CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: Bob_Zimmerman
Every time I think my day job is settling down a little, there's some new crisis. As a result, I haven't been able to spend as much time on this project as I'd like. I have also run into a...
The space Gaia uses for snapshots doesn't show up in 'df'. I'm betting somebody has handed all of the space on the disk to lv_current, leaving no space for snapshots. You can check this with the...
No screenshot for this update, as it's "just" fixes for stuff I showed off in the last one.
Updated my policy package objects to have an ordered relationship to access layers, updated the rest of...
It's been a little while!
Today, I found that you can't both turn a policy package's "access" property to true and set its access layers in one API call. The API just barfs with an extremely...
Spent some time this weekend building detail views for a few more types of object: access layers and policy packages. I still have a little work left to do on them before they're really done, but...
I really need to stop posting in the afternoon. That evening, I figured out how to use the view to edit group members! And with the way I've built the editor, it should be trivial to extend to most...
I am now able to create a view for part of my object tree and represent a set of selected objects. I can toggle the selections, and the new selections are reflected in the set of selected objects....
Work on this application has been slowed by day job stuff. I also took the time a while ago to tweak my development machine's EFI extensions (OCLP is pretty nice!) to let me upgrade more smoothly....
I've used the method of dealing with complex properties to add handling of automatic NAT and aggressive aging settings for objects which have them. Changes to automatic NAT currently aren't reflected...
One of the big problems I've had with my data model has been complex properties. Most properties of an access rule are either simple types (like a boolean value for source negation or a string for...
Huh! I haven't had that problem yet. Hit something similar on R81.10, which wound up being a bug somewhere in the management server or API service. Try using the script in the first post to find the...
Earlier this week, I managed to connect the progress meter to the API interaction queue. And as of an hour or so ago, I think I have resolved all the new bugs I introduced getting it to work!
...
It looks like Check Point has done something in R81.10 which breaks this method of making disposable hosts with preset SSH keys. My user key survives, but new host keys are generated when the system...
Day job has been busier than expected the last few weeks. Thorny firewall upgrade. It eventually worked, but I haven't had the focus left at the end of the day to really program effectively.
Over...
While building some test data to confirm I handle policy installation targets correctly, I noticed I didn't import clusters at all. I think I started developing this client against R80.20, which...
Let's say you have gateway A (with only private addresses) which goes through gateway B, which NATs A's private address to a public address. That option exists to let you form a VPN straight from A...
Just added the ability to push policy! The UI is still a work in progress, but it's usable.
Right now, the installation targets list just shows all firewalls. I don't currently interpret...
Just finished adding the ability to add and delete access and NAT rules and sections. I create rules disabled to let you build the rule before enabling it. This isn't as big a deal as it was before...
Still thinking about the right way to calculate rule numbers. I do have some minor things to share. I've added the ability to disable NAT rules (and to show that they are disabled), as well as the...
Well, I just discovered that while policies have automatically-generated NAT sections which you can't modify at the top, you can add NAT rules above them. So that's fun. Time to rework a chunk of my...
It's extremely limited right now. Shows most things, but can only manipulate a few of them. The login flow is iffy (it defaults to my lab SmartCenter's address and doesn't remember any others you log...
I think I've finally cracked it. Removed some debugging code I had added, and now drag-and-drop is working from inside a section to outside a section, from outside a section to inside, between...
Duplicate post.
Even if it comes after browser-based management, I won't be too disappointed. I'm one person doing this in my spare time, after all. ;) I will always prefer the performance achievable with a thick...
You can use 'who' to find out who is currently connected and how:
[Expert@LabSC]# who
admin pts/2 Aug 12 17:42 (10.20.30.40)
admin pts/3 Aug 12 17:42 (10.20.30.40)
The...
Databases are one of those things I really don’t understand all that well. Key-value observing is another. This, unfortunately, combines both, so it has taken me a long time to learn what I need to...
It depends if you offer or use unencrypted services. For example, if you host an FTP site or if you access somebody else's, then IPS, threat emulation, and so on could see the traffic and provide...
So it took me waaaay longer than I expected to figure out live UI updates in response to database changes, but I think I have it mostly working now. And it turns out it involves using a Cocoa...
Figured out how to update the rule ordering criteria and rule numbers. Now dragged-and-dropped rules get reordered in the UI, and they get the correct rule number (or at least, I'm not aware of any...
I've collected enough data for what I care about. It's posted here:
https://github.com/Bob-Zimmerman/CPAPI-Stats
There's an Excel spreadsheet with a tab for each configuration and a column for...
Over the weekend, I added color swatches to the object color picker. That was WAAAAY harder than it seems like it should have been, but it's working now:
And just now, an hour before the WWDC...
Here's the script I've been using with VMs:
#!/usr/bin/env bash
TIMEFORMAT='%R'
filePrefix="vm$(egrep "^processor\s" /proc/cpuinfo | wc -l)$(grep MemTotal /proc/meminfo | awk '{GB = $2/1000000}...
