fw1_lea2dlf.in(1)
NAME
fw1_lea2dlf - convert Check Point FireWall-1 NG logs to firewall DLF
SYNOPSIS
fw1_lea2dlf file
DESCRIPTION
fw1_lea2dlf converts Check Point FireWall-1 NG logs into firewall DLF
format. Input for this converter is the output of fw1-loggrabber, a
simple LEA (Log Export API) client.
ACTIVATION INSTRUCTIONS
This DLF converter isn't activated by default in Lire. It requires the
Date::Manip perl module and the fw1-loggrabber tool. Date::Manip can be
installed from CPAN. fw1-loggrabber is available from
http://sourceforge.net/projects/fw1-loggrabber .
If both of these components are installed, you can activate the fw1_lea
DLF converter by uncommenting its line in the file
@sysconfdir@/@PACKAGE@/address.cf
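The activation step as a small script, added here as an example; it is not part of Lire or of fw1-loggrabber. It assumes the converter's entry in address.cf is a line beginning with fw1_lea that has been disabled with a leading "#" (the rest of that line is left as it is); the real line layout in your installation may differ, so look at the file before running it. Both prerequisites named above are checked first, and the edit refuses to touch the file unless exactly one commented fw1_lea line is present, so a typo or an already-active converter is reported rather than silently ignored.

```shell
#!/bin/sh
# Added example, not Lire's own code.
# Assumption: the converter's entry in address.cf is a line that starts
# with the converter name ("fw1_lea"), disabled with a leading "#".

# Return 0 when both prerequisites from the man page are present.
check_fw1_lea_prereqs() {
    if ! perl -MDate::Manip -e 1 2>/dev/null; then
        echo "Date::Manip is not installed (install it from CPAN)" >&2
        return 1
    fi
    if ! command -v fw1-loggrabber >/dev/null 2>&1; then
        echo "fw1-loggrabber not found in PATH" >&2
        return 1
    fi
    return 0
}

# Uncomment exactly the line for converter $2 in file $1.
# The name must be followed by whitespace or end of line, so "fw1_lea"
# does not also match a hypothetical "fw1_lea_other" entry.
uncomment_converter() {
    cfg=$1
    name=$2
    n=$(grep -cE "^#[[:space:]]*$name([[:space:]]|$)" "$cfg" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one commented '$name' line in $cfg, found $n" >&2
        return 1
    fi
    tmp="$cfg.tmp.$$"
    sed -E "s/^#[[:space:]]*($name([[:space:]]|$))/\1/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Number of active (uncommented) lines for converter $2 in file $1.
count_active() {
    grep -cE "^$2([[:space:]]|$)" "$1"
}

# Usage: sh activate_fw1_lea.sh /path/to/address.cf
# (the installed @sysconfdir@/@PACKAGE@/address.cf on your system)
if [ "${1:-}" != "" ]; then
    check_fw1_lea_prereqs && uncomment_converter "$1" fw1_lea
fi
```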
OTHER NOTES
fw1-loggrabber is built using OPSEC's Software Development Kit. OPSEC
(Open Platform for Security, http://www.opsec.com/) is an open,
multivendor security framework.
Some notes about fw1-loggrabber are quoted here:

  ********************************************************
  FW1-LOGGRABBER - Author: Torsten Fellhauer
  current Version: 1.0
  ********************************************************

  1) Prerequisites
  2) How to Build
  3) How to Use
  4) Change History

  ********************************************************

  1) Prerequisites

  a) for running FW1-LOGGRABBER

     FW1-LOGGRABBER is statically linked and can therefore be
     run on the following systems:

     * Linux (Tested distributions are Red Hat, SuSE and Debian
       with Kernel Versions 2.2.x and 2.4.x)
     * Solaris SPARC (Tested versions are Solaris 8 and 9)
     * Windows NT/2000/XP (currently no W32 version of
       FW1-LOGGRABBER is available yet and therefore not yet
       tested)

  b) for building FW1-LOGGRABBER

     FW1-LOGGRABBER uses API functions from Checkpoint's OPSEC
     SDK. In order to be able to build applications which use
     this SDK, a very special build environment has to be used.
     Currently building FW1-LOGGRABBER is supported only for the
     Solaris SPARC platform and the Linux platform.

     * Linux
       - Red Hat 6.2
       - gcc 2.95.1
       - Checkpoint OPSEC SDK NG-FP3 for Linux 2.2
     * Solaris SPARC
       - Solaris 8
       - gcc 2.95.2
       - Checkpoint OPSEC SDK NG-FP3 for Solaris SPARC
     * Windows
       - EDITME

  3) How to Use

  a) Configure FW1 to enable LEA-Protocol

     In order to be able to use this tool with a Checkpoint FW-1
     installation, the following tasks have to be done:

     * modify $FWDIR/conf/fwopsec.conf and define the port for
       unauthenticated lea connections.

         # lea_server auth_port 18184
         lea_server port 50001

     * bounce FW1 (cpstop / cpstart) to activate changes
     * add rule to policy to enable connections on port 50001
       to the FW-1 Management-Server

  b) Usage of FW1-LOGGRABBER

     FW1-LOGGRABBER is statically linked and therefore not
     dependent on OPSEC libraries. The binary can be run on
     any Linux or Solaris SPARC system.

     Command-Line Options:

       -s            IP-Address of FW1-Management-Server
       -p            unauthenticated LEA-Port of FW1-Server
       -f            exact name of FW1-Logfile or pattern to be
                     matched on FW1-Logfiles.
       --resolve     Resolve IP-Addresses to Names
       --noresolve   Do not resolve IP-Addresses to Names
       --showfiles   Only show available FW1-Logfiles and exit.
       --debug       Enable debug-mode of FW1-LOGGRABBER

     Examples:

       o fw1-loggrabber -s 192.168.2.254 -p 50001 --showfiles

         Show all logfiles that are available on the
         FW1-Management-Server with the IP-Address 192.168.2.254.
         The LEA-Port the Management-Server is listening on for
         unauthenticated connections is 50001.

       o fw1-loggrabber -s 192.168.2.254 -p 50001

         Show all logentries of the default FW1-Logfile (fw.log)
         on the FW1-Management-Server with the IP-Address
         192.168.2.254 and the LEA-Port 50001.

       o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03-27_213652.log

         Show all logentries of the specified logfile. If the
         logfile doesn't exist on the specified
         FW1-Management-Server, no entries are returned.

       o fw1-loggrabber -s 192.168.2.254 -p 50001 -f 2003-03

         Show all logentries of all logfiles on the
         FW1-Management-Server that contain the pattern
         "2003-03", i.e. all logfiles from March 2003.

       o fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.adtlog

         Show all logentries of the audit logfile on the
         FW1-Management-Server.

  4) Change History

     * 1.0 - Initial Version (2003/03/30)
       o get all available FW1-Logfiles
       o get data of one or more FW1-Logfiles

  5) Features to be implemented

     * Implementation of authenticated connections
     * Win32 build
EXAMPLES
To process a log as produced by FW-1:

  $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | fw1_lea2dlf

fw1_lea2dlf will rarely be used on its own, but is more likely called
by lr_log2report:

  $ fw1-loggrabber -s 192.168.2.254 -p 50001 -f fw.log | \
      lr_log2report fw1_lea
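A wrapper around the second pipeline above, added here as an example (it is not part of Lire or fw1-loggrabber). In a plain pipe the exit status of fw1-loggrabber is lost, so a wrong server, port or logfile name yields an empty input to lr_log2report and a report that quietly covers nothing; the fw1-loggrabber notes above say that a non-existent logfile simply returns no entries. The wrapper captures the grab into a temporary file, fails on a non-zero exit, and treats an empty grab as its own error before anything reaches lr_log2report. The LOGGRABBER and LOG2REPORT variables are hooks introduced here (not options of either tool) so the commands can be substituted for testing.

```shell
#!/bin/sh
# Added example, not Lire's own code. LOGGRABBER and LOG2REPORT are
# hooks introduced here so the two commands can be overridden; they
# default to the tools named in the man page.

# Usage: grab_and_report SERVER PORT LOGFILE
# Exit status: 0 report produced, 1 fw1-loggrabber failed (or the
# report step failed), 2 fw1-loggrabber returned no log entries.
grab_and_report() {
    server=$1
    port=$2
    logfile=$3
    tmp=$(mktemp) || return 1

    # Grab into a file first so the exit status is not swallowed by a pipe.
    if ! "${LOGGRABBER:-fw1-loggrabber}" -s "$server" -p "$port" -f "$logfile" > "$tmp"; then
        rm -f "$tmp"
        echo "fw1-loggrabber failed for $logfile on $server:$port" >&2
        return 1
    fi

    # An empty grab (e.g. a logfile name that does not exist on the
    # management server) would otherwise produce an empty report.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no log entries returned for $logfile on $server:$port" >&2
        return 2
    fi

    if "${LOG2REPORT:-lr_log2report}" fw1_lea < "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Run directly: sh fw1_report.sh 192.168.2.254 50001 fw.log
if [ $# -eq 3 ]; then
    grab_and_report "$@"
fi
```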
BUGS / TO DO
This converter needs perl's Date::Manip library. It would be better to
use another module for this, one that is used by more Lire code.
The status and licensing of fw1-loggrabber is unknown.
SEE ALSO
Unfortunately, Check Point supplies no easily available documentation:
http://www.checkpoint.com/support/technical/documents/index.html is
password protected. Some notes about the FireWall-1 product are on
http://www.checkpoint.com/products/protect/firewall-1.html .
AUTHORS
Torsten Fellhauer <torsten@fellhauer-web.de>
VERSION
$Id: fw1_lea2dlf.in,v 1.9 2006/07/23 13:16:35 vanbaal Exp $
COPYRIGHT
Copyright (C) 2003 Torsten Fellhauer
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html.