Monthly Archives: October 2014

YAAT – Yet Another Audit Tool – Command Line Auditing

We want to know who is typing which commands into our firewalls. Because we are using RADIUS auth, all users are “non_local” users in the Linux audit facility…and it was a big beast I did not want to dink with. So I wrote my own one-liner.

AND because we are using Gaia, the syslog file kept getting overwritten on every reboot.


Solves both problems.

log commands
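One way to get the same two things (a per-command audit record that names the real login, shipped off-box so a reboot cannot wipe it); this is an added example, not the author's one-liner linked above. It assumes bash (for `fc` and `PROMPT_COMMAND`), the `logger` utility, and a remote syslog destination configured separately.

```shell
# Added example (not the author's one-liner): record each interactive shell
# command to syslog, tagged with the login name, so RADIUS "non_local" users are
# still identifiable; forward the records off-box so a reboot cannot wipe them.
# Assumptions: bash (for fc and PROMPT_COMMAND), the `logger` utility, and a
# remote syslog destination configured separately (syslog.conf or Gaia WebUI).

# Format one audit record as a single key=value line (easy to grep/parse later).
audit_record() {
  # $1 = login name, $2 = source address, $3 = command text
  printf 'user=%s src=%s cmd=%s' "$1" "$2" "$3"
}

# Hook run by bash before every prompt: grab the command just executed.
audit_last_command() {
  cmd=$(fc -ln -1 2>/dev/null | sed 's/^[[:space:]]*//')
  [ -n "$cmd" ] || return 0
  # `logname` gives the real login even after su; $USER is the fallback.
  who=$(logname 2>/dev/null || printf '%s' "${USER:-unknown}")
  src=${SSH_CLIENT%% *}          # first field of SSH_CLIENT is the client IP
  logger -t cmdaudit -p auth.info \
    "$(audit_record "$who" "${src:-console}" "$cmd")"
}

# Install the hook for this session (put these lines in /etc/bashrc or a
# profile.d script to cover every login).
PROMPT_COMMAND=audit_last_command
```

Because this is a shell-level hook, it records what the shell saw and a user with a shell can unset it, which is why the record leaves the box in real time rather than sitting in a local file.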


Audit ON!



routed seems to finally work

We have a fairly huge dynamic routing infrastructure and the new ‘routed’ daemon was pretty flaky for a long time, since its release in April 2013. Last week we finally got a version, routed-0.1-cp986005013.i386.rpm, that was finally stable and could handle our environment. So I can finally say it’s time to move dynamic routing to the firewall, and you don’t have to worry about crashing your environment when routed suddenly stops working or fails to come up.

Having said that, the management of routed is still weak.

1) No zero-downtime upgrades: you have to copy routes between members and then delete them
2) Stop/start clustering and routing separately
3) Debugging is pretty primitive; Linux-level skills required

Route ON!



R77.10: Identity Awareness and Groups

I’m on the edge of this so unfortunately don’t know the details, but my buddy will bring me up on the details as it develops. I have a half-written blog post on the details and am trying to bring it up to date.

We are a huge AD/Identity Awareness/Captive Portal shop and so we obviously have been breaking it on many fronts. Specifically: the SmartDashboard picker was slow or timing out, WAN lines were being dogged down with tons of AD traffic, and most importantly it could not work with AD/LDAP groups, did not support multiple LDAP AUs per AD domain (sk92782), and required adjusting priorities on hundreds of AUs over hundreds of firewalls….I’m not sure of all the other issues.

Basically, it didn’t scale.

CP has been working on it for a year and last week had a huge breakthrough. Many of the above issues were fixed in the patches they issued to us. Yeah, there are still problems, but it is nice to see things finally working after a year of pushing a boulder uphill. These patches were hot from development so I’m not sure they are up for GA yet.

Anyway, if your IA is a leaking rowboat, note that a fix is on the way and it’s not your problem. CP knows about it and is working the issue. But you will have to push hard to get to the right people, so start pushing.

IA out!






YAOS – Yet Another Ofiller Script (to import IP addresses into MDS or SmartCenter)

There are probably 1000 of these, and yes it is a hack, but I like learning new tools.

ofiller/odumper is a great tool for large enterprises that need to extract/enter LARGE numbers of IP addresses and rules into MDS/SmartCenter in an automated fashion. odumper extracts data into CSV; you can edit it and import via ofiller from CSV. This could be especially cool if you want to upgrade/import and get rid of a lot of crap by editing CSVs and not through the GUI.

So do you have a list of IPs that have to be entered into MDS or SmartCenter? Well, the hump is getting that list of IP addresses into ofiller format.

Here is a VBscript/Excel macro to do just that.

1) INPUT: List of IPs in CSV


2) Run this VB script inside of Excel


3) Voila!!! The output: an ofiller-formatted file




4) Input into ofiller

./ofiller.lin -f ~/mds_import.csv -i csv -o dbedit_input.txt

5) Input into MDS (or smartcenter)

dbedit -f dbedit_input.txt


NOTE: R80 will have this built in, but ofiller will still have a warm place in my heart.


Ofiller OUT,



New SmartLog Permissions

UPDATE: 12/1/14: mds_HOTFIX_GYPSY_HF_BASE_748 is the fix and it works in R77.10

button version

UPDATE: 11/13/14: After much hub-bub, this is fixed in R77.30 and they are backporting it to R77.10/20? Will let you know.

With X00 firewalls across X0 domains we live and die by SmartLog. R77.10 SmartLog is awesome: it’s fast and finally stable. It alone is sufficient reason to chuck any other firewall product.


They changed the way permissions work in R77.10. Now only Domain Super-users and MDS Super-users can use MDS SmartLog. This takes my breath away. Our front-line domain managers (SOC, NOC, Audit, IPS, Security/Risk Management) use SmartLog for debugging not only firewall problems but network problems in general….across all domains. They are not interested in which domain the problem is in…they just want to know where it is in the enterprise. Domain Super-users and MDS Super-users only use SmartLog a couple of times a week for escalated calls.

So WHY???? restrict permissions on an awesome market-changing tool to people that only use it a couple of times a week??



YABU-Yet Another Backup Utility

This is a dumb one on my part so learn from my mistakes.

On my MDS’s I use WebUI to schedule backups. I like to restore using the command line so I can see when it blows up. Well, there are at least 5 backup and restore commands:

  1. /bin/restore — backups
  2. /sbin/restore — snapshots
  3. mds_backup — MDS backups
  4. cpbackup_util restore --file BACKUPFILENAME.tgz — does snapshots and backups
  5. CLISH: set backup restore local BACKUPFILENAME.tgz — clish version of #4

So make sure you use the right restore with the right backup. I wound up using CLISH after 3 tries.


And make sure you test the integrity of your backups. A word from the old and less dumb.

Backup OUT!



YAFLST – Yet Another Firewall Logging Status Tool

So you might not have noticed, but logging HA is not quite the HA you think it is. About 10-20% of our 350 firewalls fail to HA and either just stop logging or log locally until we nudge them….or maybe we screwed something up.

Anyway….So how do you know which ones are not HA?

You don’t, until now. (OKAY it is a kludge but the best I know how)

  1. Do this: GET LIST OF FIREWALLS.
  2. This gets you a list of gateways and cluster members. You can get rid of the ‘gateway_cluster’ entries; they are usually not needed for logging. Cluster members use their physical IP and not the VIP.
  3. Import into a spreadsheet with worksheet label ‘fw’. Sort and get rid of obvious junk.
  4. On log servers do a ‘netstat -an | fgrep :257’. This lists all of the firewalls logging.
  5. Import them into the same spreadsheet with worksheet label ‘targets’. Sort and get rid of junk.
  6. Import this macro into your spreadsheet: MACRO. OK, I hacked a VB script; not pretty. You could also use some perl script at this point.
  7. Anyway, the script will put an ‘X’ in column 3 for the firewalls that are logging.
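The same "who is actually logging" comparison done on the log server with POSIX shell tools instead of a spreadsheet; this is an added example, not the author's macro. It assumes a file of gateway/cluster-member IPs (one per line, from the firewall list export) and saved `netstat -an` output; the sample data below is constructed.

```shell
# Added example, not the author's macro: compare the firewall list against the
# remote ends of port-257 (Check Point log) connections on the log server.
# Assumes: $1 = file of gateway/cluster-member IPs, one per line;
#          $2 = saved output of `netstat -an` on the log server.

# Remote IPs with an ESTABLISHED connection to local port 257, one per line.
# netstat -an columns: proto recv-q send-q local foreign state
logging_peers() {
  awk '$1 ~ /^tcp/ && $4 ~ /:257$/ && $6 == "ESTABLISHED" {
         sub(/:[0-9]+$/, "", $5); print $5 }' "$1" | sort -u
}

# Print "<ip> X" for firewalls seen on port 257 and "<ip> -" for the rest
# (the "X in column 3" of the spreadsheet in the post).
mark_logging() {
  peers=$(logging_peers "$2")
  while IFS= read -r fw || [ -n "$fw" ]; do
    case "$fw" in ''|'#'*) continue ;; esac      # skip blanks and comments
    if printf '%s\n' "$peers" | grep -Fxq -- "$fw"; then
      printf '%s X\n' "$fw"
    else
      printf '%s -\n' "$fw"
    fi
  done < "$1"
}

# Just the firewalls missing from port 257: the ones that need a nudge.
not_logging() { mark_logging "$1" "$2" | awk '$2 == "-" { print $1 }'; }

# Constructed sample input (not from a real log server): three firewalls, one
# of which only shows a closed (TIME_WAIT) connection, plus unrelated sockets.
FW_LIST=${TMPDIR:-/tmp}/yaflst_fw.txt
NETSTAT_OUT=${TMPDIR:-/tmp}/yaflst_netstat.txt
printf '%s\n' 10.10.1.1 10.10.1.2 10.10.2.1 > "$FW_LIST"
cat > "$NETSTAT_OUT" <<'EOF'
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 10.10.0.5:257           10.10.1.1:41022         ESTABLISHED
tcp        0      0 10.10.0.5:257           10.10.1.2:53310         TIME_WAIT
tcp        0      0 10.10.0.5:257           10.10.2.1:49811         ESTABLISHED
tcp        0      0 10.10.0.5:22            10.10.9.9:60001         ESTABLISHED
EOF

mark_logging "$FW_LIST" "$NETSTAT_OUT"   # 10.10.1.1 X / 10.10.1.2 - / 10.10.2.1 X
```

An ESTABLISHED socket only proves the connection is up, not that logs are flowing, so pair this with a check of the newest log timestamp per firewall before deciding which ones to nudge.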

Seems to me a $$$$$ gazillion dollar HA logging system should do HA. Probably fixed in R80.

Oh yeah, I’ve been using this in Cattools to nudge them:

cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"

Logging off


Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.