Management Server

Overview

©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals 1

Introduction
Agenda

1 MGMT roles

2 Main processes

3 Important Database files

4 GUI DBedit

- Not for distribution -
MGMT server main roles

The MGMT server has several important roles:

- Policy Configuration
- Certificate Authority
- Log Server
- Status Monitoring

We will discuss these roles further on.


MGMT server main roles

Policy Configuration
The MGMT server is the entity responsible for configuring, maintaining and deploying the policy among the different managed GWs.

Certificate Authority
As you know, Check Point products use certificates for different purposes such as SIC and VPN.
The MGMT server functions as the Certificate Authority of all managed Check Point products; therefore it is responsible for generating, managing and validating the certificates for the products we are managing in our environment.
We will learn about the MGMT server CA, also known as the ICA (Internal Certificate Authority), more extensively in later chapters.


MGMT server main roles

Log Server
By default the MGMT server also functions as a log server, meaning that all managed GWs will send their logs to the MGMT server.
It is also possible to install a dedicated log server in addition to the MGMT server.

Status Monitoring
The MGMT server is also responsible for monitoring the different Check Point products in the environment.
It monitors various parameters for each product (such as CPU and memory consumption, interfaces, statuses etc.).
The different statuses are presented in SmartView Monitor.


The fwm process

Who is it?
The main process of the MGMT server is the fwm process.
It will only run on MGMT products such as MGMT, Log server and Eventia.
The fwm process is responsible for most operations made in the MGMT server.

What does it do?
The fwm process is responsible for several operations:

1. Serving the different GUI clients
2. Database tasks
3. Collecting statuses
4. Policy compilation


fwm - Main roles

1. Serving GUI clients

- All the communications between the different GUI clients (SmartDashboard\Tracker\Monitor etc.) and the MGMT server are done through the fwm process on the MGMT server using the CPMI protocol (Check Point MGMT Interface) over port 18190.
- In this scenario the SmartConsole applications act as CPMI clients while the fwm process acts as a CPMI server.

For example: whenever we connect to the MGMT server with SmartDashboard we are basically opening a connection from the GUI machine to the fwm process on the MGMT server over port 18190 via the CPMI protocol.
In the background: during the login process the GUI client sends CPMI commands to the fwm process asking it to present the database; the fwm process then sends the relevant database information, which allows us to view our database via SmartDashboard.

Note: In case the fwm process is down, or if port 18190 is blocked for some reason, it will not be possible to establish a connection to the MGMT server with any GUI client.


fwm - Main roles

2. Database tasks
The fwm process is also responsible for performing all database tasks, such as creating, removing and modifying objects, rules etc.
Whenever we create an object via SmartDashboard we are basically sending a CPMI command to the fwm process on the MGMT server requesting it to create the object.

3. Collecting statuses
All statuses presented in SmartView Monitor are collected by the fwm process.
The fwm process contacts the different GWs, asking them to send their statuses, and then presents them in SmartView Monitor.

4. Policy compilation
As you will learn later on, the policy installation process has several stages.
The first stage in the policy installation process is verifying the policy and compiling it to a "language" the GW can understand and implement.
The verification and compilation stages are performed by the fwm process.


fwm - Log file

What is it?

- Each Check Point process (such as fwm) has a unique log file. The name of the log file has the form <process name>.elg.
- By default, the process writes only "critical" messages to its log file (for example: every time the fwm process starts or crashes).
- Most Check Point log files are stored under $FWDIR/log, and some of them are under $CPDIR/log.

Note: the fwm log file is called fwm.elg and it is located under $FWDIR/log.


fwm - Log file

This is an example of the fwm.elg log file (only one of its many lines is presented in the output as an example):

[FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: Sat Dec 18 23:04:47 2010
VPN-1 Power/UTM SmartCenter Server is running
FireWall-1 SmartCenter Server going to die on sig 15

FWM - the process name.
2309 - PID (process id). Each time a process comes up it gets a unique ID number from the operating system. This number (PID) will accompany the process until it is restarted (due to an administrator operation such as reboot, cpstop; cpstart etc.) or crashes. Each of those scenarios is mentioned in the log file.
cpmodule - the machine hostname.
[18 Dec 23:04:47] FWM - the date and time when the message was written. This information is extremely important for understanding whether the message is relevant to the examined issue.
The remainder of the line (highlighted in pink on the slide) is the message itself written into the fwm.elg file.

NOTE: In some cases we need to collect a more detailed output about the fwm process operation in order to troubleshoot the issue (for example if we can't connect to the MGMT server with the Dashboard). We will discuss this further on.


fwm - debug

In order to get a more detailed output we can enable debug mode for the fwm process.
While the fwm process runs in debug mode it writes a detailed output of every operation it performs into the fwm.elg file.
That will assist us in many cases in identifying the source of the problem.

In order to enable the fwm process in debug mode we need to perform the following:

1. Start the fwm debug by running the following command on the MGMT server:
   # fw debug fwm on TDERROR_ALL_ALL=5

   Note: In order to print all data to a single file run:
   # tail -f $FWDIR/log/fwm.elg >& <output file name>

2. Reproduce the problem, or take the relevant steps you want to investigate.

3. Stop the debug by running the following command on the MGMT server:
   # fw debug fwm off TDERROR_ALL_ALL=0
   Stop the tail with CTRL+C.

4. As mentioned previously, all output will be written to $FWDIR/log/fwm.elg*, or if tail is used it will be printed to the <output file name>.


fwm.elg file indicating an object creation

The following fwm.elg excerpt shows the CPMI command that is sent to the fwm process to create an object (annotations from the slide: :chkpf_uid is the object's UID, :ipaddr is the object's IP):

wm_cpmi_command_handler: Command set=
(
  :type (command)
  :subject (update-object)
  :body (
    :object (training
      :AdminInfo (
        :chkpf_uid ("{2BB83456-1011-43FC-A45F-71B005FE369B}")
        :ClassName (host_plain)
        :NewObject (true)
        :table (network_objects)
        :Wiznum (-1)
      )
      :read_community ()
      :sysContact ()
      :sysDescr ()
      :sysLocation ()
      :sysName ()
      :write_community ()
      :add_adtr_rule (false)
      :certificates ()
      :data_source (not-installed)
      :edges ()
      :enforce_gtp_rate_limit (false)
      :gtp_rate_limit (2048)
      :interfaces ()
      :os_info ()
      :DAG (false)
      :NAT ()
      :SNMP ()
      :VPN ()
      :additional_products ()
      :color (black)
      :comments ()
      :cp_products_installed (false)
      :data_source_settings ()
      :firewall (not-installed)
      :floodgate (not-installed)
      :ipaddr (1.1.1.1)
      :type (host)
    )
    :database ()
    :db_open_id (0x4D0D4EDF)
  )
  :no-reply (false)
  :seq (62)


fwm - debug

- The fwm.elg log file is limited to 20MB. Therefore, once it reaches 20MB the process starts writing to a new log file: the previous data is kept in fwm.elg.0 and the fwm.elg log file contains the most up-to-date data.
- Another limitation is that only 10 fwm log files are kept. In case the system tries to write a new log file (the 11th), the oldest log file (fwm.elg.8) is removed automatically and all other log files are renamed accordingly.

Note: fwm.elg will always contain the most up-to-date info written by the fwm process.

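The record format described on the fwm.elg slide and the rotation scheme above, worked as an added example (not code from the deck): a parser for the `[PROC PID TID]@host [dd Mon HH:MM:SS] PROC: message` header, a restart detector built on it, and a helper that lists the rotated files oldest first. The sample records are constructed, modelled on the single line quoted in the deck.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: parse the fwm.elg record header
# shown on the log-file slide, [PROC PID TID]@host [dd Mon HH:MM:SS] PROC: message,
# flag process restarts, and read the rotated files in chronological order.

# Constructed sample records modelled on the one line quoted in the deck
# (a second fwm incarnation, PID 3597, starts after a "going to die" shutdown).
SAMPLE_ELG='[FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: Sat Dec 18 23:04:47 2010
[FWM 2309 2002617920]@cpmodule [18 Dec 23:04:47] FWM: VPN-1 Power/UTM SmartCenter Server is running
[FWM 2309 2002617920]@cpmodule [19 Dec 00:14:20] FWM: FireWall-1 SmartCenter Server going to die on sig 15
[FWM 3597 2002617920]@cpmodule [19 Dec 00:14:29] FWM: Sun Dec 19 00:14:29 2010
[FWM 3597 2002617920]@cpmodule [19 Dec 00:14:29] FWM: VPN-1 Power/UTM SmartCenter Server is running'

# elg_parse: stdin -> one tab-separated record per line: proc, pid, host, timestamp, message.
# Lines without the header (continuation lines) are skipped.
elg_parse() {
  awk '
    match($0, /^\[[A-Za-z_]+ [0-9]+ [0-9]+]@[^ ]+ \[[^]]+] [A-Za-z_]+: /) {
      hdr = substr($0, 1, RLENGTH); msg = substr($0, RLENGTH + 1)
      split(hdr, h, /[][@ ]+/)   # h[2]=proc h[3]=pid h[4]=tid h[5]=host h[6..8]=dd Mon HH:MM:SS
      printf "%s\t%s\t%s\t%s %s %s\t%s\n", h[2], h[3], h[5], h[6], h[7], h[8], msg
    }'
}

# elg_restarts: stdin = raw fwm.elg -> one line per restart indicator: an explicit
# "going to die on sig N" shutdown, or a record whose PID differs from the previous
# record's PID (the process came up again and got a new PID from the OS).
elg_restarts() {
  elg_parse | awk -F '\t' '
    $5 ~ /going to die on sig/ { printf "%s\tPID %s\tshutdown: %s\n", $4, $2, $5 }
    NR > 1 && $2 != last        { printf "%s\tPID %s\tnew PID (previous %s)\n", $4, $2, last }
    { last = $2 }'
}

# elg_chronological DIR NAME: the rotated files that exist, oldest first
# (NAME.8 ... NAME.0, then NAME), so "cat $(elg_chronological $FWDIR/log fwm.elg)"
# gives the full history in order. Mirrors the 10-file rotation described on the slide.
elg_chronological() {
  i=8
  while [ "$i" -ge 0 ]; do
    if [ -f "$1/$2.$i" ]; then echo "$1/$2.$i"; fi
    i=$((i - 1))
  done
  if [ -f "$1/$2" ]; then echo "$1/$2"; fi
}

printf '%s\n' "$SAMPLE_ELG" | elg_restarts
```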

The fwd process

Who is it?
The fwd process is responsible for sending and receiving the logs from the different Check Point entities to the MGMT\log server (sometimes they are on the same machine).

What does it do?
On the MGMT side:
fwd listens on port 257, waiting for logs to be sent from the various GWs that are connected to it.

On the GW side:
fwd opens a connection to the fwd on the log\MGMT server side on port 257.

Note: In case fwd is down on either the MGMT or the GW, logging will not work.


fwd log file & debugging

fwd.elg
The fwd log file is located in $FWDIR/log/fwd.elg.

fwd debug
To enable fwd debug use the same syntax as the fwm debug, replacing fwm with fwd:

1. Start the fwd debug by running the following command on the MGMT server:
   # fw debug fwd on TDERROR_ALL_ALL=5

   Note: In order to print all data to a single file run:
   # tail -f $FWDIR/log/fwd.elg &> <output file name>

2. Reproduce the problem, or take the relevant steps you want to investigate.

3. Stop the debug by running the following command on the MGMT server:
   # fw debug fwd off TDERROR_ALL_ALL=0
   Stop the tail with CTRL+C.

4. As mentioned previously, all output will be written to $FWDIR/log/fwd.elg*, or if tail was used it will be printed to the <output file name>.


fwd log file & debugging

[Figure: fwd logging troubleshooting flow between the Security Gateway and the MGMT/Log server: FWD on both sides connected over port 257, with checks for connectivity (PING), SIC, database installation ("Install database") and FWD configuration.]

Troubleshooting steps (the checks before step 5 appear only in the figure):

5. Is the log file growing on the Security Gateway?
   # cd $FWDIR/log
   # ls -la fw.log
   Is the database out of sync? Install the database.
6. Verify that the connection is established on port 257:
   # netstat -nap | grep 257
   Verify that FWD is up on both the GW and the MGMT/Log server:
   # cpwd_admin list
   Verify that SIC is working properly.
7. Verify the policy configuration: FireWall Object > Logging > Logs and Masters > Log Servers
8. For more troubleshooting steps see sk32758, sk38848


The cpd process

Who is it?
The cpd process runs on all Check Point products (MGMT products as well as Gateways).

What does it do?
It has 3 major responsibilities:

SIC - the cpd process is the one we contact during the SIC negotiation to validate and/or push the certificate. If the cpd process on a certain GW is down, policy installation on that GW will fail due to a "SIC issue".
When the GW has no certificate (just after the installation, or after performing a SIC reset) the cpd process will be listening on port 18211 and will receive a certificate from the MGMT server while the SIC is being re-initialized.
After the SIC has been established, the rest of the communication to the GW will be via port 18191 (for example: when the MGMT server needs to install a policy on a certain GW).

Loading the policy on the GW side - we will learn more about it in the policy installation chapter.

Status collection - the fwm process requests the different Check Point Gateways' statuses from the cpd process, and also from the MGMT server itself, and then presents them in SmartView Monitor.
The protocol which is used to collect the statuses is called AMON, and it works over port 18192. In case the cpd process is down we will not be able to get the Gateways' and MGMT statuses in SmartView Monitor.


The cpd process

Please test it yourself: open SmartView Monitor and check the current status of a MGMT server.
Now kill the cpd process on the MGMT server side. As you can see, the MGMT server will now appear as 'Disconnected' although it is actually up and running; that is because fwm failed to receive the status from the cpd process (as it is down).


cpd debug

In order to enable the cpd process in debug mode we need to perform the following:

1. Start the cpd debug by running the following command on the MGMT server:
   # cpd_admin debug on TDERROR_ALL_ALL=5

   Note: In order to print all data to a single file run:
   # tail -f $CPDIR/log/cpd.elg &> <output file name>

2. Reproduce the problem, or take the relevant steps you want to investigate.

3. Stop the debug by running the following command on the MGMT server:
   # cpd_admin debug off TDERROR_ALL_ALL=0
   Stop the tail with CTRL+C.

4. As mentioned previously, all output will be written to $CPDIR/log/cpd.elg*, or if tail was used it will be printed to the <output file name>.

All processes take the settings for their operation and their environment variables from the registry file $CPDIR/registry/HKLM_registry.data.


cpca process

Who is it?
The cpca is a child process of the fwd process, meaning that in case the fwd process is down for some reason, cpca will also be down.
In case cpca is down it will not be possible to generate any new certificate at that time.
The cpca process listens on ports:
18264 - Used to retrieve the CRL
18265 - Used for the "ICA management tool"

What does it do?
The cpca process is responsible for the ICA (internal CA).
It is responsible for generating\modifying certificates for the defined Check Point entities.


cpca debug

In order to enable the cpca process in debug mode we need to perform the following:

1. Start the cpca debug by running the following command on the MGMT server:
   # fw debug cpca on TDERROR_ALL_ALL=5

   Note: In order to print all data to a single file run:
   # tail -f $FWDIR/log/cpca.elg &> <output file name>

2. Reproduce the problem, or take the relevant steps you want to investigate.

3. Stop the debug by running the following command on the MGMT server:
   # fw debug cpca off TDERROR_ALL_ALL=0
   Stop the tail with CTRL+C.

4. As mentioned previously, all output will be written to $FWDIR/log/cpca.elg*, or if tail was used it will be printed to the <output file name>.

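The same four-step debug procedure is given above for fwm, fwd, cpd and cpca; as an added example (not a Check Point tool or code from the deck), here it is wrapped in one shell session that turns the flag on, tails the right .elg into a file, runs the reproduction step, and always turns the flag back off, even when the reproduction fails or the session is interrupted. It assumes $FWDIR and $CPDIR are set as on a Check Point host and that fw and cpd_admin are the real commands.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: the four-step debug procedure the
# slides give for fwm, fwd and cpca (fw debug ...) and for cpd (cpd_admin debug ...)
# as one session that always switches the debug flag back off, even when the
# reproduction step fails or the session is interrupted. Assumes $FWDIR and
# $CPDIR are set as on a Check Point host; fw and cpd_admin are the real tools.

# debug_ctl PROC on|off: the start/stop command the slides give for each process.
debug_ctl() {
  case $1 in
    cpd)
      if [ "$2" = on ]; then cpd_admin debug on TDERROR_ALL_ALL=5
      else cpd_admin debug off TDERROR_ALL_ALL=0; fi ;;
    fwm|fwd|cpca)
      if [ "$2" = on ]; then fw debug "$1" on TDERROR_ALL_ALL=5
      else fw debug "$1" off TDERROR_ALL_ALL=0; fi ;;
    *)
      echo "debug_ctl: unsupported process '$1'" >&2; return 1 ;;
  esac
}

# elg_path PROC: where the process writes its .elg (cpd under $CPDIR/log,
# the others under $FWDIR/log), as stated on the slides.
elg_path() {
  case $1 in
    cpd) echo "$CPDIR/log/cpd.elg" ;;
    *)   echo "$FWDIR/log/$1.elg" ;;
  esac
}

# debug_session PROC OUTFILE CMD...: step 1 turns debug on and tails the .elg into
# OUTFILE, step 2 runs CMD (the reproduction), steps 3-4 stop the tail and turn
# debug off. A forgotten TDERROR_ALL_ALL=5 keeps writing verbose output into the
# rotating .elg files, so the off command is also registered as a trap.
debug_session() {
  proc=$1; out=$2; shift 2
  log=$(elg_path "$proc")
  debug_ctl "$proc" on || return 1
  tail -f "$log" > "$out" 2>&1 &
  tailpid=$!
  trap 'kill "$tailpid" 2>/dev/null; debug_ctl "$proc" off' EXIT INT TERM
  "$@"
  rc=$?
  kill "$tailpid" 2>/dev/null
  wait "$tailpid" 2>/dev/null || true
  debug_ctl "$proc" off
  trap - EXIT INT TERM
  return "$rc"
}

# Typical use on the MGMT server while reproducing a failing GUI login:
#   debug_session fwm /tmp/fwm_debug.txt sleep 60
```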

cp watchdog

Who is it?
The cpwd - Check Point Watch Dog.

What does it do?
The cpwd process is responsible for monitoring the statuses of processes such as fwm, cpd, fwd. In case a certain process is down for some reason, the cpwd will identify it and will try to re-load it within one minute.

To view the current status of a process use the following command:
# cpwd_admin list

Example of its output:
APP   PID   STAT  START  START_TIME              COMMAND          MON
CPD   3488  E     1      [00:14:25] 19/12/2010   cpd              Y
FWD   3592  E     1      [00:14:28] 19/12/2010   fwd              N
FWM   3597  E     1      [00:14:29] 19/12/2010   fwm              N
CPSM  3609  E     1      [00:14:31] 19/12/2010   cp stat_monitor  N

APP - indicates the process name (cpd\fwm etc.).
PID - shows the current PID of the process.
STAT - shows the status of the process; E means enabled (running) while T means terminated (down).
START - how many times the process was loaded by the cp watchdog process; 1 means that it was only loaded once during boot and the process has not gone down since then.
Each time a certain process goes down and is reloaded by the cp watchdog, it is added to the "START" count. This can assist us in identifying whether a certain process is crashing.

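The STAT and START checks just described, as an added example (not code from the deck): a filter over `cpwd_admin list` output that reports terminated or repeatedly reloaded processes, plus a PID lookup so the PID can be matched against the PID field of that process's .elg records. The sample output is constructed in the format shown on the slide.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: read "cpwd_admin list" output in
# the format shown on the slide and flag processes that are down (STAT T) or that
# cpwd has had to reload (START above 1), then look up a PID to match it against
# the PID field in that process's .elg records.

# Constructed sample output: FWD has been reloaded twice since boot and CPSM is
# terminated, to exercise both checks.
SAMPLE_CPWD='APP   PID   STAT  START  START_TIME              COMMAND          MON
CPD   3488  E     1      [00:14:25] 19/12/2010   cpd              Y
FWD   4120  E     3      [02:31:08] 19/12/2010   fwd              N
FWM   3597  E     1      [00:14:29] 19/12/2010   fwm              N
CPSM  3609  T     1      [00:14:31] 19/12/2010   cp stat_monitor  N'

# cpwd_unhealthy: stdin = cpwd_admin list output -> "APP<TAB>reason" per problem process.
# START counts loads including the one at boot, so START-1 is the number of reloads.
cpwd_unhealthy() {
  awk 'NR > 1 && NF >= 4 {
    if ($3 != "E")
      printf "%s\tnot running (STAT=%s)\n", $1, $3
    else if ($4 + 0 > 1)
      printf "%s\treloaded by cpwd %d time(s) since boot (START=%s)\n", $1, $4 - 1, $4
  }'
}

# cpwd_pid APP: the PID cpwd currently holds for APP (empty if APP is not listed).
cpwd_pid() {
  awk -v app="$1" 'NR > 1 && $1 == app { print $2 }'
}

printf '%s\n' "$SAMPLE_CPWD" | cpwd_unhealthy
```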

Important database files

- All the data presented in SmartDashboard is loaded from the MGMT server using the fwm process.
- Most of the database files on the MGMT server are stored in the $FWDIR/conf directory, which is very important as it contains almost all of the Check Point database (rules, objects, and all other configuration).
- We will discuss 4 of the main DB files:

1. $FWDIR/conf/Objects_5_0.C
2. $FWDIR/conf/fwauth.NDB
3. $FWDIR/conf/rulebases_5_0.fws
4. $FWDIR/conf/classes.C


Important database files

$FWDIR/conf/Objects_5_0.C
- The objects_5_0.C file contains the whole objects database.
- Each time an object is created in the dashboard, the fwm process registers it in the objects_5_0.C file.
- The objects_5_0.C file is a sensitive file, meaning that every character matters and wrong syntax will cause fwm to fail to start.
- It is possible to modify the objects_5_0.C file manually when needed, though it is extremely important to back it up before making any modifications.

$FWDIR/conf/fwauth.NDB
- Contains all users and administrators information.
- This file is a binary file and cannot be modified manually.
- Any corruption in this file will cause the fwm process to crash.
- This file can be removed: after performing # cpstop; cpstart a new file will be created; however, by removing this file the whole users database will be lost.

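The ":key (value)" set syntax shown in the fwm.elg object-creation dump is the same syntax objects_5_0.C uses; as an added example (not code from the deck), here is a parser that lists each network object's name, ClassName, ipaddr and chkpf_uid from such text, so an object can be located in the file before a manual edit. The excerpt is constructed: the "training" host reuses the UID from the deck's dump, while the second object and its UID are made up.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: pull the objects out of text in the
# ":key (value)" set syntax that the CPMI "update-object" dump and objects_5_0.C share,
# reporting each network object's name, ClassName, ipaddr and chkpf_uid.

# Constructed excerpt in objects_5_0.C style (the "training" host reuses the UID from
# the deck's CPMI dump; the second object and its UID are made up for the example).
OBJECTS_SAMPLE='(
  :network_objects (
    : (training
      :AdminInfo (
        :chkpf_uid ("{2BB83456-1011-43FC-A45F-71B005FE369B}")
        :ClassName (host_plain)
        :table (network_objects)
      )
      :color (black)
      :ipaddr (1.1.1.1)
      :type (host)
    )
    : (mgmt-srv
      :AdminInfo (
        :chkpf_uid ("{00000000-0000-0000-0000-00000000EXAMPLE}")
        :ClassName (gateway_ckp)
        :table (network_objects)
      )
      :ipaddr (10.0.0.5)
      :type (gateway)
    )
  )
)'

# list_objects: stdin = set-syntax text -> "name<TAB>ClassName<TAB>ipaddr<TAB>chkpf_uid"
# per object. Parentheses are counted per line to know when an object closes, so
# fields inside nested sections such as :AdminInfo are attributed to the enclosing object.
list_objects() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    # ": (name" opens an object; remember the depth it was opened at
    line ~ /^: \([^ \t)]+/ {
      name = substr(line, 4); sub(/[ \t].*$/, "", name)
      cls = ""; ip = ""; uid = ""; objdepth = depth + 1
    }
    name != "" && line ~ /^:(ClassName|ipaddr|chkpf_uid) \(/ {
      key = substr(line, 2); sub(/ .*$/, "", key)
      val = line; sub(/^:[^ ]+ \(/, "", val); sub(/\)$/, "", val); gsub(/"/, "", val)
      if (key == "ClassName") cls = val; else if (key == "ipaddr") ip = val; else uid = val
    }
    { depth += gsub(/\(/, "(", line) - gsub(/\)/, ")", line) }
    name != "" && depth < objdepth {
      printf "%s\t%s\t%s\t%s\n", name, cls, ip, uid; name = ""
    }'
}

# object_by_ip IP: stdin = set-syntax text -> the object line(s) carrying that ipaddr
object_by_ip() {
  list_objects | awk -F '\t' -v ip="$1" '$3 == ip'
}

printf '%s\n' "$OBJECTS_SAMPLE" | list_objects
```

On a real MGMT server the same functions read the file directly, e.g. `object_by_ip 1.1.1.1 < $FWDIR/conf/objects_5_0.C`.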

Important database files

$FWDIR/conf/rulebases_5_0.fws
- Contains all rules and policies information.
- In case there is any problem with viewing a certain policy, or in case the policy is not presented at all, that is probably due to a corruption in the file.

$FWDIR/conf/classes.C
- Contains the definitions of the different fields and objects.
- Each object has its own unique fields; for example, a MGMT server object will have different fields than a regular host object. The classes.C file defines exactly which fields should be defined in each object type.
- This file is the same in any environment running the same version, as it is not changed.


GUIDBEDIT

As you could see, the database is composed of many different database files.
In addition, there are some fields in the database which are not presented in the GUI.
In some cases there is a need to modify certain database fields which do not appear in the GUI.
Since modifying the relevant database file manually can be a complicated and risky task, we have a tool called GUIDBEDIT.
GUIDBEDIT provides GUI visibility into the database itself.

In order to use GUIDBEDIT you need to access the relevant SmartConsole directory and from there run GUIDBEDIT.exe.
You will need to enter your MGMT server login details exactly as you do when connecting to the MGMT server via the dashboard.


GUIDBEDIT

[Figure: GUIDBEDIT screenshot.]

- At the bottom you can see all the object's fields (like IP address) and you can modify them if needed.
- Note there are some fields which will only appear in the relevant database file and will not appear in GUIDBEDIT.


In Summary

After reading this presentation you should understand:

- The different Check Point processes and their responsibilities
- What a debug is, and how to enable fwm debug
- The major database files and what data they hold
- How to identify objects in the objects_5_0.C file
- How to use the GUIDBEDIT tool

