-----------------------------------------------------------------------
FW1r70_to_FWdoc V 10.6.6
2000-2010 by Volker Tanger
-----------------------------------------------------------------------

FW1r70_to_FWdoc is a Perl script that parses Checkpoint Firewall-1
(versions 3.0 up to NG R70) configuration files and produces a standard
FWdoc file that you can filter and use with standard FWdoc tools.
It is based on FW1Rules 7.3.43.

For more information about FWdoc see http://www.wyae.de/software/fwdoc/

Requirements:
  * Perl installed (version 5.something will do)
  * Checkpoint files objects.C and .W
  * It was/is being tested against Firewall-1 Version 3.x, 4.x and NG -
    where NG now is the main target.
  * The script must be run within the directory containing copies of the
    configuration files - or give the files including their paths.

KNOWN ISSUES:
  - Since NG SP3 comments are saved in the FWS files only - if you want
    comments, include them with the proper options: --merge_SP3= and
    --merge_AI= respectively.
  - Since NG FP3 the service definitions changed. So matches/pattern
    stuff will not be available for output.
  - User accounts are not read from the firewall; instead placeholders
    are created according to their usage in the firewall ruleset.
  - RPCs are not treated properly yet (requires Layer7 rewrite).

The data acquisition is based on knowledge derived from analysis of well
known configurations. The script is not (officially) supported by
Checkpoint or representatives.

Updates will be available at http://www.wyae.de/software/fwdoc/
Please check there for updates prior to submitting patches!

There is a user/developer mailing list available.
To subscribe send a mail with "subscribe fwtools" as subject to
minimalist@wyae.de

For bug reports and suggestions or if you just want to talk to me please
contact me at volker.tanger@wyae.de or fwtools@wyae.de

-----------------------------------------------------------------------
Usage:
-----------------------------------------------------------------------

-> see USAGE.txt file

-----------------------------------------------------------------------

Users of "ancient" CheckPoint installations prior to NG (i.e. 3.0 to
4.1) beware: you have to give '--objects=objects.C' as FW1r70_to_FWdoc
tries to read 'objects_5_0.C' by default. This is different from
FW1Rules.

-----------------------------------------------------------------------
Examples
-----------------------------------------------------------------------

1.) simple firewall, just convert the rules into FWDOC

    ./fw1r70_to_fwdoc.pl \
        --merge_AI=rulebases_5_0.fws \
        > my_firewall.fwdoc

2.) A number of firewall modules, configured from a central management
    module. Document all of them into FWDOC

    ./fw1r70_to_fwdoc.pl --rules=fw_berlin.W  > fw_berlin.fwdoc
    ./fw1r70_to_fwdoc.pl --rules=fw_london.W  > fw_london.fwdoc
    ./fw1r70_to_fwdoc.pl --rules=fw_toronto.W > fw_toronto.fwdoc

3.) Similarly, but pipe the output into other processing

    ./fw1r70_to_fwdoc.pl --rules=fw_berlin.W | less

4.) preparing an anonymized version for debugging purposes

    ./fw1r70_to_fwdoc.pl \
        --merge_AI=rulebases_5_0.fws \
        --anonymize \
        > my_firewall.fwdoc

-----------------------------------------------------------------------
Programming / Contributing
-----------------------------------------------------------------------

Please check the website for updates prior to submitting patches!
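Examples 2.) and 4.) above are what one types by hand; when a management station serves many modules, the conversion is usually scripted. The wrapper below is an added example written for this README and is not part of the FW1r70_to_FWdoc distribution. It batch-converts a list of .W files, merges comments from the .fws file when one is present, and refuses to keep an output file that does not parse as JSON. That last check is the practical point: the History section shows that surplus or missing commas in the generated FWdoc were the recurring bug class, so validating each result before it is fed to downstream FWdoc tools catches a regression at the source. Assumptions made here: the converter is ./fw1r70_to_fwdoc.pl in the working directory (override with FWDOC_CONVERTER), FWdoc output is JSON text, --rules= and --merge_AI= may be given in the same invocation, and the module file names fw_berlin.W etc. are the constructed ones from the examples.

```shell
#!/bin/sh
# Batch conversion of Check Point .W rulebases into FWdoc with a JSON
# sanity check on every result. Added example, not project code.
# Assumed: converter path below, JSON output, --rules= combinable with
# --merge_AI=. Override FWDOC_CONVERTER / FWDOC_FWS via the environment.

FWDOC_CONVERTER="${FWDOC_CONVERTER:-./fw1r70_to_fwdoc.pl}"
FWDOC_FWS="${FWDOC_FWS:-rulebases_5_0.fws}"

# fwdoc_is_json FILE -> exit 0 if FILE parses as JSON, 1 otherwise.
# Uses python3 when available, else perl's core JSON::PP module.
fwdoc_is_json() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$1" >/dev/null 2>&1
    else
        perl -MJSON::PP -e 'local $/; open my $f, "<", $ARGV[0] or exit 1; JSON::PP->new->decode(<$f>)' "$1" >/dev/null 2>&1
    fi
}

# fwdoc_convert RULES_W OUT_FWDOC -> convert one module.
# Comments are merged from the .fws file when it exists (NG AI and later
# keep rule comments only there, see KNOWN ISSUES). The converter writes
# to a temp file first so a failed or malformed run never leaves a
# truncated .fwdoc behind for downstream tools to trip over.
fwdoc_convert() {
    rules="$1"; out="$2"; tmp="$out.tmp.$$"
    if [ -r "$FWDOC_FWS" ]; then
        "$FWDOC_CONVERTER" --rules="$rules" --merge_AI="$FWDOC_FWS" > "$tmp" || { rm -f "$tmp"; return 1; }
    else
        "$FWDOC_CONVERTER" --rules="$rules" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    if fwdoc_is_json "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        echo "fwdoc: output for $rules is not valid JSON, discarded" >&2
        return 1
    fi
}

# fwdoc_convert_all RULES_W... -> NAME.fwdoc for each NAME.W given.
# Keeps going past failures; the return value is the number of modules
# that failed, so 0 means every output file is present and parses.
fwdoc_convert_all() {
    failed=0
    for w in "$@"; do
        base="${w%.W}"
        fwdoc_convert "$w" "$base.fwdoc" || failed=$((failed + 1))
    done
    return $failed
}

# Usage: sh fwdoc_batch.sh fw_berlin.W fw_london.W fw_toronto.W
if [ $# -gt 0 ]; then
    fwdoc_convert_all "$@"
fi
```

The non-zero return from fwdoc_convert_all makes the wrapper usable from cron or a build job: a module whose FWdoc output is rejected shows up as a failed run rather than as a silently broken document further down the pipeline.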
-----------------------------------------------------------------------
History
-----------------------------------------------------------------------

June 2010 v10.6.6
  * Mike Barkett
    - added service timeout
    - icmp layer3 filter set correctly
  * David DeSimone
    - fixed time
  * Volker Tanger

April 2010 v10.4.28
  * Neil Burt
    - fixed error with zero NAT rules
    - fixed odd group behaviour with NGX clusters
  * Volker Tanger
    - update to R70
    - added interface support for in/out to rules (constant "Any" with CKP)
    - changed "name" handling (now separate, no longer part of comment)
    - added VPN-context (filtering within VPNs) to access rules
    - corrected problems with merging FWS files (dynamic rules with R70)
      THIS WITH AN UGLY HACK - need more input on that, but, alas, it
      does not throw errors anymore...

March 2008 v0.8.15
  * Volker Tanger
    - changed handling of implicit NAT - now is distinct from explicit NAT
    - corrected handling of IP ranges

June 2008 v0.8.14
  * Volker Tanger
    - filtered out the "Reference Object" on "install on" rules
      (bug reported & analyzed by Stojan Rancic)

v0.8.13
  * Volker Tanger
    - filtered out the "Reference Object"
    - added "install on" for implicit NAT defined in objects
    - corrected problem in INSTALL_ON - thanks to Darran Boyd!

March 2008 v0.8.11
  * Jacob Jacobson & Volker Tanger
    - added NG R65 compatibility

July 2007 v0.8.11
  * Volker Tanger
    - replaced BACKslashes from DOS-based FW1 configs which led to errors
      (illegal escape sequences)
  * Dave Pascoe
    - added explanation for Windows errors

v0.8.10
  * Volker Tanger
    - corrected multiple bugs: empty arrays are not permissible in JSON.
      Thus printing out empty arrays should not happen.

July 2007 v0.8.9
  * J.D. Baldwin
    - found the annoying bug that only occurred when installing on
      multiple firewalls: a missing comma! Again!
  * Volker Tanger
    - found bug which prevented layer7 (security services) from being
      recognized

July 2007 v0.8.8
  * Miklós Zakar
    - found a bug within implicit NAT rules - superfluous comma

May 2007 v0.8.7
  * Volker Tanger
    - added the "--anonymize" option
    - removing all quotes from the parameters thus preventing some JSON
      errors

April 2007 v0.8.6
  * Volker Tanger
    - corrected missing comma in first implicit NAT rule (thanks to Carl
      Siegemund for the bugreport)

February 2007 v0.8.5
  * Volker Tanger
    - corrected empty layer7 / users (thanks to Daniel Wisniewsky for the
      bugreport)

February 2007 v0.8.4
  * Volker Tanger
    - corrected NAT Rule handling (missing install-on)
    - changed ORIG_ data structures in NAT rules to list
    - added user "creation" if used in list

February 2007 v0.8.3
  * Volker Tanger
    - corrected typo in NATrules (nat_servce)
    - corrected rule numbering
    - dissected layer7 binding in rules
    - dissected user-auth binding in rules
    - corrected implicit rules and objects
    - corrected NAT rule numbering

February 2007 v0.8.2
  * Volker Tanger
    - corrected incomplete implicit rules

February 2007 v0.8.1
  * Volker Tanger
    - restricted output to STDOUT only to enable pipe
      filtering/processing
    - corrected *dozens* of JSON errors (mostly surplus commas)

-----------------------------------------------------------------------
Shortcut: Distributable under GPL
-----------------------------------------------------------------------

Copyright (C) 2000-2009 Volker Tanger

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA,
or see their website http://www.gnu.org/copyleft/gpl.html
-----------------------------------------------------------------------