Checkpoint: Object Filler and Object Dumper (ofiller)

This article offers a download of Martin Hoz’s (Checkpoint SE) Ofiller tool and describes basic usage.

The software package can be downloaded here:

ofiller_v2.4.tgz

There is full documentation in the package but a quick look at page 53 of the manual yields the following:

odumper -f file [-p file] -o file [-d] [-html] [-v]
-f specifies the path to the objects (Objects_5_0.C or objects.C) file you want to process
-p specifies the path to the rulebases (rulebases_5_0.fws) file you want to process - Optional
-o specifies the path to the output formatted file you want to have
-d tells the program to also print the default objects - Optional
-html formats the output to HTML (instead of default CSV format) - Optional
file is a valid filename - such as output.txt, output.html or objects.C
Required parameters: -f and -o

** Important ** – Run this on copies of the files and not against the files on the live firewall!

  • To dump objects only:

odumper -f copy_of_Objects_5_0.C -o my_objects.csv

  • To dump rules only:

odumper -p Copy_of_rulebases_5_0.fws -o my_rules.csv

  • To dump both rules and objects to the same file:

odumper -f copy_of_Objects_5_0.C -p Copy_of_rulebases_5_0.fws -o my_objects_and_rules.csv

 

Note: If you are dumping these to re-import on another management centre, dump rules and objects individually, as per the first two examples.

Checkpoint: Smartcenter Migration Tools – R65, R70, R71, R75, R76, R77

This page will be updated as new tools become available; please note that you need valid usercentre credentials to download the files.

R77 Migration Tools –  Gaia / SecurePlatform / Linux / Windows / Solaris

R76 Migration Tools – Windows / SecurePlatform / RHEL / Gaia / IPSO 6 / Solaris

R75 Migration Tools – Windows / SecurePlatform / Linux / IPSO 6 / Solaris

 

CheckPoint: Delete Multiple Policies Via CLI

Deleting policy packages through the dashboard works fine, but when you have 136 to delete it can take a long time. This article describes how to automate the deletion via the CLI.

Using PuTTY to access the SmartCenter:

1. Export all the policies to .pol files just in case:

[Expert@firewall]# cp_merge export_policy

Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.

2. List all the policies into a file:

[Expert@firewall]# cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt

This writes the policy names to a file named policies.txt. The cut command keeps only the text between the single quotes, so any characters before or after each name are dropped.

3. Read in the file line by line and perform a delete_policy on each name.

First of all, issue a “cpstop” command to stop the Checkpoint services on the management centre.

[Expert@firewall]# cpstop

[Expert@firewall]# while IFS= read -r line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt

The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.
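
A more guarded form of steps 1 to 3, as an added example that is not part of the original article: it only approves a policy for deletion when an exported .pol backup exists and the name is not on a keep list, and it defaults to a dry run. The function names, the keep-list file and the DRY_RUN, CP_USER and CP_PASS variables are hypothetical, and the sample list lines are constructed.

```shell
#!/bin/bash
# Added example, not part of the original article. Assumes list_policy prints
# each name between single quotes (as the cut command above implies) and that
# export_policy wrote the default <policy name>.pol files into BACKUP_DIR.

# Read list_policy output on stdin; print one policy name per line.
extract_names() { grep "'" | cut -d "'" -f 2; }

# plan_deletes BACKUP_DIR KEEP_FILE: read names on stdin and print only those
# that are safe to delete. Skipped names go to stderr with the reason.
plan_deletes() {
    backup_dir=$1 keep_file=$2
    while IFS= read -r name; do
        case $name in
            ''|-*|*[!A-Za-z0-9_.-]*)
                echo "skip (review name by hand): $name" >&2; continue ;;
        esac
        if grep -Fxq -e "$name" "$keep_file"; then
            echo "skip (on keep list): $name" >&2; continue
        fi
        if [ ! -s "$backup_dir/$name.pol" ]; then
            echo "skip (no exported backup): $name" >&2; continue
        fi
        printf '%s\n' "$name"
    done
}

# Read approved names on stdin. With DRY_RUN=1 (the default) only print the
# commands, password masked; with DRY_RUN=0 run them using CP_USER / CP_PASS.
delete_planned() {
    while IFS= read -r name; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "cp_merge delete_policy -s localhost -u ${CP_USER:-admin} -p '***' -n $name"
        else
            cp_merge delete_policy -s localhost -u "${CP_USER:-admin}" \
                -p "$CP_PASS" -n "$name" </dev/null
        fi
    done
}

# Constructed sample: three listed policies, one on the keep list, one never exported.
demo() {
    d=$(mktemp -d)
    echo backup > "$d/policy1.pol"; echo backup > "$d/Standard.pol"
    echo Standard > "$d/keep.txt"
    printf '%s\n' "policy collection 'policy1'" "policy collection 'policy2'" \
        "policy collection 'Standard'" |
        extract_names | plan_deletes "$d" "$d/keep.txt" | delete_planned
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

A password passed with -p is visible in the process list and shell history while the loop runs; the cp_merge usage below also lists -c <certificate file> as an alternative to -u and -p.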

Details for cp_merge:

[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.

Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]

cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]

cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v

cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>]  [-a export | import_new | import_override | import_append ] [-k security | nat | all ]

Run cp_merge -help for detailed usage

-s <server>            specify database server IP / name
-c <certificate file>  path to certificate file
-u <user>              database administrator user name
-p <password>          user's password
-d <directory>         specify working directory
-help                  print this summary

Objects Merge options:
-t                                      test mode - does not save

Policy Export options:
-n <package name>      policy package to export
-l <policy name>       export policy package which <policy name> belongs to.
-r                     remove the original policy from the repository
-f <file name>         specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)

Policy Import options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing

Policy Restore options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.

Policy Delete options:
-n <policy name>       policy to delete

Delimited Policy Import/Export options:
-a export                 export policy
   import_new             import a new policy
   import_override        imported policy will replace current
   import_append          imported policy's rules will be appended to current
-l <policy name>          policy to export to/from
-f <file name>            file to export to/from
-k security | nat | all   types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.