Have you ever been frustrated that simple scripting is a problem when doing things on your Check Point firewall? There is a reason why compilers and scripting tools are very limited on such devices: the fewer options a potential attacker finds to do harm with, the better.
As far as I remember from various trainings, Check Point uses a GCC compiler to build the policies, but this compiler is said to be stripped down to a large extent.
There is also a Python within GAiA. I would not suggest using this Python on a gateway, but on a management server it could be very useful.
This is how you start python:
[Expert@cp2205:0]# $FWDIR/Python/bin/python
Python 2.7.3 (default, Jun 27 2012, 14:41:05)
[GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-20)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Python usage is limited in Check Point security gateway
The last line is true. We will see it in a few moments. Let’s try with a simple script:
[Expert@cp2205:0]# cat test.py
#!/opt/CPsuite-R77/fw1/Python/bin/python
# -*- coding: utf-8 -*-
print("Hello, World!")
We start this script:
[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy
Oops. Which policy? Where do I define this? With strace you will find a hint to /etc/fw/conf/whitelist. Let's append our file to this whitelist:
# VER: 20140202
# Python Whitelist
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/oleanalyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/ole_analyzer/office2007_analyzer.pyc
p;$TE_UPDATES_HOME/SA_rules/496149D5-0689-472B-8F50-21DD409F0EC6/${SA_REV}/pdf_analyzer/pdf_static_analysis.pyc
p;${FWDIR}/scripts/fake_server/FakeServer.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/msi.fix.pyc
p;$TE_UPDATES_HOME/Raw_Files/A8B5A5DC-4335-47AB-9895-D58BBDFBE2D5/${BINR_REVISION}/binres/rtl.fix.pyc
p;${FWDIR}/teCurrentPack/fake_server/FakeServer.pyc
p;${FWDIR}/scripts/CheckSMTPconnectivity.py
p;/home/admin/test.py
Okay. Next try:
[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy
That was not really what I expected. Maybe the path has to be given precisely the same way as it is written in the whitelist?
[Expert@cp2205:0]# /home/admin/test.py
Hello, World!
Voilà! The rest is up to you.
Some last words: knowing about the existence of /etc/fw/conf/whitelist, maybe you will have a look at the contents of this file on your Check Point devices in the future.
One Response to “Using Python on Check Point Firewalls”
Very nice article!
The /etc/fw/conf/whitelist file has two types of entries: path (the line begins with "p;") or hash (the line begins with "h;").
Path:
The path uses the wordexp() C library call, which is a shell-like expansion of the string (man wordexp). In other words, you can use wildcard characters in the path (in the above example: p;/home/admin/*.py). The problem is that only the first match is checked (if the /home/admin/ directory contains 'a.py' and 'hello.py', only 'a.py' is allowed to execute, because 'a.py' is the first match and 'hello.py' is the second match), or you can use the full path of the python script without a wildcard.
Hash:
The hash method uses the SHA1() hash of the python program. It is easy to create the sha1() hash of the above example:
[Expert:]# sha1sum /home/admin/hello.py # or ‘cpopenssl sha1 /home/admin/hello.py’ (why cpopenssl? Why cp? 🙂
5b3488b47c302c3dfe9195032877dbab13dc4bd4 /home/admin/hello.py
In this case the whitelist entry is:
h;5b3488b47c302c3dfe9195032877dbab13dc4bd4
Just a final note: from R80.30 (maybe R80) there is no longer any restriction on executing python scripts.
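As an added example (not code from the post, the commenter or Check Point), the following Python 3 script models the whitelist rules described above so you can see why the post's `./test.py` failed while `/home/admin/test.py` worked, and why a wildcard entry only covers the first matching file. It assumes the behaviour exactly as described: `p;` entries are shell-expanded and only the first match counts, `h;` entries compare the SHA1 of the file, and the path is compared as a plain string; wordexp() is approximated with os.path.expandvars plus glob, and the directory and files it uses are constructed in a temp directory.

```python
import glob
import hashlib
import os
import tempfile

def parse_whitelist(text):
    """Keep p;/h; lines; '#' lines (VER, title) and blanks are ignored."""
    entries = []
    for line in text.splitlines():
        kind, _, value = line.strip().partition(';')
        if kind in ('p', 'h') and value:
            entries.append((kind, value))
    return entries

def expand_path(entry):
    """Approximation of wordexp(): expand $VARS, then glob; only the first (sorted) match is used."""
    matches = sorted(glob.glob(os.path.expandvars(entry)))
    return matches[0] if matches else os.path.expandvars(entry)

def sha1_of_file(path):
    with open(path, 'rb') as f:
        return hashlib.sha1(f.read()).hexdigest()

def is_allowed(script_path, whitelist_text):
    """Model of the check: the path is compared as a string (no realpath), so './x.py' != '/home/admin/x.py'."""
    for kind, value in parse_whitelist(whitelist_text):
        if kind == 'p' and expand_path(value) == script_path:
            return True
        if kind == 'h' and os.path.isfile(script_path) and sha1_of_file(script_path) == value.lower():
            return True
    return False

def demo():
    """Constructed stand-in for /home/admin holding a.py and hello.py, as in the comment above."""
    d = tempfile.mkdtemp()
    a, hello = os.path.join(d, 'a.py'), os.path.join(d, 'hello.py')
    for p in (a, hello):
        with open(p, 'w') as f:
            f.write('print("Hello, World!")\n')
    wildcard, exact, by_hash = 'p;%s/*.py' % d, 'p;%s' % hello, 'h;%s' % sha1_of_file(hello)
    return {
        'wildcard_a': is_allowed(a, wildcard),              # first match: allowed
        'wildcard_hello': is_allowed(hello, wildcard),      # second match: never checked
        'exact_hello': is_allowed(hello, exact),
        'relative_hello': is_allowed('./hello.py', exact),  # what the post hit with ./test.py
        'hash_hello': is_allowed(hello, by_hash),           # h; entry is path-independent
    }

if __name__ == '__main__':
    print(demo())
```

The hash form is the one to prefer when auditing this file: a `p;` wildcard entry silently covers whatever happens to sort first in that directory.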