According to this post, Check Point firewalls have the following important configuration files:
- objects.C
- objects.C_41
- objects_5_0.C
- rules.C
- rulebases.fws
- rulebases_5_0.fws
For an integrity check, you can either monitor the MD5 values of those files or, as I do, monitor the whole conf folder while excluding files such as prov_agent_state.conf, which changes daily.
sed '/prov_agent_state\.conf/d' < dir.md5 > dir1.md5
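The whole-folder approach above, as an added example that is not part of the original post: it hashes every file under a directory, skips prov_agent_state.conf, and reports added, changed and removed files against a stored baseline. The function names, the `HASH_CMD` and `EXCLUDE` variables, and the use of `md5sum` and `find` are assumptions; the post does not show how dir.md5 was produced.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-compare integrity
# check for a config directory such as $FWDIR/conf.
HASH_CMD="${HASH_CMD:-md5sum}"               # assumption: md5sum is installed
EXCLUDE="${EXCLUDE:-prov_agent_state.conf}"  # changes daily, so it is skipped

# snapshot DIR OUT: write "<hash>  ./<path>" for every file under DIR.
# Keep OUT outside DIR, otherwise the baseline would hash itself.
snapshot() {
    ( cd "$1" && find . -type f ! -name "$EXCLUDE" -exec "$HASH_CMD" {} + ) \
        | sort -k 2 > "$2"
}

# compare OLD NEW: print ADDED / CHANGED / REMOVED for each differing path.
compare() {
    awk '
        { h = $1; p = substr($0, length($1) + 3) }   # path may contain spaces
        !second { old[p] = h; next }                 # first file: baseline
        !(p in old)  { print "ADDED   " p; next }
        old[p] != h  { print "CHANGED " p }
        { delete old[p] }
        END { for (p in old) print "REMOVED " p }
    ' "$1" second=1 "$2" | sort
}

# check DIR BASELINE: return 0 when DIR matches BASELINE, otherwise print
# the differences and return 1 (2 if no temporary file could be created).
check() {
    tmp=$(mktemp) || return 2
    snapshot "$1" "$tmp"
    report=$(compare "$2" "$tmp")
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run `snapshot` once after a known-good policy push and store the baseline off the gateway; `check` can then run from cron and alert on a non-zero exit status.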
2. Important files changed after a policy push
[Expert@Pub2]# cd $FWDIR/conf
[Expert@Pub2]# ls -l | grep Jul
-rw-rw-r-- 1 admin config 19 Jul 25 13:55 adlog_muh.dbidl
-rw-rw---- 1 admin root 57441 Jul 25 13:54 cache_pm_buffers.bin
-rw-rw---- 1 admin root 565 Jul 25 13:55 log_policy.C
-rw-rw---- 1 admin root 65 Jul 25 13:54 masters
-rw-rw-r-- 1 admin config 281 Jul 25 18:06 prov_agent_state.conf
-rwxrwx--- 1 admin bin 328 Jul 25 13:54 smtp.conf
-rw-rw---- 1 admin root 46422 Jul 25 13:54 thresholds.conf
[Expert@Pub-cp2]# cd /opt/CPsuite-R75.40/fw1/database
[Expert@Pub-cp2]# ls -l | grep Jul
drwxrwxr-x 2 admin config 4096 Jul 25 17:58 CrlCache_1
-rw-rw---- 1 admin root 33703 Jul 25 13:54 Sandbox-persistence.xml
drwxrwx--- 2 admin root 4096 Jul 25 18:06 SessionCache_1
-rw-rw---- 1 admin root 3 Jul 25 13:54 ad_query_profiles.C
-rw-rw---- 1 admin root 5468 Jul 25 13:54 authentication_objects.C
-rw-rw---- 1 admin root 6077 Jul 25 13:54 connectra_global_properties.C
-rw-rw---- 1 admin root 436 Jul 25 13:54 connectra_policy.C
-rw-rw---- 1 admin root 20481 Jul 25 17:41 cookiedb.NDB
-rw-rw---- 1 admin root 680 Jul 25 13:54 current_recovery.profile
-rw-rw---- 1 admin root 26781 Jul 25 13:54 data_files.C
-rw-rw---- 1 admin root 20481 Jul 25 17:41 deldb.NDB
-rw-rw---- 1 admin root 3 Jul 25 13:54 domain_objects_for_web_applications.C
-rw-rw---- 1 admin root 610 Jul 25 13:55 doubleSignCerts.C
-rw-rw---- 1 admin root 28 Jul 25 13:55 dynamic_objects.db
-rw-rw---- 1 admin root 5096 Jul 25 13:54 embedded_applications.C
-rw-rw---- 1 admin root 984 Jul 25 13:54 eps_notify.html
-rw-rw---- 1 admin root 1667 Jul 25 13:54 eps_notify.mail
-rw-rw---- 1 admin root 143361 Jul 25 13:55 fwauth.NDB
-rw-rw---- 1 admin root 0 Jul 25 13:54 fwuserauth.keys
-rw-rw---- 1 admin root 209697 Jul 25 13:54 ics_configuration.C
-rw-rw---- 1 admin root 3 Jul 25 13:54 identity_roles.C
-rw-rw---- 1 admin root 675 Jul 25 13:54 inspect.lf
-rw-rw---- 1 admin root 5356 Jul 25 13:54 languages.C
drwx------ 2 admin root 4096 Jul 25 13:54 logo
-rw-rw---- 1 admin root 40757 Jul 25 13:54 magic
-rw-rw---- 1 admin root 878700 Jul 25 13:54 magic.mgc
-rw-rw---- 1 admin root 35 Jul 25 13:54 mgmt_dhcp_data.C
-rw-rw---- 1 admin root 99 Jul 25 13:54 mv_tag.C
-rw-rw---- 1 admin root 1597 Jul 25 13:54 nac_agents.C
-rw-rw---- 1 admin root 2691 Jul 25 13:54 network_applications.C
-rw-rw---- 1 admin root 14909807 Jul 25 13:54 objects.C
-rw-rw---- 1 admin root 4940 Jul 25 13:54 products_updates.C
-rw-rw---- 1 admin root 3281 Jul 25 13:54 rad_services.C
-rw-rw---- 1 admin root 42342 Jul 25 13:54 request.xml
-rw-rw---- 1 admin root 6328 Jul 25 13:54 rulebase_tracks.C
-rw-rw---- 1 admin root 1128385 Jul 25 13:54 rules.C
-rw-rw---- 1 admin root 111 Jul 25 13:54 smart-center-servers.properties
-rw-rw---- 1 admin root 3 Jul 25 13:54 ssl_certificates.C
-rw-rw---- 1 admin root 937245 Jul 25 13:54 ssl_inspection.C
-rw-rw---- 1 admin root 72986 Jul 25 13:54 user_check_interactions.C
-rw-rw---- 1 admin root 0 Jul 25 13:54 userdef.C
3. Automatic Process
Documentation such as the Tripwire doc shows detailed procedures for how to do it.
Another PDF file: http://www.it-secure.com/downloads/tfs-check_point.pdf