Posted on Wednesday, 7th July 2010 by Michael
CheckPoint Site to Site VPN Audit automation with “fwm logexport and scripting”
Up to recently we use to pay a third party SEIM provider to provide us reporting for all our site to site VPN tunnels. This is due to an audit requirement we had that said that our system administrators had to report on any time their vendor connected to the tunnel. If they connected they had to provide the start date & time, the end date & time, the duration of the connection, the source address and destination address, the protocol & port as well as the tunnel name.
Due to the cost of the third party SEIM provider as well as their not so wonderful service we decided to find a replacement. The only issue is the replacements we found all cost over 100,000 a year. This is when Michael Yan and I set forth to develop our own solution.
We are happy to bring you “CP-VPN-Auto-Audit 1.0”. This system is compromised of 4 scripts that run together to export your logs, format them into individual tunnel csv reports and then email them to the system administrators.
To use these scripts you will need the following:
- You must be running the SPLAT operating system on your management server
- You must install active Perl on your mgmt server.
- You must have a SSH key pair setup with another Linux box that has the ability to mail files. (This is useful for log backups and automated upgrade_exports as well).
- Understanding of basic Perl, Linux and Shell scripting.
- You must configure your logs to rotate nightly at midnight and make sure to do a install database to apply the settings.
How to install Active Perl on your Mgmt server:
Since the Splat Operating system is just a striped down secured version of Red Hat Linux you are able to install some dependency limited RPM packages.
- Log into your mgmt server and escalate your privileges to “expert”
- Download the RPM that is right for your processor architect: http://www.activestate.com/activeperl/downloads. This file needs to be downloaded to a box that has either a SSH server running or an ftp server running since your mgmt station will not have wget, curl or lynx. But you do have SCP and FTP
- From your mgmt server copy the RPM over to /root.
- Issue the command “rpm –ivh file_name.rpm” to install
- Next we will have to edit our environment so the Splat operating system will detect it.
- Use your favorite Linux editor to edit the file $FWDIR/tmp/.CPprofile.sh
- Find the line “PATH=${PATH}:${FWDIR}/bin:” and modify it to PATH=${PATH}:${FWDIR}/bin:/opt/ActivePerl-5.10/bin ; (change to version number that matches your Perl version).
- Log out of your mgmt server, log back in and escalate your privilege to “expert”
- Execute the command “which perl” You should get a path back if it worked.
Installation of the Perl script on the mgmt server:
On the mgmt server you will need to copy the logstrap.pl and the vpn-audit.pl to the /root directory. Once you have the files copied there you will need to modify them to match your version of checkpoint , the log output directory, the remote server name and account. I normally like to use variables but in this project the use of variables seemed to add so many headaches and countless additional hours of trouble shooting.
Inside look at logstrap.pl: Download code here: http://www.digitaloffensive.com/files
The code is heavily documented so to keep this document clean just search for the lines below to see the code:
#Get Yesterday Date: This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.
#Create shell script to use *CheckPoint Environment* and Process the log export for yesterday log: This code will create the shell script called execute-me.sh. This script will define the CheckPoint environment and process the day before account logs using the fwm logexport command. Next since the cron will spawn a new shell when we declare the CheckPoint environment we need a script that will launch the rest of the code for us in the new shell, this script does that for us by call /root/vpn-audit.pl.
Inside look at vpn-audit.pl: Download code here: http://www.digitaloffensive.com/files
The code is heavily documented so to keep this document clean just search for the lines below to see the code:
#Get Yesterday Date: This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.
#Logs to use: This code will open all the log files that we will use to separate the log file into individual csv files, 1 per vpn tunnel that we have.
#Printing header: This code will add a header to each of the csv files. This allows for easy filtering of results and also makes understanding what data is in each column.
# Find Column numbers based on column names since *CheckPoint changes the column numbers daily*: This code will resolve the issue of where the column numbers found in the CheckPoint logs change daily. Instead of using a preset number we find the column name and then find what column that is associated with.
#Process individual reports: This is the part of the code where we process each VPN tunnel into and individual report using regular expression matching and unique tunnel names.
#Close all open logs: This code will close all the logs that we have opened.
# Tar files and move them to server to be emailed: This code will make use of the SSH keys we have established with our other Linux box. It will tar up the logs and transfer them to the other box. It will also clean up all the logs we just created as well as call the mail.sh code located on the other box.
Inside look at the crontab entry on the mgmt server:
To edit your crontab use the command “crontab –e”
45 11 * * * /root/logstrap.pl >& /var/log/cron.err
Since we use GMT time I have to set the cron 4 hours in the future from the time I want to execute the script. We output the results to /var/log/cron.err for error checking and debugging.
Installation of mail.sh on your other Linux server: Download code here: http://www.digitaloffensive.com/files
Remember on this server you have already confirmed that you can send email from it.
- Log on to the box as the user that you established the SSH key pair with.
- Create a directory called vpn.
- Copy the mail.sh code into that directory.
- chmod –Rf 777 /user/vpn
Inside look at mail.sh:
##Variables: This section will allow you to define the following:
- The path to the csv files
- The mail recipient.
- The email message body.
- The subject line of the email.
## Do not edit below this line: This section of the code contains a loop that will mail all the csv files as attachments until it is done. It will also clean up and remove all the tars and csv files after it sends them out.
Posted in Code | Comments (2)
July 7th, 2010 at 2:21 pm
[…] Digital Offensive » Blog Archive » CheckPoint Site to Site VPN Audit automation with “… […]
July 7th, 2010 at 6:33 pm
My friends at checkpoint ask me to add a warning saying that installing active Perl on your mgmt server is not supported by them. So please do a upgrade_export before hand.