Forum Discussion

Antony_Hawkins's avatar
4 years ago

CheckPoint ConfigSource (PoC)

Proof of concept ConfigSource for CheckPoint firewalls, named as such to avoid confusion when a core version is available.

From original work by @David Lee, developed and tweaked as more data became available.

Requires SSH credentials that either log in directly to the clish / expert mode / bash shell (">" prompt) *or* at least have the right to issue the 'clish' command without further credential - scripts will detect and adapt based on initially-seen prompt character.

Discovery finds Virtual Systems using 'show virtual-system all'; collection then does 'show configuration' for each.

EDIT: See below for improved ConfigSources for appliances and virtual systems:


8 Replies

  • Hi Chris,

    Lauren has brought this to my attention also and I'm taking a look. My initial finding (testing on one device only so far) is that the 'show virtual-system all' command works, but that the device lists no virtual systems.

    E.g., the discovery script gets an unparsed output like:


    Last login: Sun Apr 10 16:11:48 2022 from

    You have logged into the system.
    [(User)@(systemName):0]# clish
    (systemName)> set clienv rows 0
    (systemName)> show virtual-system all
    Virtual systems list
    VS ID       VS NAME                    


    If you can point me (via Lauren) to a device where virtual systems definitely exist and should be found, I can follow up.



  • Hi Chris,

    Update, I think I've figured it, conceptually at least. This module was built specifically for those resources with virtual systems defined, as that is what my original customer had. Clearly this is not always the case, so, I've found the list of other available commands.

    The good news is, this is possible and not particularly difficult.

    I'll communicate further with Lauren rather than here.



  • Updates...

    In light of @ckong's comments above, I've made some changes.

    The original DataSource is now renamed to Checkpoint_Virtual_Systems_Config_PoC

    v1.1 is published with lmLocator: YJARHM

    There is now a second DataSource for actual appliances, named Checkpoint_Firewall_Config_PoC.

    v1.1 of this is Published with lmLocator: 2HKP9T

    By default the appliance-specific DataSource, Checkpoint_Firewall_Config_PoC, runs only the "show configuration" command.

    However, if you wish, you can add further commands by editing this line in the discovery script:

    def commandsToShow = ['configuration'];


    You can add any suitable commands into this list, e.g. you could make it:

    def commandsToShow = ['configuration','route'];

  additionally monitor routing tables for changes.

    All commands in this list get checked against what the device says it supports (via a 'show \t' command to list all possibles). Erroneous / mis-spelled / non-existent commands will not create instances, but equally the ConfigSource will not tell you if you've made a mistake here.

  • Hi Antony,

    We got 112 Checkpoint FW devices but only 82 have the backups as those 82 are listed under show devices with instances, 30 are not. Not sure why, any ideas? 

    Thanks, Chris


  • Hey Chris,

    Usually, if a ConfigSource has been applied for "a while" but discovered no instances, I would expect that to be down to credentials or the device refusing the SSH connection from the Collector's IP, so I would take a sample non-responsive Resource in LM and double-check the ssh.user/ssh.pass values against the device itself, and ensure the device's config isn't going to be blocking a port 22 connection from the Collector.

    You can also use the "Test script" button within the ConfigSource definition page to select one of the non-responsive devices as a test (start with the Active Discovery script) to see what the Collector sees.

    Also, if you run Active Discovery against a Resource, the Collector debug commands !adlist, suitably targeted to the Resource and/or ConfigSource name, and !adetail for the relevant discovery task ID, may show error message details.

    Hope this helps!


  • If none of that gives any clues, I usually take the discovery script and run it in the Collector debug's !groovy function, targeting the device it's not working on. That way I can see the full output of the script, not just what LM can parse.

  • Hi Antony,

    I tried this and run the script without errors but we are not getting the checkpoint fw config either.

    Any suggestions do when the core version will be available?

    Thanks, Chris

  • Hi Antony,

    Thanks for looking into it.  Ours are actual appliances and if we can do > show configuration in clish then we should see the configs.