-----------------------------------------------------------------------
 FW1Rules V 7.3.43 (2008-03-04)
 2000-2008 by Volker Tanger
-----------------------------------------------------------------------

The Perl program "FW1Rules" reads the configuration files of Checkpoint
Firewall-1 and produces a well readable, cross-referenced HTML summary
of the firewall configuration. Additionally, network and service
objects, users, rules and settings can be dumped into separate files
(TXT and tab-separated tables) or rendered through templates (TXT, CSV,
SQL, etc.).

Support for Checkpoint Firewall-1 versions 3.x, 4.x and NG up to SP3 is
tested and stable. Compatibility with newer releases is continuously
being improved (see the version table under "Known Issues").

-----------------------------------------------------------------------
 Requirements:
-----------------------------------------------------------------------

 * Perl installed (version 5.something will do)
 * the Checkpoint files objects.C and the rulebase .W file(s)
 * It was/is being tested against Firewall-1 Version 3.x, 4.x and NG,
   where NG now is the main target.
 * The script must be run in a directory containing copies of the
   configuration files, or the files must be given including their
   paths.

-----------------------------------------------------------------------
 Known Issues
-----------------------------------------------------------------------

As CheckPoint likes to change the configuration file format from version
to version (or in newer times: from patch to patch), you will need to use
at least these FW1Rules versions for your system:

   CheckPoint Versions          Minimum FW1Rules Version
   ------------------------------------------------------
   3.0 - 4.1 SP1                fw1rules 6.1.4
   3.0 - 4.1 SP3                fw1rules 7.1.4
   3.0 - NG = 2000              fw1rules 7.3.5
   3.0 - NG SP3                 fw1rules 7.3.30
   3.0 - NG AI (up to R55)      fw1rules 7.3.39
   3.0 - NGX (up to R65)        fw1rules 7.3.43

KNOWN ISSUES (up to 7.3.x branch):

 - Since NG SP3 comments are saved in the FWS files only. If you want
   comments, include them with the proper commands: --merge_SP3= and
   --merge_AI= respectively.
 - Since NG FP3 the service definitions have changed, so the
   match/pattern details of services are not available for output.
 - Network objects used only outside the NAT/access rulebases (i.e.
   outside the currently processed parts) are not marked as "used" and
   thus are not printed in standard mode. Examples are encryption
   domains, servers, cluster objects, etc. This behaviour will be
   corrected automatically as each corresponding part is implemented.
 - IKE is printed with the UDP icon, not with its own IKE icon.
   Originally this was simply due to a missing graphic; I think
   displaying it as UDP is just as good.
 - Properties / settings seem to be off in parts sometimes. Please
   report your experiences.
 - Templates work but could be done better - especially the atrocious
   LaTeX output. Someone help here, please?
 - See below ("Hopefully one day") for missing stuff.
 - Some of the current implementations (e.g. servers, interfaces) are
   not implemented for templates yet.
 - Quite a few NG icons are still missing - especially there currently
   are no negated ones. Help, someone?

-----------------------------------------------------------------------
 Roadmap / Contributing
-----------------------------------------------------------------------

Please check the website for updates prior to submitting patches!

The development of this codebase is frozen, but there's work underway
on a new codebase that will include full support for NGX (R60) and
later. This "FW1Rules" development line will be discontinued; please
see the successor project FWdoc (http://www.wyae.de/software/fwdoc/).

-----------------------------------------------------------------------
 Alternatives
-----------------------------------------------------------------------

 * FWDoc system
   http://www.wyae.de/software/fwdoc/
   FWdoc is our vendor-independent standard of storing firewall ruleset
   configurations.
   We provide tools to extract the ruleset from proprietary formats into
   FWdoc format (in JSON), filter rules and objects, and export them into
   a number of other formats. From the FWdoc file you can produce a well
   readable, cross-referenced HTML summary of the firewall configuration.
   A dump of network and service objects, users, rules and settings into
   separate files (TXT and tab-separated tables) or templates (TXT, CSV,
   SQL, etc.) is possible.

 * CheckPoint's own Web Visualization Tool
   http://www.checkpoint.com/downloads/quicklinks/utilities/ngx/utilities.html (NGX)
   http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#visualization (NG)
   Creates HTML pages from configurations. Only runs on a licensed
   management server. Binary distribution.

 * CheckPoint's own GUI DB-Edit
   http://www.checkpoint.com/downloads/quicklinks/utilities/downloadsng/utilities.html#dbtool
   Mangle objects in the definition files. Only runs on a licensed
   management server. Binary distribution.

 * CPRules
   http://www.wormnet.nl/cprules/
   A quite new Perl script, converting NG (only) rulesets into a number
   of HTML pages. Templates are supported, too.

-----------------------------------------------------------------------
 Usage:
-----------------------------------------------------------------------

 -> see USAGE.txt file

-----------------------------------------------------------------------

CheckPoint-NG users beware: do use the 'objects_5_0.C' file, not the
additionally provided 'objects.C', for your '--objects=' option.

Extended usage or intelligent combination with other techniques and
tools for enhanced admin support
 -> see ADVANCED_USAGE.txt file

Working with templates
 -> see templates/README_TEMPLATES.txt file

Additional tools included with this package (see contrib directory):
   anon_objects.pl
   fwdbexport.pl
   ruleshistory.sh

-----------------------------------------------------------------------
 Examples
-----------------------------------------------------------------------

1.) Simple firewall: just put the rules into HTML.

       fw1rules.pl --output_html=configuration.html

2.) A number of firewall modules, configured from a central management
    module. Document all of them into HTML:

       fw1rules.pl --rules=fw_berlin.W --output_html=fw_berlin.html
       fw1rules.pl --rules=fw_frankfurt.W \
                   --output_html=fw_frankfurt.html
       fw1rules.pl --with_implicit_rules \
                   --rules=fw_munich.W --output_html=fw_munich.html

3.) Run a firewall analysis - or just do some cleanup. The HTML includes
    everything in one solid piece with objects and services sorted by
    type - plus a printout of unused objects, which can save a lot of
    time when cleaning up:

       fw1rules.pl --with_implicit_rules \
                   --dump_unused_objects=unused_objects.txt \
                   --sort_by_type --output_html=configuration.html

4.) Do a simple, compatible customer documentation. For this we need an
    easy-to-read text representation to be included as an appendix.
    This is a primitive example of how to work with templates:

       fw1rules.pl \
                   --template=templates/fullconfig.txt \
                   --output=configuration.txt

-----------------------------------------------------------------------
 Programming / Contributing
-----------------------------------------------------------------------

The data acquisition is based on knowledge derived from analysis of
well known configurations. The script is not (officially) supported by
Checkpoint or its representatives.

There is a user/developer mailing list available. To subscribe send a
mail with "subscribe fwtools" as subject to minimalist@wyae.de

For bug reports and suggestions, or if you just want to talk to me,
please contact me at volker.tanger@wyae.de or fwtools@wyae.de

-----------------------------------------------------------------------
 Forks, Scions (youngest first)
-----------------------------------------------------------------------

ASLrules        started 08/2002 from FW1Rules 7.3.0 by Volker Tanger
   The ASLrules script does similar things for the "Astaro Security
   Linux" firewall.
   The script homepage is located at
   http://www.wyae.de/software/aslrules/

Cp2FWbuilder    started 02/2002 from FW1Rules 7.1.0 by Stefan Majer
                (email unreachable)
   The project CP2FWBUILDER converts FW-1 rulesets into a FWBUILDER
   configuration file (XML). The project is located at SourceForge
   (http://cp2fwbuilder.sourceforge.net/) - but seems to have been
   stalled for quite some time now.

fw2tux          started 01/2002 from FW1Rules 7.1.0 by Volker Tanger
   The Perl script is written to convert a Checkpoint FW-1 rulebase to
   a similar Linux (kernel 2.4) IPChains/Netfilter configuration
   script - still ALPHA release.

fwrules 6.4.1   fork started July 2001 from FWRules V6.1.2
                by Johta Nakatsuma / Stephen Poon
   They added some features (resources, authentication, interfaces),
   but unfortunately the changes never made it back to me before I
   started the new code base. After I discovered the (by then a few
   months old) code I changed the name to FW1Rules to mark that fork
   and the new codebase. So beware - there are overlapping versions
   after 6.1.2 that both run under the same name FWRULES.

-----------------------------------------------------------------------
 Shortcut: Distributable under GPL
-----------------------------------------------------------------------

Copyright (C) 2000-2008 Volker Tanger

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
USA, or see their website http://www.gnu.org/copyleft/gpl.html

-----------------------------------------------------------------------
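-----------------------------------------------------------------------
 Worked example: what an "unused objects" check does
-----------------------------------------------------------------------

Example 3 above dumps objects that no rule references, and the Known
Issues list warns that objects used only in parts that were not
processed (other rulebases, NAT, encryption domains) are reported as
unused. The Python script below is an added illustration of that
cross-reference; it is not part of FW1Rules or of any tool listed above.
It parses the nested-paren ":key (value)" style that objects.C and the
rulebase .W files use, then subtracts every name referenced from a
rule's src/dst/services from the set of defined network objects and
services. The file contents, object names, attribute set and the
shortened ": (name)" reference syntax are constructed for this example;
real NG files carry more attributes and longer reference records.

```python
"""Added illustration, not FW1Rules code: parse Checkpoint-style
":key (value)" files and report objects no rule references, the kind
of check --dump_unused_objects performs. All sample data is constructed."""
import re

# Constructed objects.C-style sample with a simplified attribute set.
OBJECTS_C = r'''
(
  :network_objects (
    :web_dmz   ( :type (host)    :ipaddr (192.0.2.10) :comments ("DMZ web server") )
    :db_int    ( :type (host)    :ipaddr (10.0.0.20) )
    :old_proxy ( :type (host)    :ipaddr (10.0.0.99) :comments ("decommissioned") )
    :lan       ( :type (network) :ipaddr (10.0.0.0)   :netmask (255.255.255.0) )
  )
  :services (
    :http  ( :type (tcp) :port (80) )
    :mysql ( :type (tcp) :port (3306) )
  )
)
'''

# Constructed .W-style sample; ": (name)" stands in for the real reference records.
RULEBASE_W = r'''
(
  :rule ( :src ( : (lan) )     :dst ( : (web_dmz) ) :services ( : (http) )  :action (accept) )
  :rule ( :src ( : (web_dmz) ) :dst ( : (db_int) )  :services ( : (mysql) ) :action (accept) )
  :rule ( :src ( : (Any) )     :dst ( : (Any) )     :services ( : (Any) )   :action (drop) )
)
'''

# Tokens: parens, quoted strings, ":key" (a bare ":" is an empty key), words.
TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|:[^\s()"]*|[^\s()"]+')

def _parse_value(tokens, i):
    """Return (value, next index). Tables are lists of (key, value) pairs
    (keys repeat in this format); "(x)" collapses to the scalar "x"."""
    if tokens[i] != "(":
        tok = tokens[i]
        return (tok[1:-1] if tok.startswith('"') else tok), i + 1
    i += 1
    items = []
    while tokens[i] != ")":
        if tokens[i].startswith(":"):
            key = tokens[i][1:]          # bare ":" gives key "" (a reference)
            value, i = _parse_value(tokens, i + 1)
            items.append((key, value))
        else:
            value, i = _parse_value(tokens, i)
            items.append((None, value))
    if len(items) == 1 and items[0][0] is None:
        return items[0][1], i + 1
    return items, i + 1

def parse_c_file(text):
    """Parse a whole file, rejecting truncated or trailing input."""
    tokens = TOKEN.findall(text)
    try:
        value, end = _parse_value(tokens, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(tokens):
        raise ValueError("trailing tokens after the top-level table")
    return value

def lookup(tree, *path):
    """Follow a key path through nested tables; None if absent."""
    for key in path:
        if not isinstance(tree, list):
            return None
        tree = next((v for k, v in tree if k == key), None)
    return tree

def _pairs(node):
    return node if isinstance(node, list) else []

def defined_objects(objects_tree):
    """Names defined in the network_objects and services tables."""
    return {k for table in ("network_objects", "services")
            for k, _ in _pairs(lookup(objects_tree, table)) if k}

def referenced_names(rules_tree):
    """Every object name referenced from a rule's src/dst/services."""
    return {ref for key, rule in _pairs(rules_tree) if key == "rule"
            for field in ("src", "dst", "services")
            for ref_key, ref in _pairs(lookup(rule, field))
            if ref_key == "" and isinstance(ref, str)}

def unused_objects(objects_text, *rulebase_texts):
    """Defined objects that no rule in the given rulebases references.
    Caveat (same as FW1Rules'): an object used only in a part not passed
    here (another .W, NAT, encryption domains) is reported as unused."""
    used = set()
    for text in rulebase_texts:
        used |= referenced_names(parse_c_file(text))
    return sorted(defined_objects(parse_c_file(objects_text)) - used)

if __name__ == "__main__":
    for name in unused_objects(OBJECTS_C, RULEBASE_W):
        print("unused:", name)
```

Run as-is, it reports only old_proxy. Call unused_objects() with every
.W file of the management station before acting on the list: with no
rulebases passed, every object is "unused", which is exactly the
over-reporting the Known Issues entry describes.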