control_bootsec

Description

Controls the boot security, that is, the loading of both the Default Filter policy (defaultfilter) and the Initial Policy (InitialPolicy) during boot on a Security Gateway or a Cluster Member.

Warning

If you disable the boot security, you leave your Security Gateway or Cluster Member without any protection during the boot. Before you disable the boot security, we recommend that you disconnect your Security Gateway or Cluster Member from the network completely.

Also refer to these commands:

Syntax

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}

Notes:

Parameters

Parameter        Description

No Parameter

-g
-G               Enables the boot security:

  1. Executes the $FWDIR/boot/fwboot bootconf set_def $FWDIR/boot/default.bin command, which updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file so that it points to the correct policy file (DEFAULT_FILTER_PATH /etc/fw.boot/default.bin)
  2. Executes the $FWDIR/bin/comp_init_policy -g command, which:
    1. Removes the attribute :InitialPolicySafe (true) from the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file)
    2. Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory

-r
-R               Disables the boot security:

  1. Executes the $FWDIR/boot/fwboot bootconf set_def command, which updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file so that it points to no policy file at all (DEFAULT_FILTER_PATH 0)
  2. Executes the $FWDIR/bin/comp_init_policy -u command, which:
    1. Adds the attribute :InitialPolicySafe (true) to the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file)
    2. Deletes all files from the $FWDIR/state/local/FW1/ directory
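The three artifacts that the command changes (the DEFAULT_FILTER_PATH line in boot.conf, the :InitialPolicySafe attribute in the registry, and the contents of $FWDIR/state/local/FW1/) are exactly what an administrator should inspect to confirm that a gateway will be protected during its next boot. The following POSIX shell script is an added example, not part of the Check Point documentation or product: it reads those three artifacts and reports whether boot security is enabled, disabled, or left in a mixed state (for example, after an interrupted change). The function names bootsec_status and make_fixture, the exit codes, and the fixture files it builds under a temporary directory are this example's own conventions; on a real gateway you would pass "$FWDIR" and "$CPDIR" instead of the constructed paths.

```shell
#!/bin/sh
# Added example (not Check Point code): audit the boot security state of a
# Security Gateway by checking the three artifacts that control_bootsec
# modifies, as described in the parameter table above.

# bootsec_status FWDIR CPDIR
# Prints "enabled", "disabled" or "inconsistent" and returns 0, 1 or 2.
bootsec_status() {
    fwdir="$1"
    cpdir="$2"
    bootconf="$fwdir/boot/boot.conf"
    registry="$cpdir/registry/HKLM_registry.data"
    statedir="$fwdir/state/local/FW1"

    # 1. Default Filter: a value of 0 (or a missing line) means no Default
    #    Filter policy is loaded during boot.
    deffilter=$(awk '$1 == "DEFAULT_FILTER_PATH" { print $2 }' "$bootconf" 2>/dev/null)
    if [ -z "$deffilter" ] || [ "$deffilter" = "0" ]; then
        deffilter_ok=0
    else
        deffilter_ok=1
    fi

    # 2. Registry: the attribute is present only while boot security is disabled.
    if grep -qF ':InitialPolicySafe (true)' "$registry" 2>/dev/null; then
        registry_ok=0
    else
        registry_ok=1
    fi

    # 3. Initial Policy files: the directory is emptied when boot security is disabled.
    if [ -d "$statedir" ] && [ -n "$(ls -A "$statedir" 2>/dev/null)" ]; then
        state_ok=1
    else
        state_ok=0
    fi

    # All three must agree; anything else deserves a closer look.
    case "$deffilter_ok$registry_ok$state_ok" in
        111) echo enabled;      return 0 ;;
        000) echo disabled;     return 1 ;;
        *)   echo inconsistent; return 2 ;;
    esac
}

# make_fixture DIR STATE
# Builds a constructed FWDIR/CPDIR tree under DIR that mimics the "enabled"
# or "disabled" state shown in the guide's examples. Test data only.
make_fixture() {
    root="$1"
    state="$2"
    mkdir -p "$root/fw1/boot" "$root/fw1/state/local/FW1" "$root/cpdir/registry"
    if [ "$state" = "enabled" ]; then
        printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH %s/fw1/boot/default.bin\nKERN_INSTANCE_NUM 3\n' \
            "$root" > "$root/fw1/boot/boot.conf"
        : > "$root/cpdir/registry/HKLM_registry.data"      # attribute absent
        printf 'constructed\n' > "$root/fw1/state/local/FW1/local.set"
    else
        printf 'CTL_IPFORWARDING 1\nDEFAULT_FILTER_PATH 0\nKERN_INSTANCE_NUM 3\n' \
            > "$root/fw1/boot/boot.conf"
        printf ':InitialPolicySafe (true)\n' > "$root/cpdir/registry/HKLM_registry.data"
        # state directory intentionally left empty
    fi
}

# Demonstration on constructed fixtures. On a real gateway, run instead:
#   bootsec_status "$FWDIR" "$CPDIR"
demo_root=$(mktemp -d)
make_fixture "$demo_root/on" enabled
make_fixture "$demo_root/off" disabled
for host in on off; do
    if bootsec_status "$demo_root/$host/fw1" "$demo_root/$host/cpdir" >/dev/null; then
        echo "$host: boot security enabled"
    else
        echo "$host: boot security NOT enabled (see bootsec_status output)"
    fi
done
rm -rf "$demo_root"
```

The script treats the three checks as independent evidence rather than trusting any single one, so a gateway where the registry says InitialPolicySafe but boot.conf still names a Default Filter is reported as inconsistent rather than silently classified either way; that is the case worth investigating after an interrupted control_bootsec run or a manual edit of boot.conf.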

Example - Disabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/

[Expert@GW:0]#

 

[Expert@GW:0]# pwd

/opt/CPsuite-R80.20/fw1/state/local/FW1

[Expert@GW:0]#

 

[Expert@GW:0]# ls -l

total 7736

-rw-rw---- 1 admin root 11085 Jul 19 20:16 install_policy_report.txt

-rw-rw---- 1 admin root 56 Jul 19 20:16 install_policy_report_timing.txt

-rw-rw---- 1 admin root 37355 Jul 19 20:16 local.Sandbox-persistence.xml

-rw-rw---- 1 admin root 3 Jul 19 20:16 local.ad_query_profiles

... ... ...

-rw-r----- 1 admin root 14743 Jul 19 20:16 manifest.C

-rw-rw---- 1 admin root 7381 Jul 19 20:16 policy.info

-rw-rw---- 1 admin root 2736 Jul 19 20:16 policy.map

-rw-rw---- 1 admin root 51 Jul 19 20:16 sig.map

[Expert@GW:0]#

 

[Expert@GW:0]# $FWDIR/bin/control_bootsec -r

Disabling boot security

FW-1 will not load a default filter on boot

[Expert@GW:0]#

 

[Expert@GW:0]# cat $FWDIR/boot/boot.conf

CTL_IPFORWARDING 1

DEFAULT_FILTER_PATH 0

KERN_INSTANCE_NUM 3

COREXL_INSTALLED 1

KERN6_INSTANCE_NUM 2

IPV6_INSTALLED 0

CORE_OVERRIDE 4

[Expert@GW:0]#

 

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data

:InitialPolicySafe (true)

[Expert@GW:0]#

 

[Expert@GW:0]# ls -l

total 0

[Expert@GW:0]#

Example - Enabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/

[Expert@GW:0]#

 

[Expert@GW:0]# pwd

/opt/CPsuite-R80.20/fw1/state/local/FW1

[Expert@GW:0]#

 

[Expert@GW:0]# control_bootsec -g

Enabling boot security

[Expert@GW:0]#

 

[Expert@GW:0]# cat $FWDIR/boot/boot.conf

CTL_IPFORWARDING 1

DEFAULT_FILTER_PATH /opt/CPsuite-R80.20/fw1/boot/default.bin

KERN_INSTANCE_NUM 3

COREXL_INSTALLED 1

KERN6_INSTANCE_NUM 2

IPV6_INSTALLED 0

CORE_OVERRIDE 4

[Expert@GW:0]#

 

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data

[Expert@GW:0]#

 

[Expert@GW:0]# ls -l

total 56

-rw-rw---- 1 admin root 8 Jul 19 20:22 local.ctlver

-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc

-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6

-rw-rw---- 1 admin root 235 Jul 19 20:22 local.ft

-rw-rw---- 1 admin root 317 Jul 19 20:22 local.ft6

-rw-rw---- 1 admin root 135 Jul 19 20:22 local.fwrl.conf

-rw-rw---- 1 admin root 14 Jul 19 20:22 local.ifs

-rw-rw---- 1 admin root 833 Jul 19 20:22 local.inspect.lf

-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg

-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6

-rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic

-rw-rw---- 1 admin root 3 Jul 19 20:22 local.set

-rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map

[Expert@GW:0]#