The Object Filler and Object Dumper
Object Management Tools for Check Point SmartCenter

By Martín H. Hoz Salvador
mhoz (at) mexico (dot) com
martinhoz <at> gmail <dot> com

July 2005, Revision 20061127 (27 November 2006)


Agenda

- Objects Management basics
- DBedit
- Object Filler
- Object Dumper
- Conclusions

Check Point Object Management basics

Object Management Basics

- Objects and rules are created primarily through SmartDashboard (GUI)
  - Good for day-to-day administration
  - Not too easy for massive loads, like new configs
- Objects have different properties according to their type
  - Groups have members
  - Gateways have interfaces
  - Networks have netmasks
  - Hosts can be "servers" for DNS, Web or Mail
- Rules have predefined properties, the same for every type of rule
  - Desktop Security, QoS, NAT and Security rules are different types of rules

Where's this stuff stored?

- Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows)
- Objects are primarily placed under objects_5_0.C
- Rules are stored under rulebases_5_0.C
- Both are ASCII files

However...

- The files are in text, but using a special format
  - Which is *very* sensitive
- Manual changes in these files can trigger severe problems
  - The general rule is: Don't do it
  - Unless you really know what you are doing and you have CP Support backing you
- Especially because there is a supported way to make changes...

DBedit

DBedit

- Supported by Check Point: a command line tool that allows changes in the overall configuration
  - Indirect changes in the objects_5_0.C and rulebases_5_0.C
  - Allows and extends what can be done from the SmartDashboard
- Present in all NG and NGX versions
  - All the operating systems supported by Check Point SmartCenters
  - Known to have better behavior since NG FP3
- As with all CLIs, there's a special syntax that has to be used. This is usually documented through SecureKnowledge
  - skI3301, sk10104, sk22957, sk30370, sk23802
- DBedit is scriptable
  - Can take commands from a file...

DBedit invocation

- Preferably use it from the SmartCenter you're going to operate. That is, use localhost
  - If you are using it from a different machine, then the IP address you're using has to be declared as a valid GUI client
  - Use the credentials of a regular R/W administrator
- dbedit without options
- dbedit with all options

Doing a basic operation

- Creating a basic host
- Changing color and adding NAT...

So, DBedit...

- Is really powerful, but could be a bit complex
  - The syntax is also very sensitive to spaces, colons, dots, etc.
- If you want to write a script, you have to spend some time:
  - Learning the DBedit syntax (useful then and forever)
  - Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV file
  - Or type/edit the DBedit script file by yourself
- That easily adds up to a couple of hours
  - Writing something you will use only once, most of the time

Other Scenarios. What if...

- You have to do massive operations
  - You have to create 256 networks for 10.10.0.0/16: 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on...
  - You have a list with 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  - Add NAT to a group of objects that are already created
- Or a bit more complicated: migrating from Cisco PIX or NetScreen/Juniper to Check Point...
  - ... and there's a customer that has 300 objects plus 900 rules on it.
- In all those cases, it takes lots of time analyzing and/or typing

Object Filler

What is Object Filler?

- To begin with, it is an unsupported and unofficial tool
- Automates the DBedit script creation to feed SmartCenter's dbedit
- Works mainly with Network/Service Objects
  - It works as well with firewall (security) rules
- Can take information from 3 different types of feeds
  - Command Line
    - Useful when creating consecutive objects: nets, hosts within a given range, etc.
  - Predefined file with objects information
    - CSV File (predefined format), Hosts File (UN*X, Windows), ...
  - Configuration from a third-party vendor configuration file
    - Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor

Creating objects from Command Line

- ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt
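The command above produces a DBedit script for 256 consecutive networks. As an added example (not Object Filler's own code, nor the format of its output file), the Python script below does what such a generator does behind the scenes, for the two feeds the slides describe: the command-line range shown here and the "list of 400 hosts" case from the Other Scenarios slide. The dbedit create/modify/update command syntax is the one the cited SecureKnowledge articles document; the CSV columns (name,ip,color), the sample host list and the net_ naming scheme are assumptions of this example.

```python
"""Generate a DBedit command file for Check Point SmartCenter.

Added example, not Object Filler's own code.  It reproduces the two feeds the
slides describe (consecutive networks from a range, host objects from a CSV
list) and emits dbedit's create/modify/update syntax.  The CSV layout
(name,ip,color) and the object naming scheme are assumptions of this example,
not Object Filler's CSV format.
"""
import csv
import io
import ipaddress
import string

ALLOWED_NAME_CHARS = set(string.ascii_letters + string.digits + "_-.")


def network_commands(start, end, prefixlen, color="green"):
    """dbedit lines for every /<prefixlen> network from start to end inclusive.

    Equivalent of: ofiller -t net -s <start> -d <end> -m <prefixlen> -c <color>
    A start address that is not aligned to the mask raises ValueError.
    """
    lines = []
    addr = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    step = 2 ** (32 - prefixlen)
    while addr <= last:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=True)
        name = f"net_{net.network_address}_{prefixlen}"  # assumed naming scheme
        lines += [
            f"create network {name}",
            f"modify network_objects {name} ipaddr {net.network_address}",
            f"modify network_objects {name} netmask {net.netmask}",
            f"modify network_objects {name} color {color}",
            f"update network_objects {name}",
        ]
        if int(addr) + step > 0xFFFFFFFF:   # end of the IPv4 space
            break
        addr += step
    return lines


def host_commands(csv_text):
    """dbedit lines for host objects from CSV columns name,ip[,color].

    Validates names and addresses up front: dbedit processes the file
    sequentially, so one bad line would leave a half-applied import.
    """
    lines, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        if not name or not set(name) <= ALLOWED_NAME_CHARS:
            raise ValueError(f"invalid object name: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate object name: {name}")
        seen.add(name)
        ip = ipaddress.ip_address(row["ip"].strip())  # raises on a bad address
        color = (row.get("color") or "black").strip()
        lines += [
            f"create host_plain {name}",
            f"modify network_objects {name} ipaddr {ip}",
            f"modify network_objects {name} color {color}",
            f"update network_objects {name}",
        ]
    return lines


def dbedit_script(lines):
    """Whole command file, terminated with quit, ready for dbedit -f <file>."""
    return "\n".join(lines + ["quit"]) + "\n"


# Constructed sample list (the "400 hosts with employee names" case, shortened)
SAMPLE_HOSTS_CSV = """name,ip,color
jdoe_pc,10.10.1.10,blue
jsmith_pc,10.10.1.11,blue
print_srv,10.10.2.5,red
"""

if __name__ == "__main__":
    # The slides' scenario: the 256 /24 networks inside 10.10.0.0/16
    nets = network_commands("10.10.0.0", "10.10.255.0", 24)
    hosts = host_commands(SAMPLE_HOSTS_CSV)
    with open("networks.txt", "w") as fh:
        fh.write(dbedit_script(nets + hosts))
    print(f"{len(nets) // 5} networks and {len(hosts) // 4} hosts -> networks.txt")
```

All validation happens before a single line is written, because dbedit works through the file in order and a rejected command in the middle leaves a partially applied import; the output is then fed to dbedit on the SmartCenter with the file as input, with no SmartDashboard holding read/write access and a Database Revision Control entry taken first, as the following slides recommend.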

The resulting text file contents

Importing the results into SmartCenter

- Pass the file to the SmartCenter
  - Use FTP (ASCII file type), copy-paste, etc.
- Use DBedit with the file as the input file
  - Make sure no GUI is running with R/W permissions

The results in the database

- The objects are now created in the Objects Database
  - In less than 5 minutes
- You should be able to see them within the SmartDashboard
- You may create a new Database Revision Control entry before and/or after the objects creation, as a "backup"

(screenshots: before / after)

Other sources for importing objects

- Comma Separated Values (CSV) files
  - Usually created with a spreadsheet (MS Excel is an option), with values fixed according to the column
  - Uses Object Filler with options -f (filename) and -i csv
  - The most powerful way to import objects
  - That's the format Object Dumper uses

Sample CSV File

Other source files supported

- List Files
  - Files with just IP addresses and netmasks
  - Object Filler creates the names and the type of object according to the IP address and netmask.
  - Uses the program with options -f and -i list
- Hosts
  - A regular Hosts file. The ones found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows
  - Uses the program with options -f and -i hosts

Importing from Other Brands

- Object Filler supports importing Network Objects from configurations of other brands
- Object Filler parses the configuration file, and when it detects a valid IP address and netmask, builds an object according to such data.
- Rules support is here as well
  - Importing ACL Rules from Cisco PIX and Cisco Routers
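The approach just described, scanning a third-party configuration for address/netmask data and building one object per distinct address, is shown below as an added example. It is not Object Filler's parser; the PIX 6.x-style configuration is constructed for the example, and the Host_/Net_ naming scheme and the host-versus-network classification by netmask are this example's assumptions.

```python
"""Build Check Point network objects from a Cisco PIX configuration.

Added example, not Object Filler's own parser.  It follows the approach the
slides describe: scan the configuration for address/netmask data and build one
object per distinct address.  The constructed PIX 6.x-style config, the
Host_/Net_ naming scheme and the host-vs-network classification are this
example's assumptions.
"""
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PAIR_RE = re.compile(rf"\b{IP}\s+{IP}\b")      # "address netmask" anywhere in a line
HOST_RE = re.compile(rf"\bhost\s+{IP}\b")      # "host address" in ACLs and object-groups
STATIC_RE = re.compile(rf"^\s*static\s+\([^)]*\)\s+{IP}\s+{IP}\s+netmask\s+{IP}")

ANY_ADDR = "0.0.0.0"
HOST_MASK = "255.255.255.255"


def is_netmask(addr):
    """True for a contiguous netmask (255.255.255.0), False for an IP (10.1.2.10)."""
    inv = (~int(ipaddress.ip_address(addr))) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def extract_objects(config_text):
    """Return {name: (kind, address, netmask)} for each distinct address found."""
    objects = {}

    def add(ip, mask):
        ip, mask = ipaddress.ip_address(ip), ipaddress.ip_address(mask)
        if ip == ipaddress.ip_address(ANY_ADDR) or not is_netmask(mask):
            return                  # "any" in routes/ACLs, or a second IP rather than a mask
        if mask == ipaddress.ip_address(HOST_MASK):
            name, kind = f"Host_{ip}", "host"
        else:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            ip, kind = net.network_address, "network"
            name = f"Net_{net.network_address}_{net.prefixlen}"
        objects.setdefault(name, (kind, str(ip), str(mask)))  # first occurrence wins

    for line in config_text.splitlines():
        if line.lstrip().startswith(":"):   # PIX comment lines
            continue
        m = STATIC_RE.match(line)
        if m:                                # static (in,out) GLOBAL LOCAL netmask MASK
            add(m.group(1), m.group(3))
            add(m.group(2), m.group(3))
            continue
        for ip, mask in PAIR_RE.findall(line):
            add(ip, mask)
        for ip in HOST_RE.findall(line):
            add(ip, HOST_MASK)
    return objects


# Constructed PIX 6.x-style configuration fragment (not a real device's config)
PIX_CONFIG = """\
: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
object-group network DMZ_SERVERS
  network-object host 10.1.2.10
  network-object 10.1.3.0 255.255.255.0
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_in permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 192.0.2.20-192.0.2.30
static (inside,outside) 192.0.2.10 10.1.2.10 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

if __name__ == "__main__":
    for name, (kind, ip, mask) in sorted(extract_objects(PIX_CONFIG).items()):
        print(f"{kind:8} {name:22} {ip:16} {mask}")
```

Two details matter for a migration preview of this kind: a second IP address on a line (the local address of a static, the next hop of a route) must not be mistaken for a netmask, which is what the contiguous-mask check enforces, and an interface address with a non-/32 mask is recorded as its network, so the gateway's own address is not turned into a host object.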

Importing from Other Brands

- Currently (as of Object Filler 2.4) supported:
  - Cisco PIX and Cisco Routers
    - Network Objects, Groups, NAT, Services and Rules
  - NetScreen/Juniper
    - Network Objects, Static NAT
  - Gauntlet
    - Network Objects
  - SideWinder
    - Network Objects, Groups, Services
  - Raptor
    - Network Objects

Converting from Cisco PIX to Check Point: Example

Source PIX configuration (part of it)

Translating just Network Objects (Preview mode)

Translating Rules (Preview mode)

Translating Network Objects and rules (DBedit commands)

Object Dumper

What is Object Dumper?

- Also an unofficial and unsupported tool
- Kind of does the opposite of Object Filler: dumps the objects and rules of the SmartCenter to a text format
  - Going from there, you can do modifications in the exported objects/rules, move them, merge them, ...
  - It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  - You must keep the format if you plan to import them back to the same or another SmartCenter Server
- Works with the regular objects_5_0.C, or with the one found in the Gateway.
  - Supports objects recovery from SmartCenter crash scenarios
- Works with the regular rulebases_5_0.fws
  - Today only security rules are supported. No NAT nor QoS rules

How does it work?

- It works by parsing all the entries in the objects_5_0.C file, and writing them to a defined file
  - The format of such file is CSV (Comma Separated Values)
  - The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration
- Step 1: Transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper
  - Preferably use FTP with ASCII file type

Dumping the objects

- Run Object Dumper over it. Example:
  odumper -f objects_5_0.C -o objects.csv
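To make the two preceding slides concrete, here is an added example (not Object Dumper's code) of the same job: parse the parenthesised ":key (value)" structure of an objects_5_0.C file and write one CSV row per user-created object, skipping predefined objects unless asked for them, as the later slide says Object Dumper does with its -d switch. The sample file is constructed for the example (including its AdminInfo block and uid value), DEFAULT_NAMES is a stand-in for the tool's real list of predefined objects, and the CSV columns are this example's choice, not Object Dumper's format.

```python
"""Dump objects_5_0.C entries to CSV, the way the slides describe Object Dumper.

Added example, not Object Dumper's own code.  It parses the parenthesised
":key (value)" structure that objects_5_0.C uses and writes one CSV row per
user-created object.  The sample file below is constructed for this example,
and DEFAULT_NAMES is a stand-in for the tool's built-in list of predefined
objects that are skipped unless -d is given.
"""
import csv
import io
import re
import sys

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|:[A-Za-z0-9_]*|[^\s()"]+')


def _parse_block(tokens, i):
    """Parse tokens[i] == "(" ... ")" into a dict, or a string for a leaf value."""
    if i >= len(tokens) or tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}")
    i += 1
    fields, atoms = {}, []
    while True:
        if i >= len(tokens):
            raise ValueError("unbalanced parentheses")
        tok = tokens[i]
        if tok == ")":
            break
        if tok.startswith(":"):             # ":key value" or ":key (...)"
            key, i = tok[1:], i + 1
            if i < len(tokens) and tokens[i] == "(":
                value, i = _parse_block(tokens, i)
            else:
                value, i = tokens[i].strip('"'), i + 1
            if key == "":                   # anonymous ": (name ...)" table entry
                if not isinstance(value, dict) or "__name__" not in value:
                    raise ValueError("anonymous entry without a name")
                key = value.pop("__name__")
            fields[key] = value
        else:
            atoms.append(tok.strip('"'))
            i += 1
    i += 1                                  # consume ")"
    if not fields:
        return " ".join(atoms), i           # leaf: (10.1.1.0) or ("some text")
    if atoms:
        fields["__name__"] = atoms[0]       # the name inside ": (name ...)"
    return fields, i


def parse_objects_c(text):
    """Return the whole file as nested dicts keyed by table and object name."""
    tree, _ = _parse_block(TOKEN_RE.findall(text), 0)
    return tree


DEFAULT_NAMES = {"http", "https", "Any"}   # constructed stand-in for the predefined list
COLUMNS = ("table", "name", "type", "ipaddr", "netmask", "port", "color")


def dump_objects(tree, include_defaults=False):
    """One row per object in network_objects/services, skipping predefined ones."""
    rows = []
    for table in ("network_objects", "services"):
        for name, obj in tree.get(table, {}).items():
            if not include_defaults and name in DEFAULT_NAMES:
                continue
            rows.append((table, name) + tuple(obj.get(c, "") for c in COLUMNS[2:]))
    return rows


def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return out.getvalue()


# Constructed objects_5_0.C fragment (layout only; uid and objects are made up)
SAMPLE_OBJECTS_C = """\
(
    :network_objects (
        : (web_srv
            :AdminInfo (
                :chkpf_uid ("{CONSTRUCTED-UID-1}")
                :ClassName (host_plain)
            )
            :type (host)
            :ipaddr (192.0.2.10)
            :color (red)
            :comments ("Public web server")
        )
        : (lan_net
            :type (network)
            :ipaddr (10.1.1.0)
            :netmask (255.255.255.0)
            :color (green)
        )
    )
    :services (
        : (http
            :type (tcp)
            :port (80)
        )
        : (tcp_8443
            :type (tcp)
            :port (8443)
            :color (blue)
        )
    )
)
"""

if __name__ == "__main__":
    # usage: python dump.py [objects_5_0.C] [-d]   (without a path, uses the sample)
    args = [a for a in sys.argv[1:] if a != "-d"]
    text = open(args[0]).read() if args else SAMPLE_OBJECTS_C
    print(to_csv(dump_objects(parse_objects_c(text), "-d" in sys.argv)), end="")
```

The parser refuses unbalanced input instead of silently returning a partial tree, which is the failure mode to watch for when the file came from a crashed SmartCenter, the recovery scenario the slides mention.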

Viewing the results

- The results can be viewed by any spreadsheet or program able to interpret CSV files
  - Such as Microsoft Excel or Calc from StarOffice
- Can be edited. If it is going to be imported back, keeping the format is mandatory

Comments About Object Dumper behavior

- By default it doesn't export the "default" predefined objects and services.
  - Just exports the ones created by the user
  - Tested up to NGX R62
  - Useful to track service additions in the local environment
  - You can export default objects using the -d switch
- It can export the results as an HTML file
  - Use the -html switch in the Command Line
- Can as well export rules
  - See documentation for known limitations

Using Object Filler to import CSV files (such as Object Dumper's output)

Why import back?

- Migrations where you want or must import the results within a new environment
- Large number of modifications
  - Modifying IPs or names is supported by DBedit, and also supported by Object Filler
  - SmartCenter limitation (also observed by Object Filler): names and IPs cannot be changed for Check Point objects
- Recovery from SmartCenter crashes...
  - However, it is not recommended to use it as a "reliable" backup/restore procedure
    - There are settings that are not dumped by Object Dumper
    - Not all the information is present
    - It is not supported

Running Object Filler over an Object Dumper's result file

- ofiller -f objects.csv -i csv -o importing.txt

Taking a look at the results file

Importing the file into the SmartCenter

- Follow the same procedure you already saw
- Existing objects are not overwritten*
  - When finishing the operations, answer NO to the questions about object updates

The results...

- The new imported objects are now created in the Objects Database
- You can see them when you log in to the SmartDashboard

(screenshots: before / after)

Tools Documentation

- There's a document (User's Manual) included in the program's distribution file.
- Covers lots of details on how the programs work.
  - Including tested environments and known limitations
- There are other documents describing special scenarios, such as utilization in Provider-1 / SiteManager-1 environments.
- Questions and suggestions can be sent to the author's email address
  - Public PGP Key is available in the tools' package.

Conclusions

Tools availability

- They are publicly available on the Internet
  - http://ofiller.chatscope.com - main download site with forums, FAQs, beta versions, bug report forms and other nice resources.
  - http://www.lindercentral.com/ofiller/ - always keeps the latest "stable"
  - http://www.cpug.org/ - always keeps the latest "stable"
- Tools supported natively in the following OSs:
  - Windows (2000, XP); Red Hat Linux; SecurePlatform, Solaris
  - They don't require installation at all. Just execute them.
- They are being updated constantly
  - At least 1 new version per year since 2003.
  - For each new version, more recent Check Point versions are tested and supported, new functionality is added and newer object types are supported.

Warnings

- Always remember that the tools are not supported officially.
  - But they work...
  - Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment
- Always perform a backup before doing any operation
  - You never know... and you are playing with your security configuration. So, be careful...
- If possible, test in a lab environment first, whatever you are planning to do with the tools
  - An alternate machine where the whole configuration is restored is an option
  - VMware is another (very good) option.

Wrap-up

- There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments
- The tools can be used in conversion scenarios: from other firewall brands to Check Point.
  - Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
- They give a good way to "rebuild" systems from scratch, without losing too much time on rebuilding objects
- You can use them in several scenarios where using a GUI can't be optimal
  - And with this, reduce times a lot.
  - There are reports where the tools have saved days of type-and-click

Thank you!

Questions?