Latest update: 2.01
Released on 26/10/2009, this version is only a minor update to fix some issues with 2.00.
NGX Support added to CPRules version 2.00!!!
Note: This will probably be the last version to be released. Check Point is making progress with their Web Visualisation tool, although I have not seen the results of this tool. Please let me know how this compares to CPRules, so the future of CPRules can be reconsidered.
As the management of a FW is a security-sensitive subject, one cannot allow others to access the management servers, 'others' being non-administrators of the firewall, such as internal or external customers. In many cases it is even prohibited by the security policy of your company, and sometimes the mgmt LAN is even physically disconnected!
However, in many cases it is very convenient to have a copy of the configuration available for viewing by a select group of 'others'. This can be for a helpdesk for troubleshooting purposes (not needing to call you every five minutes), a customer demanding insight into their FW configuration, or just for backup purposes.
On the other hand, it's not wise to leave this kind of configuration lying around for everybody to see (your auditors would have a field day). So you might not want everything to be published, but only a subset of the configuration (i.e. only the FW rulebase itself). Such a subset would still enable the customer (whether internal or external) to request meaningful changes without having to bother the administrators first.
To be able to do all this, we need a tool to convert the Check Point files to a readable format. This tool needs to be configurable, so that administrators can define what to publish and how. CPRULES is designed to accommodate just that wish.
On the internet, the only tool available to convert Check Point configurations is a Perl script called FW1RULES, written and maintained by Volker Tanger <firstname.lastname@example.org>. Admittedly, this program served very well and is widely used. It was originally written to cope with Check Point FW-1 version 4.1 code and was later adapted to support NG configurations as well.
The code of FW1RULES badly needed a rewrite due to additions and changes made in the past. Furthermore, the Check Point data was not easily accessible, making it hard to make changes or add features. That is basically where CPRULES has taken off.
CPRules has been developed in Perl, so Perl needs to be installed on your machine. Any version 5.x or higher should suffice, although there is a reported problem with the Perl version included with the Windows 2000 Resource Kit. Download the latest version from ActiveState or Perl.com if needed.
To create the basic webpages, two Check Point files are required:
These files hold all the objects and rulebases of a management server (SmartCenter) or CMA.
This last file holds the Desktop Security Policies and can optionally be included. This option has only been available since version 1.06.
Since version 1.04 it is possible to include the users and usergroups. Unfortunately, Check Point does not provide a readable database file for them (yet?). Therefore the users and groups should be exported from the database with the following commands (you are free to choose the filenames):
fwm dbexport -f users.exp
fwm dbexport -g -f groups.exp
The two resulting files can then be referred to as input for CPRules.
Export functionality was introduced in version 1.08. It is now possible to export the Check Point database to a delimited file format. This can be used for backup purposes or to port the data to some kind of database structure.
See the documentation for more details on how to set up your environment.
The documentation of CPRules is stored as POD in the Perl files. It is also included on this webpage.
CPRules.html contains the description of the main program, how to create the html output from the Check Point files and how to influence the output.
The program uses two supporting libraries and one supporting program. The first is specifically developed for this program to read and manipulate the Check Point databases in memory, called CheckPoint.pm. I hope to use this library for other projects involving Check Point FW-1 databases …
The supporting program CPUsers.pl converts the exported user files to a Check Point database format to be used by CPRules. CPUsers.html describes how it works.
View the online demo to get a feel for what the output of this program looks like in real life. The demo is a conversion of the demo (Advanced) rulebase in the SmartConsole R62 called Firewall-VPN. It has been created with the default settings, so this is what it looks like right out of the box!
The software can be freely downloaded from this website. To support both Unix- and Windows-based systems, both a tar.gz and a zip file are provided. Just unpack the software in its final location and you are ready to go; there is no install program to be run. Check the documentation for the location of all other files and folders created.
The latest version: 2.01
Windows systems: CPRules.zip (341kB)
Unix based systems: CPRules.tar.gz (257kB)
Well, this is a tricky part. The history of this program actually started with fw1rules.pl as described above. However, the code itself has been completely rewritten. So I guess there is no real history to speak of before version 1.00.
Undoubtedly there will be (more) bugs to be found. Please report them to me, Peter-Paul Worm (Peter-Paul.Worm@wormnet.nl). I will try to fix them as soon as possible and release new versions as we go.
The same address as mentioned above can be used for support on the software. However, I cannot give any guarantees on responding in a timely manner. If time permits I will try to answer all questions. If there are requests for functionality changes, please send them to me. I will review and reply if possible.
There is no license needed to use the software. It is however much appreciated if you let me know where and how it is used.