roadrunner, 2005-08-13

Where did my rulebases go?
When you open up Policy Editor, the rulebase name is "Standard" with no rules. Also, when doing a "File > Open", only "Standard" shows up in the "Open Security Policy" window. All former rules do actually exist in the conf directory; however, you cannot see them via the GUI. Doing "fw stat" at the FW itself shows that the correct rulebase is running, and when you look at the current log, you see that the rules are being correctly implemented. Further, all the Network Objects, Users, etc., are still there.

There are actually two copies of your rulebases:


- Individual rulebase.W files (for backward compatibility with fwui)
- A single rulebases.fws or rulebases_5_0.fws file (which contains all your rulebases)

The Motif/Win95 GUI uses the rulebases.fws file. When all you see is "Standard" in your rulebase listing, this file had to be recreated for whatever reason.

NG AI and later allow you to use the cp_merge command as follows, which can be run from a UNIX or Windows management station:

# cp_merge import_policy -f old_policy.W -n myPolicy

myPolicy is the name of the policy package to import the rulebase file into. Since a .W file no longer contains all of the policy information, this command should only be used as a last resort.

In VPN-1/FireWall-1 up to NG FP1, Check Point allowed you to use the fwm -g command to reimport your rulebases, using the complete pathname to the appropriate rulebase.W file as an argument. The problem for NG FP2 users is that this command is still allowed, yet it causes corruption of the rulebase. NG FP3 and beyond properly informs you this is no longer a supported feature.

On Unix in NG FP1 and before:

# cd $FWDIR/conf
# fwm -g *.W

On Windows in NG FP1 and before:

c:> cd %FWDIR%\bin
c:\WINNT\FW\bin> for %i in (*.W) do fw fwm -g %i

The differences are:

- On Unix, the * is interpreted as a wildcard, including all .W files.
- On Windows, the rulebases.W files will be in the FWDIR\conf directory.
- On Windows, the * is not interpreted as a wildcard, so you must list the .W files individually.
- On Windows, there is no 'fwm' binary, but it is included as part of fw.exe.

Note that it is possible that when importing rulebase files, you may see "Not in Scope" messages. This will occur if objects referenced in the specified rulebase file no longer exist. The rulebase in question will not be successfully imported in this case.

-- PhoneBoy - 29 Mar 2004
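
The cp_merge last-resort import described above, scripted for a Unix management station so that each command can be reviewed before anything is changed. This is an added example, not part of the original post and not Check Point code. It assumes the policy package name equals the .W file name, that names contain only letters, digits, "_" and "-", and that copying the conf directory aside is an acceptable backup. Only the cp_merge flags shown in the post are used.

```shell
#!/bin/sh
# Added example: plan (default) or run (APPLY=1) one cp_merge import per .W file.

# policy_name FILE: print the policy package name derived from FILE, or fail.
# Assumption: the name is the file name without .W and uses a safe character set.
policy_name() {
    name=$(basename "$1" .W)
    case $name in
        ''|*[!A-Za-z0-9_-]*)
            echo "skip $1: unexpected characters in name" >&2
            return 1 ;;
    esac
    printf '%s\n' "$name"
}

# import_all DIR: handle every rulebase .W file found in DIR.
# Without APPLY=1 the commands are only printed, so nothing is modified.
import_all() {
    dir=$1
    if [ "${APPLY:-0}" = 1 ]; then
        # Keep a copy of the directory before touching the policy database.
        cp -Rp "$dir" "$dir.pre-import.$$" || return 1
        echo "backup written to $dir.pre-import.$$" >&2
    fi
    for f in "$dir"/*.W; do
        [ -f "$f" ] || continue              # the glob matched nothing
        name=$(policy_name "$f") || continue
        if [ "${APPLY:-0}" = 1 ]; then
            echo "importing $f as $name" >&2
            # Review the output for "Not in Scope": per the post, that
            # rulebase was not imported.
            cp_merge import_policy -f "$f" -n "$name"
        else
            printf 'cp_merge import_policy -f %s -n %s\n' "$f" "$name"
        fi
    done
}

# Usage on the management station:
#   import_all "$FWDIR/conf"            # print the plan
#   APPLY=1 import_all "$FWDIR/conf"    # back up, then import
```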

