comp_init_policy

Important - This section does not apply to Scalable Platforms (Maestro and Chassis).

Description

Generates, loads, or removes the Initial Policy on a Security Gateway or a Cluster Member.

Until the Security Gateway or cluster administrator installs the user-defined Security Policy on the Security Gateway or Cluster Members for the first time, security is enforced by an Initial Policy.

The Initial Policy operates by adding Check Point "implied rules" to the Default Filter to allow internal Check Point communication between the Management Server and the Security Gateway / Cluster Member.

The Initial Policy also protects a Security Gateway or Cluster Members in these cases:

The Security Gateway enforces the Initial Policy until an administrator installs a user-defined policy. In subsequent boots, the Security Gateway loads the user-defined policy immediately after the Default Filter.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Notes:

  • You must run this command from the Expert mode.

  • The Initial Policy overwrites the user-defined policy.

  • Output of the "cpstat -f policy fw" command (see cpstat) shows the name of this policy as "InitialPolicy".

  • A Security Gateway or Cluster Member stores the installed Access Control Policy in these directories:

    • $FWDIR/state/__tmp/FW1/

    • $FWDIR/state/local/FW1/

    • $FWDIR/state/<Name of Cluster Object>/FW1/

  • Refer to these related commands:

Syntax

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]

Parameters

Parameter

Description

No Parameters

The command runs with the last used parameter.

-u | -U

Performs these steps:

  1. Removes the attribute :InitialPolicySafe (true) from the ": (FW1" section in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).

  2. Removes the "InitialPolicy" policy files from the $FWDIR/state/local/FW1/ directory.

-g | -G

Performs these steps:

  1. Removes the attribute :InitialPolicySafe (true) from the ": (FW1" section in the Check Point Registry file ($CPDIR/registry/HKLM_registry.data).

  2. Generates the "InitialPolicy" in the $FWDIR/state/local/FW1/ directory.

You can use this parameter if no Initial Policy has been generated yet.

If an Initial Policy was already generated, make sure that after removing the Initial Policy you delete the $FWDIR/state/local/FW1/ directory on the Security Gateway or Cluster Member.

This parameter generates the Initial Policy and ensures that the Security Gateway loads it the next time it fetches a policy (at "cpstart", at the next boot, or with the "fw fetch localhost" command).

The "comp_init_policy -g" command only works if there is currently no policy installed on the Security Gateway or Cluster Member.

If a policy is already installed and you run one of these command pairs, the original policy remains loaded:

  • comp_init_policy -g

    fw fetch localhost

  • comp_init_policy -g

    cpstart

  • comp_init_policy -g

    reboot

Example

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#
 
[Expert@GW:0]# pwd
/opt/CPsuite-R81.10/fw1/state/local/FW1
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 7744
-rw-r--r-- 1 admin root   20166 Jun 13 16:34 install_policy_report.txt
-rw-r--r-- 1 admin root      55 Jun 13 16:34 install_policy_report_timing.txt
-rw-r--r-- 1 admin root   37355 Jun 13 16:34 local.Sandbox-persistence.xml
... output was cut for brevity ...
-rw-r--r-- 1 admin root    2278 Jun 13 16:34 local.vsx_cluster_netobj
-rw-r--r-- 1 admin root    5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r--r-- 1 admin root   10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-r----- 1 admin root   14743 Jun 13 16:34 manifest.C
-rw-r--r-- 1 admin root    7381 Jun 13 16:34 policy.info
-rw-r--r-- 1 admin root    2736 Jun 13 16:34 policy.map
-rw-r--r-- 1 admin root      51 Jun 13 16:34 sig.map
[Expert@GW:0]#
 
[Expert@GW:0]# comp_init_policy -u
erasing local state..
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#
 
[Expert@GW:0]# comp_init_policy -g
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root    8 Jul 19 19:51 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6
-rw-rw---- 1 admin root  235 Jul 19 19:51 local.ft
-rw-rw---- 1 admin root  317 Jul 19 19:51 local.ft6
-rw-rw---- 1 admin root  135 Jul 19 19:51 local.fwrl.conf
-rw-rw---- 1 admin root   14 Jul 19 19:51 local.ifs
-rw-rw---- 1 admin root  833 Jul 19 19:51 local.inspect.lf
-rw-rw---- 1 admin root  243 Jul 19 19:51 local.lg
-rw-rw---- 1 admin root  243 Jul 19 19:51 local.lg6
-rw-rw---- 1 admin root    0 Jul 19 19:51 local.magic
-rw-rw---- 1 admin root    3 Jul 19 19:51 local.set
-rw-rw---- 1 admin root   51 Jul 19 19:51 sig.map
[Expert@GW:0]#

Unloading the user-defined policy

If the installed Access Control Policy prevents administrator access to the Security Gateway or drops traffic incorrectly, you need to uninstall the current user-defined policy and install the updated policy from the Management Server.

Follow these steps to keep your Security Gateway and your networks protected when you uninstall the user-defined policy:

  1. Connect to the problematic Security Gateway / each Cluster Member through the console port.

    Warning - If you connect over SSH, the "Initial Policy" blocks your connection.

  2. Log in to the Expert mode.

  3. Back up the current user-defined policy files:

    cd $FWDIR/state/local/

    tar cvf /var/log/FW1_Policy_Bkp.tar FW1

  4. Remove the current user-defined policy files:

    rm $FWDIR/state/local/FW1/*

  5. Generate the default Check Point policy called "InitialPolicy":

    comp_init_policy

  6. Load the "Initial Policy":

    fw fetch local

  7. Make sure the "Initial Policy" is loaded:

    cpstat -f policy fw | head -n 3

  8. In SmartConsole, make the required changes and install the Access Control policy on the Security Gateway / Cluster.
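The following POSIX shell helpers are an added example, not Check Point's own code. They wrap two points made above: the precondition that "comp_init_policy -g" only takes effect when the $FWDIR/state/local/FW1/ directory is empty (the "Parameters" section), and steps 3 to 7 of the unload procedure (back up, remove, regenerate, fetch, verify). The function names are hypothetical, the FWDIR default is taken from the page's "pwd" output, and the "cpstat -f policy fw" sample text is constructed to match the page's statement that the policy name shows as "InitialPolicy"; the exact cpstat layout is an assumption. The wired-up "unload_user_policy" function uses the explicit "-g" flag documented in the Parameters table rather than the bare command shown in step 5, and is meant to be run only from a console session on a real gateway.

```shell
#!/bin/sh
# Added example (not Check Point's code). Helpers for the "unload the
# user-defined policy" procedure. Function names are hypothetical.

# Default from the page's "pwd" output; real gateways export FWDIR already.
FWDIR="${FWDIR:-/opt/CPsuite-R81.10/fw1}"

# Step 3: archive the FW1 state directory before touching it.
# Prints the archive path on success; returns 1 if the directory is missing.
backup_policy_state() {
    state_dir="$1"        # e.g. $FWDIR/state/local/FW1
    archive="$2"          # e.g. /var/log/FW1_Policy_Bkp.tar
    [ -d "$state_dir" ] || return 1
    # Archive from the parent so entries read "FW1/..." like the page's tar command.
    ( cd "$(dirname "$state_dir")" && tar cf "$archive" "$(basename "$state_dir")" ) || return 1
    printf '%s\n' "$archive"
}

# Precondition for "comp_init_policy -g": no policy installed, i.e. the state
# directory is empty (the page's "ls -l" shows "total 0" after "-u").
state_dir_is_empty() {
    dir="$1"
    [ -d "$dir" ] || return 0
    [ -z "$(ls -A "$dir")" ]
}

# Step 7: read "cpstat -f policy fw" output on stdin and print the policy name.
policy_name_from_cpstat() {
    sed -n 's/^Policy name:[[:space:]]*//p' | head -n 1
}

# Returns 0 when the loaded policy is the Initial Policy.
is_initial_policy() {
    [ "$(policy_name_from_cpstat)" = "InitialPolicy" ]
}

# Constructed cpstat samples (layout assumed; the "InitialPolicy" name is from the page).
SAMPLE_CPSTAT_INITIAL='Product name: Firewall
Policy name:  InitialPolicy
Install time: Wed Jul 19 19:51:00 2023'

SAMPLE_CPSTAT_USER='Product name: Firewall
Policy name:  Standard
Install time: Tue Jun 13 16:34:00 2023'

# Steps 3-7 wired together. Only call this from the console on a real gateway;
# it is deliberately not invoked at the top level of this script.
unload_user_policy() {
    state_dir="$FWDIR/state/local/FW1"
    backup_policy_state "$state_dir" /var/log/FW1_Policy_Bkp.tar || return 1
    rm -f "$state_dir"/*
    state_dir_is_empty "$state_dir" || return 1   # "-g" needs an empty state dir
    comp_init_policy -g
    fw fetch local
    cpstat -f policy fw | is_initial_policy       # 0 only if "InitialPolicy" is loaded
}
```

Because the gateway blocks SSH once the Initial Policy is loaded, the last pipeline doubles as the check in step 7: a non-zero status means the Initial Policy is not what the firewall is enforcing, and the backup archive is the way to restore the previous state.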