Object Dumper
Object Management Tools for Check Point SmartCenter
July 2005
Revision 20061127 (27 November 2006)
Agenda
Objects Management basics
DBedit
Object Filler
Object Dumper
Conclusions
Check Point Object Management basics
Object Management Basics
Objects and rules are created primarily through SmartDashboard (GUI)
  Good for day-to-day administration
  Not too easy for massive loads, like new configs
Objects have different properties according to their type
  Groups have members
  Gateways have interfaces
  Networks have netmasks
  Hosts can be “servers” for DNS, Web or Mail
Rules have predefined properties, the same for every type of rule
  Desktop Security, QoS, NAT and Security rules are different types of rules
Where’s this stuff stored?
Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows)
Objects are primarily placed under objects_5_0.C
However…
DBedit
Command line tool, supported by Check Point, that allows changes in the overall configuration
  Indirect changes in the objects_5_0.C and rulebases_5_0.C
  Allows and extends what can be done from the SmartDashboard
DBedit is scriptable
DBedit invocation
Preferably use it from the SmartCenter you’re going to operate. That is, use localhost
  If you are using it from a different machine, then the IP address you’re using has to be declared as a valid GUI client
Use the credentials of a regular R/W administrator
dbedit without options
Doing a basic operation
Creating a basic host
So, DBedit…
Is really powerful, but could be a bit complex
  The syntax is also very sensitive to spaces, colons, dots, etc.
If you want to write a script, you have to spend some time:
  Learning the DBedit syntax (useful then and forever)
  Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV file
  Or typing/editing the DBedit script file by yourself
Other Scenarios. What if…
You have to do massive operations
  You have to create 256 networks for 10.10.0.0/16: 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on…
  You have a list with 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  Add NAT to a group of objects that are already created
Or a bit more complicated: migrating from Cisco PIX or NetScreen/Juniper to Check Point…
  … and there’s a customer that has 300 objects plus 900 rules on it.
In all those cases, it takes lots of time analyzing and/or typing
Object Filler
What is Object Filler?
To begin with, it is an unsupported and unofficial tool
Automates the DBedit script creation to feed SmartCenter’s dbedit
  Works mainly with Network/Service Objects
  It works as well with firewall (security) rules
Can take information from 3 different types of feeds
  Command Line
    Useful when creating consecutive objects: nets, hosts within a given range, etc.
  Predefined file with objects information
    CSV File (predefined format), Hosts File (UN*X, Windows), …
  Configuration from a third-party vendor configuration file
    Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor
Creating objects from Command Line
ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt
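What the command line above asks for, written out as an added example (this is not Object Filler’s own code): enumerate every subnet of the given mask from the -s address up to and including the -d address and emit one DBedit network object per subnet, using the create/modify/update command form DBedit expects for network objects. The Net_<address> naming scheme and the default colour are this example’s choices, not Object Filler’s.

```python
"""Generate DBedit commands for consecutive network objects.

Added example, not Object Filler's own code. It does what the slide's
command line asks for (-s start, -d end, -m mask, -c colour): one network
object per subnet of the given mask, from the start address up to and
including the end address. The Net_<address> naming scheme is this
example's choice.
"""
import ipaddress


def networks_in_range(start, end, prefixlen):
    """Yield each /prefixlen subnet from start up to and including end."""
    first = ipaddress.ip_network(f"{start}/{prefixlen}", strict=False)
    last = ipaddress.ip_network(f"{end}/{prefixlen}", strict=False)
    if last.network_address < first.network_address:
        raise ValueError("end address lies before start address")
    net = first
    while True:
        yield net
        if net == last:
            return
        # The next subnet begins right after this one's broadcast address.
        net = ipaddress.ip_network(
            f"{net.broadcast_address + 1}/{prefixlen}", strict=False)


def dbedit_network(net, color="black"):
    """DBedit commands that create and populate one network object."""
    name = f"Net_{net.network_address}"
    return [
        f"create network {name}",
        f"modify network_objects {name} ipaddr {net.network_address}",
        f"modify network_objects {name} netmask {net.netmask}",
        f"modify network_objects {name} color {color}",
        f"update network_objects {name}",
    ]


def build_script(start, end, prefixlen, color="black"):
    """Whole DBedit script for the range, terminated by 'quit'."""
    lines = []
    for net in networks_in_range(start, end, prefixlen):
        lines.extend(dbedit_network(net, color))
    lines.append("quit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same request as the slide: 256 green /24 networks into networks.txt.
    script = build_script("192.168.0.0", "192.168.255.0", 24, "green")
    with open("networks.txt", "w", newline="\n") as fh:
        fh.write(script)
    print(script.count("create network "), "network objects written")
```

The output is a plain text file, so it travels to the SmartCenter the same way as any Object Filler output. Since DBedit applies the objects one by one and its syntax is unforgiving, it pays to run the first few generated lines against a lab SmartCenter before feeding the whole 256-object file.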
The resulting text file contents
Importing the results into SmartCenter
Pass the file to the SmartCenter
  Use FTP (ASCII file type), copy-paste, etc.
The results in the database
(screenshots: before / after)
Sample CSV File
Other source files supported
List Files
  Files with just IP addresses and netmasks
  Object Filler creates the names and the type of object according to the IP address and netmask.
  Use the program with options -f and -i list
Hosts
  A regular hosts file, the one found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows
  Use the program with options -f and -i hosts
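The slide on DBedit suggested writing a script that turns an easier syntax such as a CSV file into DBedit commands, and the feeds above add list files (type decided by the netmask) and hosts files. The following added example does both; it is not Object Filler’s code and the CSV layout it assumes (name,ip,netmask,color, header optional) is this example’s own, not Object Filler’s predefined format. Every entry is validated before a single DBedit line is produced, because DBedit is sensitive to stray characters and a malformed address is better caught in the generator than half-way through an import.

```python
"""Turn a CSV file or a hosts file into DBedit commands for hosts and networks.

Added example, not Object Filler's own code or CSV layout. Assumed CSV
columns: name,ip,netmask,color (netmask and color optional). Object type
follows the netmask, as the slide describes for list files:
255.255.255.255 gives a host, anything else a network.
"""
import csv
import io
import ipaddress
import re

# Object names accepted by this example; DBedit's syntax is sensitive to
# spaces, colons and similar, so anything else is rejected up front.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def make_record(name, ip, netmask="255.255.255.255", color="black"):
    """Validate one feed entry and return a normalised dict (raises ValueError)."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe object name: {name!r}")
    addr = ipaddress.IPv4Address(ip)                     # rejects malformed IPs
    net = ipaddress.IPv4Network((addr, netmask), strict=False)
    kind = "host" if net.prefixlen == 32 else "network"
    # Networks are normalised to their network address (example's choice).
    return {"name": name, "type": kind, "ip": str(net.network_address),
            "netmask": str(net.netmask), "color": color}


def records_from_csv(text):
    """Parse 'name,ip[,netmask[,color]]' rows; blank, comment and header rows skip."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#") or row[0].lower() == "name":
            continue
        fields = [f.strip() for f in row]
        records.append(make_record(*fields[:4]))
    return records


def records_from_hosts(text):
    """Parse hosts-file lines ('ip name [aliases]'); the first name is used."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()             # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"hosts line without a name: {line!r}")
        records.append(make_record(parts[1], parts[0]))  # hosts files hold hosts only
    return records


def to_dbedit(records):
    """Render the records as a DBedit script (create/modify/update per object)."""
    lines = []
    for r in records:
        cls = "host_plain" if r["type"] == "host" else "network"
        lines.append(f"create {cls} {r['name']}")
        lines.append(f"modify network_objects {r['name']} ipaddr {r['ip']}")
        if r["type"] == "network":
            lines.append(f"modify network_objects {r['name']} netmask {r['netmask']}")
        lines.append(f"modify network_objects {r['name']} color {r['color']}")
        lines.append(f"update network_objects {r['name']}")
    lines.append("quit")
    return "\n".join(lines) + "\n"


# Constructed sample feeds for this example (not from the slides).
SAMPLE_CSV = """name,ip,netmask,color
web-01,10.1.2.10,255.255.255.255,blue
Net_10.1.2.0,10.1.2.0,255.255.255.0,green
"""
SAMPLE_HOSTS = """# constructed hosts file
10.1.2.20   db-01 db-01.example.internal
10.1.2.21   mail-01
"""

if __name__ == "__main__":
    records = records_from_csv(SAMPLE_CSV) + records_from_hosts(SAMPLE_HOSTS)
    print(to_dbedit(records))
```

Because the validation happens before any output is written, a bad line fails the whole run rather than leaving a half-imported object list on the SmartCenter; that is the behaviour you want when the input is a 400-entry employee list typed by hand.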
Importing from Other Brands
Object Filler supports importing Network Objects from configurations of other brands
Importing from Other Brands
Currently (as of Object Filler 2.4) supported:
  Cisco PIX and Cisco Routers: Network Objects, Groups, NAT, Services and Rules
  NetScreen/Juniper: Network Objects, Static NAT
  Gauntlet: Network Objects
  SideWinder: Network Objects, Groups, Services
  Raptor: Network Objects
Converting from Cisco PIX to Check Point: Example
Source PIX configuration (part of it)
Translating just Network Objects (Preview mode)
Translating Rules (Preview mode)
Translating Network Objects and rules (DBedit commands)
Object Dumper
What is Object Dumper?
Also an unofficial and unsupported tool
Kind of does the opposite of Object Filler: dumps the objects and rules of the SmartCenter to a text format
  Going from there, you can do modifications in the exported objects/rules, move them, merge them, …
  It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  You must keep the format if you plan to import them back to the same or another SmartCenter Server
Works with the regular objects_5_0.C, or with the one found in the Gateway.
  Supports objects recovery from SmartCenter crash scenarios
Works with the regular rulebases_5_0.fws
  Today only security rules are supported. No NAT nor QoS rules
How does it work?
It works by parsing all the entries in the objects_5_0.C file, and writing them to a defined file
  The format of such file is CSV (Comma Separated Values)
  The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration
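To make the parse-and-dump step concrete, here is an added example that is not Object Dumper’s code: a small parser for the bracketed “:key (value)” layout of objects_5_0.C, which pulls the entries under network_objects out and writes them as CSV rows. The sample file is constructed for this example and keeps only a handful of attributes; a real objects_5_0.C carries many more and the attribute names assumed here (AdminInfo/ClassName, type, ipaddr, netmask, color) should be checked against the version you are dumping.

```python
"""Parse an objects_5_0.C-style file and dump its network objects as CSV.

Added example, not Object Dumper's code. The file layout assumed here is
the bracketed ":key (value)" form, with each network object as an
anonymous ": (name ...)" entry under :network_objects. The attribute
names used below are assumptions to verify against a real file.
"""
import csv
import io
import re

# Tokens: quoted strings, the three structural characters, or bare atoms.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[():]|[^\s():"]+')


def tokenize(text):
    return TOKEN.findall(text)


def parse(tokens):
    """Parse tokens into nested lists of (key, value); key is None for bare items."""
    pos = 0

    def parse_value():
        nonlocal pos
        tok = tokens[pos]
        if tok != "(":
            pos += 1
            return tok.strip('"')
        pos += 1                                      # consume '('
        items = []
        while tokens[pos] != ")":
            if tokens[pos] == ":":
                pos += 1
                key = ""                              # ': (' is an anonymous entry
                if tokens[pos] not in ("(", ")"):
                    key = tokens[pos]
                    pos += 1
                items.append((key, parse_value()))
            else:
                items.append((None, parse_value()))
        pos += 1                                      # consume ')'
        return items

    return parse_value()


def get(items, key):
    """First child value with the given key, or None."""
    for k, v in items:
        if k == key:
            return v
    return None


def scalar(node):
    """Unwrap '(value)' to 'value'; '' for missing, empty or nested nodes."""
    if isinstance(node, list) and len(node) == 1 and node[0][0] is None \
            and isinstance(node[0][1], str):
        return node[0][1]
    return ""


FIELDS = ["name", "class", "type", "ipaddr", "netmask", "color"]


def dump_objects(text):
    """Return one dict per network object found under :network_objects."""
    root = parse(tokenize(text))
    rows = []
    for key, entry in get(root, "network_objects") or []:
        if key != "" or not isinstance(entry, list):
            continue
        name = next((v for k, v in entry if k is None and isinstance(v, str)), None)
        if name is None:
            continue
        admin = get(entry, "AdminInfo") or []
        rows.append({"name": name,
                     "class": scalar(get(admin, "ClassName")),
                     "type": scalar(get(entry, "type")),
                     "ipaddr": scalar(get(entry, "ipaddr")),
                     "netmask": scalar(get(entry, "netmask")),
                     "color": scalar(get(entry, "color"))})
    return rows


def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample in the assumed layout (not a real objects_5_0.C).
SAMPLE_OBJECTS_C = """(
    :network_objects (
        : (web-01
            :AdminInfo (
                :chkpf_uid ("{11111111-2222-3333-4444-555555555555}")
                :ClassName (host_plain)
            )
            :color (blue)
            :ipaddr (10.1.2.10)
            :type (host)
        )
        : (Net_10.1.2.0
            :AdminInfo (
                :ClassName (network)
            )
            :color (green)
            :ipaddr (10.1.2.0)
            :netmask (255.255.255.0)
            :type (network)
        )
    )
)
"""

if __name__ == "__main__":
    print(to_csv(dump_objects(SAMPLE_OBJECTS_C)), end="")
```

The parser keeps the whole tree, so extending the dump to services or groups is a matter of reading a different top-level key; the CSV columns are fixed up front so that a file edited in a spreadsheet keeps the layout an importer expects.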
Dumping the objects
Run Object Dumper over it. Example:
odumper -f objects_5_0.C -o objects.csv
Viewing the results
The results can be viewed by any spreadsheet or program able to interpret CSV files, such as Microsoft Excel or Calc from StarOffice
Can be edited. If it is going to be imported back, keeping the format is mandatory
Comments About Object Dumper behavior
By default it doesn’t export the “default” predefined objects and services.
  Just exports the ones created by the user
  Tested up to NGX R62
  Useful to track service additions in the local environment
  You can export default objects using the -d switch
It can export the results as an HTML file
  Use the -html switch in the Command Line
Can as well export rules
  See documentation for known limitations
Using Object Filler to import CSV files (such as Object Dumper’s output)
Why import back?
Migrations where you want or must import the results within a new environment
Large number of modifications
  Modifying IPs or names is supported by DBedit, and also supported by Object Filler
  SmartCenter limitation (also observed by Object Filler): names and IPs cannot be changed for Check Point objects
Recovery from SmartCenter crashes…
  However, not recommended to use it as a “reliable” backup/restore procedure
    There are settings that are not dumped by Object Dumper
    Not all the information is present
    It is not supported
Running Object Filler over an Object Dumper’s result file
ofiller -f objects.csv -i csv -o importing.txt
Taking a look in the results file
Importing the file into the SmartCenter
Follow the same procedure you already saw
The results…
(screenshots: before / after)
Tools Documentation
Documentation
There’s a document (User’s Manual) included in the program’s distribution file.
  Covers lots of details on how the programs work, including tested environments and known limitations
There are other documents describing special scenarios, such as utilization on Provider-1 / SiteManager-1 environments.
Questions and suggestions can be sent to the author’s email address
  Public PGP Key is available in the tools’ package.
Conclusions
Tools availability
They are publicly available on the Internet
  http://ofiller.chatscope.com - main download site with forums, FAQs, Beta versions, bug report forms and other nice resources.
  http://www.lindercentral.com/ofiller/ - Always keeps the latest “stable”
  http://www.cpug.org/ - Always keeps the latest “stable”
Tools supported natively in the following OSs:
  Windows (2000, XP); Red Hat Linux; SecurePlatform; Solaris
They don’t require installation at all. Just execute them.
They are being updated constantly
  At least 1 new version per year since 2003.
  For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported.
Warnings
Always remember that the tools are not supported officially.
  But they work…
  Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment
Always perform a backup before doing any operation
  You never know… and you are playing with your security configuration. So, be careful…
If possible, test in a lab environment first, whatever you are planning to do with the tools
  An alternate machine where the whole configuration is restored is an option
  VMware is another (very good) option.
Wrap-up
There are command line tools for objects manipulation in Check Point SmartCenter Servers and Provider-1 environments
The tools can be used in conversion scenarios: from other firewall brands to Check Point.
  Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
They give a good way to “rebuild” systems from scratch, without losing too much time on rebuilding objects
You can use them in several scenarios where using a GUI can’t be optimal
  And with this, reduce times a lot.
  There are reports where the tools have saved days of type-and-click
Thank you!
Questions?