2622296 Checkpoint Object Filler and Object Dumper Presentation (1)
27 November 2006

The Object Filler and Object Dumper
Object Management Tools for Check Point SmartCenter
By Martín H. Hoz Salvador
mhoz (at) mexico (dot) com
martinhoz <at> gmail <dot> com
July 2005, Revision 20061127
Object Management Basics
- Objects and rules are created primarily through SmartDashboard (GUI)
  - Good for day-to-day administration
  - Not too easy for massive loads, like new configs
- Objects have different properties according to their type
  - Groups have members
  - Gateways have interfaces
  - Networks have netmasks
  - Hosts can be “servers” for DNS, Web or Mail
- Rules have predefined properties, the same for every type of rule
  - Desktop Security, QoS, NAT and Security rules are different types of rules
Where’s this stuff stored?
- Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows)
- Objects are primarily placed under objects_5_0.C
- Rules are stored under rulebases_5_0.C
- Both are ASCII files
However…
- The files are in text, but using a special format
  - Which is *very* sensitive
- Manual changes in these files can trigger severe problems
  - The general rule is: Don’t do it
  - Unless you really know what you are doing and you have CP Support backing you
- Especially because there is a supported way to make changes…
DBedit
- Supported by Check Point
  - Command line tool that allows changes in the overall configuration
  - Indirect changes in the objects_5_0.C and rulebases_5_0.C
  - Allows and extends what can be done from the SmartDashboard
- Present in all NG and NGX versions
  - All the operating systems supported by Check Point SmartCenters
  - Known to have better behavior since NG FP3
- As with all CLIs, there’s a special syntax that has to be used. This is usually documented through SecureKnowledge
  - skI3301, sk10104, sk22957, sk30370, sk23802
- DBedit is scriptable
  - Can take commands from a file…
DBedit invocation
- Preferably use it from the SmartCenter you’re going to operate. That is, use localhost
  - If you are using it from a different machine, then the IP address you’re using has to be declared as a valid GUI client
  - Use the credentials of a regular R/W administrator
(Screenshots: dbedit without options; dbedit with all options)
So, DBedit…
- Is really powerful, but could be a bit complex
  - The syntax is also very sensitive to spaces, colons, dots, etc.
- If you want to write a script, you have to spend some time:
  - Learning the DBedit syntax (useful then and forever)
  - Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV file
  - Or type/edit the DBedit script file by yourself
- That easily sums up to a couple of hours
  - Writing something you will use only once most of the time
Other Scenarios. What if…
- You have to do massive operations
  - You have to create 256 networks for 10.10.0.0/16 → 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on…
  - You have a list with 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  - Add NAT to a group of objects that are already created
- Or a bit more complicated: Migrating from Cisco PIX or NetScreen/Juniper to Check Point…
  - … and there’s a customer that has 300 objects plus 900 rules on it.
- In all those cases, it takes lots of time analyzing and/or typing
What is Object Filler?
- To begin with, it is an unsupported and unofficial tool
- Automates the DBedit script creation to feed SmartCenter’s dbedit
- Works mainly with Network/Service Objects
  - It works as well with firewall (security) rules
- Can take information from 3 different types of feeds
  - Command Line
    - Useful when creating consecutive objects: nets, hosts within a given range, etc.
  - Predefined file with objects information
    - CSV File (predefined format), Hosts File (UN*X, Windows), …
  - Configuration from a third-party vendor configuration file
    - Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor
Creating objects from Command Line
- ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt
Importing the results into SmartCenter
- Pass the file to the SmartCenter
  - Use FTP (ASCII file type), copy-paste, etc.
- Use DBedit with the file as the input file
  - Make sure no GUI is running with R/W permissions
The results in the database
- The objects are now created in the Objects Database
  - In less than 5 minutes
- You should be able to see them within the SmartDashboard
- You may create a new Database Revision Control entry before and/or after the objects creation, as a “backup”
(Screenshots: before / after)
Other sources for importing objects
- Comma Separated Values (CSV) files
  - Created usually with a spreadsheet (MS Excel is an option), with values fixed according to the column
  - Uses Object Filler with options -f (filename) and -i csv
  - The most powerful way to import objects
- That’s the format Object Dumper uses
Other source files supported
- List Files
  - Files with just IP addresses and netmasks
  - Object Filler creates the names and the type of object according to the IP address and netmask.
  - Uses the program with options -f and -i list
- Hosts
  - A regular Hosts file. The ones found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows
  - Uses the program with options -f and -i hosts
Importing from Other Brands
- Object Filler supports importing Network Objects from configurations of other brands
- Object Filler parses the configuration file, and when it detects a valid IP address and netmask, builds an object according to such data.
- Rules support is here as well
  - Importing ACL Rules from Cisco PIX and Cisco Routers
Importing from Other Brands
- Currently (as of Object Filler 2.4) supported:
  - Cisco PIX and Cisco Routers
    - Network Objects, Groups, NAT, Services and Rules
  - NetScreen/Juniper
    - Network Objects, Static NAT
  - Gauntlet
    - Network Objects
  - SideWinder
    - Network Objects, Groups, Services
  - Raptor
    - Network Objects
What is Object Dumper?
- Also an unofficial and unsupported tool
  - Kind of does the opposite of Object Filler: dumps the objects and rules of the SmartCenter to a text format
  - Going from there, you can do modifications in the exported objects/rules, move them, merge them, …
  - It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  - You must keep the format if you plan to import them back to the same or another SmartCenter Server
- Works with the regular objects_5_0.C, or with the one found in the Gateway.
  - Supports objects recovery from SmartCenter crash scenarios
- Works with the regular rulebases_5_0.fws
  - Today only security rules are supported. No NAT nor QoS rules
How does it work?
- It works by parsing all the entries in the objects_5_0.C file, and writing them to a defined file
  - The format of such file is CSV (Comma Separated Values)
  - The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration
- Step 1: Transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper
  - Preferably use FTP with ASCII file type
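To make the parsing step concrete, here is an added example (not Object Dumper's own code, and not a file taken from a SmartCenter) that reads a small objects_5_0.C-style text, walks its nested ":key (value)" groups and writes the user-created host and network entries out as CSV. The sample input is constructed and only approximates the real layout; the CSV column set (type,name,ipaddr,netmask,color) is a hypothetical one chosen for this example, not Object Dumper's format. The parser keeps gateways and other object types in the tree but leaves them out of the CSV, which is one simple way of "exporting only some objects".

```python
import csv
import io

# Constructed sample in the style of objects_5_0.C (an approximation of the real layout):
# ":key (value)" pairs, nested parentheses, and anonymous ": (name ...)" entries for the
# members of a table such as network_objects.
SAMPLE_OBJECTS_C = """(
    :anyobj ()
    :network_objects (
        : (web01
            :AdminInfo (
                :chkpf_uid ("{00000000-0000-0000-0000-000000000001}")
                :ClassName (host_plain)
            )
            :type (host)
            :ipaddr (10.10.1.10)
            :color (green)
        )
        : (lan_10.10.1.0
            :AdminInfo (
                :ClassName (network)
            )
            :type (network)
            :ipaddr (10.10.1.0)
            :netmask (255.255.255.0)
            :color (blue)
        )
        : (fw-gw
            :type (gateway)
            :ipaddr (192.0.2.1)
            :interfaces (
                : (
                    :officialname (eth0)
                    :ipaddr (192.0.2.1)
                    :netmask (255.255.255.0)
                )
            )
        )
    )
)
"""


def tokenize(text):
    """Split the C-file text into (kind, value) tokens: "(", ")", "key" (a ":name") or "atom"."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "()":
            tokens.append((c, None))
            i += 1
        elif c == '"':                      # quoted value, may contain spaces or parentheses
            j = text.index('"', i + 1)
            tokens.append(("atom", text[i + 1:j]))
            i = j + 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() and text[j] not in "()":
                j += 1
            word = text[i:j]
            tokens.append(("key", word[1:]) if word.startswith(":") else ("atom", word))
            i = j
    return tokens


def parse_node(tokens, pos):
    """Parse one "( ... )" group at tokens[pos]; return (value, next_pos).

    A group becomes a dict with "_name" (optional leading atom), "_members" (the anonymous
    ": (...)" entries) and one key per ":key (...)" attribute. A group holding nothing but a
    leading atom, e.g. "(10.10.1.10)", collapses to that string; an empty "()" becomes None.
    """
    if tokens[pos][0] != "(":
        raise ValueError(f"expected '(' at token {pos}, got {tokens[pos]}")
    pos += 1
    node = {"_name": None, "_members": []}
    if pos < len(tokens) and tokens[pos][0] == "atom":
        node["_name"] = tokens[pos][1]
        pos += 1
    while True:
        if pos >= len(tokens):
            raise ValueError("unterminated group: missing ')'")
        kind, key = tokens[pos]
        if kind == ")":
            break
        if kind != "key":
            raise ValueError(f"unexpected {kind} token at {pos}")
        value, pos = parse_node(tokens, pos + 1)
        if key == "":                       # ": (...)" entry: a member of the enclosing table
            node["_members"].append(value)
        else:
            node[key] = value
    pos += 1                                # consume ")"
    if len(node) == 2 and not node["_members"]:
        return node["_name"], pos
    return node, pos


def parse_objects_c(text):
    """Parse a whole objects_5_0.C-style text into a nested dict."""
    tokens = tokenize(text)
    tree, pos = parse_node(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing data after the top-level group")
    return tree


def user_network_objects(tree):
    """Flatten the host and network entries of network_objects into CSV-ready rows.

    Gateways and other types are skipped here; Object Dumper's own selection rules
    and column layout are not reproduced, this only shows the general idea.
    """
    rows = []
    for obj in tree["network_objects"]["_members"]:
        if not isinstance(obj, dict) or obj.get("type") not in ("host", "network"):
            continue
        rows.append({"type": obj["type"], "name": obj["_name"], "ipaddr": obj.get("ipaddr", ""),
                     "netmask": obj.get("netmask", ""), "color": obj.get("color", "")})
    return rows


def rows_to_csv(rows):
    """Render the rows as CSV text with a header line (hypothetical column layout)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["type", "name", "ipaddr", "netmask", "color"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(user_network_objects(parse_objects_c(SAMPLE_OBJECTS_C))), end="")
```

The tokenizer treats a quoted value as a single atom, so UIDs or comments containing spaces or parentheses do not break the nesting; that matters because the real file has exactly such values. Everything the parser does not recognise is rejected with the token position, which is preferable to silently producing a half-parsed export that you later feed back into a SmartCenter.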
Viewing the results
- The results can be viewed by any spreadsheet or program able to interpret CSV files
  - Such as Microsoft Excel or Calc from StarOffice
- Can be edited. If it is going to be imported back, keeping the format is mandatory
Comments About Object Dumper behavior
- By default it doesn’t export the “default” predefined objects and services.
  - Just exports the ones created by the user
  - Tested up to NGX R62
  - Useful to track service additions in the local environment
- You can export default objects using the -d switch
- It can export the results as an HTML file
  - Use the -html switch in the Command Line
- Can as well export rules
  - See documentation for known limitations
Why import back?
- Migrations where you want or must import the results within a new environment
- Large number of modifications
  - Modifying IPs or names is supported by DBedit, and also supported by Object Filler
  - SmartCenter limitation (also observed by Object Filler): Names and IPs cannot be changed for Check Point objects
- Recovery from SmartCenter crashes…
  - However, it is not recommended to use it as a “reliable” backup/restore procedure
    - There are settings that are not dumped by Object Dumper
    - Not all the information is present
    - It is not supported
Running Object Filler over an Object Dumper’s result file
- ofiller -f objects.csv -i csv -o importing.txt
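The two Object Filler inputs shown so far, a consecutive range from the command line (ofiller -t net -s ... -d ... -m ...) and a CSV file (ofiller -f objects.csv -i csv), both end in the same thing: a dbedit script. The following is an added example, written for this page rather than taken from Object Filler, that does both. It reads a constructed CSV in the same hypothetical column layout as the dumper example above (not Object Filler's real CSV format), enumerates a network range the way the 256-networks scenario needs, validates every address, netmask and object name before anything is emitted, and prints dbedit commands. The create/modify/update command syntax follows Check Point's dbedit documentation (the SecureKnowledge articles listed earlier); the net_<address> naming scheme and the trailing savedb/quit are this example's choices, so check them against the dbedit version on your SmartCenter before feeding the output in.

```python
import csv
import io
import ipaddress
import re

# Constructed input in the hypothetical type,name,ipaddr,netmask,color layout used by the
# dumper example on this page; it is not Object Dumper's real CSV format.
SAMPLE_CSV = """type,name,ipaddr,netmask,color
host,web01,10.10.1.10,,green
network,lan_10.10.1.0,10.10.1.0,255.255.255.0,blue
"""

# Object names appear unquoted in dbedit commands, so stay with a conservative character set
# (an assumption of this example, stricter than what SmartCenter itself may accept).
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def networks_in_range(start, end, prefixlen, color="green"):
    """Enumerate consecutive /prefixlen networks from start to end (inclusive), i.e. the
    ofiller "-t net -s START -d END -m PREFIX" case; names use a constructed net_<addr> scheme."""
    first = ipaddress.ip_network(f"{start}/{prefixlen}", strict=False)
    last = ipaddress.ip_network(f"{end}/{prefixlen}", strict=False)
    if last.network_address < first.network_address:
        raise ValueError("end address precedes start address")
    rows, addr = [], first.network_address
    while addr <= last.network_address:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}")
        rows.append({"type": "network", "name": f"net_{addr}", "ipaddr": str(addr),
                     "netmask": str(net.netmask), "color": color})
        addr += first.num_addresses          # jump to the next aligned network
    return rows


def objects_from_csv(text):
    """Read host/network rows, rejecting anything that would produce a broken dbedit command."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        kind = row["type"].strip().lower()
        name = row["name"].strip()
        ipaddr = row["ipaddr"].strip()
        netmask = row["netmask"].strip()
        if kind not in ("host", "network"):
            raise ValueError(f"line {line_no}: unsupported object type {row['type']!r}")
        if not NAME_RE.match(name):
            raise ValueError(f"line {line_no}: object name {name!r} is not safe for dbedit")
        ipaddress.ip_address(ipaddr)                     # malformed address -> ValueError
        if kind == "network":                            # address/netmask must form a valid network
            ipaddress.ip_network(f"{ipaddr}/{netmask}")  # (host bits set -> ValueError)
        rows.append({"type": kind, "name": name, "ipaddr": ipaddr,
                     "netmask": netmask, "color": row["color"].strip()})
    return rows


def to_dbedit(rows):
    """Emit a dbedit script: create each object, set its attributes, then update it.
    Syntax per Check Point's dbedit documentation; verify against your SmartCenter version."""
    lines = []
    for r in rows:
        table_class = "host_plain" if r["type"] == "host" else "network"
        lines.append(f"create {table_class} {r['name']}")
        lines.append(f"modify network_objects {r['name']} ipaddr {r['ipaddr']}")
        if r["type"] == "network":
            lines.append(f"modify network_objects {r['name']} netmask {r['netmask']}")
        if r["color"]:
            lines.append(f"modify network_objects {r['name']} color {r['color']}")
        lines.append(f"update network_objects {r['name']}")
    lines += ["savedb", "quit"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Round trip of the dumper-style CSV, then the 256-network range from the "Other Scenarios" slide
    print(to_dbedit(objects_from_csv(SAMPLE_CSV)), end="")
    print(f"# {len(networks_in_range('10.10.0.0', '10.10.255.0', 24))} networks in 10.10.0.0/16")
```

Validating up front is the point of the script: dbedit is "very sensitive" to its syntax, and a single row with a space in the name or a network address with host bits set is far easier to catch here than half-way through a run against the live database. The script changes nothing by itself; you still transfer the output file to the SmartCenter and run dbedit with it as the input file, with no R/W GUI session open, exactly as the import slides describe.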
Importing the file into the SmartCenter
- Follow the same procedure you already saw
- Existing objects are not overwritten*
  - *When finishing the operations, answer NO to the questions about object updates
The results…
- The new imported objects are now created in the Objects Database
- You can see them when you log in to the SmartDashboard
(Screenshots: before / after)
Documentation
- There’s a document (User’s Manual) included in the program’s distribution file.
  - Covers lots of details on how the programs work.
  - Including tested environments and known limitations
- There are other documents describing special scenarios, such as utilization on Provider-1 / SiteManager-1 environments.
- Questions and suggestions can be sent to the Author’s email address
  - Public PGP Key is available in the tools’ package.
Tools availability
- They are publicly available on the Internet
  - http://ofiller.chatscope.com - main download site with forums, FAQs, Beta versions, bug report forms and other nice resources.
  - http://www.lindercentral.com/ofiller/ - Always keeps the latest “stable”
  - http://www.cpug.org/ - Always keeps the latest “stable”
- Tools supported natively in the following OSs:
  - Windows (2000, XP); Red Hat Linux; SecurePlatform, Solaris
  - They don’t require installation at all. Just execute them.
- They are being updated constantly
  - At least 1 new version per year since 2003.
  - For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported.
Warnings
- Always remember that the tools are not supported officially.
  - But they work…
  - Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment
- Always perform a backup before doing any operation
  - You never know… and you are playing with your security configuration. So, be careful…
  - If possible, test in a lab environment first, whatever you are planning to do with the tools
    - An alternate machine where the whole configuration is restored is an option
    - VMware is another (very good) option.
Wrap-up
- There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments
- The tools can be used in conversion scenarios: from other firewall brands to Check Point.
  - Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
- They give a good way to “rebuild” systems from scratch, without losing too much time on rebuilding objects
- You can use them in several scenarios where using a GUI can’t be optimal
  - And with this, reduce times a lot.
  - There are reports where the tools have saved days of type-and-click