CheckPoint: Delete Multiple Policies Via CLI

Delete Multiple Policies Via CLI

Deleting policy packages through the dashboard works fine but when you have 136 to delete it can take a long time. This article describes how to automate this via the CLI for a swift solution.

Using putty to access the Smartcenter:

1. Export all the policies to .pol files just in case:

[Expert@firewall] cp_merge export_policy

Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.

2. List all the policies into a file:

[Expert@firewall] cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt

This copies the policy names into a file named policies.txt and gets rid of any preceding or trailing characters.

3. Read in the file line by line and perform a delete_policy on it.

First of all, issue a “cpstop” command to stop the Checkpoint services on the management centre.

[Expert@firewall]# cpstop

[Expert@firewall]# while read line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt

The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.

Details for cp_merge:

[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.

Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]

cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]

cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v

cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>]  [-a export | import_new | import_override | import_append ] [-k security | nat | all ]

Run cp_merge -help for detailed usage

-s <server>            specify database server IP / name
-c <certificate file>  path to certificate file
-u <user>              database administrator user name
-p <password>          user's password
-d <directory>         specify working directory
-help                  print this summary

Objects Merge options:
-t                                      test mode - does not save

Policy Export options:
-n <package name>      policy package to export
-l <policy name>       export policy package which <policy name> belongs to.
-r                     remove the original policy from the repository
-f <file name>         specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)

Policy Import options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing

Policy Restore options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.

Policy Delete options:
-n <policy name>       policy to delete

Delimited Policy Import/Export options:
-a export                 export policy
import_new             import a new policy
import_override        imported policy will replace current
import_append          imported policy's rules will be appended to current
-l <policy name>          policy to export to/from
-f <file name>            file to export to/from
-k security | nat | all   types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.

Checkpoint: Error – “Unable to get idle-time workstation locking policy”

Now this may well be due to the situation discussed in sk88760 where the fresh install of R75.45 is missing some plugins, in which case you need to install them manually as follows:

  1. Change to the packages directory:
    [expert@fw]# cd /sysimg/CPwrapper/linux/MiniWrapper
  2. Run the install script:
    [expert@fw]# ./UnixInstallScript
  3. At the end of the installation, reboot the machine:
    [expert@HostName]# reboot
  4. For Security Management Server running on Windows, install the “Management Enhancement” plugin:
    C:\Program Files\CheckPoint\CPMgmtrfes\bin\uacRunner.exe -p PICPmgmtrfes -install

** BUT **

It may also be because you’re trying to open an R75.40 server with the R75.45 dashboard client !!!

Checkpoint: Bypass The First Time Configuration Wizard on Appliances

I had cause to revert a CheckPoint appliance to its factory image today of R75.40. In itself, no biggie – open a console connection, Ctrl-S to access the setup menu and choose factory default image. Log in to the webUI and complete the first time wizard.

Having encountered the Firefox “xslProcessor.transformDocument is not a function” error – still a known issue in R75.40 –  I logged in with IE 10. Unfortunately this went only as far as allowing me to log in and the actual wizard interface never appeared – this is an intermittent issue for me and seems to depend on the current price of fish.

Anyways .. the easiest thing to do (imho) is to:

Bypass The First Time Configuration Wizard

The following will prevent the the “First Time Configuration Wizard” from starting automatically.

Secure Platform:

  • Login to Expert mode and create the following file:

[expert@fw]# touch /opt/spwm/conf/wizard_accepted

  • Reboot the appliance
  • You now need to run sysconfig and go through all the steps of “Product Configuration” – only then can you access the “Product Installation” – obviously necessary for a working appliance!

Gaia:

The process is similair on Gaia – log in and create the file.

[expert@fw]# touch /etc/.wizard_accepted

There is no reboot required for Gaia

** Note: Login credentials remain unchanged **

Running the First Time Configuration Wizard again

Easy – delete the files which were created above!