It may just be down to having more thermal headroom. The Atom was originally a reimplementation of the core x86 instructions without power-hungry features like branch prediction and speculative...
I am indeed. A while ago, I found out how to modify config_system to let me set it up as a standalone. The firewall part has one rule: any, any, any, accept.
This performance is surely why...
So I've been working on adding drag-and-drop rule rearrangement to my Mac-native client, and it's presenting a problem. Refreshing the rule positions after a drag operation would require re-fetching...
Lots of visible updates! I've been adding menus to access rule fields and items within those fields. While most of the menu items aren't hooked up to anything yet, I do have this one which I think is...
Just got object search working in the sidebar. It's not quite as smooth as I want it. It searches automatically as you type and shows the results live in the sidebar, but it closes the object types....
When the GUI disagrees with the command line (or with itself), I generally jump right to trashing the applications.C* and CPMILinksMgr.db*. They're all in $FWDIR/conf. cpstop the MDS, trash them (or...
My client has long had a big, gross limitation which isn't really obvious in screenshots: it didn't handle data updates very well. You could download objects, edit existing objects, and now make new...
I've figured out enough about contextual menus to allow for object deletion.
This required more "fun" with Objective-C selectors. Selectors are basically function calls, but you can't pick...
While figuring out some menu stuff, I decided it's time to learn more about how localization works on macOS (this was actually to help me reliably place the "Add Object" menu in the menubar). Turns...
Took a bit longer than I thought to finish shaving some other yaks and get back to directly working on this project. I'm happy to report I was able to figure out enough about menus to allow for the...
I eventually decided using snapshots for this is too slow. I have a ludicrously powerful desktop (2x Xeon X5675 [3.06 GHz, 6 cores plus hyperthreading], 96 GB of RAM), and it was still taking over 20...
I just confirmed the 2200 can handle 8 GB of DDR3 RAM in the form of two 4 GB SODIMMs. Mine have eight chips on each side, 16 chips per stick, so 256 MB per chip. I hear sticks with 512 MB chips...
Now that I have a good way to build an MDS for testing, I'm starting to work with the multi-domain parts of the API. This leads to a big question:
How should connecting to an MDS work?
It would...
Most of my development work so far has been against a 2200 which I personally own. It has a perpetual license, but it's sometimes a little unpredictable. The API service sometimes crashes. It has a...
Finding some rough edges when it comes to application/site objects and their relationships with categories. Suspending my work on that for now.
I think I've figured out how to make new objects. It...
You should look up the Cherpumple.
Gave up on the progress meter for now, and learned to do this instead:
I now have support for dragging objects from the sidebar into the source, destination, and service fields of rules,...
Ran into the group-members-are-sometimes-objects-and-sometimes-UUIDs thing again, but this time with tags. I suspect this inconsistency will bite me a few more times before I've tracked down all the...
Eh. GNS3 is only mildly weird. I was hoping for something like an x86 emulator on a Raspberry Pi emulated by an UltraSPARC. ;p
So a Fortinet VM inside a PAN VM inside a Check Point box? Please tell me that's also a VM on something weird.
At some point, sure. For now, I figure I have about 20% the functionality of SmartDashboard. Lots left to add, but it's mostly view-side code in MVC. The object model changes put me in a better...
Spent a while completely rewriting my entire import architecture and my entire object model. Previously I had been using one single object definition for everything. Hosts, networks, services,...
'show object' returns a JSON structure with a top-level key of "object" which has its value set to the JSON structure for the object you are trying to get:
[Expert@mySmartCenter:0]# mgmt_cli -r...
No screenshots to really show this off, but a small update.
I have just made my first successful API call to change the properties of an object based on changes made locally in my client.
While...
Made some advances and thought I would show them off.
Dark mode actually worked perfectly right out of the gate.
Dramatically improved login. That's the phone button at the far left of...
Ran into some issues, which stalled my progress for a while. I decided the fix was to rewrite most of the UI. Still not done with that, and still not past the issues in question, but I think I'm...
Change management's name? Need to reset the ICA and all trust relationships. I hit that mostly when rebuilding a failed management (I wrote the process for the three-file rebuild, and used it on a...
Elaborating on this one a bit. Resetting SIC should almost never be necessary, and it often makes problems worse and reduces your ability to troubleshoot the problem. While building your...
The trust establishment negotiation is actually from the management to the gateway and from the management to the log server. The rest is accurate, yes.
There was also SunOS/Solaris, and I think you could install FW-1 on Redhat as well for a while.
The level of sensitivity to Solaris patches was a huge pain. That build also didn't get great...
Sure, but there's a great saying among programmers: the best code is the code you don't have to write. If you can arrange other things such that you don't need the modification, that's vastly...
I try really hard not to make modifications to files like the table.def, implied_rules.def, and so on. This is why. Upgrades always wipe them out, and updates sometimes do as well. Rediscovering all...
'show changes' is so close! It provides enough information to highlight items which were changed. Unfortunately, it doesn't provide enough to actually merge those changes from just the 'show changes'...
Still working on the ordering of empty sections.
