Checkpoint Firewalls are having following important configuration files from this post:

  • objects.C
  • objects.C_41
  • objects_5_0.C
  • rules.C
  • rulebases.fws
  • rulebases_5_0.fws

For Integrity check, you can either monitor those files md5 value or just like me to monitor whole conf folder with some exception file such as prov_agent_state.conf which will be changed daily.

Expert mode
Cd  /home/tttt/audit
ls -alF /var/opt/CPsuite-R75.40/fw1/conf/ > dir.md5
create script integrity_check.sh
vi integrity_check.sh or cat > integrity_check.sh (CTRL+D to end )
#!/bin/bash
MD5_1=”$(md5sum ‘dir1.md5’ | cut -d ‘ ‘ -f 1)”

ls -alF /var/opt/CPsuite-R75.40/fw1/conf/ > dir.md5

sed “/prov_agent_state.conf/d” < dir.md5 > dir1.md5

MD5_2=”$(md5sum ‘dir1.md5’ | cut -d ‘ ‘ -f 1)”
echo $MD5_1
echo $MD5_2
if [ $MD5_1 == $MD5_2 ]
then echo “No Changes”
else echo “Changed”
fi
chmod 755 integrity_check.sh
./integrity_check.sh
Running result:
[Expert@CP]# ./integrity_check.sh 
9d57784519e7571d38cbded6d1de9c97
9d57784519e7571d38cbded6d1de9c97
No Changes

2. Some important changed files after a policy push

[Expert@Pub2]# cd $FWDIR/conf
[Expert@Pub2]# ls -l | grep Jul
-rw-rw-r–  1 admin  config       19 Jul 25 13:55 adlog_muh.dbidl
-rw-rw—-  1 admin  root      57441 Jul 25 13:54 cache_pm_buffers.bin
-rw-rw—-  1 admin  root        565 Jul 25 13:55 log_policy.C
-rw-rw—-  1 admin  root         65 Jul 25 13:54 masters
-rw-rw-r–  1 admin  config      281 Jul 25 18:06 prov_agent_state.conf
-rwxrwx—  1 admin  bin         328 Jul 25 13:54 smtp.conf
-rw-rw—-  1 admin  root      46422 Jul 25 13:54 thresholds.conf
[Expert@Pub-cp2]# cd /opt/CPsuite-R75.40/fw1/database
[Expert@Pub-cp2]# ls -l | grep Jul
drwxrwxr-x 2 admin config     4096 Jul 25 17:58 CrlCache_1
-rw-rw—- 1 admin root      33703 Jul 25 13:54 Sandbox-persistence.xml
drwxrwx— 2 admin root       4096 Jul 25 18:06 SessionCache_1
-rw-rw—- 1 admin root          3 Jul 25 13:54 ad_query_profiles.C
-rw-rw—- 1 admin root       5468 Jul 25 13:54 authentication_objects.C
-rw-rw—- 1 admin root       6077 Jul 25 13:54 connectra_global_properties.C
-rw-rw—- 1 admin root        436 Jul 25 13:54 connectra_policy.C
-rw-rw—- 1 admin root      20481 Jul 25 17:41 cookiedb.NDB
-rw-rw—- 1 admin root        680 Jul 25 13:54 current_recovery.profile
-rw-rw—- 1 admin root      26781 Jul 25 13:54 data_files.C
-rw-rw—- 1 admin root      20481 Jul 25 17:41 deldb.NDB
-rw-rw—- 1 admin root          3 Jul 25 13:54 domain_objects_for_web_applications.C
-rw-rw—- 1 admin root        610 Jul 25 13:55 doubleSignCerts.C
-rw-rw—- 1 admin root         28 Jul 25 13:55 dynamic_objects.db
-rw-rw—- 1 admin root       5096 Jul 25 13:54 embedded_applications.C
-rw-rw—- 1 admin root        984 Jul 25 13:54 eps_notify.html
-rw-rw—- 1 admin root       1667 Jul 25 13:54 eps_notify.mail
-rw-rw—- 1 admin root     143361 Jul 25 13:55 fwauth.NDB
-rw-rw—- 1 admin root          0 Jul 25 13:54 fwuserauth.keys
-rw-rw—- 1 admin root     209697 Jul 25 13:54 ics_configuration.C
-rw-rw—- 1 admin root          3 Jul 25 13:54 identity_roles.C
-rw-rw—- 1 admin root        675 Jul 25 13:54 inspect.lf
-rw-rw—- 1 admin root       5356 Jul 25 13:54 languages.C
drwx—— 2 admin root       4096 Jul 25 13:54 logo
-rw-rw—- 1 admin root      40757 Jul 25 13:54 magic
-rw-rw—- 1 admin root     878700 Jul 25 13:54 magic.mgc
-rw-rw—- 1 admin root         35 Jul 25 13:54 mgmt_dhcp_data.C
-rw-rw—- 1 admin root         99 Jul 25 13:54 mv_tag.C
-rw-rw—- 1 admin root       1597 Jul 25 13:54 nac_agents.C
-rw-rw—- 1 admin root       2691 Jul 25 13:54 network_applications.C
-rw-rw—- 1 admin root   14909807 Jul 25 13:54 objects.C
-rw-rw—- 1 admin root       4940 Jul 25 13:54 products_updates.C
-rw-rw—- 1 admin root       3281 Jul 25 13:54 rad_services.C
-rw-rw—- 1 admin root      42342 Jul 25 13:54 request.xml
-rw-rw—- 1 admin root       6328 Jul 25 13:54 rulebase_tracks.C
-rw-rw—- 1 admin root    1128385 Jul 25 13:54 rules.C
-rw-rw—- 1 admin root        111 Jul 25 13:54 smart-center-servers.properties
-rw-rw—- 1 admin root          3 Jul 25 13:54 ssl_certificates.C
-rw-rw—- 1 admin root     937245 Jul 25 13:54 ssl_inspection.C
-rw-rw—- 1 admin root      72986 Jul 25 13:54 user_check_interactions.C
-rw-rw—- 1 admin root          0 Jul 25 13:54 userdef.C

3. Automatic Process

such as Tripwire doc shows detailed procedures how to do it.
another pdf file: http://www.it-secure.com/downloads/tfs-check_point.pdf

By Jon

Leave a Reply