Export Checkpoint Firewall Policy to HTML/XML/Excel and Checkpoint Management Portal using cpdb2web tool - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, September 17, 2014

Export Checkpoint Firewall Policy to HTML/XML/Excel and Checkpoint Management Portal using cpdb2web tool

I was looking for a tool to export Checkpoint Management Server database to a readable format in Excel or Html format. Checkpoint already has a great tool and KB to present a solution for this purpose:

"sk64501:Exporting Check Point configuration from Security Management Server into readable format using Web Visualization Tool"

1. Installation the Web Visualization Tool cpdb2html

Download it from the link.
Extract the file cpdb2web_B983000003_1.tgz into a folder. You will get these files in the folder:


2. Command line

C:\Tools\cpdb2web_B983000003_1>cpdb2html.bat ?Check Point Web Visualization Tool
Usage: cpdb2html cpdb2html_path output_directory security_management (admin_name
 or certificate_file) password [-o output_file_name] [-m gateway] [-gr] [-go]
Where:
cpdb2html_path      - Web Visualization Tool's root directory.
output_directory    - Path to place the result html file.
security_management - Name or IP address of the Security Management.
                      (for Multi-Domain Security Management the IP associated
                      with a Domain).
admin_name /
certificate_file    - User name of a Security Management administrator, or full
                      path of a certificate file.
password            - Administrator's password, or certificate's password.
-o output_file_name - HTML output file name to use
                      (default file name is '1.html').
-m gateway_name     - A specific gateway for which to generate the policy.
-gr                 - For Check Point Multi-Domain Security Management only.
                      When the -gr option is set the output will include
                      customer rules only (no global rules).
-go                 - For Check Point Multi-Domain Security Management only.
                      When the -go option is set the output will include
                      customer objects only (no global objects).
C:\Tools\cpdb2web_B983000003_1>cpdb2html.bat c:\tools\cpdb2web_B983000003_1 c:\tools\output 192.168.2.37 admin Password1234
CUR_PATH = c:\tools\cpdb2web_B983000003_1
TARGET_DIR = c:\tools\outputHOST = 192.168.2.37
USERNAME = adminPASSWORD = Password1234
TEMP_DIR = "c:\tools\output\temp"
XSLDIR = c:\tools\cpdb2web_B983000003_1\xsl
XSLFILE = stripped_html.xsl
BASE_XML_FILE = stripped_html.xml
OUTPUT_FILE = 1.html
POLICY_NAME = standard
Connected to Security Management version 9.9.0.
Querying tables...
Processing table Communities ...FinishedProcessing table FireWall Policies ...FinishedProcessing table Network Objects ...FinishedProcessing table Services ...FinishedProcessing table Users and Administrators ...Finished
0 1 file(s) copied. 1 file(s) copied.C:\Tools\cpdb2web_B983000003_1>
Notes: you could customize your output file name with date and time in it. Here is a script example with date in the output name used in my test environment:

cd D:\Download\cpdb2webcpdb2html.bat d:\Download\cpdb2web d:\Download\cpdb2web\output 10.9.2.7 admin Password1234 -o %date:~0,2%_%date:~3,2%_%date:~6,4%_%date:~11,2%_%date:~14,2%policy.html

I got output file name "10_09_2014__policy.html" when ran on Sep 10 2014. If you run this .bat file in a windows schedule task weekly as shown below, you will get an automatically backup of your policies.

3. Output in HTML and Excel

Html page will include Security Policy, Address Translation Policy, Network Objects, Users and Services.

The policy can be imported / copied into Excel for further editing.

Notes:

1. Actually the cpdb2html.bat is only able to use to export one active or last opened policy to html. For multiple policies you either use -m option to specify the gateway one by one in your script just like following line: 

cpdb2html.bat d:\Download\cpdb2web d:\Download\cpdb2web\output 10.4.2.3 admin password1234 -o %date:~0,2%_%date:~3,2%_%date:~6,4%_%date:~11,2%_%date:~14,2%test-Internet.html -m CP-Internet

2 You could use following script (cpdb2web.exe) to export all policies to xml file, then convert them one by one to html pages:

mkdir output\tempset output_dir=D:\Download\cpdb2web\output\%date:~0,2%_%date:~3,2%_%date:~6,4%_%date:~11,2%_%date:~14,2%mkdir %output_dir%echo %output_dir%
cpdb2web -s 10.4.2.3 -u admin -p passwoed -o d:\Download\cpdb2web\output\temp
copy D:\Download\cpdb2web\xsl\strip*.* D:\Download\cpdb2web\output\temp\strip*.*
cd D:\Download\cpdb2web\output\tempcopy ECOMM_Security_Policy.xml Security_Policy.xmlcopy ECOMM_Nat_Policy.xml Nat_Policy.xmlcd D:\Download\cpdb2webXalan.exe -o %output_dir%\Brazil-DMZ.html "D:\Download\cpdb2web\output\temp\stripped_html.xml" "D:\Download\cpdb2web\output\temp\stripped_html.xsl"
cd D:\Download\cpdb2web\output\tempcopy DMZ_Security_Policy.xml Security_Policy.xmlcopy DMZ_Nat_Policy.xml Nat_Policy.xmlcd D:\Download\cpdb2webXalan.exe -o %output_dir%\Test-RAS.html "D:\Download\cpdb2web\output\temp\stripped_html.xml" "D:\Download\cpdb2web\output\temp\stripped_html.xsl"

3. For browsing purpose, the easiest way is to copy all these XML files inside this sub-directory. Firefox is best one for browsing xml file. Chrome and IE will not process xml file the way we want:

<Visualization_Tool_installation_directory>/xsl/xml/.

Then, open the <Visualization_Tool_installation_directory>/xsl/index.xml file with your web browser .

In my case, command line is :

copy D:\Download\cpdb2web\output\temp\*.* D:\Download\cpdb2web\xsl\xml\*.*

Then open it in the browser:

------------------------------------------------------------------------------------------------------------

Checkpoint Management Portal Screenshots:

It can show gateways status, logs, policies and objects.




No comments:

Post a Comment