HeikoAnkenbrand
Champion

Show Ruleset and Objects on the Gateway (Emergency Recovery)

I had an emergency case at a customer where the management server (a virtual server under VMware) was encrypted by an encryption trojan. The VMware datastore was encrypted and also the virtual management server. Thus, the management server became unusable. Unfortunately, there was no backup, snapshot or "migrate server export" of the management server.

The big question was: can we reconstruct the policy and the corresponding objects on the gateway?

I found an interesting way to show the currently running policy and objects on the gateway.

Show layer structure:

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_layers

Show installed ruleset:

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules

Show all installed objects and object settings:

db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.10/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

Show IP spoofing settings:

ifconfig -a |grep -B 1 inet |grep encap| awk '{print $1}' | grep -v lo | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'echo %;echo -n " VIP "; cphaprob -a if |grep %|grep -v U|grep -v D | cut -c16-| tr -d "\r\n" ;echo;echo -n " IP ";ifconfig % | grep "inet addr" | cut -d ":" -f 2 | cut -d " " -f 1;echo -n " Mask " ;ifconfig % | sed -rn "2s/ .*:(.*)$/\1/p";echo -en " ANTISPOOFING ENABLED:\t";more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep has_addr_info | cut -c17- | tr \) " " |sort -n| uniq ; echo -en " ANTISPOOFING MODE:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep monitor_only | cut -c16- | tr \) " " |sort -n| uniq| grep -o false` ]; then echo "PREVENT"; else echo "DETECT"; fi; echo -en " ANTISPOOFING TOPO:\t"; if [ `more $FWDIR/state/local/FW1/local.set |grep -A 30 % | grep external | cut -c12- | tr \) " " |sort -n| uniq| grep -o true` ]; then echo "External"; else echo "Internal"; fi;echo " ADDRESS SPOOFING NETWORKS:";more $FWDIR/state/local/FW1/local.set | grep -A 30 %|grep ": (\""|sort -n| uniq |tr \(\)\<\>\:\" \ ;echo " "'

PS:

I am working on a script that will automatically generate the appropriate policy and objects in management CLI (mgmt_cli) format. Thus, the policy can be imported to the management server very quickly.

Give me a little more time for this script.

The big question is, does Check Point already have a script for this case?


➜ CCSM Elite, CCME, CCTE
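The db_tool one-liners above can be wrapped into a small script that takes a dated snapshot of the running policy from the gateway's local database, so an offline copy exists before the next management server is lost. This is an added example, not Heiko's script and not a Check Point tool; it assumes the R81.10 path from the post (via $FWDIR, as in the anti-spoofing one-liner), assumes that get_rules prints one "UUID: <value>" line per referenced object (which is what the awk split on ":" above implies), and replaces uniq with an order-preserving awk filter, because uniq only folds adjacent repeats and the same object UUID usually appears in rules that are far apart.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot layers, rules and all
# referenced objects from a gateway's local FW1 database using db_tool.
# Assumptions: R81.10 install path (overridable via FWDIR), and get_rules
# emitting lines of the form "UUID: <value>" for every referenced object.

FW1_STATE="${FWDIR:-/opt/CPsuite-R81.10/fw1}/state/local/FW1"

# Read a get_rules dump on stdin and print each referenced UUID once,
# in first-seen order. Whitespace (and a stray CR) around the value is trimmed.
extract_uuids() {
    grep 'UUID' | awk -F: '{
        gsub(/^[ \t\r]+|[ \t\r]+$/, "", $2)
        if ($2 != "" && !seen[$2]++) print $2
    }'
}

# Read UUIDs on stdin and dump each object once into OUTDIR/objects/<uuid>.txt.
# db_tool gets /dev/null as stdin so it cannot consume the UUID list.
dump_objects() {
    outdir="$1"
    mkdir -p "$outdir/objects"
    while read -r uuid; do
        [ -n "$uuid" ] || continue
        db_tool -p "$FW1_STATE" get_object -u "$uuid" \
            < /dev/null > "$outdir/objects/$uuid.txt"
    done
}

# Full snapshot: layers, rules and all referenced objects in one dated
# directory, then packed into a .tgz that should be copied off the gateway.
snapshot_policy() {
    outdir="${1:-/var/log/policy-snapshot-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$outdir"
    db_tool -p "$FW1_STATE" get_layers > "$outdir/layers.txt"
    db_tool -p "$FW1_STATE" get_rules  > "$outdir/rules.txt"
    extract_uuids < "$outdir/rules.txt" | dump_objects "$outdir"
    tar -czf "$outdir.tgz" -C "$(dirname "$outdir")" "$(basename "$outdir")"
    echo "$outdir.tgz"
}

# Only take a snapshot when explicitly asked, so the file can also be
# sourced for its functions: sh snapshot.sh --run [/path/to/outdir]
if [ "${1:-}" = "--run" ]; then
    shift
    snapshot_policy "$@"
fi
```

Run it in expert mode on the gateway with --run and ship the resulting .tgz off the box as part of the regular backup job; the object dumps are keyed by UUID, which is the same identifier the get_object -u call in the post uses, so a dump can be cross-checked against rules.txt later.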
4 Replies
Danny
Champion

Repost plus some additions of what @deniskr posted 2 weeks ago here.

TAC / PS have developed a CP-internal method to recover the security policy from a gateway. Ask them for help in such cases.

_Val_
Admin

Heiko, could you elaborate about "encrypted by a trojan"? Was it a VM, and the VM server got encrypted? I hardly believe a trojan could do anything on the HW-based Gaia server in the first place...

HeikoAnkenbrand
Champion

YES, the encryption trojan has encrypted the complete VMware datastore. This meant that all virtual machines could no longer be used. The management server was also affected because it was also a virtual system.

I have corrected this in the text above.


➜ CCSM Elite, CCME, CCTE
_Val_
Admin

Understood, thanks for clarifying.
