control_bootsec

Important - This section does not apply to Scalable Platforms (Maestro and Chassis).

Description

Controls the boot security - loading of both the Default Filter policy (defaultfilter) and the Initial Policy (InitialPolicy) during boot on a Security Gateway, or a Cluster Member.

Warning - If you disable the boot security, you leave your Security Gateway, or a Cluster Member, without any protection during the boot. Before you disable the boot security, we recommend that you disconnect your Security Gateway, or Cluster Member, from the network completely.

Important - In a Cluster, you must configure all the Cluster Members in the same way.


Syntax

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}

Parameters

Parameter: No Parameter, -g, or -G

Description: Enables the boot security:

  1. Executes the "$FWDIR/boot/fwboot bootconf set_def $FWDIR/boot/default.bin" command that updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point to the correct policy file (DEFAULT_FILTER_PATH /etc/fw.boot/default.bin).

  2. Executes the "$FWDIR/bin/comp_init_policy -g" command that:

    1. Removes the attribute ":InitialPolicySafe (true)" from the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).

    2. Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory.

Parameter: -r or -R

Description: Disables the boot security:

  1. Executes the "$FWDIR/boot/fwboot bootconf set_def" command that updates the path to the Default Filter policy in the $FWDIR/boot/boot.conf file to point nowhere (DEFAULT_FILTER_PATH 0).

  2. Executes the "$FWDIR/bin/comp_init_policy -u" command that:

    1. Adds the attribute ":InitialPolicySafe (true)" to the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file).

    2. Deletes all files in the $FWDIR/state/local/FW1/ directory.
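As an added audit check (not part of this Check Point reference), the following shell function reads the three artefacts that control_bootsec -g and -r modify and reports whether boot security is enabled, disabled, or left in an inconsistent state. The three positional arguments are an assumption of this example: they default to the paths named above and can be overridden so the check can run against copies of the files.

```shell
# Added example, not Check Point code. Exit status: 0 = boot security
# enabled, 1 = disabled (gateway unprotected during boot), 2 = inconsistent.
check_bootsec() {
    # Assumed arguments; defaults are the paths named in the parameter table.
    boot_conf="${1:-$FWDIR/boot/boot.conf}"
    registry="${2:-$CPDIR/registry/HKLM_registry.data}"
    state_dir="${3:-$FWDIR/state/local/FW1}"

    # 1. DEFAULT_FILTER_PATH in boot.conf: a policy file path when enabled,
    #    the literal "0" after control_bootsec -r.
    def_path=$(awk '$1 == "DEFAULT_FILTER_PATH" { print $2 }' "$boot_conf")

    # 2. ":InitialPolicySafe (true)" is present in the registry only after
    #    comp_init_policy -u, i.e. only when boot security is disabled.
    safe=0
    grep -q ':InitialPolicySafe (true)' "$registry" && safe=1

    # 3. Initial Policy files exist in the FW1 state directory when enabled;
    #    control_bootsec -r deletes all of them.
    nfiles=$(find "$state_dir" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' ')

    if [ -n "$def_path" ] && [ "$def_path" != "0" ] && [ "$safe" -eq 0 ] && [ "$nfiles" -gt 0 ]; then
        echo "boot security ENABLED: default filter $def_path, $nfiles Initial Policy files"
        return 0
    elif [ "$def_path" = "0" ] && [ "$safe" -eq 1 ] && [ "$nfiles" -eq 0 ]; then
        echo "boot security DISABLED: no protection during boot"
        return 1
    else
        echo "INCONSISTENT: DEFAULT_FILTER_PATH=$def_path InitialPolicySafe=$safe files=$nfiles"
        return 2
    fi
}
```

Run it with no arguments in Expert mode to check the live gateway, or on every Cluster Member to confirm they are configured the same way.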

Example 1 - Disabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#
 
[Expert@GW:0]# pwd
/opt/CPsuite-R81.10/fw1/state/local/FW1
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 7736
-rw-rw---- 1 admin root   11085 Jul 19 20:16 install_policy_report.txt
-rw-rw---- 1 admin root      56 Jul 19 20:16 install_policy_report_timing.txt
-rw-rw---- 1 admin root   37355 Jul 19 20:16 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root       3 Jul 19 20:16 local.ad_query_profiles
... ... ...
-rw-r----- 1 admin root   14743 Jul 19 20:16 manifest.C
-rw-rw---- 1 admin root    7381 Jul 19 20:16 policy.info
-rw-rw---- 1 admin root    2736 Jul 19 20:16 policy.map
-rw-rw---- 1 admin root      51 Jul 19 20:16 sig.map
[Expert@GW:0]#
 
[Expert@GW:0]# $FWDIR/bin/control_bootsec -r
Disabling boot security
FW-1 will not load a default filter on boot
[Expert@GW:0]#
 
[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING        1
DEFAULT_FILTER_PATH     0
KERN_INSTANCE_NUM       3
COREXL_INSTALLED        1
KERN6_INSTANCE_NUM      2
IPV6_INSTALLED  0
CORE_OVERRIDE   4
[Expert@GW:0]#
 
[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
                                        :InitialPolicySafe (true)
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

Example 2 - Enabling the boot security

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#
 
[Expert@GW:0]# pwd
/opt/CPsuite-R81.10/fw1/state/local/FW1
[Expert@GW:0]#
 
[Expert@GW:0]# control_bootsec -g
Enabling boot security
[Expert@GW:0]#
 
[Expert@GW:0]# cat $FWDIR/boot/boot.conf
CTL_IPFORWARDING        1
DEFAULT_FILTER_PATH     /opt/CPsuite-R81.10/fw1/boot/default.bin
KERN_INSTANCE_NUM       3
COREXL_INSTALLED        1
KERN6_INSTANCE_NUM      2
IPV6_INSTALLED  0
CORE_OVERRIDE   4
[Expert@GW:0]#
 
[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
[Expert@GW:0]#
 
[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root    8 Jul 19 20:22 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6
-rw-rw---- 1 admin root  235 Jul 19 20:22 local.ft
-rw-rw---- 1 admin root  317 Jul 19 20:22 local.ft6
-rw-rw---- 1 admin root  135 Jul 19 20:22 local.fwrl.conf
-rw-rw---- 1 admin root   14 Jul 19 20:22 local.ifs
-rw-rw---- 1 admin root  833 Jul 19 20:22 local.inspect.lf
-rw-rw---- 1 admin root  243 Jul 19 20:22 local.lg
-rw-rw---- 1 admin root  243 Jul 19 20:22 local.lg6
-rw-rw---- 1 admin root    0 Jul 19 20:22 local.magic
-rw-rw---- 1 admin root    3 Jul 19 20:22 local.set
-rw-rw---- 1 admin root   51 Jul 19 20:22 sig.map
[Expert@GW:0]#