Günther W. Albrecht

Undocumented command to install policy on SMB unit

Discussion created by Günther W. Albrecht on Mar 6, 2018
Latest reply on May 30, 2018 by Günther W. Albrecht

This is a follow-up after reading Yuri Slobodyanyuk's blog on IT Security and Networking. He speaks of changes to .def files like crypt.def (e.g. for VPN Fine-Tuning) that are made on the SMS and installed on GW by polixy install. Now, SMB units have that files - crypt.def can be found there in /pfrm2.0/config2/fw1/lib/ and in /pfrm2.0/opt/fw1/lib/crypt.def.


As locally managed SMB units have no policy install, he speaks about reboot that would activate the new settings, but also, a much easier way is available (he says "not listed in any Checkpoint documentation", but you can find it in sk97949, sk100278 and sk108274) by issuing:

[Expert]# fw_configload

Now i just ask myself if this has been tested not only with crypt.def, but also with the further config files (see my comment here). I assume that /pfrm2.0/config2/fw1/lib/crypt.def has to be changed, but is that true ?


And the sk100278 gives two commands:

[Expert]# fw_configload
[Expert]# sfwd_restart

The second one should be different to a reboot, but what does happen here? Following sk97638, sfwd is not only the "small" FWD, but the SMB Main GW process:

  • Logging
  • Policy installation
  • VPN negotiation
  • Identity Awareness enforcement
  • UserCheck enforcement
  • etc.

Start and stop are documented as:

[Expert]# $FWDIR/bin/cpwd_admin stop -name SFWD
[Expert]# $FWDIR/bin/cpwd_admin start -name SFWD -path $FWDIR/bin/fw -command "fw sfwd"

Following sk113090, we can also use:

[Expert]# sfwd_stop
[Expert]# sfwd_start

So the restart command will use the two commands above as we know from other parts of the CP CLI .