Contributor

Hello @PhoneBoy 

Thanks for your comments.

I understand that users with the admin role have no problem connecting via SCP to the Smart-1.
If I want to create a particular user for this purpose, I would have to execute:
R80>=
Example:
add user scpuser uid 2700 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config


According to this, the netstat command is valid for Gaia Clish Commands:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_AdminGuide/html_framese...

If you are asking me what I pull/execute from Check Point: well, from the Smart-1, this:
java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME>
So they tell me that it generates a tar.gz file that I have to get and deliver.

Thank you for your time and comments.

I remain attentive

Regards

0 Kudos
PhoneBoy
Admin

The Show Package Tool generates a tar.gz file because the output of this tool contains multiple things:

  • HTML files with the policy in a human readable form (open index.html in your web browser)
  • Multiple JSON files that contain the policy and objects extracted
  • A log file

More details at: https://support.checkpoint.com/results/sk/sk120342
A .tar.gz file can be extracted using standard Linux commands (tar -xvzf) or using 7zip on Windows.

0 Kudos
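As an added example (not the Show Package Tool's own code and not from this thread): a Python script that inventories an archive with the layout described above (index.html, JSON files, a log) so the hand-off can be checked for completeness, and extracts it while refusing any member that would resolve outside the target directory. The sample archive and its file names are constructed assumptions, so the script runs offline.

```python
import io
import os
import tarfile
import tempfile

# Constructed stand-in for the tool's output; the file names are assumptions.
SAMPLE_FILES = {
    "Standard/index.html": b"<html>policy</html>",
    "Standard/Standard_objects.json": b"[]",
    "Standard/Standard_Network-Policy.json": b"[]",
    "Standard/show_package.log": b"done",
}

def build_archive(files: dict) -> bytes:
    """Pack name -> bytes into a gzip'd tar and return the archive as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def inventory(archive: bytes) -> dict:
    """Count regular files by extension (.html, .json, .log, ...)."""
    counts = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                ext = os.path.splitext(m.name)[1].lower() or "other"
                counts[ext] = counts.get(ext, 0) + 1
    return counts

def safe_extract(archive: bytes, dest: str) -> list:
    """Write only regular files that stay inside dest; anything else raises."""
    dest, written = os.path.realpath(dest), []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            # Rejects absolute names, '..' components, symlinks and devices.
            if not m.isfile() or os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing unsafe member: {m.name}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(m).read())
            written.append(m.name)
    return written

def demo(files: dict = SAMPLE_FILES) -> tuple:
    """Build an archive from files, inventory it and extract it to a temp dir."""
    archive = build_archive(files)
    return inventory(archive), safe_extract(archive, tempfile.mkdtemp())
```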
