A bit of both. Some parts of the system use other people's scripts etc., i.e. Volker Tanger wrote

> *PLEASE* use the current version from its homepage
> http://www.wyae.de/software/fw1rules/ as phoneboy still hosts an old
> copy (version 7.2.7) whereas the current version is 7.3.5 which includes
> a number of important bugfixes. Please note that while it runs smoothly
> with V4.1 it does not work completely yet for NG configurations.

The rest are custom written scripts for our organisation. Unfortunately it was not developed with a commercial or other release in mind. I can give you a few pointers if it is something you would like to get up and running.

cheers
Leon.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com] On Behalf Of Michael Mills
Sent: 17 October 2002 16:30
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Change management tools and techniques

Is this something that you made? Or bought? I would be interested in this solution!!

Thank You
Michael Mills
[EMAIL PROTECTED]
312-498-1139

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com] On Behalf Of Leon Noble
Sent: Thursday, October 17, 2002 10:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Change management tools and techniques

Hi Dave,

I have created a password protected php front-end with ssl for various firewall logging and change information. This is for checkpoint only, sorry, no pix information. I use php, perl, mysql, apache with mod_ssl and openssl. We currently do the following.

Extract the rules file from downloaded backups and run with fwrules, downloadable from www.phoneboy.com in the downloads section. This creates an html file which is stored and can be accessed over the secure connection; this runs every day. The html file that fwrules creates is a very detailed and very accurate representation of your rulebase. It is a very good script.

If your firewall runs on Nokia ipso you can use the summary.tcl file in the /web/cgi-bin directory to output an html file of your current firewall config. You can script this to do it daily. This can help if you need to rebuild the firewall.

Run an md5 check on the rulebase and alert if it is different from the stored md5 checksum.

Dump logs into a mysql database and run a custom script to output a monthly report detailing number of packets dropped and accepted by day, source, destination and service. It outputs these reports in a bar graph format using the GD module for perl.

Include the cpmgmt.aud file in the backups. Extract the information from this file, parse and output in a password protected php file. The cpmgmt.aud file contains all access to the firewall and when the rulebase was installed.

Use the Mysql database to store details about your firewall, i.e. hostname, md5 checksum etc. You can also create a table detailing changes and have this updateable/viewable from a password protected php file.

I can't forward on any files for you to look at for obvious reasons, but these are a few ideas to get you going. There is a lot of information you can extract from your firewall so you could maybe combine your change control idea with a whole administration centre for your firewall(s).

Hope this helps a little.

cheers
Leon.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@;beethoven.us.checkpoint.com] On Behalf Of crypto isakmp
Sent: 17 October 2002 01:58
To: [EMAIL PROTECTED]
Subject: [FW-1] Change management tools and techniques

What tools are you using to manage fw-1, access routers, <insert other security device> changes?

I am currently working with an excel spreadsheet but am considering the benefits of creating an access or sql database to track changes to rules, objects etc. Long term goal is to write a php front-end with ssl to provide the network team with a web-based change management facility. Then as soon as a rule or access-list change is made, the change can be manually updated in the change-management database.

Are there any opensource or commercial products out there already providing this functionality? Keep in mind the tool needs to cover rules, objects, nats plus router reflexive lists, ios firewall configs, pix configs, ids configs etc.

Appreciate all experiences you may have.

Regards
Dave

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan service.
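The checksum check and the hostname/checksum and change tables described in the thread, sketched as an added example; this is not code from any poster in the thread. It assumes SQLite in place of MySQL and SHA-256 in place of MD5, and every table, function and host name in it is hypothetical.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS firewall (hostname TEXT PRIMARY KEY, checksum TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS change_log (
    id INTEGER PRIMARY KEY, hostname TEXT NOT NULL, seen_at TEXT NOT NULL,
    old_checksum TEXT, new_checksum TEXT NOT NULL, ticket TEXT);
"""

def open_store(path=":memory:"):
    # SQLite stands in for the MySQL database (assumption, keeps the demo self-contained).
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def check_rulebase(db, hostname, rulebase: bytes) -> str:
    """Compare the rulebase digest with the stored one and log any difference."""
    new = hashlib.sha256(rulebase).hexdigest()  # SHA-256 swapped in for MD5
    row = db.execute("SELECT checksum FROM firewall WHERE hostname = ?",
                     (hostname,)).fetchone()
    old = row[0] if row else None
    if old == new:
        return "unchanged"
    with db:  # log entry and new baseline commit together
        db.execute("INSERT INTO change_log (hostname, seen_at, old_checksum, new_checksum) "
                   "VALUES (?, ?, ?, ?)",
                   (hostname, datetime.now(timezone.utc).isoformat(), old, new))
        db.execute("INSERT OR REPLACE INTO firewall (hostname, checksum) VALUES (?, ?)",
                   (hostname, new))
    return "changed" if old else "baseline"

def unreconciled(db, hostname):
    """Detected changes not yet tied to a change record: the list to alert on."""
    return db.execute(
        "SELECT id, seen_at, old_checksum, new_checksum FROM change_log "
        "WHERE hostname = ? AND old_checksum IS NOT NULL AND ticket IS NULL ORDER BY id",
        (hostname,)).fetchall()

def attach_ticket(db, change_id, ticket):
    """Record which approved change explains a detected rulebase difference."""
    with db:
        db.execute("UPDATE change_log SET ticket = ? WHERE id = ?", (ticket, change_id))

if __name__ == "__main__":
    db = open_store()
    # Constructed placeholder bytes, not a real FireWall-1 rulebase.
    for blob in (b"rule 1: accept\n", b"rule 1: accept\n", b"rule 1: accept\nrule 2: drop\n"):
        print(check_rulebase(db, "fw-example", blob))
    print(unreconciled(db, "fw-example"))
```

Run daily against the rules file pulled from the backups, a non-empty `unreconciled()` result is the alert: the rulebase changed and nobody has entered the change in the change-management table.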
