CheckPoint VPN-1 / Firewall-1

Nipper requires a copy of the CheckPoint VPN-1/Firewall-1 configuration files in order to produce a report. This page describes how to retrieve the configuration from a device and how to use Nipper to produce a report from it.

Getting The Configuration Files

This section outlines the methods available for obtaining a copy of your CheckPoint VPN-1/Firewall-1 configuration. Nipper can process the configuration of both CheckPoint management modules and firewall modules.

SSH and Secure Copy

If the CheckPoint server runs an SSH service, use it to retrieve the configuration files as follows.

  1. Connect to the CheckPoint VPN-1/Firewall-1 device using SSH.
  2. Login.
  3. Locate the configuration directory. It is named conf and can be found using the $FWDIR environment variable. The directory should contain a number of files, such as objects.C, rulebases_5_0.fws and possibly several files ending in .W.
  4. Archive the directory using your favorite archiving program. The following command creates a tar archive of the conf directory on Sun Solaris:
    tar -cvf firewall1.tar conf
  5. Transfer the file to your Nipper host. The following example uses scp to transfer the file securely from the Sun Solaris VPN-1/Firewall-1 host at 192.168.0.60 to the local host:
    scp firewall@192.168.0.60:/home/firewall/firewall1.tar firewall1.tar
  6. Extract the archive to the location where you want Nipper to process it. Nipper cannot read archive files directly, so it must be pointed at the extracted files. The following command extracts the tar archive created above:
    tar -xvf firewall1.tar

Using Nipper

Nipper has a number of options that change how a CheckPoint VPN-1/Firewall-1 configuration is processed, and it supports both CheckPoint management and firewall module configurations. Other Nipper options are described later in this section. A CheckPoint VPN-1/Firewall-1 configuration can be processed with the following command, which uses the conf directory as its input:

nipper --fw1 --input=/home/firewall/conf --output=report.html
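The retrieval steps above end with an extracted conf directory on the Nipper host, and the command above then processes it. The following script is an added example, not part of the Nipper documentation: it checks that the extracted directory actually contains the files named in step 3 before Nipper is invoked, so that a truncated or mis-targeted archive is caught early. It assumes only the file names (objects.C, rulebases_5_0.fws, *.W) and the nipper options (--fw1, --input, --output) given on this page.

```shell
#!/bin/sh
# Added example, not part of the Nipper documentation. Validates an
# extracted CheckPoint conf directory on the Nipper host, then runs
# Nipper on it. File names and nipper options are taken from this page.

# check_fw1_conf DIR: return 0 if DIR holds the mandatory files, 1 otherwise.
# Reports missing files on stderr and the number of .W files on stdout.
check_fw1_conf() {
    dir=$1
    status=0
    for f in objects.C rulebases_5_0.fws; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            status=1
        fi
    done
    # .W rulebase files may or may not be present, so only count them.
    wcount=0
    for w in "$dir"/*.W; do
        [ -f "$w" ] && wcount=$((wcount + 1))
    done
    echo "$dir: $wcount .W file(s)"
    return $status
}

# run_fw1_report DIR OUTPUT: validate DIR, then produce the HTML report.
run_fw1_report() {
    check_fw1_conf "$1" || return 1
    nipper --fw1 --input="$1" --output="$2"
}

# Usage (constructed example paths): sh check_fw1.sh /home/firewall/conf report.html
if [ $# -ge 2 ]; then
    run_fw1_report "$1" "$2"
fi
```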

Report Formats

Nipper currently supports HTML, XML, LaTeX and ASCII text report formats. The default format is HTML. The following command line options tell Nipper to output in a specific format:

Policy Collection Auditing

As part of a security audit of your device configuration, Nipper audits the policy collections and their rules. The audit is based on a network filtering policy that you can define yourself; otherwise Nipper uses its own built-in defaults.

The following command line options enable checking for particular issues:

Each setting can be reversed using a --no-{policy} instead of --{policy}.

The policy collection can also be written to a separate CSV file for further analysis. To do this, supply Nipper with the name of the CSV file it should write to, using --csv=rulesfile.csv, where rulesfile.csv is the name of the CSV file.

Configuration File

All the settings described in this section, and more, can be configured using an external configuration file. On Linux and UNIX-type systems this file is called nipper.conf and is typically stored in /etc. On Windows systems the file is called nipper.ini and is loaded automatically from the current directory. The two files have the same format; if no configuration file is found, Nipper uses its internal default settings.

A specific external configuration file can be specified on the command line using --config={Config Filename}.

The file is self-documenting and its settings generally correspond to the command line options. The default configuration file can be downloaded from here.