Installing FwPlatinum
Files and Directory Structure
FwPlatinum comes as a gzipped tar file. Once unpacked (which you must
already have done to be reading this file), it creates the following
directory structure:
- fwplatpath
  - bin - Contains executables.
  - etc - Contains configuration files.
  - db  - Default repository for user databases.
  - lib - Contains shared module files.
  - tmp - Default repository for temporary files.
The client scripts to be run on the Webserver are:
- fwplat-cron  Runs from cron every 5 minutes on the webserver to
               contact fwplat-serverd (running on the management
               station), get the latest statistics, and update
               the RRD databases.
- fwplat       A CGI script which generates and displays graphs
               of the statistics stored in the RRD databases.
The server scripts to be run on the Firewall Management Station are:
- fwplat-serverd
This daemon binds to a port and listens for connections from
fwplat-cron. If a connection comes from an authorised host, it
outputs the current statistics. It gets the statistics from text
files maintained by fwplat-logtaild and fwplat-tabd.
- fwplat-logtaild
This daemon spawns a 'fw log -tfn' command, continually parses its
output, and stores the results in a text file for fwplat-serverd to read.
- fwplat-tabd
This daemon runs 'fw tab -t connections -short'
at 30 intervals. It stores the results in a text file for fwplat-serverd to read.
- fwplat-init
Startup script to start and stop the other server scripts. It should be
copied and adapted to the rc structure of the server.
None of these need to run as root, so I recommend that they don't.
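The "authorised host" check in fwplat-serverd is the one control that decides who may pull the firewall statistics. The following is an added example of such a server, not FwPlatinum's own fwplat-serverd code: it listens on an unprivileged port (so it can run as the fwplat userid rather than root), answers only peers on an allow-list, and streams the text files left by fwplat-logtaild and fwplat-tabd. The port, the allow-list addresses, the tmp directory and the logtaild file name are assumptions; in the real tool these come from fwplat.conf.

```perl
#!/usr/local/bin/perl -w
# Added example, not FwPlatinum's own fwplat-serverd: a minimal statistics
# server that answers only authorised hosts and then streams the text files
# written by fwplat-logtaild and fwplat-tabd. Port, allow-list, directory
# and file names below are assumptions; the real ones live in fwplat.conf.
use strict;
use IO::Socket;

my $PORT    = 4000;                          # assumed; unprivileged, so no root needed
my @ALLOWED = ('192.0.2.10', '127.0.0.1');    # constructed allow-list of webservers
my $TMPDIR  = '/usr/local/fwplat/tmp';       # assumed location of the stats files
my @STATS   = ("$TMPDIR/fwplat-logtaild.txt", "$TMPDIR/fwplat-tabd.txt");

# Deny by default: the peer address must match an allow-list entry exactly.
sub host_authorised {
    my ($peer) = @_;
    foreach my $h (@ALLOWED) {
        return 1 if $h eq $peer;
    }
    return 0;
}

my $server = IO::Socket::INET->new(LocalPort => $PORT, Proto => 'tcp',
                                   Listen => 5, Reuse => 1)
    or die "cannot listen on port $PORT: $!\n";

while (my $client = $server->accept) {
    my $peer = $client->peerhost;
    unless (host_authorised($peer)) {
        # Log the refusal and close without sending anything, not even a banner.
        warn scalar(localtime) . " fwplat-serverd: refused $peer\n";
        close($client);
        next;
    }
    foreach my $file (@STATS) {
        # Copy each statistics file to the client; a missing file is skipped.
        if (open(STATS, "< $file")) {
            print $client $_ while <STATS>;
            close(STATS);
        }
    }
    close($client);
}
```

An address allow-list limits who can poll the daemon but is not authentication, since the statistics travel in clear text and the source address is trusted as given; keep the port reachable only from the webserver (a firewall rule on the management station does this) and run the daemon as the unprivileged fwplat userid.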
Installation Procedure
FwPlatinum can run on a single machine that is both the FW-1 Management
Station and the web server. Alternatively, you can have the server daemons
running on the FW-1 Management Station, and fwplat-cron and the fwplat CGI
script running on your webserver.
Repeat the process below for each machine involved, and ensure that the
configuration files are identical on each machine.
- Obtain RRDtool from
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/ and install it onto the webserver.
I recommend you install it into /usr/local/rrdtool, /opt/local/rrdtool,
or /opt/rrdtool. Better still, create a symlink to it from one of
these locations -
ln -s /usr/local/rrdtool-x.yy /usr/local/rrdtool
- Unpack the fwplat distribution onto both the webserver and the management station.
The programs assume that they are installed into one of the following
locations: /usr/local/fwplat/, /opt/local/fwplat/, /opt/fwplat/.
I recommend you unpack as /usr/local/fwplat-x.yy.z and then symlink -
    cd /usr/local
    gunzip -c /tmp/fwplat-x.yy.tar.gz | tar -xvf -
    ln -s /usr/local/fwplat-x.yy.z /usr/local/fwplat-x.yy
    ln -s /usr/local/fwplat-x.yy /usr/local/fwplat
The reason for this structure is that yy releases change the FwPlatinum
library code, while z releases involve other lesser changes.
Provided that the code can always reach its correct library through the
fwplat-x.yy symlink, you can have live and test versions of fwplat running
simultaneously.
- All the scripts use perl and assume its location is /usr/local/bin/perl.
If perl is installed elsewhere, then I recommend creating a
/usr/local/bin/perl symlink. Otherwise you will need to change the first
line of each script.
Note: you can get perl for Nokia firewalls from Nokia Resolution 1783.
Warning: This program has only been tested on perl versions 5.004
and above. It should work on lower Perl 5 versions, but let me know how it turns out!
- Copy the master configuration file and user database files -
    cd fwplatpath/etc
    cp -p fwplat.conf.orig fwplat.conf
    cp -p userdb.conf.orig userdb.conf
- Edit the configuration files and modify accordingly:
    vi fwplat.conf userdb.conf
- Copy the master configuration file (fwplat.conf) to /etc/fwplat.conf
(or create a symlink to fwplatpath/etc/fwplat.conf). Otherwise you
will need to explicitly specify the config file location using the
-c ConfigFile option.
- Create a userid (fwplat) to run the server daemons and fwplat-cron as.
On the management station, the userid will need access to the
CheckPoint FW-1 (©) directories, so add the userid into
a group which is authorised to run 'fw log'. To create the group,
- Make sure that all the directories defined in /etc/fwplat.conf exist
and are writable by the appropriate userids.
- On the Webserver, create a symlink in your cgi-bin directory to
fwplatpath/bin/fwplat
- On the Webserver, copy the docs/fwplatinum.png file to your CLIENTIMAGEPATH
directory.
- You can check that all the server scripts are working by
running them in debug mode (see Debugging FwPlatinum).
You are now ready to start the server daemon and to define the cronjob
client's task.
- On the management station, start the daemons by running :
    fwplatpath/bin/fwplat-tabd [-c ConfigFile]
    fwplatpath/bin/fwplat-logtaild [-c ConfigFile]
    fwplatpath/bin/fwplat-serverd [-c ConfigFile]
Or better yet, copy the fwplatpath/bin/fwplat.init script into
your rc directory structure, edit it to set the appropriate FWPLAT_DIR,
CONF_FILE, and USERID values, and then call it with
    InitScriptPath/fwplat.init start
The daemons can be stopped at any time by running :
    InitScriptPath/fwplat.init stop
- On the webserver, define the following cronjob :
    0,5,10,15,20,25,30,35,40,45,50,55 * * * * fwplatpath/bin/fwplat-cron [-c ConfigFile]
This will update the databases every five minutes.
Give the server 10 minutes to get some initial data, and you can then see some
results by going to
http://WebServer/cgi-bin/fwplat
Multiple Firewall Management Stations
I need to run multiple instances of Fwplat (I have multiple management
stations), but I only use one stats/web server to get and display the
statistics for all the instances. This means I need to use different
configuration file names for each fwplat instance. Here's how you
set up different configuration file names:
- On each management station, /etc/init.d/fwplat.init should be
modified. In it, change the CONF_FILE constant to specify the specific
configuration file.
- On the stats gathering server, have multiple cron entries for
fwplat-cron, specifying the config file by using the
-c /usr/local/fwplat/etc/ConfigFileName flag.
- On the Web server, you can pass the name of the config file to
the CGI script by means of the conf parameter -
http://WebServer/cgi-bin/fwplat?conf=ConfigFileName.
Note that the file must be in one of the default config file directories.
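Because the conf parameter arrives from the browser, the CGI script should treat it as an untrusted file name and only ever open files that sit in the default config directories. The following is an added example of that lookup, not FwPlatinum's own fwplat CGI code: it accepts a bare file name only (no directory separators, no leading dot), untaints it, and searches the default directories in order. The search order and the directory list are assumptions based on the install locations given above.

```perl
#!/usr/local/bin/perl -w
# Added example, not FwPlatinum's own code: resolve the "conf" CGI parameter
# to a config file inside one of the default config directories, refusing
# anything that is not a plain file name.
use strict;

# Assumed search order: /etc first, then etc/ under each standard install path.
my @CONF_DIRS = ('/etc', '/usr/local/fwplat/etc',
                 '/opt/local/fwplat/etc', '/opt/fwplat/etc');

# Return the full path of the named config file, or undef if the name is
# not a plain file name or does not exist in one of the default directories.
sub resolve_conf {
    my ($name) = @_;
    $name = 'fwplat.conf' unless defined $name && length $name;
    # Only letters, digits, dot, underscore and dash, and no leading dot:
    # this rules out '/' and '..' components, so the script can never be
    # steered to a file outside @CONF_DIRS.
    return undef unless $name =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]*)$/;
    $name = $1;                      # untainted copy, safe under perl -T
    foreach my $dir (@CONF_DIRS) {
        my $path = "$dir/$name";
        return $path if -f $path && -r $path;
    }
    return undef;                    # not found: caller must not guess a path
}

# Usage: in the CGI this would be resolve_conf($query->param('conf'));
# here the name is taken from the command line for testing.
my $conf = resolve_conf($ARGV[0]);
if (defined $conf) {
    print "Using config file $conf\n";
} else {
    print "Status: 400 Bad Request\nContent-Type: text/plain\n\n",
          "Unknown config file\n";
    exit 1;
}
```

Rejecting the name outright, rather than stripping characters from it, keeps the behaviour simple to reason about: either the request names a file the administrator placed in a config directory, or it is refused with no hint about the filesystem.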
Using Offline Firewall Logs
If you cannot run the server scripts on the firewall management station for
whatever reason, you can run them on another machine, provided that machine
can be sent chunks of the logs every 5 minutes.
First, set up a job to send the logs from the management station to the
fwplat server. This could be done in various ways. Eg, using SSH:
    #!/bin/ksh
    # SERVERTMPDIR is the tmp directory of the fwplat server (the default
    # below is an assumption); IDFile is the SSH identity file for the
    # fwplat account on that server.
    SERVERTMPDIR=${SERVERTMPDIR:-/usr/local/fwplat/tmp}
    while [ 1 ]; do
        fw log -ftn > /tmp/fw.log &   # tail the live log into a temp file
        sleep 300                     # collect five minutes of entries
        kill %+                       # stop the fw log job
        scp -bQC -i IDFile /tmp/fw.log fwplat@fwplat-server:$SERVERTMPDIR/fw.log
    done
Next, on the Fwplat server, run the following:
    touch $SERVERTMPDIR/fwplat-tabd.txt
    fwplatpath/bin/fwplat-logtaild [-c ConfigFile] -f $SERVERTMPDIR/fw.log
    fwplatpath/bin/fwplat-serverd [-c ConfigFile]
Note that we cannot run fwplat-tabd, so we will not be able to
graph TABLE type entries and need to fake a fwplat-tabd.txt file.
Steve Campbell <steve@computurn.com>, 10 Oct 2001