
The Object Filler and Object Dumper

Object Management Tools for Check Point SmartCenter

By Martín H. Hoz Salvador, mhoz (at) mexico (dot) com, martinhoz <at> gmail <dot> com
July 2005, Revision 20061127

27 November 2006

Agenda
- Objects Management basics
- DBedit
- Object Filler
- Object Dumper
- Conclusions

Check Point Object Management basics

Object Management Basics

- Objects and rules are created primarily through SmartDashboard (GUI)
  - Good for day-to-day administration
  - Not so easy for massive loads, such as brand-new configurations
- Objects have different properties according to their type
  - Groups have members
  - Gateways have interfaces
  - Networks have netmasks
  - Hosts can be servers for DNS, Web or Mail
- Rules have a predefined set of properties, the same for every rule of a given type
  - Desktop Security, QoS, NAT and Security rules are different rule types

Where's this stuff stored?

- The most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf on MS Windows)
  - Objects are primarily placed in objects_5_0.C
  - Rules are stored in rulebases_5_0.fws
  - Both are ASCII files
- However...
  - The files are text, but in a special format which is *very* sensitive (to whitespace, quoting, parenthesis balance and object references)
  - Manual changes in these files can trigger severe problems
- The general rule is: don't do it
  - Unless you really know what you are doing and you have Check Point Support backing you
  - Especially because there is a supported way to make changes: DBedit

DBedit

DBedit

- Supported by Check Point
- Command line tool that allows changes to the overall configuration
  - Indirect changes to objects_5_0.C and rulebases_5_0.fws
  - Allows and extends what can be done from SmartDashboard
- Present in all NG and NGX versions
  - On all the operating systems supported for Check Point SmartCenter
  - Known to behave better since NG FP3
- As with all CLIs, there is a specific syntax that has to be used. It is usually documented in SecureKnowledge:
  - sk13301, sk10104, sk22957, sk30370, sk23802
- DBedit is scriptable
  - It can take commands from a file

DBedit invocation

- Preferably run it on the SmartCenter you are going to operate on, that is, against localhost
- If you run it from a different machine, the IP address you connect from has to be declared as a permitted GUI client on the SmartCenter
- Use the credentials of a regular read/write administrator

[Screenshot: dbedit without options]

[Screenshot: dbedit with all options]

Doing a basic operation

[Screenshot: creating a basic host]

[Screenshot: changing color and adding NAT]

So, DBedit...

- Is really powerful, but can be a bit complex
- The syntax is also very sensitive to spaces, colons, dots, etc.
- If you want to write a script, you have to spend some time:
  - Learning the DBedit syntax (useful then and forever)
  - Writing a (shell/Perl/etc.) script to generate the DBedit script from a simpler syntax, such as a CSV file, or typing/editing the DBedit script file yourself
  - That easily adds up to a couple of hours
  - Writing something you will, most of the time, use only once

Other Scenarios. What if...

- You have to do massive operations
  - You have to create 256 networks for 10.10.0.0/16: 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on
  - You have a list of 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  - You have to add NAT to a group of objects that are already created
- Or a bit more complicated: migrating from Cisco PIX or NetScreen/Juniper to Check Point
  - and the customer has 300 objects plus 900 rules on it
- In all those cases, it takes lots of time analyzing and/or typing
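The scenarios above, and the "write a script that generates the DBedit script from a simpler syntax" approach of the previous slide, as an added Python example (this is not Object Filler's code and does not come from the deck): it produces a DBedit command file for a run of consecutive networks and for a CSV of hosts, including the create host / set color / add NAT sequence of the basic operation shown earlier. The object naming scheme, the CSV column names and the globals:All NAT install target are this example's assumptions; the NAT attribute names follow the :NAT block of objects_5_0.C, so check them against the SecureKnowledge articles for your version before feeding the output to dbedit -f.

```python
"""Generate DBedit scripts for bulk object creation.

Added example, not Object Filler's code: emits the kind of DBedit commands
the deck feeds to `dbedit -f`, for two of the scenarios above (consecutive
networks carved out of a supernet, and a CSV of hosts with optional static
NAT).  Naming scheme, CSV columns and the globals:All NAT target are assumed.
"""
import csv
import io
import ipaddress
from typing import List, Optional

# Characters kept in object names; anything else (spaces, quotes) breaks dbedit.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-")


def safe_name(raw: str) -> str:
    """Turn an arbitrary label ('john doe pc') into a name dbedit accepts."""
    name = "".join(ch if ch in _SAFE else "_" for ch in raw.strip())
    return name if name and not name[0].isdigit() else "o_" + name


def network_cmds(name: str, net: ipaddress.IPv4Network, color: str = "black") -> List[str]:
    """DBedit commands that create one network object; 'update' commits it."""
    return [
        f"create network {name}",
        f"modify network_objects {name} ipaddr {net.network_address}",
        f"modify network_objects {name} netmask {net.netmask}",
        f"modify network_objects {name} color {color}",
        f"update network_objects {name}",
    ]


def host_cmds(name: str, ip: str, color: str = "black",
              nat_ip: Optional[str] = None) -> List[str]:
    """DBedit commands for a host_plain object, optionally with static NAT.

    The NAT fields mirror the :NAT block of objects_5_0.C; the install-on
    target globals:All is an assumption, verify it against SecureKnowledge.
    """
    ipaddress.IPv4Address(ip)                  # reject garbage before it reaches dbedit
    cmds = [
        f"create host_plain {name}",
        f"modify network_objects {name} ipaddr {ip}",
        f"modify network_objects {name} color {color}",
    ]
    if nat_ip:
        ipaddress.IPv4Address(nat_ip)
        cmds += [
            f"modify network_objects {name} add_adtr_rule true",
            f"modify network_objects {name} NAT NAT",
            f"modify network_objects {name} NAT:valid_ipaddr {nat_ip}",
            f"modify network_objects {name} NAT:netobj_adtr_method adtr_static",
            f"modify network_objects {name} NAT:the_firewalling_obj globals:All",
        ]
    cmds.append(f"update network_objects {name}")
    return cmds


def consecutive_networks(supernet: str, new_prefix: int, color: str = "green") -> List[str]:
    """'256 networks for 10.10.0.0/16': every /24 in the supernet, named Net_10_10_1_0_24."""
    script: List[str] = []
    for sub in ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix):
        name = f"Net_{str(sub.network_address).replace('.', '_')}_{sub.prefixlen}"
        script += network_cmds(name, sub, color)
    return script


def hosts_from_csv(text: str) -> List[str]:
    """CSV of employee hosts -> DBedit script. Assumed columns: name,ip,color,nat_ip."""
    script: List[str] = []
    for row in csv.DictReader(io.StringIO(text)):
        script += host_cmds(safe_name(row["name"]), row["ip"].strip(),
                            row.get("color") or "black",
                            (row.get("nat_ip") or "").strip() or None)
    return script


# Constructed sample, not a real inventory.
SAMPLE_CSV = """name,ip,color,nat_ip
john doe pc,10.1.1.10,blue,
web srv 1,10.1.1.20,red,192.0.2.20
"""

if __name__ == "__main__":
    script = consecutive_networks("10.10.0.0/16", 24) + hosts_from_csv(SAMPLE_CSV)
    # Transfer networks.txt to the SmartCenter and run it with: dbedit -f networks.txt
    with open("networks.txt", "w", newline="\n") as fh:
        fh.write("\n".join(script) + "\n")
    print(f"{len(script)} dbedit lines written to networks.txt")
```

The generated file is the input file for dbedit -f in the import procedure described later in the deck; take a Database Revision Control snapshot before running it, and note that invalid addresses in the CSV are rejected here rather than half-way through a dbedit run.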



Object Filler

What is Object Filler?

- To begin with, it is an unsupported and unofficial tool
- Automates DBedit script creation to feed the SmartCenter's dbedit
- Works mainly with Network/Service Objects
  - It works as well with firewall (security) rules
- Can take information from 3 different types of feed:
  - Command line: useful when creating consecutive objects (networks, hosts within a given range, etc.)
  - Predefined file with object information: CSV file (predefined format), hosts file (UN*X, Windows)
  - Configuration file from a third-party vendor: Cisco PIX and Cisco routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor

Creating objects from the command line

  ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt

The resulting text file contents

[Screenshot: networks.txt as generated by Object Filler]

Importing the results into SmartCenter

- Pass the file to the SmartCenter
  - Use FTP in ASCII mode, SCP/SFTP, copy-paste, etc. (it is a plain text file)
- Use DBedit with the file as the input file
- Make sure no SmartDashboard session is open with read/write permissions: dbedit needs the database lock, which an open R/W GUI holds

The results in the database

[Screenshots: before / after]

- The objects are now created in the Objects Database
  - In less than 5 minutes
- You should be able to see them within SmartDashboard
- You may create a new Database Revision Control entry before and/or after the objects creation, as a backup

Other sources for importing objects

- Comma Separated Values (CSV) files
  - Usually created with a spreadsheet (MS Excel is an option), with values fixed according to the column
  - Use Object Filler with options -f (filename) and -i csv
  - The most powerful way to import objects
  - That is the format Object Dumper uses

Sample CSV File

[Screenshot: sample CSV file]

Other source files supported

- List files
  - Files with just IP addresses and netmasks
  - Object Filler creates the names and the type of object according to the IP address and netmask
  - Use the program with options -f and -i list
- Hosts files
  - A regular hosts file, as found at /etc/hosts on UN*X or %SYSTEMROOT%\system32\drivers\etc\hosts on Windows
  - Use the program with options -f and -i hosts

Importing from Other Brands

- Object Filler supports importing Network Objects from configurations of other brands
- Object Filler parses the configuration file and, when it detects a valid IP address and netmask, builds an object from that data
- Rules support is here as well
  - Importing ACL rules from Cisco PIX and Cisco routers

Importing from Other Brands

Currently supported (as of Object Filler 2.4):
- Cisco PIX and Cisco routers: Network Objects, Groups, NAT, Services and Rules
- NetScreen/Juniper: Network Objects, Static NAT
- Gauntlet: Network Objects
- SideWinder: Network Objects, Groups, Services
- Raptor: Network Objects

Converting from Cisco PIX to Check Point

Example

[Screenshot: source PIX configuration (part of it)]

[Screenshot: translating just Network Objects (preview mode)]

[Screenshot: translating rules (preview mode)]

[Screenshot: translating Network Objects and rules (DBedit commands)]

Object Dumper

What is Object Dumper?

- Also an unofficial and unsupported tool
- Does roughly the opposite of Object Filler: dumps the objects and rules of the SmartCenter to a text format
  - From there you can modify the exported objects/rules, move them, merge them...
  - It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  - You must keep the format if you plan to import them back into the same or another SmartCenter Server
- Works with the regular objects_5_0.C, or with the copy found on the gateway
  - Supports object recovery in SmartCenter crash scenarios
- Works with the regular rulebases_5_0.fws
  - Today only security rules are supported. No NAT nor QoS rules

How does it work?

- It works by parsing all the entries in the objects_5_0.C file and writing them to a defined output file
  - The format of that file is CSV (Comma Separated Values)
  - The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration
- Step 1: transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper
  - Preferably use FTP with the ASCII file type (SCP/SFTP also works; the file is plain text)

Dumping the objects

- Run Object Dumper over it. Example:

  odumper -f objects_5_0.C -o objects.csv
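What "parsing all the entries in objects_5_0.C" involves, as an added Python example (this is not Object Dumper's code): a small recursive-descent parser for the Check Point .C format and a dumper that flattens the network_objects table into CSV rows. The CSV columns are this example's own rather than Object Dumper's format, and the sample database is constructed. It also makes the earlier warning concrete: one unbalanced parenthesis in a hand-edited .C file and the whole database is rejected, here as a ValueError.

```python
"""Parse objects_5_0.C and dump the network objects to CSV.

Added example, not Object Dumper's code.  Handles nested ":key (value)" sets,
anonymous ": (name ...)" members and named sets such as "(NAT :valid_ipaddr (..))".
The CSV columns are this example's own; the sample database is constructed.
"""
import csv
import io
import re
from typing import Any, Dict, List, Tuple

# quoted string | '(' | ')' | ':key' (a bare ':' introduces an anonymous member) | bare word
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\(|\)|:[A-Za-z0-9_\-]*|[^\s()":]+')


def _parse_set(tokens: List[str], i: int) -> Tuple[Dict[str, Any], int]:
    """Parse ':key (value)' entries until the ')' that closes the set."""
    result: Dict[str, Any] = {}
    while tokens[i] != ")":
        key = tokens[i]
        if not key.startswith(":") or tokens[i + 1] != "(":
            raise ValueError(f"expected ':key (' at token {i}, got {key!r}")
        value, i = _parse_value(tokens, i + 2)
        if key != ":":
            result[key[1:]] = value
        elif isinstance(value, tuple):          # ': (name ...)' -> keyed by object name
            result[value[0]] = value[1]
        else:                                   # anonymous set or scalar -> positional key
            result[str(len(result))] = value
    return result, i + 1


def _parse_value(tokens: List[str], i: int) -> Tuple[Any, int]:
    """Parse what follows '(' : a set, a named set '(Name :k (v) ...)' or a scalar."""
    if tokens[i] == ")":
        return "", i + 1
    if tokens[i].startswith(":"):
        return _parse_set(tokens, i)
    words: List[str] = []
    while tokens[i] != ")" and not tokens[i].startswith(":"):
        if tokens[i] == "(":
            raise ValueError(f"unexpected '(' at token {i}")
        words.append(tokens[i].strip('"'))
        i += 1
    if tokens[i] == ")":                        # scalar such as (10.1.1.20) or ("a b")
        return " ".join(words), i + 1
    body, i = _parse_set(tokens, i)             # named set such as (NAT :valid_ipaddr (...))
    return (words[0], body), i


def parse_objects_c(text: str) -> Dict[str, Any]:
    """Parse a whole .C database; the top level is a single set wrapped in '(' ')'."""
    tokens = _TOKEN.findall(text)
    if not tokens or tokens[0] != "(":
        raise ValueError("not a .C database: missing top-level '('")
    try:
        db, end = _parse_value(tokens, 1)
    except IndexError:                          # ran off the end: unbalanced parentheses
        raise ValueError("unbalanced parentheses in .C database") from None
    if end != len(tokens):
        raise ValueError("trailing data after the top-level set")
    return db


FIELDS = ["name", "class", "ipaddr", "netmask", "color", "comments"]


def dump_network_objects(db: Dict[str, Any]) -> List[Dict[str, str]]:
    """Flatten each network object into one spreadsheet-friendly row."""
    rows = []
    for name, obj in db.get("network_objects", {}).items():
        if isinstance(obj, dict):
            admin = obj.get("AdminInfo") or {}
            rows.append({"name": name, "class": admin.get("ClassName", ""),
                         "ipaddr": obj.get("ipaddr", ""), "netmask": obj.get("netmask", ""),
                         "color": obj.get("color", ""), "comments": obj.get("comments", "")})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed objects_5_0.C fragment (UID shortened; not from a real SmartCenter).
SAMPLE_OBJECTS_C = """(
  :network_objects (
    : (websrv
      :AdminInfo (:chkpf_uid ("{0000-1111}") :ClassName (host_plain))
      :ipaddr (10.1.1.20)
      :color (red)
      :comments ("Intranet web server")
      :NAT (NAT
        :valid_ipaddr (192.0.2.20)
      )
    )
    : (Net_10_10_1_0_24
      :AdminInfo (:ClassName (network))
      :ipaddr (10.10.1.0)
      :netmask (255.255.255.0)
    )
  )
)
"""

if __name__ == "__main__":
    print(to_csv(dump_network_objects(parse_objects_c(SAMPLE_OBJECTS_C))), end="")
```

The parsed tree keeps everything the file contains (AdminInfo, NAT settings, references), so the same parser is the starting point for deciding which fields a round trip through a CSV loses; the dumper here deliberately flattens only the handful of columns a spreadsheet user would edit.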


Viewing the results

- The results can be viewed with any spreadsheet or program able to interpret CSV files
  - Such as Microsoft Excel or Calc from StarOffice
- The file can be edited. If it is going to be imported back, keeping the format is mandatory

Comments About Object Dumper behavior

- By default it doesn't export the default predefined objects and services
  - It just exports the ones created by the user
  - Tested up to NGX R62
  - Useful to track service additions in the local environment
- You can export default objects using the -d switch
- It can export the results as an HTML file
  - Use the html switch on the command line
- It can also export rules
  - See the documentation for known limitations

Using Object Filler to import CSV files

(Such as Object Dumper's output)

Why import back?

- Migrations where you want or must import the results into a new environment
- Large numbers of modifications
  - Modifying IPs or names is supported by DBedit, and also by Object Filler
  - SmartCenter limitation (also observed by Object Filler): names and IPs cannot be changed for Check Point objects (the gateway and management objects themselves)
- Recovery from SmartCenter crashes
  - However, it is not recommended as a reliable backup/restore procedure:
    - There are settings that are not dumped by Object Dumper; not all the information is present
    - It is not supported

Running Object Filler over an Object Dumper result file

  ofiller -f objects.csv -i csv -o importing.txt

Taking a look at the results file

[Screenshot: importing.txt]

Importing the file into the SmartCenter

- Follow the same procedure you already saw
- Existing objects are not overwritten*
  - * When finishing the operation, answer NO to the questions about object updates

The results

- The newly imported objects are now created in the Objects Database
- You can see them when you log in to SmartDashboard

[Screenshots: before / after]

Tools Documentation

Documentation

- There is a document (User's Manual) included in the program's distribution file. It covers lots of details on how the programs work
  - Including tested environments and known limitations
- There are other documents describing special scenarios, such as use in Provider-1 / SiteManager-1 environments
- Questions and suggestions can be sent to the author's e-mail address
  - The public PGP key is available in the tools package

Conclusions

Tools availability

- They are publicly available on the Internet
  - http://ofiller.chatscope.com - main download site with forums, FAQs, beta versions, bug report forms and other nice resources
  - http://www.lindercentral.com/ofiller/ - always keeps the latest stable
  - http://www.cpug.org/ - always keeps the latest stable
- Tools supported natively on the following OSs: Windows (2000, XP), Red Hat Linux, SecurePlatform, Solaris
  - They don't require installation at all. Just execute them
- They are being updated constantly
  - At least 1 new version per year since 2003
  - For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported

Warnings

- Always remember that the tools are not officially supported
  - But they work
  - Just in case, get approval from the entity that has the authority to allow the use of unsupported tools in your specific environment
- Always perform a backup before doing any operation
  - You never know, and you are playing with your security configuration. So, be careful
- If possible, test in a lab environment first, whatever you are planning to do with the tools
  - An alternate machine where the whole configuration is restored is an option
  - VMware is another (very good) option

Wrap-up

- There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments
- The tools can be used in conversion scenarios: from other firewall brands to Check Point
  - Today objects and rules are supported. Better support for rules (such as NAT rules) is planned
- They give a good way to rebuild systems from scratch, without losing too much time rebuilding objects
- You can use them in several scenarios where using a GUI is not optimal
  - And with this, reduce time a lot. There are reports where the tools have saved days of type-and-click

Thank you!
Questions?