[logs] Checkpoint Firewall rulebase - logs
Tina Bird
tbird at precision-guesswork.com
Sat Aug 4 21:45:54 PDT 2007
> What Billford so tersely means is that there's a separate
> logfile for "administrative" actions.
>
> There are some details here:
> http://www.secureworks.com/research/articles/firewall-primer/
>
> (I just found this link - can't swear to it but it seems
> reasonable; look for "Audit Log" section)
Here's a bit I wrote up on how to monitor Checkpoint admin activity, which
includes policy saves and loads (and an idea about how to monitor rules
changes by monitoring the directory in which the rule bases are saved) --
this stuff is aimed at UNIX-based FW-1 hosts, but the same ideas apply in
general for Windows-based systems:
To monitor operating system events, bear in mind that FireWall-1 is
generally installed as an application on a general-purpose operating system,
such as Windows 2003, Linux, or Solaris. To capture operating system events
on the firewall host, be sure to monitor the host's syslog output. You may
also want to verify that /etc/syslog.conf is capturing data at the level
required to record events such as failed logins and reboots, which vary
depending on the OS.
Whether they are created via the GUI or the FW-1 command line interface, all
FW-1 rulesets are stored in the $FWDIR/conf directory, in text files whose
names end either in .pf or .W. The .pf extension designates a file as an
Inspection Set; the ruleset is stored in the necessary format for the
firewall to implement it directly. The .W extension indicates a Rule Base
created via the GUI, which may not yet be compiled into its final format.
Monitoring this directory will provide change management to your firewall
infrastructure, and greatly improve your ability to correlate firewall logs
with other events based on the specific allowed and denied activities.
For the rare handful of administrators who manage their firewall rulesets
via direct modification of Inspection Scripts and manual loads of policies
to FW modules, the FW-1 daemon writes records of the activity to syslog on
the host OS. The majority of FW-1 administrators, however, use the GUI
interface for system management. In this situation, where the administrative
logs are stored depends on the version of the CheckPoint software in use. For
FW-1 versions prior to NG, administrative logs are stored in the ASCII file
$FWDIR/log/cpmgmt.aud, and may be fed into syslog.
For FireWall-1 NG, GUI-based administrator activity is stored on the
Management Server. For use with the Log Viewer utility, binary formatted
data is stored in $FWDIR/log/fw.adtlog. For streaming to syslog or other
monitoring systems, records of administrative actions are also stored in
$FWDIR/log/cpmi_audit.txt. (CPMI is the acronym for CheckPoint Management
Interface.)
Logs of network connections are stored in $FWDIR/log/fw.log by default. When
a new log file is created, either by explicit administrator request or other
mechanism, the current file is renamed $FWDIR/log/<date>.log and written to
disk. The new log file assumes the default name. You can automate the
creation of new network connection log files based on file size, date and
time, or amount of free disk space, using the Logging Policy page in the
Workstation Properties window of the management GUI.
fw.log will also contain records of some system alerts and other significant
events.
Hope this helps -- I'm a bit out of touch with FW-1 -- tbird
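The directory-monitoring idea from the post above, worked through as an added example (this is not code from the original message or from CheckPoint): a POSIX shell script that takes a checksum baseline of the .pf and .W files in a rulebase directory and later reports any file that was added, removed or modified. The `$FWDIR/conf` path and the two file extensions come from the post; the function names, the `conf` directory layout in the demo and the sample rule text are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: change detection for FW-1
# rulebase files (.pf Inspection Sets and .W GUI Rule Bases) in $FWDIR/conf.
# Run snapshot() once to build a baseline, then snapshot() again plus compare()
# from cron (or after each policy load) to report what changed.

# snapshot DIR OUTFILE: write "checksum size name" for every .pf/.W file in DIR.
snapshot() {
    dir=$1; out=$2
    : > "$out"
    for f in "$dir"/*.pf "$dir"/*.W; do
        [ -f "$f" ] || continue            # skip unmatched glob patterns
        cksum "$f" | awk -v n="$(basename "$f")" '{print $1, $2, n}' >> "$out"
    done
    sort -k3 "$out" -o "$out"
}

# compare BASELINE CURRENT: print one line per ADDED/REMOVED/MODIFIED file.
# Returns 0 when the two snapshots agree, 1 when any difference was found.
compare() {
    awk '
        FILENAME == ARGV[1] { old[$3] = $1 " " $2; next }
        { new[$3] = $1 " " $2 }
        END {
            n = 0
            for (f in old) if (!(f in new))       { print "REMOVED " f;  n++ }
            for (f in new) if (!(f in old))       { print "ADDED " f;    n++ }
                           else if (old[f] != new[f]) { print "MODIFIED " f; n++ }
            exit (n > 0 ? 1 : 0)
        }' "$1" "$2"
}

# demo: build a constructed conf directory, take a baseline, simulate an
# administrator editing one rulebase and creating another, then compare.
demo() {
    tmp=$(mktemp -d)
    conf="$tmp/conf"                       # stands in for $FWDIR/conf
    mkdir "$conf"
    printf 'accept tcp dport 22 from mgmt\n' > "$conf/Standard.W"   # constructed
    printf 'compiled inspect code\n'        > "$conf/Standard.pf"  # constructed
    snapshot "$conf" "$tmp/baseline"

    printf 'accept any any\n' >> "$conf/Standard.W"   # rule appended via "GUI"
    : > "$conf/Test.W"                                # new rulebase created
    snapshot "$conf" "$tmp/current"

    if compare "$tmp/baseline" "$tmp/current"; then
        echo "no rulebase changes"
    else
        echo "CHANGES DETECTED in $conf"
    fi
    rm -rf "$tmp"
}

# Uncomment to run the demonstration when executing the script directly:
# demo
```

In production the baseline file should live outside `$FWDIR/conf` (ideally off the firewall host), and the output of `compare` would be sent to syslog with `logger` so it lands next to the cpmgmt.aud or cpmi_audit.txt records and can be correlated with the policy save or load that caused the change. Note that `cksum` is a CRC, adequate for detecting accidental or routine edits; if the concern is a deliberate tamper, substitute a cryptographic hash such as `sha256sum` or `openssl dgst -sha256`.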