Since I last posted, I have:
Added NAT rulebase display.
Added a picker to choose the policy package you want to view. It also has a special...
And back to hair-pulling frustration.
If you run 'show objects', and you get a group, that group's members are given as a list of UUIDs.
If you get the same group via 'show object', the group's...
For my initial development, I skipped dealing with certificates and so on. Instead, I coded it to use custom TLS trust evaluation, and to blindly trust any certificate presented by a particular IP...
Just ran into a more pleasant surprise! 'show object' appears to work with any UUID. Object, policy package, layer, even individual rules. I noticed when I made a mistake handling inline layers and...
Entirely possible. That said, if somebody else wants to build tools like the ones I build, this might help them avoid some of the data model potholes I've hit. It took me days to convert from a...
Found a new one. I'm probably going to report this as a bug.
Access sections don't give you their position. They have a 'from' integer and a 'to' integer for the rules inside them, but no position...
Your comment did remind me I forgot to handle cell negation. Simple enough fix. I just added a "negate" variable in my cell view, and fed it the appropriate value from the working row. SwiftUI is...
That's actually the thing I find most disappointing about the API. It was a chance for a clean break. You could have provided a VCS like Hg or Git (or even non-distributed; something like SVN), but...
It's 100% Swift 5.2. It's a very nice language. Easy to reason about. Automatic reference counting for memory management, a good static analyzer, good exception handling capabilities.
The UI is a...
I was not aware, but web applications are universally pretty awful. You have reduced working space due to the browser's chrome on top of the application chrome. In-page state interacts in really...
Funny this should be the most recent thread in the off-topic forum. I was just trying to determine where to ask if anybody was interested in a little application I've been working on.
I'm solving...
That would be my expectation. Kernels are easy to swap. It’s a single binary image stored on the disk. Point to a new one, done.
Filesystems are much harder to swap (though not impossible; Apple...
I upgraded my personal 2200 from R80.20 to R80.40 over the weekend. It has a 1.8 GHz dual-core processor, 4 GB of RAM, and a SATA SSD. Except for the SSD, it's pretty close to a worst-case scenario....
I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.
Tags aren't included in 'show objects'.
Are you kidding me?
I'm also...
Ah. Yeah. By convention, brackets indicate optional arguments in UNIX/Linux, and less-than and greater-than indicate mandatory arguments. In both cases, the enclosing characters need to be removed as...
Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a...
I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.
First, something actually very good: the API is versioned. Version...
My knowledge of Palo Alto is limited, but I know their feature to identify users on endpoints (like Identity Awareness) is trivial to misconfigure. I've seen a few Palo Altos with that feature...
SSH keys are a user-level thing. Check Point doesn't use them directly for anything, and they won't interfere with anything Check Point does.
I'm working on SCP stuff myself (specifically, still...
The file should be created as soon as you touch it, and it should have contents as soon as the >> is run. My bet would be time zone confusion (maybe he checked before the script had run?) or node...
Remove the "return 1;" from the end of line 1129, and config_system will happily set up your 2200 as a standalone system.
For some reason, I couldn't post (or preview) with that final line of...
I recently needed to get a personal Check Point license for some development work I'm doing. Getting a new software license would be hundreds to thousands of dollars, while Check Point branded...
Thanks for the comment! I'm never sure if anybody else cares about this kind of thing.
I just updated my MDS past the versions in sk163300, which changed mds_backup to no longer gzip the final tar file. That broke my file renaming logic. Testing a fix.
Edited to add: This should...
IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses)....
I normally use mds_backup -b -i -l. The b sets batch mode, which doesn't prompt for anything. The i includes the rule hit counts. The l (lowercase L) excludes logs (I have separate MLMs, so this is...
So you're aware, the last step in that list undid all the earlier steps in that list. That button exists specifically for people who don't want to build the interface themselves. I would guess that...
The first screenshot is telling you someone else is making changes to gate01, so you can't make your changes.
The second screenshot is telling you it doesn't like something about the change you...
To me, the single biggest selling point of Check Point's software is just that: it's software you can throw on your own server or VM. You can download the installer ISO for all the current versions...
I doubt the firewall would do automatic proxy ARP for the virtual server. You could try adding a proxy ARP statement or using a VIP which isn't on any real network you use.
Python has a concept of modules. A module provides functions and object types which Python by itself does not.
Apparently this script requires one called "rulebasecsv", which isn't on the system...
To expand on this, the "^M" part of the error is a control character. Control-M is a carriage return.
Different platforms encode line endings in different ways. Specifically, classic Mac OS used a...
A Check Point SmartCenter or MDS runs an internal certificate authority (ICA). It is self-signed, and is the root of trust for the SIC domain. Secondary managements, log servers, firewalls, and so on...
Are the public IPs close to any public IPs you have defined? In the same /24, for example? You can do static NAT between two network objects of the same size, so that can cause NAT to IPs you don't...
I am very much not a fan of Check Point the company, so I prefer to post here. My posting on CheckMates is mostly just code and quick answers I know off the top of my head to questions about some...