
The Object Filler and Object Dumper
Object Management Tools for Check Point SmartCenter

By Martín H. Hoz Salvador


mhoz (at) mexico (dot) com
martinhoz <at> gmail <dot> com

July 2005
Revision 20061127

27 November 2006 1
Agenda
• Objects Management basics
• DBedit
• Object Filler
• Object Dumper
• Conclusions
Check Point Object Management basics
Object Management Basics
• Objects and rules are created primarily through SmartDashboard (GUI)
  - Good for day-to-day administration
  - Not too easy for massive loads, like new configs
• Objects have different properties according to their type
  - Groups have members
  - Gateways have interfaces
  - Networks have netmasks
  - Hosts can be “servers” for DNS, Web or Mail
• Rules have predefined properties, the same for every type of rule
  - Desktop Security, QoS, NAT and Security rules are different types of rules
Where’s this stuff stored?
• Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows)
• Objects are primarily placed under objects_5_0.C
• Rules are stored under rulebases_5_0.C
• Both are ASCII files
However…
• The files are in text, but using a special format
  - Which is *very* sensitive
• Manual changes in these files can trigger severe problems
• The general rule is: Don’t do it
  - Unless you really know what you are doing and you have CP Support backing you
  - Especially because there is a supported way to make changes…
DBedit
DBedit
• Command line tool, supported by Check Point, that allows changes in the overall configuration
  - Indirect changes in the objects_5_0.C and rulebases_5_0.C
  - Allows and extends what can be done from the SmartDashboard
• Present in all NG and NGX versions
  - All the operating systems supported by Check Point SmartCenters
  - Known to have better behavior since NG FP3
• As with all CLIs, there’s a special syntax that has to be used.
  - This is usually documented through SecureKnowledge
  - skI3301, sk10104, sk22957, sk30370, sk23802
• DBedit is scriptable
  - Can take commands from a file…

DBedit invocation
DBedit invocation
• Preferably use it from the SmartCenter you’re going to operate. This is, use localhost
• If you are using it from a different machine, then the IP address you’re using has to be declared as a valid GUI client
• Use the credentials of a regular R/W administrator
• dbedit without options
• dbedit with all options
Doing a basic operation
• Creating a basic host
• Changing color and adding NAT…
So, DBedit…
• Is really powerful, but could be a bit complex
• The syntax is as well very sensitive to spaces, colons, dots, etc.
• If you want to write a script, you’ve to spend some time:
  - Learning the DBedit syntax (useful then and forever)
  - Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV file
  - Or type/edit the DBedit script file by yourself
• That easily sums up to a couple of hours
  - Writing something you will use only once most of the time
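As an added illustration of the script-generation step discussed on this slide (and of the create-host, set-color and add-NAT operations from the previous one), here is a small Python generator that turns a CSV feed into a dbedit script. It is example code written for this page, not Object Filler's own code: the CSV column layout (name,ip,color,nat_ip) and the sample rows are constructed, and the NAT attribute names follow the dbedit syntax documented in Check Point's SecureKnowledge articles, which you should verify against the SK articles for your SmartCenter version.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed. The column layout (name,ip,color,nat_ip) is this
# example's own assumption, not Object Filler's documented CSV format.
SAMPLE_CSV = """name,ip,color,nat_ip
web-srv,10.1.1.10,green,203.0.113.10
db-srv,10.1.1.20,red,
"""

# dbedit object names: keep to a conservative character set so the generated
# script cannot be broken (or re-interpreted) by stray spaces or punctuation.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def host_commands(name, ip, color="black", nat_ip=""):
    """Return the dbedit lines that create one host_plain object, set its color
    and, when nat_ip is given, a static NAT address.  Attribute names are taken
    from the dbedit syntax documented in Check Point's SecureKnowledge articles
    (assumed here; verify them for your SmartCenter version)."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid object name: {name!r}")
    ipaddress.ip_address(ip)            # raises ValueError on garbage input
    obj = f"network_objects {name}"
    lines = [
        f"create host_plain {name}",
        f"modify {obj} ipaddr {ip}",
        f"modify {obj} color {color}",
    ]
    if nat_ip:
        ipaddress.ip_address(nat_ip)
        lines += [
            f"modify {obj} add_adtr_rule true",
            f"modify {obj} NAT NAT",
            f"modify {obj} NAT:valid_ipaddr {nat_ip}",
            f"modify {obj} NAT:netobj_adtr_method adtr_static",
            f"modify {obj} NAT:the_firewalling_obj network_objects:All",
        ]
    lines.append(f"update {obj}")
    return lines


def csv_to_dbedit(csv_text):
    """Translate the whole CSV feed into a dbedit script (list of lines)."""
    script = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("name") or "").strip()
        if not name:                     # tolerate blank rows
            continue
        script += host_commands(
            name,
            (row.get("ip") or "").strip(),
            (row.get("color") or "").strip() or "black",
            (row.get("nat_ip") or "").strip(),
        )
    script.append("quit")
    return script


if __name__ == "__main__":
    # Redirect this output to a file and hand that file to dbedit
    print("\n".join(csv_to_dbedit(SAMPLE_CSV)))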
Other Scenarios. What if…
• You’ve to do massive operations
  - You have to create 256 networks for 10.10.0.0/16
    10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on…
  - You have a list with 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  - Add NAT to a group of objects that are already created
• Or a bit more complicated: Migrating from Cisco PIX or NetScreen/Juniper to Check Point…
  - … and there’s a customer that has 300 objects plus 900 rules on it.
• In all those cases, it takes lots of time analyzing and/or typing
Object Filler
What is Object Filler?
• To begin with, it is an unsupported and unofficial tool
• Automates the DBedit script creation to feed SmartCenter’s dbedit
• Works mainly with Network/Service Objects
  - It works as well with firewall (security) rules
• Can take information from 3 different types of feeds
  - Command Line
    Useful when creating consecutive objects: nets, hosts within a given range, etc.
  - Predefined file with objects information
    CSV File (predefined format), Hosts File (UN*X, Windows), …
  - Configuration from a third-party vendor configuration file
    Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor
Creating objects from Command Line
• ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt
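The command above is the “consecutive objects” feed. As an added example (not ofiller's own code), the following Python reproduces what such a run has to compute: the list of /24 networks between the -s and -d addresses (the same computation answers the “256 networks for 10.10.0.0/16” case from an earlier slide), a name for each, and the dbedit lines that create them with the -c color. It also covers the list-file feed described later in the deck (IP address plus netmask per line, host versus network decided from the mask), since both feeds produce the same kind of object. The H_/N_ naming scheme and the sample list file are this example's assumptions.

```python
import ipaddress


def object_name(net):
    """Derive an object name from address and prefix length.  The H_/N_ naming
    scheme is this example's assumption, not necessarily Object Filler's own."""
    if net.prefixlen == 32:
        return f"H_{net.network_address}"
    return f"N_{net.network_address}_{net.prefixlen}"


def networks_in_range(start, end, prefixlen):
    """Enumerate every /prefixlen network from the one containing `start` up to
    and including the one containing `end` (the -s / -d / -m idea)."""
    first = ipaddress.ip_network(f"{start}/{prefixlen}", strict=False)
    last = ipaddress.ip_network(f"{end}/{prefixlen}", strict=False)
    if last.network_address < first.network_address:
        raise ValueError("end address precedes start address")
    nets = []
    cur = first
    while cur.network_address <= last.network_address:
        nets.append(cur)
        nxt = int(cur.network_address) + cur.num_addresses
        if nxt > 0xFFFFFFFF:          # ran off the end of IPv4 space
            break
        cur = ipaddress.ip_network(f"{ipaddress.ip_address(nxt)}/{prefixlen}")
    return nets


def parse_list_file(text):
    """Parse 'ip netmask' lines (the -i list feed).  /32 entries become hosts,
    everything else networks; malformed lines raise instead of being guessed."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # allow trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'ip netmask'")
        nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
    return nets


def dbedit_commands(net, color="black"):
    """dbedit lines creating one host_plain or network object."""
    name = object_name(net)
    obj = f"network_objects {name}"
    if net.prefixlen == 32:
        lines = [f"create host_plain {name}",
                 f"modify {obj} ipaddr {net.network_address}"]
    else:
        lines = [f"create network {name}",
                 f"modify {obj} ipaddr {net.network_address}",
                 f"modify {obj} netmask {net.netmask}"]
    lines += [f"modify {obj} color {color}", f"update {obj}"]
    return lines


def build_script(nets, color="black"):
    """Whole dbedit script for a list of networks, terminated by quit."""
    script = []
    for net in nets:
        script += dbedit_commands(net, color)
    script.append("quit")
    return script


# Constructed sample list file (not from the deck)
SAMPLE_LIST = """10.1.1.1 255.255.255.255   # a host
10.2.0.0 255.255.0.0       # a network
"""

if __name__ == "__main__":
    # Same request as the slide's command line: 256 /24 networks, colored green
    nets = networks_in_range("192.168.0.0", "192.168.255.0", 24)
    print("\n".join(build_script(nets, "green")))
```

The range walk is done on the aligned network address rather than on a counter, so a start address with host bits set (192.168.0.5) still yields the 192.168.0.0/24 object and the loop cannot run past the end of the address space.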
The resulting text file contents
Importing the results into SmartCenter
• Pass the file to the SmartCenter
  - Use FTP (ASCII file type), copy-paste, etc.
• Use DBedit with the file as the input file
• Make sure no GUI is running with R/W permissions
The results in the database (screenshots: before / after)
• The objects are now created in the Objects Database
  - In less than 5 minutes
• You should be able to see them within the SmartDashboard
• You may create a new Database Revision Control entry before and/or after the objects creation, as a “backup”
Other sources for importing objects
• Comma Separated Values (CSV) files
  - Created usually with a spreadsheet (MS Excel is an option), with values fixed according to the column
  - Uses Object Filler with options -f (filename) and -i csv
  - The most powerful way to import objects
  - That’s the format Object Dumper uses
Sample CSV File
Other source files supported
• List Files
  - Files with just IP addresses and netmasks
  - Object Filler creates the names and the type of object according to the IP address and netmask.
  - Use the program with options -f and -i list
• Hosts
  - A regular hosts file. The ones found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows
  - Use the program with options -f and -i hosts
Importing from Other Brands
• Object Filler supports importing Network Objects from configurations of other brands
• Object Filler parses the configuration file, and when it detects some valid IP address and netmask, builds an object according to such data.
• Rules support is here as well
  - Importing ACL Rules from Cisco PIX and Cisco Routers
Importing from Other Brands
• Currently (as of Object Filler 2.4) supported:
  - Cisco PIX and Cisco Routers: Network Objects, Groups, NAT, Services and Rules
  - NetScreen/Juniper: Network Objects, Static NAT
  - Gauntlet: Network Objects
  - SideWinder: Network Objects, Groups, Services
  - Raptor: Network Objects
Converting from Cisco PIX to Check Point: Example
Source PIX configuration (part of it)

Translating just Network Objects (Preview mode)

Translating Rules (Preview mode)

Translating Network Objects and rules (DBedit commands)
Object Dumper
What is Object Dumper?
• Also an unofficial and unsupported tool
• Kind of does the opposite of what Object Filler does: dumps the objects and rules of the SmartCenter to a text format
• Going from there, you can make modifications to the exported objects/rules, move them, merge them, …
  - It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  - You must keep the format if you plan to import them back to the same or another SmartCenter Server
• Works with the regular objects_5_0.C, or with the one found in the Gateway.
  - Supports objects recovery from SmartCenter crash scenarios
• Works with the regular rulebases_5_0.fws
  - Today only security rules are supported. No NAT nor QoS rules
How does it work?
• It works by parsing all the entries in the objects_5_0.C file, and writing them to a defined file
  - The format of such file is CSV (Comma Separated Values)
  - The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration
• Step 1: Transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper
  - Preferably use FTP with ASCII file type
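As an added example of the parsing step (not Object Dumper's own code), the following Python reads the nested “:key (value)” structure of an objects_5_0.C file, pulls the entries of the network_objects branch and writes them as CSV rows. The embedded fragment is constructed to follow the file's general shape, with a placeholder UID; real exports carry many more attributes per object. The parser deliberately errors on a truncated or unbalanced file instead of guessing, because a dump taken from a damaged file would be silently incomplete when imported back.

```python
import csv
import io
import re

# Constructed objects_5_0.C fragment.  It follows the general shape of the
# file (nested ':key (value)' sets) but is this example's own sample, not a
# real export; the UID is a placeholder.
SAMPLE_OBJECTS_C = """(
    :network_objects (
        : (web-srv
            :AdminInfo (
                :chkpf_uid ("{PLACEHOLDER-UID}")
                :ClassName (host_plain)
            )
            :ipaddr (10.1.1.10)
            :color (green)
            :comments ("internal web server")
            :type (host)
        )
        : (lan-net
            :AdminInfo (
                :ClassName (network)
            )
            :ipaddr (10.1.0.0)
            :netmask (255.255.0.0)
            :color (blue)
            :comments ()
            :type (network)
        )
    )
)
"""

# Tokens: quoted string, '(', ')', ':key' (possibly a bare ':'), bare value
TOKEN = re.compile(r'"[^"]*"|\(|\)|:[^\s()"]*|[^\s()"]+')
FIELDS = ["name", "class", "type", "ipaddr", "netmask", "color", "comments"]


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def _peek(tokens, pos):
    if pos >= len(tokens):
        raise ValueError("unterminated set: input truncated")
    return tokens[pos]


def _parse_set(tokens, pos):
    """Parse the set opened at tokens[pos] == '('.  Returns
    (name, attrs, children, next_pos): attrs holds leaf values, children holds
    (key, name, attrs, children) tuples for nested sets."""
    if _peek(tokens, pos) != "(":
        raise ValueError(f"expected '(' at token {pos}")
    pos += 1
    name = None
    if _peek(tokens, pos) not in ("(", ")") and not tokens[pos].startswith(":"):
        name = _unquote(tokens[pos])      # e.g. ': (web-srv ...' or a leaf value
        pos += 1
    attrs, children = {}, []
    while _peek(tokens, pos) != ")":
        tok = tokens[pos]
        if not tok.startswith(":"):
            raise ValueError(f"unexpected token {tok!r} at {pos}")
        key, pos = tok[1:], pos + 1
        if _peek(tokens, pos) == "(":
            cname, cattrs, cchildren, pos = _parse_set(tokens, pos)
            if cattrs or cchildren:
                children.append((key, cname, cattrs, cchildren))
            else:                         # ':ipaddr (10.1.1.10)' or ':comments ()'
                attrs[key] = cname
        else:
            attrs[key] = _unquote(tokens[pos])
            pos += 1
    return name, attrs, children, pos + 1


def dump_network_objects(text):
    """Return one dict (FIELDS keys) per entry in the network_objects branch."""
    tokens = TOKEN.findall(text)
    _, _, top_children, end = _parse_set(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing data after top-level set")
    rows = []
    for key, _name, _attrs, entries in top_children:
        if key != "network_objects":
            continue
        for _k, name, attrs, sub in entries:
            cls = next((a.get("ClassName") for k, _n, a, _c in sub if k == "AdminInfo"), None)
            rows.append({
                "name": name, "class": cls or "",
                "type": attrs.get("type") or "",
                "ipaddr": attrs.get("ipaddr") or "",
                "netmask": attrs.get("netmask") or "",
                "color": attrs.get("color") or "",
                "comments": attrs.get("comments") or "",
            })
    return rows


def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(dump_network_objects(SAMPLE_OBJECTS_C)))
```

Only a fixed set of columns is written, which mirrors the slide's later caveat that not every setting survives a dump: anything outside FIELDS (UIDs, NAT settings, interface tables) is parsed but not exported, so a round trip through this CSV is a rebuild of the listed attributes, not a backup.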
Dumping the objects
• Run Object Dumper over it. Example:
  odumper -f objects_5_0.C -o objects.csv
Viewing the results
• The results can be viewed by any spreadsheet or program able to interpret CSV files
  - Such as Microsoft Excel or Calc from StarOffice
• Can be edited. If it is going to be imported back, keeping the format is mandatory
Comments About Object Dumper behavior
• By default it doesn’t export the “default” predefined objects and services.
  - Just exports the ones created by the user
  - Tested up to NGX R62
  - Useful to track service additions in the local environment
  - You can export default objects using the -d switch
• It can export the results as an HTML file
  - Use the -html switch in the Command Line
• Can as well export rules
  - See documentation for known limitations
Using Object Filler to import CSV files (Such as Object Dumper’s output)
Why import back?
• Migrations where you want or must import the results within a new environment
• Large number of modifications
  - Modifying IPs or names is supported by DBedit, and also supported by Object Filler
  - SmartCenter limitation (also observed by Object Filler): Names and IPs cannot be changed for Check Point objects
• Recovery from SmartCenter crashes…
  - However, it is not recommended to use it as a “reliable” backup/restore procedure
  - There are settings that are not dumped by Object Dumper
  - Not all the information is present
  - It is not supported
Running Object Filler over an Object Dumper’s result file
• ofiller -f objects.csv -i csv -o importing.txt
Taking a look at the results file
Importing the file into the SmartCenter
• Follow the same procedure you already saw
• Existing objects are not overwritten*
  * When finishing the operations, answer NO to the questions about objects updates
The results… (screenshots: before / after)
• The new imported objects are now created in the Objects Database
• You can see them when you log in to the SmartDashboard
Tools Documentation
Documentation
• There’s a document (User’s Manual) included in the program’s distribution file.
  - Covers lots of details on how the programs work.
  - Including tested environments and known limitations
• There are other documents describing special scenarios, such as utilization on Provider-1 / SiteManager-1 environments.
• Questions and suggestions can be sent to the Author’s email address
  - Public PGP Key is available in the tools’ package.
Conclusions
Tools availability
• They are publicly available on the Internet
  - http://ofiller.chatscope.com - main download site with forums, FAQs, Beta versions, bug report forms and other nice resources.
  - http://www.lindercentral.com/ofiller/ - Always keeps the latest “stable”
  - http://www.cpug.org/ - Always keeps the latest “stable”
• Tools supported natively in the following OSs:
  - Windows (2000, XP); Red Hat Linux; SecurePlatform; Solaris
• They don’t require installation at all. Just execute them.
• They are being updated constantly
  - At least 1 new version per year since 2003.
  - For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported.
Warnings
• Always remember that the tools are not supported officially.
  - But they work…
  - Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment
• Always perform a backup before doing any operation
  - You never know… - and you are playing with your security configuration. So, be careful…
• If possible, test in a lab environment first, whatever you are planning to do with the tools
  - An alternate machine where the whole configuration is restored is an option
  - VMWare is another (very good) option.
Wrap-up
• There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments
• The tools can be used in conversion scenarios: from other firewall brands to Check Point.
  - Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
• They give a good way to “rebuild” systems from scratch, without losing too much time on rebuilding objects
• You can use them in several scenarios where using a GUI can’t be optimal
  - And with this, reduce times a lot.
  - There are reports where the tools have saved days of type-and-click
Thank you!
Questions?