Wednesday, December 17, 2014

Checkpoint -- queryDB_util to query Smartcenter from command line

A few days ago I looked at the licenseDataCollector.sh script and found that it was creating a lot of files in a temporary directory. These files were the network objects in the Smartcenter DB.
Inside the script I found several calls to the command queryDB_util.
Some investigation on Google returned a few hits on this interesting tool.

Here is the help output from queryDB_util:

U s a g e:
==========

queryDB interactive mode:
----------------------
[-t <table_name> [-s <query_str>]]  # name of requested table. 'query_str' is valid CPMI query string
[-o <object_name>]                  # name of requested object
[-a]                                # prints details of all objects

[-mu <modified_by>]                 # administrator who last modified the object
[-mh <modified_from>]               # host from which object was last modified
[-ma <modified_after>]              # minimum last modification date <[hh:mm:ss][-ddmmmyyyy]>
[-mb <modified_before>]             # maximum last modification date <[hh:mm:ss][-ddmmmyyyy]>

[-p<m|u|h|t|f>]                     # special print options: 
                                    #    m - last_modification details
                                    #    u - administrator name modification 
                                    #    h - host name modification
                                    #    t - last modification time 
                                    #    f - fields details

[-f <file_name>]                    # output file name for results
[-h]                                # get this usage info
[-q]                                # quit

Arguments can appear in any order.
If an argument appears more than once, the last one counts.


To get one of 'Objects Query' or 'Rules Query' modes:
----------------------------------------------------
   Phase I - connection arguments:
----------------------------------
-s <server_name> [-u <username> -p <password> | -c <certificate_name> -p <password>]

   Phase II - feature-mode argument:
------------------------------------
-objectsquery | -rulesquery             #'objectsquery' for Objects Query, 'rulesquery' for Rules Query

   Phase III - specific mode arguments:
---------------------------------------

Objects Query Usage:
====================
<ip address(es)>        #one or more ip addresses to be query for their referencing objects

Rules Query Usage:
==================

-ob <network_objects name(s) or ip(s)>          #a mix of objects names and ip addresses is valid
[-c <column_name>]                                              #specify the query on one column
[-op]                                   #search of ALL given objects under sub-query (default: AT LEAST ONE)
[-e]                                    #force explicit search in rules (default: implicit search)
[-n]                                    #for search of the negation of sub-query

[-r]                                    #defines an OR relation on all sub-queries. (default: AND relation)


Notes:
======
1.      Only the -ob argument has to be present. This argument informs the utility that a new sub-query is to be parsed.
2.      Due to the former note, the -ob argument have to be the first argument of each sub-query input.
3.      The -r argument applies to all of the sub-queries set and defines there relation. Since the number of sub-queries is unlimited, this argument must come last!
4.      All other arguments can appear in any order.


What can you do with this utility?
You can query the Smartcenter database for all kinds of objects (as long as you understand the CPMI syntax).
Here are a few examples, taken from the licenseDataCollector.sh script, to give you an idea.

Return the number of Smartcenter objects:

echo -e "localhost\n-t network_objects -s management='true'\n-q" | queryDB_util 

Enter Server name: 
Please enter a query, -h for help or -q to quit: 
query> 

Q u e r y i n g   D B
=====================

Object Name: Management1
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:09 2014


Object Name: Management2
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:08 2014


Object Name: Management3
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:06 2014


A total of 3 objects match the query.

Query all network objects of type host, then extract the name and IP address with grep:

echo -e "localhost\n-t network_objects -s type='host' -pf\n-q" | queryDB_util | egrep 'Object Name|ipaddr:'



Object Name: Node1
    ipaddr: 10.1.2.3
Object Name: Node2
    ipaddr: 10.4.5.6



Query to find all firewall modules (both managed and externally managed):

echo -e "localhost\n-t network_objects -s type='gateway' -s cp_products_installed='true' \n-q" | queryDB_util  | grep Object


Object Name: FW1
Object Name: FW2
Object Name: Fw3
Object Name: FW4
Object Name: Fw5


If you want to go deeper, change the greps:

echo -e "localhost\n-t network_objects -s type='gateway' -s cp_products_installed='true' -pf \n-q" | queryDB_util  | egrep 'Object Name|location:|osName' | grep -v ip_pool | grep -v phone_directo

Object Name: FW1
    location:internal
    osName=Gaia
Object Name: FW2
    location:external
Object Name: Fw3
    location:internal
    osName=Gaia
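The grep pipelines above work interactively, but a script that consumes the output is easier to keep correct with a small parser. The following is an added example, not code from the original post or from Check Point: it builds the interactive input with printf instead of echo -e (echo -e is not portable across shells), extracts the "A total of N objects" count, and turns the -pf output (an "Object Name:" line followed by indented "key: value" or "key=value" lines, as shown above) into one CSV row per object. The query_table wrapper, the function names and the sample output are this example's own assumptions; only the record layout comes from the post.

```sh
#!/bin/sh
# Added example, not part of the original post: helpers for driving
# queryDB_util from a script and turning its "-pf" output into CSV.
# The record layout (Object Name:, indented key:value or key=value lines,
# trailing "A total of N objects match the query.") is the one shown in
# the post; everything else here is assumed.

# Build the interactive input for queryDB_util with printf rather than
# "echo -e". Usage: query_table <table> <cpmi-query> [print options...]
# (not run below, since queryDB_util only exists on a management server)
query_table() {
    table=$1; query=$2; shift 2
    printf '%s\n' "localhost" "-t $table -s $query $*" "-q" | queryDB_util
}

# Total line: "A total of 3 objects match the query." -> 3
querydb_total() {
    sed -n 's/^A total of \([0-9][0-9]*\) objects match the query\.$/\1/p'
}

# One CSV row per object: name,ipaddr,location,osName
querydb_to_csv() {
    awk '
    function flush(   k) {
        if (name != "")
            printf "%s,%s,%s,%s\n", name, f["ipaddr"], f["location"], f["osName"]
        name = ""
        for (k in f) delete f[k]
    }
    /^Object Name:/ {
        flush()
        name = $0
        sub(/^Object Name:[ \t]*/, "", name); sub(/[ \t]+$/, "", name)
        next
    }
    # indented attribute lines; the post shows both "key: value" and "key=value"
    name != "" && /^[ \t]+[A-Za-z_]+[ \t]*[:=]/ {
        line = $0; sub(/^[ \t]+/, "", line)
        sep = index(line, ":"); eq = index(line, "=")
        if (eq > 0 && (sep == 0 || eq < sep)) sep = eq
        key = substr(line, 1, sep - 1); val = substr(line, sep + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[key] = val
    }
    END { flush() }
    '
}

# Constructed sample in the format the post shows (not real output).
sample_output() {
    cat <<'EOF'
Object Name: Node1
Table Name: network_objects
    ipaddr: 10.1.2.3
Object Name: FW1
    location:internal
    osName=Gaia
Object Name: FW2
    location:external

A total of 3 objects match the query.
EOF
}

# Demo on the sample; on a management server you would use e.g.
#   query_table network_objects "type='host'" -pf | querydb_to_csv
sample_output | querydb_to_csv
echo "total: $(sample_output | querydb_total)"
```

One caveat worth keeping in mind when scripting this tool: the usage text above states that if an argument appears more than once, the last one counts, so passing -s twice (as in the gateway query above) keeps only the second query string. When both conditions matter, express them in a single CPMI query string.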

Further analysis of the text-based objects_5.0.C file shows which query to run to obtain specific objects: the ClassName attribute gives the type value that should be queried.
For example, here is a list of possible types:


  • gateway
  • host
  • cluster_member
  • gateway_cluster
  • network
  • group_with_exception


Tuesday, December 2, 2014

Checkpoint - how to install updates with CPUSE from Gaia CLISH


  1. First update the CPUSE software:
    1. Download the latest build from Usercenter.
    2. Latest build of Check Point CPUSE - Gaia Software Updates (Solution ID: sk98228). As of 02 Dec. 2014, build 714 is the latest version.
    3. To check the current version of the Gaia Software Updates Agent, run:
       [Expert@HostName]# cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor"
    4. Transfer the updated Gaia Software Updates Agent package (GaiaSoftwareUpdatesAgent_<build>.tgz) to the machine, into the /tmp/DA.patch directory.
    5. Unpack the Gaia Software Updates Agent package:
       [Expert@HostName]# cd /tmp/DA.patch
       [Expert@HostName]# tar zxvf GaiaSoftwareUpdatesAgent_<build>.tgz

Install the Gaia Software Updates Agent RPM (starting in Build 553, the currently running agent is stopped automatically during the RPM installation):


  • $DADIR/stop/dastop
  • dbget installer:stop
  • [Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

Start the Gaia Software Updates Agent:

  • [Expert@HostName]# $DADIR/bin/dastart


Installation instructions for Hotfixes / Minor version / Major version


  • Log in to the Clish shell.
  • See the list of available packages for download:
    HostName> show installer available_packages


 Num File Name                                             Type
1   Check_Point_Hotfix_R77_sk101186.tgz                   Hotfix
2   Check_Point_Hotfix_R77_sk100431.tgz                   Hotfix
3   Check_Point_R76_T265.tgz                              Major Version
4   Check_Point_Hotfix_R77_sk100195.tgz                   Hotfix
5   Check_Point_Hotfix_R77_sk98814.tgz                    Hotfix
6   Check_Point_R77_Hotfix_SK97566.tgz                    Hotfix
7   Check_Point_R75.46_Fresh_Install.tgz                  Major Version
8   Check_Point_hotfix_R77_sk96269.tgz                    Hotfix
9   Check_Point_R77_UDP_Hotfix_sk95056.tgz                Wrapper
10  Check_Point_SmartConsole_and_SmartDomain_Manager_R... Wrapper
11  Check_Point_R77.tgz                                   Major Version
12  Check_Point_R75_40VS_T157.tgz                         Major Version
13  Check_Point_Hotfix_R77_sk102673.tgz                   Hotfix
14  Check_Point_Hotfix_R77_sk102989.tgz                   Wrapper
15  Check_Point_R77.10.tgz                                Wrapper
16  Check_Point_R77_R77_20_T124.tgz                       Wrapper



  • Download the package (number 16 in the list above):
    HostName> installer download 16
  • Verify the download progress:
    HostName> show installer package_status

Check_Point_R77_R77_20_T124.tgz              - Downloading (1.05 MB/s)   - Progress: 92%


  • Install the downloaded package:
    HostName> installer install 16
  • Verify the installation progress:
    HostName> show installer package_status


16  Check_Point_R77_R77_20_T124.tgz        Installing                   (0%)


After the R77.20 upgrade package is installed, the firewall reboots automatically.

Thursday, November 27, 2014

Checkpoint firewall debugging basics

Hello,
here is a blog entry I found with basic debugging commands for Checkpoint firewalls (http://itsecworks.com/2011/08/09/checkpoint-firewall-debugging-basics/).
The post is not recent but the method is still valid.



To debug a checkpoint firewall is not a big deal, but to understand the output is in many cases impossible for those NOT working at Checkpoint.
I write here not about the exact analysis with debugging, just a 'how to collect the required information' that may speed up the troubleshooting.

1. Reset the debugs to the default.
In case someone changed the setting in the past and since then the firewall was not rebooted we should set all back to the defaults.
# fw ctl debug 0
Defaulting all kernel debugging options

2. Check the module list we can use and choose the required ones
With the following command you can see the modules with their options.

[Expert@sgLondon]# fw ctl debug -m
debug: option requires an argument -- m
Usage: fw ctl debug [-d ] [-s ""] [-v (""|all)] [-x] [-m ] [-e expr | -i | -u] [+|-]
Or: fw ctl debug [-t (NONE|ERR|WRN|NOTICE|INFO)] [-f (RARE|COMMON)]
Or: fw ctl debug -buf [buffer size]
-h - for help
Where possible options are:
Module: kiss
Kernel debugging options: error warning ioctl memory misc chain driver pools handles vbuf pm rem sm dfa pmdump pmint htab bench ghtab mtctx queue thread
Messaging threshold set to type=Info freq=Common
Module: kissflow
Kernel debugging options: error warning memory pm compile dfa
Messaging threshold set to type=Info freq=Common
Module: fw
Kernel debugging options: error warning cookie crypt domain ex driver filter hold if install ioctl kbuf ld log machine memory misc packet q xlate xltrc conn synatk media sip vm chain bridge tcpstr scv packval sync ipopt link nat cifs drop route citrix misp portscan leaks mgcp sock mail spii chainfwd msnms wire balance dynlog smtp wap content mrtsync sam sock malware cmi aspii dos advp multik netquota monitor monitorall dfilter integrity epq cvpnd cptls ftp
Messaging threshold set to type=Info freq=Common
Module: h323
Kernel debugging options: error init h225 h245 ras decode align cpas
Messaging threshold set to type=Info freq=Common

Module: multik
Kernel debugging options: error conn packet api message state packet_err counter event quota ioctl lock clb
Messaging threshold set to type=Info freq=Common
Module: BOA
Kernel debugging options: fatal error warning info stat memory analyzer spider flow stream disasm lock
Messaging threshold set to type=Info freq=Common
Module: WS
Kernel debugging options: fatal error warning info timestamp connection session parser body global stat memory address policy pfinder regexp coverage report_mgr spii uuid ioctl module mem_pool pkt_dump subject sslt cookie stream vs event
Messaging threshold set to type=Info freq=Common
Module: CI
Kernel debugging options: fatal error warning info timestamp coverage subject memory module session address vs regexp ioctl policy profile filter uf av crypto stat
Messaging threshold set to type=Info freq=Common
Module: CPAS
Kernel debugging options: error warning tcp api glue events conns pkts timer tcpinfo http ftp skinny notify sync
Messaging threshold set to type=Info freq=Common
Module: VPN
Kernel debugging options: driver err packet policy sas rdp pcktdmp queue init sr mem comp xl counters mspi cphwd ref vin cluster nat l2tp tnlmon warn tcpt tagging ike ifnotify resolver gtp topology multik multicast
Messaging threshold set to type=Info freq=Common

3. Set the buffer size
The size of the buffer depends on how many modules and options you choose and how much they are going to generate.

# fw ctl debug -buf 9600
Initialized kernel debugging buffer to size 9600K

4. Choose the modules and their options for the debug
A) If we do not use any options, then the default is error and warning or just error (or just error multicast, like at VPN):

# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common
B) If you want to set your own options, just type them after the module name:
# fw ctl debug -m fw packet drop sam
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: packet drop sam
Messaging threshold set to type=Info freq=Common
C) To add another option type "+":
# fw ctl debug -m fw + route
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: packet drop route sam
Messaging threshold set to type=Info freq=Common
D) To delete the options you have set and start again, type "- all":
# fw ctl debug -m fw - all
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: None

5. Start writing debug into a file:
The basic command is "fw ctl kdebug". The syntax is the following:
# fw ctl kdebug ?
Usage: fw ctl kdebug [-i | [-f] -o ] [-b ] [-t|-T] [-p fld1[,fld2..] [-m num [-s size]]
-t/-T to print the time field (seconds/microseconds)
-p to print specific fields all|proc|pid|date|mid|type|freq|topic|time|ticks|tid|text|err|host|vsid|cpu
-m - number of cyclic files, -s - size of each
One of the most important parameters is 't' or 'T', which writes a timestamp to the entries. This is always required.
A) Write it to a file:
# fw ctl kdebug -T -f > samrules.txt
(-o filename makes a binary file, that is why I use the ">" sign)
B) Or write to a file in the background and to the output as well, but give back the cursor:
# fw ctl kdebug -T -f | tee samdebug.txt &

It can happen that the debugging process eats up all the CPU, we lose control and maybe sessions are dropped.
Before this command is started it is useful to create a crontab entry or a single script that kills this process after a couple of minutes.

Let's do a bash script that kills debugging after 10 seconds:

This example script writes to the file samrules.txt and stops after 10 seconds. Those values can be changed if you want.

# vi debug.sh
#!/bin/bash
timeout=10                                   # in seconds
fw ctl kdebug -T -f > samrules.txt &         # command to terminate
cmdpid=$!
# Start "watchdog" process to terminate the command after $timeout seconds:
(sleep "$timeout"; kill -9 "$cmdpid") &
watchdogpid=$!
wait "$cmdpid"                               # wait for command
kill "$watchdogpid" >/dev/null 2>&1          # command finished: stop the watchdog
Change the file permissions and we can start it:
# chmod +x debug.sh
# ./debug.sh
The time in script should be as long as the reproduction time of the problem. It has no use if it is shorter.

Wednesday, March 19, 2014

How to add space to a Checkpoint firewall

Here is a brief procedure on how to add space when you run out of it on a Checkpoint firewall.
Of course this procedure applies to any Linux box.



  1. Add a disk to the system.
  2. Check with fdisk -l that the disk is visible.
  3. Create a partition on the disk via fdisk and assign it type LVM, 0x8e (e.g. /dev/sdb1).
  4. pvcreate /dev/sdb1
  5. vgextend VGname Partition (e.g. vgextend vg_splat /dev/sdb1)
  6. Launch the utility lvm_manager.
  7. Choose to resize the logical volume that needs to be resized.

But what if the disk is bigger than 2TB?
fdisk does not support disks of this size, so you need to use parted.

Let's say that you have an HP server and a logical drive with this device name:
/dev/cciss/c0d1
  1. parted
  2. select /dev/cciss/c0d1
  3. mklabel gpt (to create a GPT partition table)
  4. mkpart primary 0 -1 (to create a partition using all the disk space)
  5. set 1 lvm on (to set the partition type to LVM)
  6. quit
At this point you can run pvcreate and vgextend as before, using the /dev/cciss/c0d1p1 partition.
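To tie the two procedures together, here is an added shell example that is not from the original post: it checks that the disk is a visible block device (step 2 above), picks fdisk for disks up to the MBR limit and parted with a GPT label above it, derives the first partition name (sdb1, or c0d1p1 when the disk name ends in a digit), and prints the pvcreate/vgextend commands for review instead of running them. The 2 TB threshold and the lvm_manager step come from the post; the DISK_SIZE_OVERRIDE variable, the function names and the sample sizes are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: print the commands that would
# extend a volume group with a new disk. Nothing here modifies the system;
# the output is meant to be reviewed and then run by hand.
# DISK_SIZE_OVERRIDE (bytes) lets the plan be produced without a real device.

# Disk size in bytes: blockdev on the real device, or the override for dry runs.
disk_size_bytes() {
    if [ -n "${DISK_SIZE_OVERRIDE:-}" ]; then
        echo "$DISK_SIZE_OVERRIDE"
    else
        blockdev --getsize64 "$1"
    fi
}

# Name of the first partition: /dev/sdb -> /dev/sdb1, but a disk name that
# ends in a digit (/dev/cciss/c0d1) gets a "p" separator -> /dev/cciss/c0d1p1.
first_partition() {
    case "$1" in
        *[0-9]) echo "${1}p1" ;;
        *)      echo "${1}1" ;;
    esac
}

# plan_vg_extend <volume group> <disk device>
plan_vg_extend() {
    vg=$1; disk=$2
    # An MBR partition table (fdisk) addresses 2^32 sectors of 512 bytes,
    # i.e. 2 TiB; this is the "2TB" limit from the post. Above that, use GPT.
    mbr_limit=2199023255552

    # Step 2 of the post: the disk must be visible (skipped under the override).
    if [ -z "${DISK_SIZE_OVERRIDE:-}" ] && [ ! -b "$disk" ]; then
        echo "error: $disk is not a block device" >&2
        return 1
    fi

    size=$(disk_size_bytes "$disk") || return 1
    part=$(first_partition "$disk")

    if [ "$size" -gt "$mbr_limit" ]; then
        # GPT label, one partition over the whole disk (percent units let
        # parted align it), LVM flag on partition 1.
        echo "parted -s $disk mklabel gpt mkpart primary 0% 100% set 1 lvm on"
    else
        echo "fdisk $disk    # n, p, 1, accept defaults, then t -> 8e, w"
    fi
    echo "pvcreate $part"
    echo "vgextend $vg $part"
    echo "lvm_manager    # Check Point tool: resize the logical volume that needs space"
}

# Dry-run demo: a 4 TiB HP logical drive (size constructed, no device needed).
(DISK_SIZE_OVERRIDE=4398046511104; plan_vg_extend vg_splat /dev/cciss/c0d1)
```

The parted line uses percentage units (0% 100%) rather than the post's 0 -1 so that parted aligns the partition to the disk's optimal boundary; the post's form creates the same full-disk partition.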


Tuesday, March 11, 2014

Uncover the Meaning of top's Statistics

Interesting article I found on the Internet (http://www.linux.com/learn/tutorials/42048-uncover-the-meaning-of-tops-statistics)

Its name is kind of unique for something that shows system statistics: top. It is a part of the procps package, a set of Linux utilities that provide system information. Besides top, procps also includes free, vmstat, ps, and many other tools.
Top gives you a snapshot of a system's situation, e.g., free physical memory, number of running tasks, percentage of CPU time usage of each process--all in a single view. So it's like using ps, free, and uptime at the same time. Top gets most of its information from several files under the /proc directory. You might already be aware that this directory provides users with a broad range of system-wide statistics, but thanks to top, we can summarize most of them inside a single organized window.
Furthermore, with top you can do things like:

Tuesday, February 18, 2014

Evasion techniques

Evasion & the limitations of legacy AV tools: Zeus banking malware hides a crucial file in a photo computerworld.com/s/article/9246… via @computerworld http://twitter.com/#!/thecyberwire/status/435843412919476224