By Martín H. Hoz Salvador, mhoz (at) mexico (dot) com / martinhoz <at> gmail <dot> com. July 2005, Revision 20061127
27 November 2006
Agenda
- Objects Management basics
- DBedit
- Object Filler
- Object Dumper
- Conclusions
Rules have predefined properties, the same for every type of rule. Desktop Security, QoS, NAT and Security rules are different types of rules.
However, the files are plain text in a special format, and that format is *very* sensitive to syntax.
DBedit
Supported by Check Point. A command line tool that allows changes in the overall configuration: indirect changes to objects_5_0.C and rulebases_5_0.C. It allows, and extends, what can be done from the SmartDashboard.
As with all CLIs, there's a special syntax that has to be used. This is usually documented through SecureKnowledge: sk13301, sk10104, sk22957, sk30370, sk23802.
DBedit is scriptable: it can take commands from a file.
DBedit invocation
Preferably use it from the SmartCenter you're going to operate, that is, use localhost. If you are using it from a different machine, then the IP address you're using has to be declared as a valid GUI client. Use the credentials of a regular R/W administrator.
dbedit without options
So, DBedit is really powerful, but can be a bit complex. The syntax is also very sensitive to spaces, colons, dots, etc.
Or a bit more complicated: migrating from Cisco PIX or NetScreen/Juniper to Check Point, and there's a customer that has 300 objects plus 900 rules on it.
Object Filler
You should be able to see them within the SmartDashboard. You may create a new Database Revision Control entry before and/or after the objects creation, as a backup.
Hosts
A regular hosts file: the ones found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows. Run the program with the options f and i hosts.
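To make the hosts-file conversion concrete, here is an added example (my own code, not Object Filler's) that reads hosts-file text and emits a DBedit command script creating one host object per entry. The sample hosts content is constructed. The DBedit command forms used (create host_plain, modify ... ipaddr, update, savedb) are recalled from Check Point's DBedit documentation and treated here as an assumption; verify them against the SecureKnowledge articles cited above. The name-sanitising rule is also an assumption.

```python
import ipaddress
import re

# Constructed sample hosts file (not from the original presentation).
SAMPLE_HOSTS = """\
# Internal hosts (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
10.1.1.10       web-01.example.test web-01
10.1.1.11       db-01.example.test  db-01   # primary database
10.1.1.10       web-01-alias                # same IP, second name
not-an-ip       broken-line
"""

# DBedit object names: keep letters, digits, '-' and '_' (assumed character
# set; anything else is replaced by '_').
_NAME_RE = re.compile(r"[^A-Za-z0-9_-]")


def sanitize_name(name: str) -> str:
    """Turn a hostname into an object name DBedit will accept (assumed rule)."""
    return _NAME_RE.sub("_", name.split(".")[0])


def parse_hosts(text: str, skip_loopback: bool = True):
    """Return (name, ip) pairs from hosts-file text.

    Uses the first hostname on each line as the object name, ignores comments,
    blank lines, IPv6 and loopback entries, and lines whose first field is not
    a valid IP address. Duplicate object names are dropped (first one wins),
    since DBedit would otherwise fail on the second 'create'.
    """
    seen = set()
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP
        if ip.version != 4 or (skip_loopback and ip.is_loopback):
            continue
        name = sanitize_name(fields[1])
        if name in seen:
            continue
        seen.add(name)
        entries.append((name, str(ip)))
    return entries


def to_dbedit_script(entries) -> str:
    """Render DBedit commands for a list of (name, ip) host objects.

    Command syntax is an assumption recalled from Check Point documentation:
    create host_plain / modify ... ipaddr / update ... / savedb.
    """
    lines = []
    for name, ip in entries:
        lines.append(f"create host_plain {name}")
        lines.append(f"modify network_objects {name} ipaddr {ip}")
        lines.append(f"update network_objects {name}")
    lines.append("savedb")                     # commit the changes
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_dbedit_script(parse_hosts(SAMPLE_HOSTS)), end="")
```

The generated text can then be fed to DBedit, which, as noted above, takes its commands from a file. Review the script before running it against a production SmartCenter, and take a Database Revision Control entry first, as the slides recommend.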
Source firewall and supported object types:
- NetScreen/Juniper: Network Objects, Static NAT
- Gauntlet: Network Objects
- SideWinder: Network Objects, Groups, Services
- Raptor: Network Objects
Object Dumper
Works with the regular objects_5_0.C, or with the one found on the Gateway. Supports object recovery in SmartCenter crash scenarios.
Step 1: Transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper. Preferably use FTP with ASCII file type.
Recovery from SmartCenter crashes. However, it is not recommended to use it as a reliable backup/restore procedure: there are settings that are not dumped by Object Dumper, not all the information is present, and it is not supported.
The results
The newly imported objects are now created in the Objects Database. You can see them when you log in to the SmartDashboard.
(Screenshots: before / after)
Tools Documentation
Documentation
There's a document (User's Manual) included in the program's distribution file. It covers lots of details on how the programs work, including tested environments and known limitations.
There are other documents describing special scenarios, such as use in Provider-1 / SiteManager-1 environments. Questions and suggestions can be sent to the author's e-mail address. The public PGP key is available in the tools package.
Conclusions
Tools availability
They are publicly available on the Internet:
- http://ofiller.chatscope.com - main download site with forums, FAQs, beta versions, bug report forms and other useful resources.
- http://www.lindercentral.com/ofiller/ - always keeps the latest stable version.
- http://www.cpug.org/ - always keeps the latest stable version.
Tools supported natively on the following OSs: Windows (2000, XP), Red Hat Linux, SecurePlatform, Solaris. They don't require installation at all; just execute them. They are updated constantly, with at least one new version per year since 2003. For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported.
Warnings
Always remember that the tools are not supported officially. But they work. Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment.
If possible, test in a lab environment first, whatever you are planning to do with the tools. An alternate machine where the whole configuration is restored is an option; VMware is another (very good) option.
Wrap-up
There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments. The tools can be used in conversion scenarios: from other firewall brands to Check Point.
Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
They give a good way to rebuild systems from scratch, without losing too much time rebuilding objects. You can use them in several scenarios where using a GUI can't be optimal, and with this reduce times a lot. There are reports where the tools have saved days of type-and-click.
Thank you!
Questions?