Smart1 - Firewalls - Checkpoint extract info - Package - Routes
Hello CheckMates, good afternoon.
I hope you are very well.
I have a question about a Check Point firewall (or several firewalls) from which I have to obtain the policy Package, in an environment with a Smart-1 console appliance and two firewalls in a cluster.
Environment: SMART-1=====FW01--FW02
When entering expert mode on the SMART1:
1. Is the Linux command cp valid? Is it copy or some other command, to copy or move a file from one directory to another?
2. To get the Package, do you get it from the SMART1 CLI or from the firewalls?
3. For the routes (netstat -nr > routes.txt), is this taken from the firewalls or from the SMART1? Is this command executed from expert mode or from the Gaia shell?
4. If I connect, for example, with WinSCP to the Smart-1 or to one of the firewalls, can I remove, copy and move files without problems?
5. When I run these scripts, in which path is the package file that it generates placed? In the same directory where I run it?
6. To update the version, do I have to put the new version of web_api_show_package-jar-with-dependencies.jar in the path $MDS_FWDIR/api/samples/lib/ and then execute only $MDS_FWDIR/scripts/web_api_show_package.sh, or do I need to execute java -jar web_api_show_package-jar-with-dependencies.jar -v and then java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>?
Scripts: The Check Point Management Server also has a wrapper script, so the tool can be run as `$MDS_FWDIR/scripts/web_api_show_package.sh`, which in turn executes `java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar`.
- Export Package (Exporting Configuration)
https://github.com/CheckPointSW/ShowPolicyPackage
https://github.com/CheckPointSW/ShowPolicyPackage#examples
https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641
Thanks for your time, support, collaboration, and good vibes.
Best regards
- In Expert Mode, cp works the same as it does on a regular Linux system.
- "To get the package": what precisely do you mean by this? In any case, you can only get the full details of the policy from the Smart-1. There is a command to retrieve the policy from the CLI of the gateways: `db_tool -p $FWDIR/state/local/FW1 get_rules`
- netstat can only be executed from Expert Mode, as it is not a valid clish command. It works similarly to a standard Linux system, i.e. it only gets routes from the local system.
- You can use WinSCP. However, the user in question cannot have /etc/cli.sh as the default shell, as that will not work.
- I believe it puts the output in the current working directory.
- If you're using a different version of the Show Package Tool than the one included in your installation, then I would execute it separately (i.e. not replace the existing installed version).
There is a caveat. The command `db_tool -p $FWDIR/state/local/FW1 get_rules` only shows the policy the gateway is supposed to have. If a policy installation failure occurs on the gateway, it may not actually run that policy. But it is a nifty command to know about during policy install troubleshooting.
And removing files at will is ... frowned upon. If you don't know what the purpose of a file is then just ripping it out is sort of like using the rm command in the wrong directory. It makes for some digital fireworks and a big mess. (Not something I would put on your resume.)
Hello @PhoneBoy
Thanks for your comments.
I understand that users with the admin role have no problem connecting via scp to SMART1.
If I want to create a particular user for this purpose, I would have to execute:
R80 and later, example:
```
add user scpuser uid 2700 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config
```
According to this, the netstat command is valid for Gaia Clish commands:
If you are asking me what I pull/execute from Check Point: well, from the SMART-1, this:
`java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME>`
So they tell me that it generates a tar.gz file that I have to get and deliver.
Thank you for your time and comments.
I remain attentive
Regards
The Show Package Tool generates a tar.gz file because the output of this tool contains multiple things:
- HTML files with the policy in a human readable form (open index.html in your web browser)
- Multiple JSON files that contain the policy and objects extracted
- A log file
More details at: https://support.checkpoint.com/results/sk/sk120342
A .tar.gz file can be extracted using standard Linux commands (`tar -xzvf`) or using 7-Zip on Windows.
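For the "get and deliver" step discussed above, here is an added example (not code from this thread or from Check Point's ShowPolicyPackage tool) that records a digest of the export, refuses archives with unsafe member paths, unpacks it with the correct tar flag order, and checks that the pieces the reply lists (index.html, JSON files) are present. It assumes that layout; the sample bundle it builds is constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point's ShowPolicyPackage tool.
# Assumed layout of an export: a .tar.gz whose contents include index.html,
# one or more .json files and a log file, as described in the reply above.
set -u

# sha256 of the archive, recorded at handoff so the recipient can confirm
# the bundle was not altered in transit.
package_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Unpack archive $1 into directory $2 and check the expected pieces exist.
# Returns 0 on success; non-zero with a message on stderr otherwise.
unpack_show_package() {
    archive=$1
    dest=$2
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # Refuse members that would land outside $dest (absolute paths or ..).
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains unsafe paths" >&2
        return 2
    fi
    # -x extract, -z gzip, -f file: the file name must follow -f directly,
    # so "tar -xvfz" would look for a file literally named "z".
    tar -xzf "$archive" -C "$dest" || return 1
    html=$(find "$dest" -name index.html | head -n 1)
    [ -n "$html" ] || { echo "no index.html in export" >&2; return 3; }
    [ "$(find "$dest" -name '*.json' | wc -l)" -gt 0 ] \
        || { echo "no JSON files in export" >&2; return 3; }
    echo "policy report: $html"
    return 0
}

# Constructed sample bundle so the example runs offline; a real export is
# produced by $MDS_FWDIR/scripts/web_api_show_package.sh -k <PACKAGE NAME>.
make_sample_package() {
    out=$1
    tmp=$(mktemp -d)
    mkdir -p "$tmp/show_package-sample"
    echo '<html><body>Sample policy</body></html>' > "$tmp/show_package-sample/index.html"
    echo '{"objects":[]}' > "$tmp/show_package-sample/objects.json"
    echo 'sample log' > "$tmp/show_package-sample/show_package.log"
    tar -czf "$out" -C "$tmp" show_package-sample
    rm -rf "$tmp"
}
```

Run `package_digest` on the real export and send the value alongside the file; `unpack_show_package` is what the recipient runs before opening index.html.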