Latest update: 2.01

Released on 26/10/2009, this version is only a minor update to fix some issues with 2.00.

NGX Support added to CPRules version 2.00!!!

Note: This will probably be the last version to be released. Check Point is making progress with their Web Visualisation tool, although I have not seen the results of this tool. Please let me know how this compares to CPRules, so the future of CPRules can be reconsidered.

Thanks,
Peter-Paul Worm

General

As the management of a FW is a security-sensitive subject, one cannot allow others to access the management servers, 'others' being non-administrators of the firewall, such as internal or external customers. In many cases it is even prohibited by the security policy of your company, and sometimes the management LAN is even physically disconnected!

However, in many cases it is very convenient to have a copy of the configuration available for viewing by a select group of 'others'. This can be for a helpdesk for troubleshooting purposes (so they do not need to call you every five minutes), for a customer demanding insight into their FW configuration, or just for backup purposes.

On the other hand, it's not wise to leave this kind of configuration lying around for everybody to see (your auditors would have a field day). So you might not want everything to be published, but only a subset of the configuration (e.g. only the FW rulebase itself). Such a subset would still enable the customer (either internal or external) to request meaningful changes without having to bother the administrators first.

To be able to do all this, we need a tool to convert the Check Point files to a readable format. This tool needs to be configurable, so that administrators can define what to publish and how. CPRULES is designed to accommodate just that wish.

Searching the internet, the only tool available to convert Check Point configurations was a Perl script called FW1RULES, written and maintained by Volker Tanger <volker.tanger@wyae.de>. Admittedly this program has served very well and is widely used. It was originally written to cope with Check Point FW-1 version 4.1 code and has later been adapted to support NG configurations as well.


The code of FW1RULES badly needed a rewrite due to the additions and changes made in the past. Furthermore, the Check Point data was not easily accessible, making it hard to make changes or add features. That is basically where CPRULES has taken off.


Requirements


CPRules has been developed in Perl. That means Perl needs to be installed on your machine. Any version 5.x or higher should suffice, although there is a reported problem with the Perl version included with the Windows 2000 Resource Kit. Download the latest version from ActiveState or Perl.com if needed.


To create the basic webpages two CheckPoint files are required:

  1. objects_5_0.C
  2. rulebases_5_0.fws

These files hold all the objects and rulebases of a management server (SmartCenter) or CMA.

  3. slprulebases_5_0.fws

This last file holds the Desktop Security Policies and can optionally be included. This option is only available since version 1.06.
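As an added example (not code from CPRules or its CheckPoint.pm library), the following Perl script parses the nested ':key (value)' layout of an objects_5_0.C file and prints only a whitelist of attributes for each network object, which is the "publish only a subset" idea described above. The input is a constructed sample and the attribute whitelist is an assumption; the real file contains many more classes and attributes.

```perl
# Added example, not CPRules code: a minimal parser for the nested ":key (value)"
# layout of objects_5_0.C, used to publish only a whitelist of attributes per
# network object. The input below is a constructed sample; CPRules itself uses
# its own CheckPoint.pm library to read the real file.
use strict;
use warnings;
my $sample = <<'END';
(
    :network_objects (network_objects
        : (Host_Web
            :ClassName (host_plain)
            :ipaddr (192.0.2.10)
            :comments ("Internal web server, do not publish")
        )
        : (Net_LAN
            :ClassName (network)
            :ipaddr (192.0.2.0)
            :netmask (255.255.255.0)
        )
    )
)
END
# Tokens: quoted strings, single parentheses, or bare words (":key", ":", values)
my @toks = $sample =~ /"[^"]*"|[()]|[^\s()]+/g;
unshift @toks, ':root';   # treat the outer ( ... ) as a node named root
# Node = [ name, value, [children] ]; ": (Name" has no key, so its first token is the name
sub parse_node {
    my ($t, $i) = @_;
    my $key = substr($t->[$$i++], 1);                # drop the leading ':'
    $$i++;                                           # skip '('
    my $val;
    $val = $t->[$$i++] if $t->[$$i] !~ /^[:()]/;    # optional value token
    my $name = $key eq '' ? $val : $key;
    $val = undef if $key eq '';
    $val =~ s/^"(.*)"$/$1/ if defined $val;          # strip quotes
    my @kids;
    push @kids, parse_node($t, $i) while $t->[$$i] ne ')';
    $$i++;                                           # skip ')'
    return [ $name, $val, \@kids ];
}
# Attributes safe to publish; everything else (comments, communities, ...) is dropped
my %publish = map { $_ => 1 } qw(ClassName ipaddr netmask);
my $pos  = 0;
my $root = parse_node(\@toks, \$pos);
my ($netobjs) = grep { $_->[0] eq 'network_objects' } @{ $root->[2] };
for my $obj (@{ $netobjs->[2] }) {
    print "$obj->[0]\n";
    print "  $_->[0] = $_->[1]\n" for grep { $publish{ $_->[0] } } @{ $obj->[2] };
}
```

Run it with perl and the comment on Host_Web is absent from the output while the addresses and netmask are listed; extending %publish is how the published subset grows.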


Since version 1.04 it is possible to include the users and usergroups. Unfortunately, Check Point does not provide a readable database file for them (yet?). Therefore the users and groups should be exported from the database with the following commands (the filenames are free to choose):

fwm dbexport -f users.exp

fwm dbexport -g -f groups.exp

The two resulting files can then be referred to as input for CPRules.


Since version 1.08 export functionality has been included. It's now possible to export the Check Point database to a delimited file format. This can be used for backup purposes or to port the data to some kind of database structure.


See the documentation for more details on how to set up your environment.


Documentation


The documentation of CPRules is stored as POD in the Perl files. It is also included on this webpage.


CPRules.html contains the description of the main program, how to create the html output from the Check Point files and how to influence the output.


The program uses two supporting libraries and one supporting program. The first library, CheckPoint.pm, was developed specifically for this program to read and manipulate the Check Point databases in memory. I hope to use this library for other projects involving Check Point FW-1 databases …


The other library, Template.pm, is used for creating the html pages from a template, giving more freedom in designing the web pages. The author of this module is Sam Tregar (sam@tregar.com).


The supporting program CPUsers.pl converts the exported user files to a Check Point database format to be used by CPRules. CPUsers.html describes how it works.


Demo


View the online demo to get a feel for how the output of this program looks in real life. The demo is a conversion of the demo (Advanced) rulebase in SmartConsole R62 called Firewall-VPN. It has been created with the default settings, so this is how it looks right out of the box!


Download


The software can be freely downloaded from this website. To support both Unix- and Windows-based systems, both a tar.gz and a zip file are included. Just unzip or unpack the software in its final location and you are ready to go; there is no install program to be run. Check the documentation for the location of all other files and folders created.


The latest version: 2.01

Windows systems: CPRules.zip (341kB)

Unix based systems: CPRules.tar.gz (257kB)


History


Well, this is a tricky part. The history of this program actually started with fw1rules.pl as described above. However, the code itself has been completely rewritten, so I guess there is no real history to speak of before version 1.00.


Old versions are stored in the history folder. The changes since version 1.00 are documented in the history file.


Known Bugs


Undoubtedly there will be (more) bugs to be found. Please report them to me, Peter-Paul Worm (Peter-Paul.Worm@wormnet.nl). I will try to fix them as soon as possible and release new versions as we go.


  1. For some reason, the program will not run with the Perl version distributed in the Windows 2000 Resource Kit. The reported version of this distribution is ActivePerl Build 521. Trying to run the program will result in errors like those below:

    Bareword "our" not allowed while "strict subs" in use at lib/Constants.pm line 7.
    Bareword "Table" not allowed while "strict subs" in use at lib/Constants.pm line 7.
    Operator or semicolon missing before %Table at lib/Constants.pm line 7.


Support


The same address as mentioned above can be used for support on the software. However, I cannot give any guarantees on responding in a timely manner. If time permits I will try to answer all questions. If there are requests for functionality changes, please send them to me. I will review and reply if possible.


Peter-Paul.Worm@wormnet.nl


License


There is no license needed to use the software. It is however much appreciated if you let me know where and how it is used.