Need to know more about web visualization tool of Checkpoint


 We have a mix of Checkpoint R75 and R77 in our environment and we want a quick way to retrieve objects from our Management server and we saw this web visualization tool:

I plan to use the windows version of the tools and I am just curious about
1. Does the tool actually WRITE something on the Management Server or it is just purely reading the objects database?
2. Where is most of the processing of the database extraction happening?  on the Checkpoint server or my windows machine where the xml and html files are being collected?
3. In your experience, is this safe to run at regular intervals?  (maybe once a day or so, in a script we need to plan)....
4. Any experience where running the script causes adverse impact on the management server?  Our rule base is only a few hundred lines long and all our objects conbined should be less than 1,000.

Thanks and regards,
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
1. That is supposed to be (and often since webviz as alternative compared to the more powerful dbedit or its GUI version - GuiDBedit that indeed has Write functionality) the case but there is no evidence at least in public sharing on this, but may want to consider a restricted account for login to the mgmt port to run this tool and not access by external party including auditor etc. They received the html report separately from your company. There is a tool named sandboxie that can "sandbox" the targeted appl but not tested with webviz though.

You did not see the snapshot advised by Checkpoint using webviz compared to the other two tools mentioned that advice to back up your system on SecurePlatform before usage.

2. We can take ref the CLI field e.g.
[-t table_names] (optional)  If this parameter is not specified, all the default tables (including Policies, Network Objects, Services, Users and Communities) will be exported.
Everything output from the tool is on the machine installed and not inside the checkpoint device at all. In fact, the Webviz does not need to be installed on a specific machine or in a specific location. Rather, it can be installed on any machine in any directory. As long it has reached to the mgmt port of the appliance and with admin credential provided, it should be able to perform the export.

3. As it is running a "high" privileged task using privileged account and the output is really comprehensive to see and understand the security policies, the machine installed need to be managed closely if you are running the script. I do not suggest leaving unattended and even run in schedule means. The intend is not like reporting tool and is definitely should be one off for sake of producing the as-is evidence requested.

Otherwise the use case objective to monitor the health and changes should be via controlled and managed environment and other tools like Firemon or Algosec which is available for such purpose but needed budgeting. You need to make a risk assessment on that, even then scheduling it also required monitor such that the machine installed does not inadvertently overrides or cause full disk into the machine...the latter should not be connected to any other network at the same time (bridging) unless necessary...

4. Not that I know of for one time but for the security policy db that is huge it may take a while but still not an issue. The output.html file will still be generated in few min (hard to estimate) after you run this command from there you can do what ever you want. It is just passive read and will not degrade the performance of firewall.

However as good practice, do plan non-peak (or not so busy days like first day when everyone is back at work etc) period for such tasks. By the way, whether it is in your mgmt machine, as mentioned in (1), it can be any machine if really still on paranoid side, you may want to install it in another separate one but need to open access for this only machine (on top of your dedicated mgmt machine to appliance). There is option that allow it and most time ppl installed in mgmt machine is to reuse existing connection already and expose less connected machine to the mgmt lan.
[-s management_server] represents the name or IP address of the Security Management Server (if Web Visualization Tool is installed on the Security Management Server itself, you can use the IP address of the Loopback interface On Provider-1/Multi-Domain Security Server, this is the Virtual IP address of the relevant CMA/Domain Management Server.
By the way there is a CPUG froum on the Webviz that may have more experience doing it far, did not hear much from that though...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rleyba828Author Commented:
Excellent feedback.  thanks very much.
rleyba828Author Commented:
Excellent feedback.  thanks very much.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.