Jan 212017

Have you ever been frustrated that simple scripting is a problem when doing things on your Check Point firewall? There is a reason why compilers and scripting tools are very limited on such devices. The less options a potential attacker finds to do harm with the better.

As far as I remember from different trainings Check Point uses a GCC compiler to build the policies. But this compiler is said to be stripped down to a large extent.

And there exists Python within GAiA. I would not suggest to use this Python on a gateway, but on a management server it could be very useful.

This is how you start python:

[Expert@cp2205:0]# $FWDIR/Python/bin/python
Python 2.7.3 (default, Jun 27 2012, 14:41:05)
[GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-20)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Python usage is limited in Check Point security gateway

The last line is true. We will see it in a few moments. Let’s try with a simple script:

[Expert@cp2205:0]# cat test.py
# -*- coding: utf-8 -*-
print("Hello, World!")

We start this script:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

Oops. Which policy? Where do I define this? With strace you will find a hint to /etc/fw/conf/whitelist. Let’s append our file to this whitelist:

# VER: 20140202
# Python Whitelist

Okay. Next try:

[Expert@cp2205:0]# ./test.py
File './test.py' execution is not allowed according to Check Point policy

That was not really what I expected. Maybe precisely in the same way as in the whitelist?

[Expert@cp2205:0]# /home/admin/test.py
Hello, World!

Voilà! The rest is up to you.

Some last words: Knowing about the existence of /etc/fw/conf/whitelist maybe you will have a look on the contents of this file on your Check Point devices in the future.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>