Checkpoint: Smartcenter Migration Tools – R65, R70, R71, R75, R76, R77

This page will be updated as new tools become available; please note that you need valid usercentre credentials to download the files.

R77 Migration Tools –  Gaia / SecurePlatform / Linux / Windows / Solaris

R76 Migration Tools – Windows / SecurePlatform / RHEL / Gaia / IPSO 6 / Solaris

R75 Migration Tools – Windows / SecurePlatform / Linux / IPSO 6 / Solaris

 

CheckPoint: Delete Multiple Policies Via CLI

Delete Multiple Policies Via CLI

Deleting policy packages through the dashboard works fine but when you have 136 to delete it can take a long time. This article describes how to automate this via the CLI for a swift solution.

Using putty to access the Smartcenter:

1. Export all the policies to .pol files just in case:

[Expert@firewall] cp_merge export_policy

Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.

2. List all the policies into a file:

[Expert@firewall] cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt

This copies the policy names into a file named policies.txt and gets rid of any preceding or trailing characters.

3. Read in the file line by line and perform a delete_policy on it.

First of all, issue a “cpstop” command to stop the Checkpoint services on the management centre.

[Expert@firewall]# cpstop

[Expert@firewall]# while read line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt

The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.

Details for cp_merge:

[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.

Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]

cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]

cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v

cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>]  [-a export | import_new | import_override | import_append ] [-k security | nat | all ]

Run cp_merge -help for detailed usage

-s <server>            specify database server IP / name
-c <certificate file>  path to certificate file
-u <user>              database administrator user name
-p <password>          user's password
-d <directory>         specify working directory
-help                  print this summary

Objects Merge options:
-t                                      test mode - does not save

Policy Export options:
-n <package name>      policy package to export
-l <policy name>       export policy package which <policy name> belongs to.
-r                     remove the original policy from the repository
-f <file name>         specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)

Policy Import options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing

Policy Restore options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.

Policy Delete options:
-n <policy name>       policy to delete

Delimited Policy Import/Export options:
-a export                 export policy
import_new             import a new policy
import_override        imported policy will replace current
import_append          imported policy's rules will be appended to current
-l <policy name>          policy to export to/from
-f <file name>            file to export to/from
-k security | nat | all   types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.

Checkpoint: Monitoring HA Failover – WIP

This is an attempt to try and find a good way of monitoring and logging what is going on in the HA module. It’s a work-in-progress, please feel free to contribute.

Smartcenter

The first script and alert below uses a custom alert for a trigger and writes to a log file in the /var/tmp/clusterxl_alert directory on the smartcenter. Using the cron job, a daily email can be sent with the day’s alerts summary. This was posted to CPUG by yheffen – https://www.cpug.org/forums/clustering-security-gateway-ha-clusterxl/9992-ha-failover-log-files.html. Originally written using the korn shell,  it works equally well in bash.

#!/bin/bash

DIR="/var/tmp/clusterxl_alert"
DAILY_LOG="$DIR/alert_daily.log"
LOG="$DIR/alert.log"

mklog () {
        if [ ! -f "$1" ]; then
                touch "$1"
                chmod 644 "$1"
        fi
}

mklog "$LOG"

while read ALERT; do
        echo "$ALERT" >> "$DAILY_LOG"
        echo "$ALERT" >> "$LOG"
done

The path to the script is one of the “UserDefined scripts” defined in the “Policy> Global Properties> Log and Alert> Alert Commands” window. Then in the cluster object’s properties in the “ClusterXL” window, specify this User Defined Alert down in the “Tracking” section.

