Friday, March 18, 2022

CPRID_UTIL

If you have access to the Checkpoint smartcenter you have a powerful command to manage your firewalls.

This command is cprid_util and it uses the SIC channel established between the management and the remote firewalls, so whoever has Expert access on the management can run commands on every managed gateway.

What you can do with this command is limited only by your imagination.

I am adding some commands I have collected so far, but of course this is not exhaustive.

I found this command while looking at the script /opt/CPsuite-R77/fw1/bin/licenseDataCollector.sh from Checkpoint.

This command checks if you have access to a remote system:

variable remoteServerIpAddr : firewall IP address


# test access
#
# (fragment from inside a function of licenseDataCollector.sh, hence the "return")
cprid_util -server $remoteServerIpAddr getarch &> /dev/null
if [ $? -ne 0 ]; then
   echo ${scriptName}: Cannot communicate with server $remoteServerIpAddr 1>&2
   # return an error value
   return 1
fi


Example:

[Expert@srfacpmgnt1:0]#  cprid_util -server 10.39.35.10 getarch
gaia


You can send a script to the remote firewall to be executed locally.


variables

 remoteServerIpAddr : firewall IP address

 scriptNameFullPath : full script path

 scriptName         : filename on remote server


# copy the command
#
cprid_util -server $remoteServerIpAddr putfile -local_file $scriptNameFullPath -remote_file /tmp/remote-command-$scriptName.$$ -perms 755
if [ $? -ne 0 ]; then
   echo ${scriptName}: Cannot copy script to server $remoteServerIpAddr 1>&2
   # return an error value
   return 1
fi


### some examples

cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/bin/df -h"

Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
                       32G   10G   20G  34% /
/dev/md0              145M   99M   39M  73% /boot
tmpfs                  32G     0   32G   0% /dev/shm
/dev/mapper/vg_splat-lv_log
                      146G   17G  122G  12% /var/log

## reboot machine

cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/sbin/shutdown -r 0"


What if you need to create a user on a remote firewall?

Easy:

### remote create user on gateway

1. create a file with clish commands, newuser.sh

add user myuser uid 0 homedir /home/myuser
add rba user myuser roles adminRole
set user myuser gid 0 shell /bin/bash
set user myuser realname myuser
set user myuser password-hash $1$i7VPfjkjug%fkPP00ddddsY7RVAG/K.
save config

2. copy the file to the gateway

cprid_util -server $remoteServerIpAddr putfile -local_file newuser.sh -remote_file /tmp/newuser.sh -perms 755

3. execute the command

cprid_util -verbose -server $remoteServerIpAddr rexec -rcmd clish -f /tmp/newuser.sh
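The three steps above (reachability check, putfile, rexec) combined into one shell function, as an added example that is not from the original post or from Check Point; it also deletes the pushed script from the gateway afterwards, which the manual steps leave behind. The function name and the /tmp naming are assumptions; the cprid_util subcommands are used exactly as shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): run a local script on a
# gateway through cprid_util, the same way the post does it by hand.
# run_on_gateway and the /tmp naming are assumptions; the cprid_util
# invocations (getarch, putfile, rexec) are the ones shown in the post.
#
# Usage: run_on_gateway <gateway-ip> <local-script> [args...]
run_on_gateway() {
    gw="$1"; script="$2"; shift 2
    [ -r "$script" ] || { echo "run_on_gateway: cannot read $script" >&2; return 2; }

    # 1. Reachability over SIC, the same check licenseDataCollector.sh uses.
    if ! cprid_util -server "$gw" getarch >/dev/null 2>&1; then
        echo "run_on_gateway: cannot communicate with $gw" >&2
        return 1
    fi

    # 2. Push the script; $$ keeps concurrent runs from colliding in /tmp.
    remote="/tmp/remote-command-$(basename "$script").$$"
    if ! cprid_util -server "$gw" putfile -local_file "$script" \
            -remote_file "$remote" -perms 755; then
        echo "run_on_gateway: cannot copy $script to $gw" >&2
        return 1
    fi

    # 3. Run it with any extra arguments, then delete it so no stale
    #    script is left on the gateway (the manual steps leave it in /tmp).
    cprid_util -server "$gw" rexec -rcmd "$remote" "$@"
    rc=$?
    cprid_util -server "$gw" rexec -rcmd rm -f "$remote" >/dev/null 2>&1
    return "$rc"
}
```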

Thursday, November 25, 2021

CHECKPOINT - NEW SMARTCENTER UPGRADE (FROM R80.20 ONWARDS)

Checkpoint has introduced a new mechanism to export the smartcenter database (replacing the old migrate_export tool).

The script is in the $MDS_FWDIR/scripts directory and is called migrate_server.

See sk135172 for a complete reference.

Here is a brief list of commands to verify upgrade feasibility, export and import.

First you may want to check that you have the script (in later versions it is there by default).

Run in the Expert mode:

cpprod_util CPPROD_GetValue CPupgrade-tools-<Version> BuildNumber 1

<Version> is the target version, to which you upgrade. One of these: R80.20, R80.20.M2, R80.30, R80.40, R81, R81.10

Example:
cpprod_util CPPROD_GetValue CPupgrade-tools-R80.40 BuildNumber 1

VERIFY
  • The Verify command should be:

    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v <Target Version>

    <Target Version> is the target version, to which you upgrade. One of these: R80.20, R80.20.M2, R80.30, R80.40, R81, R81.10

    Example:
    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server verify -skip_upgrade_tools_check -v R80.40

EXPORT
  • The Export command should be:

    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v <Target Version> <Path and Name of the Export TGZ file>

    Example:
    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server export -skip_upgrade_tools_check -v R80.40 /var/log/Export_for_Upgrade_from_R8020_to_R8040.tgz

IMPORT
  • The Import command should be:

    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server import -skip_upgrade_tools_check -v <Target Version> <Path and Name of the Exported TGZ file>

    Example:
    [Expert@HostName:0]# $MDS_FWDIR/scripts/migrate_server import -skip_upgrade_tools_check -v R80.40 /var/log/Export_for_Upgrade_from_R8020_to_R8040.tgz

Monday, November 22, 2021

 CHECKPOINT - CPUSE install latest agent version    

Here is a procedure to manually upgrade the CPUSE agent.

First check the agent build:

  • Connect to the command line on the Gaia machine.
  • Log in to Expert mode.
  • Run this command:

    [Expert@HostName:0]# cpvinfo $DADIR/bin/DAService | grep -E " Build|Minor "

Example output:

Build Number = 1523
Minor Release = knockout_ms1_ga


Then we need to download the latest DeploymentAgent_<build>.tgz package to the machine (see sk92449):

  • Transfer the CPUSE Agent package (DeploymentAgent_<build>.tgz) to the machine (into some directory, e.g. /some_path_to_CPUSE/).
  • Unpack the CPUSE Agent package:

    [Expert@HostName:0]# cd /some_path_to_CPUSE/
    [Expert@HostName:0]# tar -zxvf DeploymentAgent_<build>.tgz

  • Install the CPUSE Agent RPM:

    [Expert@HostName:0]# rpm -Uhv --force CPda-00-00.i386.rpm

After these operations check the Build number again with the command above.



Monday, March 8, 2021

CHECKPOINT -- new commands in Dynamic CLISH

Since release R80.10 Dynamic CLISH was introduced to extend CLISH functionality.

With this feature some commands, available in Expert mode, are no longer available in CLISH (deprecated).

These commands are deprecated and thus unavailable:

  • cpinfo
  • cplic
  • fw ips
  • raidconfig
  • fwaccel
  • cphaprob

Here is the complete list of new commands:


Monday, January 14, 2019

Import Certificate on Windows IIS

Finally you have chosen IIS

Import your certificate in the 'awesome' Windows IIS

OK, maybe you are forced to use IIS as web server; then I would like you to know that my thoughts are with you.

So, let's see how to import your own certificate in an IIS environment.

Applications and files needed:
- OpenSSL (http://www.openssl.org/)
- Certificate (.crt) file
- Private key (.key) file

Are you ready? I hope so...

1- First of all we should create a .pfx file (certificate + private key).
2- Locate your .crt and .key files.
3- Using OpenSSL:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
where:
      - pkcs12 - utility for PKCS#12 files in OpenSSL
      - -export -out certificate.pfx - export and save the PFX file as certificate.pfx
      - -inkey privateKey.key - your private key
      - -in certificate.crt - use certificate.crt as the certificate the private key will be combined with
      - -certfile more.crt - this is optional: use it if you have any additional certificates you would like to include in the PFX file.
4- When running the above command you are asked to choose an export password for the file; please don't forget it.
5- You will see a new file, named 'certificate.pfx'.
6- Open the IIS dashboard, then in the Connections column select your server.
7- Click the Server Certificates icon in the central part of the window.

8- After opening it, right-click and choose Import from the 'Actions' menu.

9- Select your newly created 'certificate.pfx' and type in your export password.
10- Click OK.

Now, you are able to see your certificate in the list, so, you can choose it in Sites/Bindings section.
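Step 3 above as a small shell helper, added here as an example that is not from the original post or from ssl.com: before building the .pfx it checks that the private key actually belongs to the certificate (the most common reason the IIS import "succeeds" but the binding does not work), reads the export password from an environment variable instead of the command line, and counts the certificates in the resulting bundle so you can see whether -certfile was picked up. Function names and the PFX_PASS variable are assumptions; the openssl pkcs12 options are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from ssl.com): confirm a
# private key and a certificate belong together, then build the .pfx for IIS
# and count the certificates inside it. Function names are assumptions.

# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key, 1 otherwise (wrong key, unreadable file).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build the .pfx as in step 3 of the post. The export password is read from
# the PFX_PASS environment variable (-passout env:...) so it never appears on
# the command line or in shell history. Fourth argument: optional chain file
# passed to -certfile.
make_pfx() {
    key="$1"; cert="$2"; out="$3"; chain="${4:-}"
    key_matches_cert "$key" "$cert" || {
        echo "make_pfx: $key does not match $cert, refusing to export" >&2
        return 1
    }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -certfile "$chain" -passout env:PFX_PASS
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
            -passout env:PFX_PASS
    fi
}

# Number of certificates inside a .pfx: 1 means only the leaf is there and
# -certfile was not used, so IIS will serve the certificate without its chain.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

Run it as `PFX_PASS=... make_pfx privateKey.key certificate.crt certificate.pfx more.crt`; the same PFX_PASS is what IIS will ask for at import time.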


Thanks to: ssl.com


Wednesday, November 21, 2018

Checkpoint smartcenter - manage size of $FWDIR/log/postgres.elg

In the last few months I have started migrating to R80.10 software and I found an interesting issue with the PostgreSQL database on the smartcenter:
no rotation for its log file has been added to /etc/cpshell/log_rotation.conf, so the file can, over time, grow without limit until it fills up all the disk space.

Simple workaround until Checkpoint fixes it:

  • edit the /etc/cpshell/log_rotation.conf file adding this line
  • run log_start list to verify that your change is visible
  • cpstop && cpstart on the management

If the $FWDIR/log/postgres.elg file is already way too BIG, this is the fix I applied:

after cpstop, issue cat /dev/null > $FWDIR/log/postgres.elg and the file is zeroed.



Friday, September 28, 2018

Checkpoint how to clear all tables of IA

The following command clears all pdp and pep tables on a security gateway:

fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t
pdp_expired_timers -t pdp_ip -t pdp_net_reg -t pdp_net_db -t pdp_cluster_stat -t pep_pdp_db -t pep_networks_to_pdp_db -t
pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t
pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -x -y


This command causes a temporary disconnection for all traffic passing through the firewall, so use it with caution.