Checkpoint: Smartcenter Migration Tools – R65, R70, R71, R75, R76, R77

This page will be updated as new tools become available; please note that you need valid UserCenter credentials to download the files.

R77 Migration Tools – Gaia / SecurePlatform / Linux / Windows / Solaris

R76 Migration Tools – Windows / SecurePlatform / RHEL / Gaia / IPSO 6 / Solaris

R75 Migration Tools – Windows / SecurePlatform / Linux / IPSO 6 / Solaris


CheckPoint: Delete Multiple Policies Via CLI

Deleting policy packages through the dashboard works fine, but when you have 136 to delete it can take a long time. This article describes how to automate the job via the CLI for a swift solution.

Using PuTTY to access the SmartCenter:

1. Export all the policies to .pol files just in case:

[Expert@firewall] cp_merge export_policy

Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.

2. List all the policies into a file:

[Expert@firewall] cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt

This copies the policy names into a file named policies.txt and gets rid of any preceding or trailing characters.

3. Read the file line by line and run delete_policy on each name.

First, issue a “cpstop” command to stop the Check Point services on the management centre.

[Expert@firewall]# cpstop

[Expert@firewall]# while read line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt

The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.
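As an added example (not code from the original article), here is the same bulk delete built around the cp_merge commands above, with a keep-list so that packages you still need (for example the one currently installed) are skipped, a DRY_RUN mode to review the plan first, and an export of each package before it is deleted. It uses the -c certificate option from the help text in place of -u/-p so the administrator password does not land in shell history or the process list; the list_policy output format, the certificate path and the backup directory are assumptions.

```bash
#!/bin/bash
# Added example, not from the original article. Assumes: cp_merge on PATH,
# list_policy output naming each package in single quotes (the article's own
# cut -d "'" -f 2 relies on this), and an admin certificate file for -c.
CP_MERGE="${CP_MERGE:-cp_merge}"
CERT="${CERT:-/var/tmp/admin.cert}"              # assumed path, see "-c" in the help text
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/policy_backup}"  # assumed export location

# Pull package names out of list_policy-style text on stdin.
policy_names() {
    grep "'" | cut -d "'" -f 2
}

# Names in $1 (newline separated) minus the exact names listed in keep file $2.
plan_deletions() {
    grep -v -x -F -f "$2" <<EOF
$1
EOF
}

# Export then delete each planned package; with DRY_RUN=1 only print the plan.
# Echoes the number of packages handled as its last line.
delete_policies() {
    local plan="$1" name n=0
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would delete: $name"
        else
            # </dev/null keeps cp_merge from reading the loop's stdin
            "$CP_MERGE" export_policy -s localhost -c "$CERT" -n "$name" -d "$BACKUP_DIR" </dev/null &&
            "$CP_MERGE" delete_policy -s localhost -c "$CERT" -n "$name" </dev/null ||
            echo "failed: $name" >&2
        fi
        n=$((n + 1))
    done <<EOF
$plan
EOF
    echo "$n"
}

# Usage on the SmartCenter (after cpstop, as in the article):
#   printf 'Standard\n' > keep.txt
#   DRY_RUN=1 ./bulk_delete.sh keep.txt   # review the plan, then rerun without DRY_RUN
if [ -n "${1:-}" ]; then
    mkdir -p "$BACKUP_DIR"
    names=$("$CP_MERGE" list_policy -s localhost -c "$CERT" | policy_names)
    delete_policies "$(plan_deletions "$names" "$1")"
fi
```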

Details for cp_merge:

[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.

Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]

cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]

cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v

cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>]  [-a export | import_new | import_override | import_append ] [-k security | nat | all ]

Run cp_merge -help for detailed usage

-s <server>            specify database server IP / name
-c <certificate file>  path to certificate file
-u <user>              database administrator user name
-p <password>          user's password
-d <directory>         specify working directory
-help                  print this summary

Objects Merge options:
-t                                      test mode - does not save

Policy Export options:
-n <package name>      policy package to export
-l <policy name>       export policy package which <policy name> belongs to.
-r                     remove the original policy from the repository
-f <file name>         specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)

Policy Import options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing

Policy Restore options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.

Policy Delete options:
-n <policy name>       policy to delete

Delimited Policy Import/Export options:
-a export                 export policy
import_new             import a new policy
import_override        imported policy will replace current
import_append          imported policy's rules will be appended to current
-l <policy name>          policy to export to/from
-f <file name>            file to export to/from
-k security | nat | all   types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.

Checkpoint: Monitoring HA Failover – WIP

This is an attempt to find a good way of monitoring and logging what is going on in the HA module. It’s a work-in-progress, please feel free to contribute.

Smartcenter

The first script below uses a custom (user-defined) alert as its trigger and writes to a log file in the /var/tmp/clusterxl_alert directory on the SmartCenter. With the cron job that follows, a daily e-mail can be sent summarising the day’s alerts. This was posted to CPUG by yheffen – https://www.cpug.org/forums/clustering-security-gateway-ha-clusterxl/9992-ha-failover-log-files.html. Originally written for the Korn shell, it works equally well in bash.

#!/bin/bash
# Run by the SmartCenter as a user-defined alert; the alert text arrives on stdin.

DIR="/var/tmp/clusterxl_alert"
DAILY_LOG="$DIR/alert_daily.log"   # mailed and removed once a day by cron
LOG="$DIR/alert.log"               # permanent history

# make sure the log directory exists before touching anything in it
mkdir -p "$DIR"

# create a log file with sane permissions if it does not exist yet
mklog () {
        if [ ! -f "$1" ]; then
                touch "$1"
                chmod 644 "$1"
        fi
}

mklog "$LOG"

# append every line of the alert to both logs
while read -r ALERT; do
        echo "$ALERT" >> "$DAILY_LOG"
        echo "$ALERT" >> "$LOG"
done

The path to the script is one of the “UserDefined scripts” defined in the “Policy> Global Properties> Log and Alert> Alert Commands” window. Then in the cluster object’s properties in the “ClusterXL” window, specify this User Defined Alert down in the “Tracking” section.

Cron job code:

0 5 * * * [ -f /var/tmp/clusterxl_alert/alert_daily.log ] && mailx -s "ClusterXL Alerts" me@example.com < /var/tmp/clusterxl_alert/alert_daily.log && rm /var/tmp/clusterxl_alert/alert_daily.log

Security Gateway

This next script, which is very quick and dirty, monitors the interfaces using “cphaprob -a if”. It polls every 2 seconds, writes the result to a file (ha_polled.txt) and compares it against a reference file (ha_ref.txt) that is created when the script first runs. If a difference is found, it is logged to ha_alert.log. There are better ways to do this but, as I said, it’s quick and dirty 🙂

#!/bin/bash

# variables
DIR="/var/tmp"
REFERENCE="$DIR/ha_ref.txt"
POLLED="$DIR/ha_polled.txt"
LOG="$DIR/ha_alert.log"

# functions

# snapshot the interface status into the reference file
mkref () {
	cphaprob -a if > "$REFERENCE"
}

# snapshot the interface status into the polled file
mkpoll () {
	cphaprob -a if > "$POLLED"
}

# main process

# make reference file
mkref

echo "Entering polling loop, use ctrl-c or"
echo "\"kill \$(pgrep ${0##*/})\" from a different terminal to exit"
echo
# Poll every 2 seconds and compare until ctrl-c.
# If status changes log and then make new reference data
while true; do
	mkpoll
	DIFF=$(diff "$REFERENCE" "$POLLED")
	if [ -n "$DIFF" ]; then
		echo "Change logged to $LOG"
		echo "" >> "$LOG"
		echo "$DIFF" >> "$LOG"
		mkref
	fi
	sleep 2
done

Running this as admin in expert mode with an ampersand keeps the process running in the background even if the terminal is disconnected:

[expert@gw]# ./ha_monitor.sh &

One issue here is that if an interface is down, “cphaprob -a if” shows the number of seconds it has been down for:

[Expert@gw]# cphaprob -a if

Required interfaces: 4
Required secured interfaces: 2

eth0 UP sync(secured), multicast
eth1 Inbound: DOWN (4.7 secs)  Outbound: DOWN (5 secs) sync(secured), multicast
eth2 UP non sync(non secured), multicast
eth3 UP non sync(non secured), multicast

It will therefore see a discrepancy on every poll as the seconds number increases and will create a log entry every 2 seconds until the interface comes back up. Like I said, quick, dirty and a work-in-progress 🙂
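One way around the counter noise just described, as an added example that is not code from the original post: compare two “cphaprob -a if” snapshots only after stripping the volatile “(N secs)” counters, so a DOWN interface produces a single log entry rather than one every poll. The output format is assumed to match the sample above; the log path and poll interval are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Assumes "cphaprob -a if" prints
# interface lines like the sample above, e.g.
#   eth1 Inbound: DOWN (4.7 secs)  Outbound: DOWN (5 secs) sync(secured), multicast
LOG="${LOG:-/var/tmp/ha_if_state.log}"   # assumed log path
INTERVAL="${INTERVAL:-2}"                # seconds between polls

# Drop blank lines and the "(N secs)" down-time counters, then squeeze
# whitespace, leaving only the part of each line that describes state.
normalize_if() {
    sed -E '/^[[:space:]]*$/d; s/\([0-9.]+ secs\)//g; s/[[:space:]]+/ /g; s/^ //; s/ $//'
}

# Exit 0 when the two snapshots differ in state, 1 when only counters moved.
if_state_changed() {
    [ "$(printf '%s\n' "$1" | normalize_if)" != "$(printf '%s\n' "$2" | normalize_if)" ]
}

# Print the normalized lines of snapshot $2 that are not in snapshot $1.
if_state_diff() {
    local ref_tmp
    ref_tmp=$(mktemp)
    printf '%s\n' "$1" | normalize_if > "$ref_tmp"
    printf '%s\n' "$2" | normalize_if | grep -v -x -F -f "$ref_tmp"
    rm -f "$ref_tmp"
}

# Poll until killed; on a real state change log what changed plus a full snapshot.
monitor_if() {
    local ref cur
    ref=$(cphaprob -a if)
    while true; do
        cur=$(cphaprob -a if)
        if if_state_changed "$ref" "$cur"; then
            {
                echo "=== $(date) interface state change on $(hostname)"
                if_state_diff "$ref" "$cur"
                echo "--- full snapshot"
                printf '%s\n' "$cur"
            } >> "$LOG"
            ref="$cur"
        fi
        sleep "$INTERVAL"
    done
}

# Run on the gateway with: ./ha_if_monitor.sh run
if [ "${1:-}" = "run" ]; then monitor_if; fi
```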


EDIT:

New script now:

#!/bin/bash

# variables
HOSTNAME=$(hostname)
DIR="/var/tmp"
LOG="$DIR/${HOSTNAME}_hamon.log"
INTERVAL=2   # seconds between polls

# functions

# take a fresh "cphaprob stat" snapshot as the reference for later comparisons
mkref () {
	echo "Making new reference  .." >> "$LOG"
	REFERENCE=$(cphaprob stat)
	echo "Done" >> "$LOG"
	echo "" >> "$LOG"
}

mkpoll () {
	POLLED=$(cphaprob stat)
}

# dump the full HA state to the log; the grep -v filters drop the lines of
# "cphaprob list" that change on every run
getAndLogVals () {
	CPHAPROBSTAT=$(cphaprob stat)
	CPHAPROBLIST=$(cphaprob list | grep -v "Time since" | grep -v "Registration number" | grep -v "Timeout: none")
	CPHAPROBAIF=$(cphaprob -a if)
	echo "" >> "$LOG"
	echo "cphaprob stat:" >> "$LOG"
	echo "--------------" >> "$LOG"
	echo "$CPHAPROBSTAT" >> "$LOG"
	echo "" >> "$LOG"
	echo "cphaprob list:" >> "$LOG"
	echo "--------------" >> "$LOG"
	echo "$CPHAPROBLIST" >> "$LOG"
	echo "" >> "$LOG"
	echo "cphaprob -a if:" >> "$LOG"
	echo "---------------" >> "$LOG"
	echo "$CPHAPROBAIF" >> "$LOG"
	echo "" >> "$LOG"
}

# main

if [ -f "$LOG" ]; then
	echo "Removing old log file .."
	rm -f "$LOG"
fi

echo "Starting logging at $(date)" >> "$LOG"
echo "" >> "$LOG"

# Record original vals to the log
getAndLogVals

# get reference vals
mkref

echo "Monitoring Failover status, use ctrl-c or \"kill \$(pgrep ${0##*/})\" from a different terminal to exit"

# Poll every INTERVAL seconds and compare until ctrl-c. If status changes, log and get new reference data
while true; do
	mkpoll
	if [ "$POLLED" != "$REFERENCE" ]; then
		# old status and new status, separated by a slash
		DIFF="$REFERENCE / $POLLED"
		echo "" >> "$LOG"
		echo "=============================================================================" >> "$LOG"
		echo "" >> "$LOG"
		date >> "$LOG"
		echo "" >> "$LOG"
		echo "HA Status Change detected, logged to $LOG"
		echo "$DIFF" >> "$LOG"
		echo "" >> "$LOG"
		getAndLogVals
		mkref
	fi
	sleep "$INTERVAL"
done