Cron job code:

0 5 * * * [ -f /var/tmp/clusterxl_alert/alert_daily.log ] && mailx -s "ClusterXL Alerts" me@example.com < /var/tmp/clusterxl_alert/alert_daily.log && rm /var/tmp/clusterxl_alert/alert_daily.log

Security Gateway

This next script, which is very quick and dirty, monitors the interfaces using the “cpaprobstat -a if”. It polls every 2 seconds and writes the result to a file (ha_poll.txt) and compares the result against a reference file (ha_ref.txt) which is created when the script is run initially. If a difference is found, it is logged to the ha_alert.log file. There are better ways to do this but as I said, it’s quick and dirty 🙂

#!/bin/bash

# variables
DIR="/var/tmp"
REFERENCE="$DIR/ha_ref.txt"
POLLED="$DIR/ha_polled.txt"
LOG="$DIR/ha_alert.log"

# functions

mkref () {
	echo `cphaprob -a if` > $REFERENCE
}

mkpoll () {
	echo `cphaprob -a if` > $POLLED
}

# main process

# make reference file
mkref

echo "Entering polling loop, use ctrl-c or"
echo "\"kill \$(pgrep ${0##*/})\" from a different terminal to exit"
echo
# Poll every 2 seconds and compare until ctrl-c. 
# If status changes log and then make new reference data
while true; do
	mkpoll
	DIFF=$(diff $REFERENCE $POLLED)
	if [ "$DIFF" != "" ]; then
		echo "Change logged to $LOG"
		echo "" >> $LOG
		echo $DIFF >> $LOG
		mkref
		sleep 2
	fi
done

Running this as admin in expert mode with an ampersand keeps the process running in the background even if the terminal is disconnected:

[expert@gw]# ./ha_monitor.sh &

One issue here is that if an interface is down, “cphaprob -a if” shows the number of seconds it has been down for:

[Expert@gw]# cphaprob -a if

Required interfaces: 4
Required secured interfaces: 2

eth0 UP sync(secured), multicast
eth1 Inbound: DOWN (4.7 secs)  Outbound: DOWN (5 secs) sync(secured), multicast
eth2 UP non sync(non secured), multicast
eth3 UP non sync(non secured), multicast

It will therefore see a discrepancy on every poll as the seconds number increases and will create a log entry every 2 seconds until the interface comes back up. Like I said, quick, dirty and a work-in-progress 🙂

 

EDIT:

New script now:

#!/bin/bash

# variables
HOSTNAME=`hostname`
DIR="/var/tmp"
LOG=$DIR"/"$HOSTNAME"_hamon.log"

# functions

mkref () {
	echo "Making new reference  .." >> $LOG
	REFERENCE="`cphaprob stat`" 
	echo "Done" >> $LOG
	echo "" >> $LOG
}

mkpoll () {
	POLLED="`cphaprob stat`"
}

getAndLogVals () {
	CPHAPROBSTAT=`cphaprob stat`
	CPHAPROBLIST=`cphaprob list | grep -v "Time since" | grep -v "Registration number" | grep -v "Timeout: none"`
	CPHAPROBAIF=`cphaprob -a if`
	echo "" >> $LOG
	echo "cphaprob stat:" >> $LOG
	echo "--------------" >> $LOG
	echo "$CPHAPROBSTAT" >> $LOG
	echo "" >> $LOG
	echo "cphaprob list:" >> $LOG
	echo "--------------" >> $LOG
	echo "$CPHAPROBLIST" >> $LOG
	echo "" >> $LOG
	echo "cphaprob -a if:" >> $LOG
	echo "---------------" >> $LOG
	echo "$CPHAPROBAIF" >> $LOG
	echo "" >> $LOG
}

# main []

if [ -f $LOG ]; then
    echo "Removing old log file .."
	`rm $LOG`
fi

echo "Starting logging at "`date` >> $LOG
echo "" >> $LOG

# Record original vals to the log 
getAndLogVals

# get reference vals
mkref

echo "Monitoring Failover status, use ctrl-c or \"kill \$(pgrep ${0##*/})\" from a different terminal to exit"

# Poll continuously and compare until ctrl-c. If status changes, log and get new reference data
while true; do
	mkpoll
	if [ "$POLLED" != "$REFERENCE" ]; then
		DIFF="$REFERENCE / $POLLED"
		echo "" >> $LOG
		echo "=============================================================================" >> $LOG
		echo "" >> $LOG
		echo `date` >> $LOG
		echo "" >> $LOG
		echo "HA Status Change detected, logged to $LOG"
		echo "$DIFF" >> $LOG
		echo "" >> $LOG
		getAndLogVals
		mkref
	fi
done
Exit mobile version
%%footer%%