How to reset SIC without restarting Check Point GW

Resetting SIC the normal way automatically restarts the Check Point services (cpstop; cpstart), which in some environments requires a maintenance window.

In addition, after the SIC reset the Security Gateway loads the ‘InitialPolicy’, which in some cases requires console access to the Security Gateway.

Note: This procedure is not supported on SMB appliances. On SMB, the SIC-related process (CPD) is integrated into the FW process, so it cannot be restarted separately.

On the Security Gateway (not 61000), run these commands:

  1. [Expert@HostName]# cp_conf sic init New_Activation_Key norestart

  2. [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"

  3. [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

In 61k Security Gateway Mode:

  1. [Expert@HostName]# g_all cp_conf sic init New_Activation_Key norestart

  2. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"'

  3. [Expert@HostName]# gexec -f -b all -c 'cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"'

In SmartDashboard:

  1. Click on the Security Gateway object.
  2. Click on ‘Communication’.
  3. Click ‘Reset’ and confirm.
  4. Enter the New_Activation_Key (the one used in the ‘cp_conf sic init ...’ command on the Security Gateway).
  5. Click on ‘Initialize‘.
  6. Install policy, if needed.

HOWTO: Change Postfix configuration for Threat Emulation MTA

Non-Delivery Configuration:

  1. Connect to command line on Security Gateway (over SSH, or console).
  2. Log in to Expert mode.
  3. Back up the /opt/postfix/etc/postfix/main.cf file:
     [Expert@HostName]# cp /opt/postfix/etc/postfix/main.cf /opt/postfix/etc/postfix/main.cf_ORG
  4. Edit the /opt/postfix/etc/postfix/main.cf file:
     [Expert@HostName]# vi /opt/postfix/etc/postfix/main.cf
  5. Add the desired parameters, for example:
     notify_classes = bounce, resource, software
     Refer to the official Postfix Configuration Parameters page.
  6. Save the changes in the file and exit from Vi editor.
  7. In SmartDashboard, install the Threat Prevention policy.

Check Point Firewall – Connection Table Analysis

# fw tab -t connections -u > /var/log/connstat_Connections_Table.txt

C:\Users\Windows7\Desktop>connStat.exe -help

Usage: connStat -f [-a|-c|-s|-r|-l|-p|-d|-n ]
   -a Show all flags
   -c Connection state info
   -s Top X Services used
   -r Top X Rule used
   -l Top X Least Used Rules
   -d Top Clients and Servers
   -i Interfaces connection directions
   -p Top Protocols
   -n Specify X

C:\Users\Windows7\Desktop>connStat.exe -f connstat_Connections_Table.txt -a
Total Number of connections: 2058
============================
Started:        271
Established:    951
Closed:         186
Half Closed:    650

Top 10 Services:
================
Service: 443    Hits: 1101 Rules: 19,4
Service: 80     Hits: 439 Rules: 19,4
Service: 53     Hits: 253 Rules: 17,4,18
Service: 8014   Hits: 105 Rules: 5,12
Service: 5228   Hits: 57 Rules: 19
Service: 25     Hits: 24 Rules: 4,0
Service: 49154  Hits: 12 Rules: 4,12
Service: 3389   Hits: 10 Rules: 5,12
Service: 18192  Hits: 9 Rules: 0
Service: 5223   Hits: 7 Rules: 19

Top 10 Rules:
=============
Rule: 19        Hits: 1573       --this rule should be moved higher--
Rule: 17        Hits: 148
Rule: 04        Hits: 85
Rule: 05        Hits: 74
Rule: 18        Hits: 71
Rule: 12        Hits: 60
Rule: 00        Hits: 38
Rule: 07        Hits: 3
Rule: 03        Hits: 3
Rule: 01        Hits: 3

Top 10 Least Used Rules:
========================
Rule: 01        Hits: 3
Rule: 03        Hits: 3
Rule: 07        Hits: 3
Rule: 00        Hits: 38
Rule: 12        Hits: 60
Rule: 18        Hits: 71
Rule: 05        Hits: 74
Rule: 04        Hits: 85
Rule: 17        Hits: 148
Rule: 19        Hits: 1573

Top 10 Clients:
===============
Client: x.x.x.x     Hits: 184
Client: x.x.x.x    Hits: 158
Client: x.x.x.x      Hits: 150
Client: x.x.x.x    Hits: 117
Client: x.x.x.x    Hits: 99
Client: x.x.x.x    Hits: 89
Client: x.x.x.x    Hits: 82
Client: x.x.x.x    Hits: 68
Client: x.x.x.x     Hits: 66
Client: x.x.x.x    Hits: 63

Top 10 Servers:
===============
Server: x.x.x.x   Hits: 179
Server: x.x.x.x     Hits: 105
Server: x.x.x.x  Hits: 89
Server: x.x.x.x      Hits: 44
Server: x.x.x.x   Hits: 40
Server: x.x.x.x   Hits: 38
Server: x.x.x.x   Hits: 28
Server: x.x.x.x    Hits: 24
Server: x.x.x.x  Hits: 23
Server: x.x.x.x      Hits: 23

Interface Directions (fw ctl if list):
======================================
IF direction: in 06,06 -> out 01,01     Hits: 836
IF direction: in 02,02 -> out 05,05     Hits: 792
IF direction: in 02,02 -> out 05,01     Hits: 176
IF direction: in 01,01 -> out 06,06     Hits: 77
IF direction: in 04,04 -> out 06,06     Hits: 50
IF direction: in 00,00 -> out 01,01     Hits: 36
IF direction: in 00,00 -> out 06,06     Hits: 34
IF direction: in 01,01 -> out 00,00     Hits: 23
IF direction: in 06,06 -> out 04,04     Hits: 16
IF direction: in 06,00 -> out 00,01     Hits: 7

Top Protocols:
==============
Protocol: tcp   Hits: 1793
Protocol: udp   Hits: 265
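The connStat report above is built from the text dump written by `fw tab -t connections -u`. As an added example (not the connStat tool and not Check Point code), the Python below parses the key part of such lines (direction, source IP and port, destination IP and port, IP protocol, all hex) from a constructed sample and builds the same kind of top-N counts for services, protocols, clients and servers; skipping entries with a non-zero direction field to avoid double counting is an assumption stated in the code, and the value fields after the semicolon are not decoded.

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample of `fw tab -t connections -u` output (not a real capture).
# Key fields before ';' are direction, src IP, src port, dst IP, dst port and
# IP protocol, all hex; the value fields after ';' are left undecoded here.
SAMPLE = """
<00000000, c0a80164, 0000c1e7, 0a000005, 000001bb, 00000006; 00010001, 00000000; 3592/3600>
<00000000, c0a80164, 0000c1e8, 0a000005, 000001bb, 00000006; 00010001, 00000000; 3590/3600>
<00000001, 0a000005, 000001bb, c0a80164, 0000c1e7, 00000006; 00010001, 00000000; 3592/3600>
<00000000, c0a80165, 0000d3e0, 0a000001, 00000035, 00000011; 00010001, 00000000; 40/40>
<00000000, c0a80166, 0000d3e1, 0a000001, 00000035, 00000011; 00010001, 00000000; 38/40>
<00000000, c0a80164, 0000d3e2, 0a000007, 00000050, 00000006; 00010001, 00000000; 3599/3600>
"""

KEY_RE = re.compile(r"^<([0-9a-f]{8}(?:,\s*[0-9a-f]{8}){5});", re.IGNORECASE)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_connections(text):
    """Return one record per original-direction entry.

    Assumption: a non-zero direction field marks the reverse-direction link
    entry of the same connection, so those are skipped to avoid double counting.
    """
    records = []
    for line in text.splitlines():
        match = KEY_RE.match(line.strip())
        if not match:
            continue  # blank, header or malformed line
        direction, src, sport, dst, dport, proto = (
            int(field, 16) for field in re.split(r",\s*", match.group(1)))
        if direction != 0:
            continue
        records.append({
            "src": socket.inet_ntoa(struct.pack("!I", src)), "sport": sport,
            "dst": socket.inet_ntoa(struct.pack("!I", dst)), "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto))})
    return records

def summarize(records, top=10):
    """Top-N counters comparable to the connStat report sections."""
    return {
        "total": len(records),
        "services": Counter(f"{r['dport']}/{r['proto']}" for r in records).most_common(top),
        "protocols": Counter(r["proto"] for r in records).most_common(top),
        "clients": Counter(r["src"] for r in records).most_common(top),
        "servers": Counter(r["dst"] for r in records).most_common(top)}
```

Feed it the file produced by the `fw tab` command above (`summarize(parse_connections(open(path).read()))`) to get a quick view without the Windows tool.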

HOWTO: Check Point upgrade R77.x to R80.10

Pre-R80 Management Server Migration Tool – sk108623 (Download)

Target Version and Products:

[Expert@HostName:0]# ./pre_upgrade_verifier --help

This is Check Point Pre-Upgrade Verifier for version R80.

Usage: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -t TargetVersion [-u | -a][-f FileName] [-w]
   Or: pre_upgrade_verifier -p SecurityManagementPath -c CurrentVersion -i [-f FileName] [-w]
        -p Path of the installed Security Management Server (FWDIR).
        -c Currently installed version.
        -t Target version.
        -i Check originality of Inspect files only.
        -u Perform plug-in related checks.
        -a Skip main train version checks, perform plug-in related checks only.
        -f Output in file.
        -w Web format file.

where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)

where the Target version is one of the following:
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)
R80 (aliases: R80_R80, 6.0.4.8)

Analyze the current configuration:
# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80

[Expert@HostName:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80


================================
Action items before upgrade:
================================


Warnings: It is recommended to resolve the following problems.
==============================================================


Title: Application Control deprecated categories
-----
* Description: Rulebase contains Application Control categories or group of categories that were deprecated.
For deprecated categories list and recommended substitutes please refer to sk106783.


To resolve the problem, fix the following categories:

The category: "Social Plugins" in rule Num. 12 of "PoC-Standard" policy is deprecated
The category: "Tunnels" in PoC_Block_APP group is deprecated
The category: "Facebook File Sharing" in PoC_Block_APP group is deprecated
The category: "Torrent Trackers" in PoC_Block_APP group is deprecated, it is recommended to replace it with "P2P File Sharing"
The category: "MySpace Games" in PoC_Block_APP group is deprecated



Pre-upgrade verification report can also be found in /opt/CPsuite-R77/fw1/log in the following formats:
pre_upgrade_verification_report.html
pre_upgrade_verification_report.xsl
pre_upgrade_verification_report.txt (text file)
[Expert@HostName:0]# ./pre_upgrade_verifier -p $FWDIR -c R77 -t R80
No errors found by the Pre Upgrade Verifier.
[Expert@HostName:0]# ./migrate export PoC-pre-R80.tgz


You are required to close all clients to Security Management Server
or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y


Copying required files...
Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/pre_upgrade_r80/PoC-pre-R80.tgz

Check Point CheckMates

“Load on Module failed – not enough disc space” error

Policy installation / fetch fails on Centrally Managed

The fix is included since:

As an immediate workaround, manually delete the temporary policy files on the SMB Appliance:

  1. Connect to the command line on SMB Appliance.
  2. Log in to Expert mode.
  3. Delete the temporary policy files:
     # rm $FWDIR/state/__tmp/FW1/*
  4. To increase the size of the partition on-the-fly:
     [Expert@HostName]# mount tmpfs /fwtmp -t tmpfs -o size=250m,remount
  5. Install the policy again.

To increase the size of the partition permanently:

  1. Back up the current start-up script /pfrm2.0/etc/userScript:
     [Expert@HostName]# cp /pfrm2.0/etc/userScript /pfrm2.0/etc/userScript_ORG
     Note: The userScript file does not exist by default. It should be created.
  2. Edit the current start-up script /pfrm2.0/etc/userScript:
     [Expert@HostName]# vi /pfrm2.0/etc/userScript
  3. Add the following command in this script:
     mount tmpfs /fwtmp -t tmpfs -o size=250m,remount
  4. Save the changes and exit from Vi editor.
  5. Reboot the appliance.

HOWTO: Debug Policy Verification

Solution
Follow these steps:

  1. Connect to command line on Security Management Server / Multi-Domain Security Management Server.
  2. Log in to Expert mode.
  3. On Multi-Domain Security Management Server, switch to the context of the relevant Domain Management Server:
     [Expert@HostName:0]# mdsenv
  4. Start the debug of FWM daemon:
     [Expert@HostName:0]# fw debug fwm on TDERROR_ALL_ALL=5
     [Expert@HostName:0]# fw debug fwm on OPSEC_DEBUG_LEVEL=3
  5. Verify the policy under debug:
     Security Policy:          fwm -d verify $FWDIR/conf/.W 1>> /var/log/Security_Policy_Verification_debug.txt 2>> /var/log/Security_Policy_Verification_debug.txt
     Threat Prevention Policy: fwm -d verify -p threatprevention $FWDIR/conf/.W 1>> /var/log/Threat_Prevention_Policy_Verification_debug.txt 2>> /var/log/Threat_Prevention_Policy_Verification_debug.txt
     Desktop Policy:           fwm -d verify $FWDIR/conf/.S 1>> /var/log/Desktop_Policy_Verification_debug.txt 2>> /var/log/Desktop_Policy_Verification_debug.txt
     QoS Policy:               fgate -d verify $FWDIR/conf/.F 1>> /var/log/QoS_Policy_Verification_debug.txt 2>> /var/log/QoS_Policy_Verification_debug.txt
     Note: – is the name of the involved policy package, as it appears in SmartDashboard R7x / SmartConsole R8x.
  6. Take all the relevant outputs / screenshots.
  7. Stop the debug of FWM daemon:
     [Expert@HostName:0]# fw debug fwm off TDERROR_ALL_ALL=0
     [Expert@HostName:0]# fw debug fwm off OPSEC_DEBUG_LEVEL=0

How to send Check Point Tracker Logs to External Syslog Server

To start forwarding immediately, run the following command. Please note this is a single-line command, so enter it accordingly (if required, just type it manually):

[Expert@HostName]# fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

To make this permanent, first back up the cpboot script:

[Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot.ORG

Edit the cpboot file:

[Expert@HostName]# vi /etc/rc.d/init.d/cpboot

Add the following line at the end:

fw log -f -t -n -l 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

Next, in Gaia clish, point syslog at the external server and save the configuration:

add syslog log-remote-address x.x.x.x level info
save config