Policy Files


When it compiles your security policy, Check Point NG uses the contents of the rule base file *.W (which you created through the Policy Editor GUI) to create an INSPECT script with the same name and a .pf extension. The *.pf file is then compiled into INSPECT code, stored in a file called *.fc (where the * represents the name given to your policy in the initial dialog). The INSPECT code is then applied to the network objects (firewalls) specified in the install. Keep in mind that when you install a policy on a module that has no rules to enforce, the default implicit deny all will be in effect for that host and module.

To back up your policy, you should make and keep a separate copy of the files listed below:

  • $FWDIR\conf\objects_5_0.C

  • $FWDIR\conf\*.W

  • $FWDIR\conf\rulebases_5_0.fws

  • $FWDIR\database\fwauth.NDB*

The objects_5_0.C file stores all the network objects, resources, servers, services, and so on. The *.W files are the individual policy files that you named via the Policy Editor. The rulebases_5_0.fws file is the master rule base file that holds each of the individual *.W policies in one place. If you need to restore your policies, you do not necessarily have to replace each .W file, just rulebases_5_0.fws. When you log into the Policy Editor, this file is opened and any .W files that are not already in the conf directory are created from it. The .fws file is read whenever you select File | Open in the Policy Editor, and you can rename or delete policies from this file via the Open window. Deleting a policy from here does not remove it from the hard drive; it simply removes it from the rulebases_5_0.fws file. The fwauth.NDB* files contain the user database.

Note

The *.W file can be edited with a text editor. Editing this code does not affect the GUI representation of rules. However, the edited file will be used to create the INSPECT script, which may introduce inconsistencies between the GUI and the installed policy. As an alternative, the *.def file can be edited.
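The backup list and the note above can be combined into one routine: copy the four file sets, record a hash of each, and later check the live files against those hashes to catch a *.W file that was changed outside the Policy Editor. The script below is an added example, not part of the book or of Check Point's tooling; it assumes a Unix-like management server where the files sit under $FWDIR/conf and $FWDIR/database, that GNU `sha256sum` is available, and the function names and `MANIFEST.sha256` file name are made up for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): back up the policy files listed
# above and detect later changes to them. Assumes <fwdir>/conf and
# <fwdir>/database exist and that GNU sha256sum is installed.

# backup_policy <fwdir> <dest_dir>
# Copies objects_5_0.C, every *.W, rulebases_5_0.fws and fwauth.NDB* into
# <dest_dir>, keeping the conf/ and database/ layout, and writes
# <dest_dir>/MANIFEST.sha256. Fails if any expected file is missing.
backup_policy() {
    fwdir=$1; dest=$2
    mkdir -p "$dest/conf" "$dest/database" || return 1
    : > "$dest/MANIFEST.sha256"
    for f in "$fwdir"/conf/objects_5_0.C "$fwdir"/conf/*.W \
             "$fwdir"/conf/rulebases_5_0.fws "$fwdir"/database/fwauth.NDB*; do
        # An unmatched glob stays literal, so this also catches "no *.W at all".
        if [ ! -f "$f" ]; then
            echo "backup_policy: missing $f" >&2
            return 1
        fi
        rel=${f#"$fwdir"/}
        cp -p "$f" "$dest/$rel" || return 1
        # Hash with paths relative to fwdir so the manifest is relocatable.
        (cd "$fwdir" && sha256sum "$rel") >> "$dest/MANIFEST.sha256" || return 1
    done
}

# verify_policy <fwdir> <manifest>
# Returns non-zero if any file in the manifest has changed or disappeared
# since the backup, for example a *.W file edited with a text editor.
verify_policy() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    (cd "$1" && sha256sum -c "$manifest")
}
```

A policy created or changed legitimately in the Policy Editor also changes these files, so a failed `verify_policy` means "take a new backup or investigate", not necessarily tampering.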




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
