InfoView User Guide version 3.5.0

Table of contents

Introduction
    What is InfoView?
    Supported Platforms
    General Description
    Input
Basic Operations
    Reading Input
        Command line:
        Drag and Drop
        File Menu:
    Data Display
        Viewing Multiple Inputs
        Sorting Icons
        ToolTips
        Internal Table Viewer
    Files and Sections
        Files
        Sections
    Tests
        Purpose
        List of tests:
        Usage
Advanced Operations
    Configuration
        General
        Sorting tab
        Tool Tips tab
        Analysis tab
        Directories tab
    External Tools
        SmartDashboard (Policy Viewer)
        InfoTab
        ObjParse
        IKEView
        LicView
        NDB Converter
        DLL Version Tools
    Internal Tools
        Export Object File
        Analysis Report
InfoView for Provider-1
    Overview
    Installation
    Limitations
    Usage
        General View
        Operations
Appendices
    InfoView Buttons, Icons and Keyboard Shortcuts
        Buttons
        Icons
        Keyboard Shortcuts
    Troubleshooting
        Disk space:
        InfoView crashes/stuck on start:
        Policy Editor crashes while loading:
        Policy Editor Crashes:
        Policy Editor complains about missing files:


Introduction

This document describes InfoView version 3.5.0

New in Version 3.5.0

General:
- Added Analysis Menu
- Unix soft-links are marked as such

SmartDashboard:
- Smooth start-up (No need to hit OK)
- Close all open SmartDashboard windows when closing InfoView
- SmartDefense tab provides valid data
- View LSM objects
- Supports InterSpect
- Improved support for R55 and future versions.

InfoView for Provider-1:
- New InfoView for Provider-1 is installed with InfoView
- InfoView ceased supporting Provider-1
- Per-CMA testing, reporting and exporting


What is InfoView?

InfoView is a productivity tool for Check Point Support Engineers. InfoView offers a graphical representation of the status of a machine with installed Check Point products.

Supported Platforms

InfoView is an MS Windows application. It may be installed on any MS Windows platform (Windows NT, Windows 95, Windows 98, Windows ME, Windows XP and Windows 2000).

General Description

InfoView takes as its input a file containing data, which consist of a mixture of text and binary information, and displays these data graphically. The data are displayed as a hierarchical tree of icons, each representing a file or a section. The root icon represents the product (e.g. FloodGate-1, SecuRemote) on the customer’s computer. This display gives a first impression of the situation on the customer’s machine.

Apart from the root icon, the hierarchical tree contains Files and Sections. InfoView extracts the files that were embedded in the input file. Each of the extracted files is represented by an icon. The existence or absence of certain file icons may be significant. The text in the input file is broken into textual sections and sub-sections, according to subjects.

InfoView can analyze several input files simultaneously.

Input

InfoView can read files that are output of one of the following utilities:
- FWinfo: For FireWall-1 and FloodGate-1 (version 4.x)
- SRinfo: For SecuRemote (version 4.x)
- CPinfo: For most products (NG only)
- MIPinfo: For MetaIP

InfoView will reject all other inputs. InfoView does not unzip input files. Input files must be unzipped before use. The input file may be produced on any platform (Windows, Solaris, IPSO etc.).


Basic Operations

Reading Input

InfoView can open one or more input files. It takes a few seconds to load and analyze a file, depending on the size of the input file.

Command line:

Use the following command:

    infoview

This will succeed provided that InfoView is located on the command path.

Drag and Drop

Drag the input file into the InfoView application or Icon.

File Menu:

When InfoView is already open, use the Open option.

Note: InfoView can deal with up to 255 input files at the same time.

Data Display

Viewing Multiple Inputs

InfoView can analyze several input files simultaneously. Every new input file opens in a new view (child window). The last view always covers the previous ones, but you can always bring others to the front, or arrange the views side by side.

Bringing a view to the top:
- Open Window menu.
- Select the desired window.

Arranging views:
- Open Window menu.
- Select Cascade or Tile.

OR click one of the following buttons:
- Tile all windows side by side
- Tile all windows in tiers
- Cascade all windows

Duplicating a view:
- Open Window menu.
- Select New Window.

OR click the following button:
- Open the current input file in a new window


Sorting Icons

The icons on the tree are arranged in the order CPinfo collected them. To sort the icons, click the following buttons:
- Sort alphabetically, top-down
- Sort alphabetically, bottom-up
- Sort by size, top-down
- Sort by size, bottom-up

ToolTips

Tree View Tips: To see additional information regarding the entity, hold the cursor over an icon for about a second. A Tool Tip appears with additional information such as file size and role.

Editor Tips: To convert a HEX number to IP Address format or Port number, hold the cursor over that number, and wait for a few seconds. A tool tip displaying the converted values will appear.

Note: To configure InfoView, see Advanced Operations, below.

Internal Table Viewer

It is highly recommended to include InfoTab during the installation process. However, if InfoTab is not installed, an internal Table Viewer is available. Select the FireWall-1 Tables section using the right mouse button, and then select one of the tables offered as a sub-menu.

Files and Sections

The hierarchical tree contains two types of items (apart from the root icon) – Files and Sections.

Files

InfoView extracts the files that were embedded in the input file, and builds a temporary structure, mirroring the one that exists on the customer’s computer. A solid file icon represents each of the extracted files. Files that reside on the customer’s FWDIR/CPDIR but are not embedded in the input file are called Phantom files. Phantom files are inaccessible and represented by a hollow file icon.

To view a (text) file, use one of the following methods:
- Drag and Drop: Drag the file icon outside InfoView into some other folder (e.g. Desktop), and then open it. This method allows a file to be saved for future use.
- Double-click: Double-click a file icon. This opens the file with a text editor. Sometimes this opens the file with a specific viewer.
- Pop-up Menu: Right click a file icon, and select Open. This opens the file with a text editor.

Sections

The text in the input file is broken into textual sections and sub-sections, according to subjects. In a few cases, InfoView creates a dummy section, representing data that it extracts from the input file. Dummy sections do not represent a concrete part of the input file.


To view a section, including its subsections (if they exist), double-click the section icon. To view only one of its subsections, click once (left button) on the ‘+’ sign to the left of the icon, and then double-click the subsection icon.

Tests

Purpose

The analysis of the input file is in the right pane, and is separate from the display of the files and sections, which is in the left pane. The tests may be activated separately or in groups, manually or automatically. Some tests may take a long time, depending on the size of the input file.

List of tests:

The following tests are currently available:
- Host File: Verify the validity of file hosts (FireWall Module only).
- License-Object: Verify that every license has a corresponding interface in the machine object.
- Duplicate Objects: Verify that there are no duplicate objects in the objects file.
- All Interfaces: Run tests on all interfaces of the machine (FireWall Module only).
- Machine Interfaces: Verify the validity of the object representing the tested machine (FireWall Module only).
- I/F-Object: Verify that the machine is referred to in the objects file.
- Process: Verify that %CPU of CP related processes does not exceed a certain limit (80%).
- Pstat: Verify that values in the “FireWall-1 Statistics” and “SecuRemote Statistics (ctl pstat)” do not exceed a certain value.
- IP Fwd: Verify that IP forwarding is on.
- License: Verify that the license is valid.
- DLL View: Test the DLL (and other executable files) build number.
- Support Hotfix: Indicates whether there are Support Hotfixes installed on the machine.

Usage

It is possible to configure every test as Manual (default) or Auto. When configured as Auto, a test will run when a new input file is loaded. This may significantly slow down loading, because some tests may not be needed in that particular situation. You can manually choose the tests you wish to run. To manually activate a test, select one or more tests, and press the Test button, or double-click the relevant icon.

The results appear in several forms:

As a status symbol next to the test icon:
- Not Tested
- OK
- Suspicious
- Irrelevant

As status text: Sometimes together with a short comment, and sometimes with a more detailed description pop-up window.

To make the pop-up window reappear, select one or more tests, and press the View button.

Advanced Operations

Configuration

When InfoView is first installed, it is set to a default configuration. This configuration can be modified. Once the modification is in effect, it becomes the current default behavior when reopening InfoView, even after InfoView is upgraded to a newer version.

To modify the configuration or verify the current configuration, select View in the main menu, then select Options… The InfoView Options window opens. This window has three tabs:

General tab

Startup controls the way InfoView is launched:
• Sort On Load – If checked, the information tree is displayed sorted.
• UnTar Files – All compressed files and directories are uncompressed.
• Load MRU File – InfoView automatically loads the Most Recently Used file (Not recommended).

File Editor controls the editor used to display the embedded files. It offers two of the most common text editors (Write and Notepad). Alternatively, any other default text editor can be chosen.

Sorting tab

Defines the default sorting. Using one of the sorting buttons overrides these settings.
• Sort Order: select either top-down or bottom-up.
• Sort: select either alphabetical or by-size.
• Items to Sort: determines what to sort: Everything, Files only or Sections only.
• Ignore Case: check if you want alphabetical sorting to be case insensitive.

Tool Tips tab

Use Tree View Tips to select a Tool Tips view option: Whenever the mouse is held over a tree icon, Only when the item is selected, or Never.

Editor Tips enables and disables the HEX to IP Address and the HEX to port conversions.

Delay Time controls the time that the mouse cursor has to hover over an icon or text for a Tool Tip pop-up. The values may be between zero and two seconds.

tips. Check to have a copy of the Tree View Tips on the view window status bar. This is independent of the Tree View Tips option.


Analysis tab

Configures tests as Manual/Auto. Tests that are Auto will run when a new input file is loaded.

Directories tab

Configures the location of the Policy Editors. InfoView can determine the correct version of the Policy Editor that is needed for every input. However, sometimes it cannot find its correct location. It is good practice to fill in these data for every FP.

External Tools

The tools are software applications that are invoked by InfoView. Some of them are implicitly invoked in order to perform an intermediate task. Others are explicitly invoked from InfoView.

SmartDashboard (Policy Viewer)

To better understand the customer’s set-up, and especially the customer policies, InfoView offers the option to launch the Check Point Policy Editor (FWpolicy). Click Policy Viewer (or select Policy from the Tools menu) and wait. InfoView converts the input data into the format needed by the Policy Editor. The customer’s current policy is then displayed.

If the input is a FireWall-1 version 4.x file, Policy Editor version 4.1, which is internal to InfoView, will be launched. If the input is a FireWall-1 NG file, Policy Editor version NG will be launched, provided that it is already installed on your machine. The NG policy viewer is not internal to InfoView. InfoView also supports InterSpect SmartDashboard.

Limitations:
- InfoView launches Policy Editor in *local mode. This mode has certain limitations, such as a limitation on the number of the displayed rules. The exact limitations are a function of the installed Policy Editor.
- Currently, InfoView can successfully launch the Policy Editor only when analyzing a Management Server. If you try to launch it for a FireWall Module (or MetaIP, SecuRemote etc.) you will get many error messages.

InfoTab

The FireWall-1 kernel tables that are part of the input file may reveal a lot about the machine under inspection. Unfortunately, they are very hard to interpret, and their format differs dramatically according to the FireWall-1 version. InfoTab is a standalone application that displays these data in a more readable format, according to the FireWall-1 version. It is part of the InfoView installation and so it is installed by default.

The best way to launch InfoTab is to click the InfoTab button. Other methods are:
- Select InfoTab from the Tools menu.
- Select the FireWall-1 Tables icon and right click.

InfoTab will be launched automatically, since InfoView supplies the data that it requires.

ObjParse

Objects.C (and its NG counterpart) is a file that holds a large amount of information about the user’s configuration. The property part of the file holds a hierarchical chunk of data that is only partly reflected by the Policy Editor. Users often tamper with this section, and it is difficult to find out which properties have been removed, added or changed. ObjParse analyses the properties part of the objects.C file. It compares this part to a reference properties part, and displays the differences between the actual and the reference data in a graphical format.


ObjParse can also edit the input, and save the changes to an output file. You can then send this file to the user.

The best way to launch ObjParse is to press the ObjParse button. Other methods are:
- Select ObjParse from the Tools menu.
- Select the objects.C icon and double-click the left mouse-button.

ObjParse will then be launched. In some cases, you will need to supply the version and the build of the FireWall-1 installation that you are inspecting.

IKEView

When Internet Key Exchange (IKE) traffic debugging is turned ON for a Check Point product supporting IKE-based VPNs, the IKE.elg log file is created. This file contains information on all packets sent and received by the machine on which it is created, from the time that debugging is turned on. IKEView displays the contents of this file graphically in a hierarchical / tree format, grouped at the top level by peer.

LicView

The user sometimes complains that it is impossible to perform a certain task. The cause of this may be an inadequate license. Besides the option to view the license string directly by opening the relevant section, you can also activate the License Graphical viewer – LicView.

NDB Converter

The FireWall-1 user database is encapsulated in a binary file, located in the conf directory. On Unix platforms, this file is fwauth.NDB. On MS platforms, this file is fwauth.NDBx, where the ‘x’ is a small integer. To convert this file to a readable format (the Check Point Set format), double click the file icon. Where the file is compressed, double click twice. The first time uncompresses the data and the second time converts it and displays the converted data as text.

DLL Version Tools

Problems that arise from tampering with DLL files are very difficult to detect. The following two tools make it easier to detect such problems:
- DLLview: Compares the list of DLL files with a reference data file. The reference data file that is supplied with the tool is incomplete, so be aware that the tool can cause false alarms.
- DLLtab: Checks that all DLL files that belong to a single software module are of the same build. If one of the software modules contains files with different build numbers, it is possible that files have been tampered with. Note that in rare cases a module was released with files with different build numbers.

To activate these tools, select section DLL versions, and then right click to select the required tool.


Internal Tools

Export Object File

InfoView may be used to extract configuration files in order to reproduce the customer’s set-up. One of the most important files is Objects_5_0.C. Sometimes it contains Internal CA objects that cause conflicts during reproduction. It is advisable to export a version of Objects_5_0.C that contains a “fresh” CA. To do that, select the File menu, then Export Object File, and use the exported file instead of the original file.

Analysis Report

It is sometimes desirable to get a report on all the Tests that were carried out by InfoView. The report is a text file that holds a list of the tests that were taken plus their results. In addition, this file holds some extra information about the version of InfoView, the time, and the machine on which the tests were carried out.

Example:

    ------
    Analysis Report
    Input File (cpinfo): 1-4861171101.txt
    InfoView Version: 3.4.0

    Executed by shaul on machine SHAUL_IBM
    Date & Time of report: Tue Oct 07 13:02:37 2003
    ------
    *****************************************
    Test: Pstat
    Status: OK

    *****************************************

    *****************************************
    Test: Process
    Status: OK

    *****************************************

    *****************************************
    Test: I/F-Object
    Status: OK
    Object 'GARGOYLE' (IP: 138.90.31.193) corresponding to this machine was found in the object file
    *****************************************

    *****************************************
    Test: Machine Interfaces
    Status: OK

    *****************************************
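
Added example (not part of InfoView or of the original guide): a Python parser for the Analysis Report layout shown above, which lists the tests whose status is Suspicious or Not Tested so that a batch of saved reports can be triaged. The function names and the IP Fwd and License entries in the sample are assumptions made for this example; the status values are those listed under Tests, Usage.

```python
import re

# Status values as listed in the guide's Tests > Usage section.
STATUSES = ("Not Tested", "OK", "Suspicious", "Irrelevant")

# Header fields, searched in the text before the first row of asterisks.
HEADER_FIELDS = {
    "input_file": r"Input File \(\w+\):\s*(\S+)",
    "infoview_version": r"InfoView Version:\s*(\S+)",
    "user": r"Executed by\s+(\S+)\s+on machine",
    "machine": r"on machine\s+(\S+)",
    "timestamp": r"Date & Time of report:\s*(\w{3} \w{3} \d{1,2} [\d:]{8} \d{4})",
}
RESULT = re.compile(
    r"Test:\s*(?P<test>.+?)\s+Status:\s*(?P<status>%s)\b\s*(?P<comment>.*)"
    % "|".join(re.escape(s) for s in STATUSES),
    re.DOTALL,
)

def parse_report(text):
    """Return {'header': {...}, 'results': [{test, status, comment}, ...]}."""
    # Rows of asterisks delimit the per-test blocks. Line breaks are not
    # significant, so a report flattened onto one line parses the same way.
    chunks = re.split(r"\*{5,}", text)
    header = {}
    for key, pattern in HEADER_FIELDS.items():
        match = re.search(pattern, chunks[0])
        header[key] = match.group(1) if match else None
    results = []
    for chunk in chunks[1:]:
        match = RESULT.search(chunk)
        if match:  # the gap between two asterisk rows holds no result
            results.append({
                "test": " ".join(match["test"].split()),
                "status": match["status"],
                "comment": " ".join(match["comment"].split()),
            })
    return {"header": header, "results": results}

def needs_attention(report):
    # Tests a reviewer should look at: flagged Suspicious, or never run.
    return [r["test"] for r in report["results"]
            if r["status"] in ("Suspicious", "Not Tested")]

# Header and the I/F-Object result come from the guide's example report;
# the IP Fwd and License results are constructed for this example.
SAMPLE = """\
------
Analysis Report
Input File (cpinfo): 1-4861171101.txt
InfoView Version: 3.4.0
Executed by shaul on machine SHAUL_IBM
Date & Time of report: Tue Oct 07 13:02:37 2003
------
*****************************************
Test: I/F-Object
Status: OK
Object 'GARGOYLE' (IP: 138.90.31.193) corresponding to this machine was found in the object file
*****************************************
*****************************************
Test: IP Fwd
Status: Suspicious
(constructed comment text)
*****************************************
*****************************************
Test: License
Status: Not Tested
*****************************************
"""
```

Calling needs_attention(parse_report(SAMPLE)) returns the IP Fwd and License tests; the OK result is left out.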


InfoView for Provider-1

Overview

From InfoView version 3.5.0 and on, cpinfo files originating from a Provider-1 management machine are handled by a separate application – InfoView for Provider-1 – which is a spin-off from the main InfoView.

Installation

InfoView for Provider-1 is automatically installed when installing InfoView, and appears on the desktop and in the programs menu just like the latter. It has a clearly distinctive icon.

Limitations

Use InfoView for Provider-1 only for cpinfo files originating from a Provider-1 management unit. It will not open any other file. Some functionalities are inactive for pre-FP3 inputs.

Usage

This section will deal only with the differences between InfoView for Provider-1 and InfoView. Therefore, it is assumed that the reader is acquainted with InfoView.

General View

The general look of InfoView for Provider-1 consists of a left pane (Dark Yellow background) and a right pane (White background). The left pane displays a tree of the MDS and the CMAs that are installed on the customer’s machine. Selecting an icon (MDS or one of the CMAs) changes the context of the right pane to that of the selection. The grayed-out icons represent CMAs for which information is unavailable. Once a CMA (or the MDS) has been selected, you should regard the right pane as a CMA-specific (or MDS-specific) InfoView. Note that the right pane header (White text over gray) indicates its context.


Operations

All operations activated from the buttons or the menus and all analysis tests run from the analysis view are relevant to the selected CMA (or MDS). However, the report issued by clicking the Report button holds information about the entire set.

In addition, it is possible to launch the MDG related to the MDS by clicking the corresponding button. This feature requires the installation of MDG of the correct FP.


Appendices

InfoView Buttons, Icons and Keyboard Shortcuts

Buttons

Tools:
- Policy Viewer
- Log Viewer
- Provider-1 Viewer (InfoView for Provider-1 only)
- IKEView
- ObjParse – objects.C properties analyzer
- InfoTab – FireWall-1 kernel tables viewer
- LicView – Check Point license string graphical viewer
- DllView – DLL comparison tool
- Processes – Show CP processes

Analysis:
- Test – Run analysis
- View – Pop-up results window
- Report – Save Analysis report

Sorting:
- Sort Alphabetically
- Sort by Size

Files and Windows:
- Open the current input file in a new window
- Tile all windows side by side
- Tile all windows in tiers
- Cascade all windows
- Open a new input file


Icons

Root Icons – Representing the inspected machine:
- FireWall-1
- Provider-1
- FloodGate-1
- SecuRemote
- SecuRemote + SecureClient
- MetaIP
- InterSpect
- General (Unknown)

File & Section Icons:
- File (General)
- Phantom File
- Soft-Link File
- Section (General)
- Registry section
- WinMSD section
- File folder
- Compressed/Encoded file

Keyboard Shortcuts

InfoView offers a complete set of keystrokes for users who prefer not to use the mouse.

Note: Unless otherwise stated, the left mouse-button is referred to.

Function                     Keyboard shortcut    Mouse equivalent
Movement on the Tree         Up & Down arrows     Point and click
Select a subsection          Right arrow          Point and click
Expand Tree branch           Right arrow          Click + sign
Collapse Tree branch         Left arrow           Click – sign
Default action on an icon    ↵ Enter              Double click
Open popup menu              Shift+F10            Right mouse click
Copy                         Control+C
Paste                        Control+V
File Open                    Control+O            Click
File Menu                    Alt+F                Click menu
                             Alt+E                Click menu
View Menu                    Alt+V                Click menu
Tools Menu                   Alt+T                Click menu
Window Menu                  Alt+W                Click menu
Help Menu                    Alt+H                Click menu


Troubleshooting

Disk space:

If you get error messages about disk space, or InfoView fails to display large input files, or InfoView fails without a visible reason, the problem may relate to a lack of disk space for temporary files:
- InfoView stores its temporary files under directory %TEMP%\checkpoint. When InfoView exits, it is supposed to clean this directory. It does not always do so (bug).
- If there is still a lack of storage space, change the setting of %TEMP% to a disk with more free space.

InfoView crashes/stuck on start:

Reason: Possibly a problem with the setup (e.g. MRU (Most Recently Used files list) is corrupted).
Solution: Reset registry entries. Remove the following entry (including branches):

    HKEY_CURRENT_USER\Software\CheckPoint\InfoView

Policy Editor crashes while loading:

Reason: SecuRemote is conflicting with the Policy Editor.
Solution: None.
Workaround: Rename the SecuRemote bin directory.

Policy Editor Crashes:

Reason: Selection of a feature that is illegal in *local mode.
Solution: None.
Workaround: Use the usual file copying to FWDIR, if you have FireWall-1 installed on your machine.

Policy Editor complains about missing files:

Either FWinfo/CPinfo failed to bring these files, or you are analyzing a FireWall Module. InfoView can launch the Policy Editor only when analyzing a Management Server.
