Checkpoint
General Information
The Forward Collector will automatically collect VSX virtual instances assuming that the login credentials have administrative access to the firewall. No additional configuration is necessary in most cases.
Credentials
An expert/privileged mode or a non-expert mode (Gaia shell) password must be supplied in the credentials to collect from Checkpoint firewalls. However, the non-expert CLI has no native commands to collect some data, such as User Identity (user-id) and bridge domain (bridge) information.
Starting with release 23.7, Forward can collect user-id and bridge information in non-expert mode by expanding the set of commands available in the non-expert CLI. This applies to both the "Checkpoint gateway with manager" and the "Checkpoint non-expert mode" connection types.
This is only needed if you use these features and cannot provide expert mode access.
Collect User Identity in non-expert mode
The expert/privileged mode command pdp monitor all is used to get the user/IP association.
To get this result from the Gaia shell (non-expert mode), you can create an additional shell command alias for the expert mode command.
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which pdp
/opt/CPsuite-R81.10/fw1/bin/pdp
- Step 3: Add a command alias named pdp for this path and save the config
checkpoint> add command pdp path /opt/CPsuite-R81.10/fw1/bin/pdp description "PDP monitor"
Command (pdp) was added.
checkpoint> save config
Collect Bridge Domain in non-expert mode
If a Checkpoint device has a bridge interface (for example, a VSX device with virtual switches), Forward needs to collect the command brctl showmacs $iface.
To get this result from the Gaia shell (non-expert mode), you can create an additional shell command alias for the expert mode command.
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which brctl
alias brctl='/bin/brctl_start'
/bin/brctl_start
- Step 3: Add a command alias named brctl for this path and save the config
checkpoint> add command brctl path /bin/brctl_start description "Bridge control"
Command (brctl) was added.
checkpoint> save config
Collect using Checkpoint non-expert mode
Starting with release 24.7, Forward can collect without expert mode access by expanding the set of commands available in the non-expert CLI, using the Checkpoint non-expert mode connection type. This requires adding the following command aliases on each Checkpoint device that will be collected with this connection type.
Create pdp command alias
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which pdp
/opt/CPsuite-R81.10/fw1/bin/pdp
- Step 3: Add a command alias named pdp for this path and save the config
checkpoint> add command pdp path /opt/CPsuite-R81.10/fw1/bin/pdp description "PDP monitor"
Command (pdp) was added.
checkpoint> save config
Create brctl command alias
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which brctl
alias brctl='/bin/brctl_start'
/bin/brctl_start
- Step 3: Add a command alias named brctl for this path and save the config
checkpoint> add command brctl path /bin/brctl_start description "Bridge control"
Command (brctl) was added.
checkpoint> save config
Create env command alias
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which env
/bin/env
- Step 3: Add a command alias named env for this path and save the config
checkpoint> add command env path /bin/env description "Environment"
Command (env) was added.
checkpoint> save config
Create cat command alias
- Step 1: SSH into the Checkpoint device and run expert to enable expert mode
- Step 2: Check the full path of the command
[Expert@checkpoint:0]# which cat
/bin/cat
- Step 3: Add a command alias named cat for this path and save the config
checkpoint> add command cat path /bin/cat description "Cat"
Command (cat) was added.
checkpoint> save config