The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Where Did My Rulebases Go?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

When you open up Policy Editor, the rulebase name is “Standard” with no rules. Also when doing a “File > Open” only “Standard” shows up in the “Open Security Policy” window. All former rules do actually exist in the conf directory, however you cannot see them via the GUI. Doing “fw stat” at the FW itself shows that the correct rulebase is running and when you look at the current log, you see that the rules are being correctly implemented. Further, all the Network Objects, Users, etc., are still there.

There are actually two copies of your rulebases:

  • Individual rulebase.W files (for backward compatibility with fwui)
  • A single rulebases.fws or rulebases_5_0.fws file (which contains all your rulebases)

The Motif/Win95 GUI uses the rulebases.fws file. When all you see is “Standard” in your rulebase listing, this file had to be recreated for whatever reason.

NG AI and later allows you to use the cp_merge command as follows, which can run from a UNIX or Windows management station:

cp_merge import_policy -f old_policy.W -n myPolicy

myPolicy is the name of the policy package to import the rulebase file into. Since a .W file no longer contains all of the policy information, this command should only be used as a last resort.

In VPN-1/FireWall-1 up to NG FP1, Check Point allowed you to use the fwm -g command to reimport your rulebases, using the complete pathname to the appropriate rulebase.W file as an argument. The problem for NG FP2 users is that this command is still allowed, yet it causes corruption of the rulebase. NG FP3 and beyond properly informs you this is no longer a supported feature.

On Unix in NG FP1 and before:

    # cd $FWDIR/conf
    # fwm -g *.W

On Windows in NG FP1 and before:

    c:> cd %FWDIR%\bin
    c:\WINNT\FW\bin> for %i in (*.W) do fw fwm -g %i

The differences are:

  • On Unix, the * is interpreted as a wildcard, including all .W files
  • On windows, The rulebases.W files will be in the FWDIR\conf directory.
  • On Windows, the * is not interpreted as a wildcard, so you must list the .W files individually.
  • On Windows, there is no ‘fwm’ binary, but it is included as part of fw.exe

Note that it is possible that when importing rulebase files, you may see “Not in Scope” messages. This will occur if objects referenced in the specified rulebase file no longer exist. The rulebase in question will not be successfully imported in this case.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.