Extract CheckPoint rules, nodes, networks, groups

I have a Check Point R54 w/AI firewall with roughly over 2,000 nodes, 100 networks, 30 groups, and a bunch of rules. I am in the process of migrating this firewall to a different firewall product, which is not CP. How do I extract all of this into an external document (let's say a spreadsheet; anything would be helpful) so I can create a text file and just copy and paste onto the other firewall much more easily? I really don't want to write it all down by hand. Please help.


Asked:
Pentrix2
3 Solutions
 
Frabble Commented:
Use cpinfo on the management machine. Free download from
http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#cpinfo

The -o option outputs the information to a file (it will be 10 - 30 MB, containing machine info, objects and rules), e.g.
cpinfo -o hughtextfile.txt
 
Pentrix2 (Author) Commented:
This CP is on a Nokia IP350. My laptop has the SmartClient GUI and runs Windows XP. How do I complete that command so I can get it onto my laptop?
 
Frabble Commented:
I don't know about the Nokia specifically; on other platforms it's a simple case of transferring the file, executing the command and then transferring the resulting output off. Are you not able to FTP and ssh to the appliance?

As an alternative, an R55 system I've just looked at has an objects_5_0.C file in the conf directory in FWDIR. You might want to check this out on your system.
 
Pentrix2 (Author) Commented:
I am able to ssh onto the Nokia appliance and should have no problem completing that command. Once completed, how would I transfer this file to my Windows XP laptop?
 
Frabble Commented:
You should be able to FTP the file to your laptop.
Either enable the FTP server on the Nokia (it appears this is an option using Network Voyager) and use the Windows FTP client, or
install an FTP server on your laptop and use the ftp client on the Nokia. ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip is a freeware FTP/TFTP/SYSLOG application.
 
Pentrix2 (Author) Commented:
Thanks Frabble. Will give it a try and let you know the results.

Pentrix2
 
imreble1 Commented:
This is a scary migration you are performing here, Pentrix. Unfortunately there is no easy way to do this no matter what Check Point product you're coming from. The objects_5_0.C file does not contain the rulebases in an easily readable format; it actually contains the objects, hence the name of the file. The file that contains the rulebase is rulebases_5_0.fws, but unfortunately this will not help you out either. I would definitely recommend you get consulting time. You're about to dig a hole that may be hard to get out of. The closest thing to what you're wanting would be a tool called the Web Visualization Tool.

The Web Visualization Tool allows export of the Security Policy and objects in the objects database in a readable format. This exported information represents a snapshot of the database. The Security Policy can be exported in HTML or XML formats.
If you would like, I have the PDF for this and also the utility and how to install it. I would be willing to elaborate on it more if you would like.

~DC
fishnetsecurity.com
 
Pentrix2 (Author) Commented:
I definitely agree. Without testing I'm skeptical about attempting anything.

I did use the Web Visualization Tool on a Windows 2000 Server platform running Check Point in the test environment and it worked. I installed this tool on the firewall itself, but the problem I'm having with this tool is that my production firewall is on a Nokia appliance and of course I'm managing it through my laptop (Windows XP Professional). I downloaded the Nokia IP tool from checkpoint.com, but how do I use this so I can get the same results as in my test environment? I currently don't have a test Nokia Check Point environment or else I would have tried the web tool.

Please help.

Pentrix2
 
imreble1 Commented:
What firewall are you migrating to?
 
Pentrix2 (Author) Commented:
Juniper NetScreen 204s.
 
imreble1 Commented:
Well, I spoke with the engineer next to me, who is also a CCSE plus a JNCIA-FWV, and from what we debated I do not think it is going to be easily done. There are too many factors in Check Point (node, IP, NAT (hide, static), topology, etc.) for a program to systematically take your objects or even rulebases and import them into Juniper's environment. Everything is going to have to be done manually. I know we had an engineer perform this for a semi-big company doing the same thing you are doing; he went down the rulebase and manually entered it, but paying $175/hr was not cheap by any means. The Web Visualization Tool is mainly used for auditing. It probably wouldn't be of any help. You can just load Dashboard up and get the same thing; the difference is that with Web Viz you cannot edit. We have a Fortune 500 company that was splitting apart into two different companies. One was running a Provider-1 environment and the other was running a distributed R55 environment. The guy running R55 was giving up a couple hundred nodes and a couple of policy packages to the P1 environment. There is a utility Check Point uses called cpmerge to do this type of operation, but lo and behold, it will not work in a P1 environment. So don't feel too bad: Check Point has a utility out there that is "supposed" to perform the operation you are trying to do with their own software and it still doesn't work... That's Check Point for ya!! If you have any other questions please feel free to ask.

~DC
 
imreble1 Commented:
BTW,
the way our engineer performed this was to set up the Juniper in a test environment, dual-screened over to the Check Point Dashboard, and start typing away. About 60+ hours later he was done.

GL

~DC
 
Pentrix2 (Author) Commented:
Thanks imreble1. I'd rather be safe and not take any risk, even if it means taking 10 times longer. I learned in my career that when there are risks, things will fail and you actually work harder and longer hours than if you had just taken the time to do it with the lowest amount of risk. Thank you very much for your help; I definitely will be doing it manually.

Pentrix2
 
mbelmont Commented:
Try fwdoc by Volker Tanger, located at www.wyae.de/fwdoc
