Files and Directory Structure
FwPlatinum comes as a Tar Gzipped file, once you unpacked it, (which you
must have already done when reading this file) it creates the following
The client scripts to be run on the Webserver are:
- bin - Contains executables.
- etc - Contains configuration files.
- db - Default repository for user databases.
- lib - Contains shared module files.
- tmp - Default repository for temporary files.
The server scripts to be run on the Firewall Management Station are:
- fwplat-cron Runs from cron every 5 minutes on the webserver to
contact fwplatd (running on the management
station), get the latest statistics, and update
the RRD databases.
- fwplat A CGI script which generates and displays graphs
of the statistics stored in the RRDdatabases.
None of these need to run as root, so I recommend that they don't.
This daemon binds to a port and listens for connections from
fwplatd-cron. If a connection comes from an authorised host, it
outputs the current statistics. It gets the statistics from text
files maintained by fwplat-logtaild and fwplat-tabd.
This daemon spawns a 'fw log -tfn' command.
It continually parses the results and stores the results in a text file
for fwplat-serverd to read.
This daemon runs 'fw tab -t connections -short'
at 30 intervals. It stores the results in a text file for fwplat-serverd to read.
Startup script to start and stop the other server scripts. It should be
copied and adapted to the rc structure of the server.
FwPlatinum can run on a single Fw-1 Management Station/Web server machine.
Or, you can have the fwplatd daemon running on the Fw-1 Management Station,
and have fwplat.cron and the fwplat CGI script running on your webserver.
Repeat the process below for each machine involved, and ensure that the
configuration files are identical on each machine.
- Obtain RRDtool from
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ and install it onto the webserver.
I recommend you install it into /usr/local/rrdtool, /opt/local/rrdtool,
or /opt/rrdtool. Better still, create a symlink to it from one of
these locations -
ln -s /usr/local/rrdtool-x.yy /usr/local/rrdtool
- Unpack the fwplat distribution onto both the webserver and the management station.
The programs assume that they are installed into one of the following
locations: /usr/local/fwplat/, /opt/local/fwplat/, /opt/fwplat/.
I recommend you unpack as /usr/local/fwplat-x.yy.z and then symlink -
gunzip -c /tmp/fwplat-x.yy.tar.gz | tar -xvf -
ln -s /usr/local/fwplat-x.yy.z /usr/local/fwplat.x.yy
ln -s /usr/local/fwplat-x.yy /usr/local/fwplat
The reason for this structure is because yy releases involve changes to
the Fwplat library code and z releases involve other lesser changes.
Provided that the code can always refer to it's correct library along the
fwplat-x.yy symlink, you can have live and test versions of fwplat running
- All the scripts use perl and assume it's location is /usr/local/bin/perl.
If perl is installed elsewhere, then I recommend creating a
/usr/local/bin/perl symlink. Otherwise you will need to change the first
line of each script.
Note: you can get perl for Nokia firewalls from Nokia Resolution 1783.
Warning: This program has only been tested on perl versions 5.004
and above. It should work at lower Perl 5 versions, but let me know how it turns out!
- Copy the master configuration file and user database files -
cp -p fwplat.conf.orig fwplat.conf
cp -p userdb.conf.orig userdb.conf
- Edit the configuration files and modify accordingly:
vi fwplat.conf userdb.conf
- Copy the master configuration file (fwplat.conf) to /etc/fwplat.conf
(or create a symlink to fwplatpath/etc/fwplat.conf). Otherwise you
will need to explicitly specify the config file location using the
-c ConfigFile option.
- Create a userid (fwplat) to run fwplatd and fwplat-cron as.
On the management station, the userid will need access to the
CheckPoint FW-1 (©) directories, so add the userid into
a group which is authorised to run 'fw log'. To create the group,
- Make sure that all the directories defined in /etc/fwplat.conf exist
and are writable by the appropriate userids.
- On the Webserver, create a symlink in your cgi-bin directory to
- On the Webserver, copy the docs/fwplatinum.png file to your CLIENTIMAGEPATH
- You can check that all the server scripts are working, by
running them in debug mode (see Debugging FwPlatinum).
You are now ready to start the server daemon and to define the cronjob
Give the server 10 minutes to get some initial data, and you can then see some
results by going to
- On the management station, start the daemon by running :
fwplatpath/bin/fwplat-tabd [-c ConfigFile]
fwplatpath/bin/fwplat-logtaild [-c ConfigFile]
fwplatpath/bin/fwplat-serverd [-c ConfigFile]
Or better yet, copy the fwplatpath/bin/fwplat.init script into
your rc directory structure, edit it to set the appropriate FWPLAT_DIR,
CONF_FILE, and USERID values, and then call it with
The daemon can be stopped at any time by running :
- On the webserver, define the following cronjob :
0,5,10,15,20,25,30,35,40,45,50,55 * * * * fwplatpath/bin/fwplat-cron [-c ConfigFile]
This will update the databases every five minutes.
Multiple Firewall Management Stations
I need to run multiple instances of Fwplat (I have multiple management
stations), but I only use one stats/web server to get and display the
statistics for all the instances. This means I need to use different
configuration filesnames for each fwplat instance. Here's how you
set up diffent configuration file names:
- On each management station, /etc/init.d/fwplat.init should be
modified. In it, change the CONF_FILE constant to specify the specific
- On the stats gathering server, have multiple cron entries for
fwplat.cron, specifying the config file by using the
-c /usr/local/fwplat/etc/ConfigFileName flag.
- On the Web server, you can pass the name of the config file to
the CGI script by means of the conf parameter -
Note that the file must be in one of the default config file directories.
Using Offline Firewall Logs
If you can't run the server scripts on the firewall management station for
whatever reason, you can run them on another machine if it can be
sent chunks of the logs every 5 minutes.
First, set up a job to send the logs from the management station to the
fwplat server. This could be done in various ways. Eg, using SSH:
while [ 1 ]; do
fw log -ftn > /tmp/fw.log&
scp -bQC -i IDFile /tmp/fw.log fwplat@fwplat-server:$SERVERTMPDIR/fw.log
Next, on the Fwplat server, run the following:
fwplatpath/bin/fwplat-logtaild [-c ConfigFile] -f $SERVERTMPDIR/fw.log
fwplatpath/bin/fwplat-serverd [-c ConfigFile]
Note that we cannot run fwplat-tabd, so we will not be able to
graph TABLE type entries and need to fake a fwplat-tabd.txt file.
Steve Campbell <email@example.com>, 10 Oct 2001