Solved

Extract CheckPoint rules, nodes, networks, groups

Posted on 2006-07-09
14
6,799 Views
Last Modified: 2013-11-16
I have a Check Point R54 w/AI firewall with roughly over 2,000 nodes, 100 networks, 30 groups, and a bunch of rules. I am in the process of migrating this firewall to a different firewall product, which is not CP. How do I extract all this onto an external document (let's say a spreadsheet or anything would be helpful) so I can create a text file and just copy and paste onto the other firewall much more easily? I really don't want to write it all down by hand. Please help.


Pentrix2
14 Comments
 
LVL 15

Assisted Solution

by:Frabble
Frabble earned 100 total points
ID: 17068539
Use cpinfo on the management machine. Free download from
http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#cpinfo

The -o option outputs information to a file (will be 10 - 30 MB, containing machine info, objects and rules), e.g.
cpinfo -o hughtextfile.txt
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 17068631
This CP is on a Nokia IP350. My laptop has the SmartClient GUI, which is on Windows XP. How do I complete that command so I can get it on my laptop?
0
 
LVL 15

Assisted Solution

by:Frabble
Frabble earned 100 total points
ID: 17069106
I don't know about the Nokia specifically; on other platforms it's a simple case of transferring the file, executing the command and then transferring the resulting output off. Are you not able to FTP and ssh to the appliance?

As an alternative, an R55 system I've just looked at has an objects_5_0.C file in the conf directory in FWDIR. You might want to check this out on your system.
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 17069487
I am able to ssh onto the Nokia appliance and should have no problem completing that command. Once completed, how would I transfer this file to my Windows XP laptop?
0
 
LVL 15

Expert Comment

by:Frabble
ID: 17070949
You should be able to FTP the file to your laptop.
Either enable the FTP server on the Nokia (it appears this is an option using Network Voyager) and use the Windows FTP client, or
install an FTP server on your laptop and use the ftp client on the Nokia. ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip is a freeware FTP/TFTP/SYSLOG application.
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 17086748
Thanks Frabble. Will give it a try and let you know the results.

Pentrix2
0
 
LVL 4

Expert Comment

by:imreble1
ID: 17087081
This is a scary migration you are performing here Pentrix. Unfortunately there is no easy way to do this no matter what Check Point product you're coming from. The objects5_0.C file does not contain the rulebases in an easily readable format; it actually contains the objects, hence the name of the file. The file that contains the rulebase is rulebases_5_0.fws, but unfortunately this will not help you out either. I would definitely recommend consulting time. You're about to dig a hole that may be hard to get out of. The closest thing to what you're wanting would be a tool called the Web Visualization Tool.

The Web Visualization Tool allows export of the Security Policy and objects in the objects database in a readable format. This exported information represents a snapshot of the database. The Security Policy can be exported in HTML or XML formats.
If you would like, I have the PDF for this and also the utility and how to install it. I would be willing to elaborate on it more if you would like.

~DC
fishnetsecurity.com
0
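A parser for the nested-parenthesis layout of objects_5_0.C discussed above, flattening the objects table into spreadsheet rows (an added example, not code from this thread or from Check Point; the sample file content is constructed, and the layout of hosts, networks and groups under :network_objects is an assumption):

```python
import csv, io, re

# Constructed sample in the nested-parenthesis layout of objects_5_0.C (assumed:
# each object sits under :network_objects as ": (name :key (value) ...)").
SAMPLE = """(:network_objects (network_objects
    : (web-srv :AdminInfo (:chkpf_uid ("{PLACEHOLDER-UID}")) :ipaddr (10.1.1.5) :type (host))
    : (dmz-net :ipaddr (10.2.0.0) :netmask (255.255.0.0) :type (network))
    : (servers :type (group) :members (
        : (ReferenceObject :Name (web-srv) :Table (network_objects))
        : (ReferenceObject :Name (dmz-net) :Table (network_objects))))))"""

TOKEN_RE = re.compile(r'\(|\)|:[A-Za-z0-9_]*|"[^"]*"|[^\s()"]+')  # ( ) :key "str" atom

def parse(tokens, i=0):
    """Parse the node at tokens[i] -> ((name, fields), next_index)."""
    if tokens[i] != '(':                       # bare scalar, not a '(...)' node
        return (tokens[i].strip('"'), []), i + 1
    i, name, fields = i + 1, None, []
    while tokens[i] != ')':
        tok = tokens[i]
        if tok.startswith(':'):                # ":key" followed by its value; keys
            sub, i = parse(tokens, i + 1)      # may repeat (": ("), so keep a list
            fields.append((tok[1:], sub))
        else:                                  # leading atom names the node
            name, i = tok.strip('"'), i + 1
    return (name, fields), i + 1

def child(node, key):
    return next((c for k, c in node[1] if k == key), None)   # first sub-node under key

def field(node, key):
    c = child(node, key)                       # scalar value under key, '' if absent
    return (c[0] or '') if c else ''

def extract_objects(text):
    """Flatten :network_objects into (name, type, ipaddr, netmask, members) rows."""
    root, _ = parse(TOKEN_RE.findall(text))
    table = child(root, 'network_objects')
    rows = []
    for _, obj in (table[1] if table else []):
        grp = child(obj, 'members')            # group members are ReferenceObjects
        members = [field(ref, 'Name') for _, ref in grp[1]] if grp else []
        rows.append((obj[0], field(obj, 'type'), field(obj, 'ipaddr'),
                     field(obj, 'netmask'), ';'.join(members)))
    return rows

def to_csv(rows):
    """Spreadsheet-ready CSV text with a header row."""
    buf = io.StringIO()
    csv.writer(buf).writerows([('name', 'type', 'ipaddr', 'netmask', 'members'), *rows])
    return buf.getvalue()
```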
 
LVL 9

Author Comment

by:Pentrix2
ID: 17087158
I definitely agree. Without testing I'm skeptical about attempting anything.

I did do the web visualization tool on a Windows 2000 server platform having Check Point in the test environment and it worked. I installed this tool on the firewall itself, but the problem I'm having with this tool is my production firewall is on a Nokia appliance and of course I'm managing it through my laptop, Windows XP Prof. I downloaded the Nokia IP tool from checkpoint.com, but how do I use this so I can get the same results as in my test environment? I currently don't have a test Nokia Check Point environment or else I would have tried the web tool.

Please help.

Pentrix2
0
 
LVL 4

Expert Comment

by:imreble1
ID: 17087267
What firewall are you migrating to?
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 17089046
Juniper Netscreen 204s.
0
 
LVL 4

Accepted Solution

by:
imreble1 earned 400 total points
ID: 17095699
Well I spoke with the engineer next to me that is also a CCSE plus a JNCIA-FWV and from what we debated on I do not think it is going to be easily done. There are too many factors in Check Point (node, IP, NAT (hide, static), topology, etc., etc.) for a program to systematically take your objects and/or even rulebases and import them into Juniper's environment. Everything is going to have to be done manually. I know we had an engineer perform this for a semi-big company doing the same thing you are doing; he went down the rulebase and manually entered it, but paying $175/hr was not cheap by any means. The web visualization is mainly used for auditing. It probably wouldn't be of any help. You can just load Dashboard up and get the same difference, just with web viz. you cannot edit. We have a Fortune 500 company that was splitting apart into two different companies. One was running a Provider-1 environment and the other was running a distributed R55 environment. The guy running R55 was giving up a couple hundred nodes and a couple policy packages to the P1 environment; there is a utility Check Point uses called cpmerge to do this type of operation, but lo and behold it will not work in a P1 environment. So don't feel too bad, Check Point has a utility out there that is "supposed" to perform the operation you are trying to do with their own software and it still doesn't work... That's Check Point for ya!! If you have any other questions please feel free to ask.

~DC
0
 
LVL 4

Expert Comment

by:imreble1
ID: 17095706
BTW,
The way our engineer performed this was to set up the Juniper in a test environment, dual-screened over to the Check Point Dashboard, and started typing away. About 60+ hours later he was done..

GL


~DC
0
 
LVL 9

Author Comment

by:Pentrix2
ID: 17096062
Thanks imreble1. I'd rather be safe and not take any risk even if it means taking 10 times longer. I learned in my career that when there are risks, things will fail and you actually work harder and longer hours than just taking the time to do it with the lowest amount of risk. Thank you very much for your help and I definitely will be doing it manually.


Pentrix2
0
 

Expert Comment

by:mbelmont
ID: 22170993
Try fwdoc by Volker Tanger, located at www.wyae.de/fwdoc
0