CPUG: The Check Point User Group


Thread: Provider-1: Renaming Global Objects

  #1 Provider-1: Renaming Global Objects

    Hi,

    I just found these instructions on enabling the renaming of global objects:
    Renaming Global Objects in Provider-1 fireverse.org

    I just tried this, but when assigning the global policy to the CMA I get a bunch of errors: "the object <oldname> cannot be deleted because it is referenced by rule xyz"

    I was excited to read this tip because I thought we could rename global objects without removing/reinserting them into the rules.
    Is this not possible? If we can only rename UNUSED global objects then it's not nearly as helpful as I had hoped.

    regards,
    Ethan

  #2 Re: Provider-1: Renaming Global Objects

    The inability to rename Global Objects is a thorn in my side every day. Such as when one of my junior admins creates a global object that doesn't conform to the standard, or the heartache of having to live with hundreds of global objects that were created by the previous team over 5 years ago...

    Given an object is internally represented by a long Windows Registry-looking number (yes, I know development is done on Windows, hence the Registry number), and an object's name is just a human-readable piece of metadata, I don't understand why this limitation still exists in CheckPoint Provider-1/Multi-Domain Manager.

    I personally chose to create the same object multiple times, once in each CMA, just to avoid this limitation; but I have only a few CMAs. I'm sure this pain is felt much more by those who have dozens of CMAs.

  #3 Re: Provider-1: Renaming Global Objects

    Exactly, the object UID doesn't have to change, which means the CMA probably wouldn't even need to ever see the human-readable name. It's just a "translation" of the UID for viewing in the "Smart"Dashboard GUI, nothing more. Or at least that's how it could be done technically.

    I have to admit, I'm a Checkpoint beginner, but I'm already surprised what simple little stupid things which make admin'ing a real pain are still in such a widely-used enterprise-class product. Imagine Cisco requiring you to export a config somewhere, change it, and re-upload it to the router any time you want to change anything. That's about as much sense as this makes.

  #4 Re: Provider-1: Renaming Global Objects

    After looking more closely at how fw1 stores its data, I have to correct my previous statement. For some reason I don't understand, apparently objects are not represented by registry-like keys but as plaintext. When I "grep -r" a global object name in all the objects_5_0.C files on the MDA (going through several CMAs) I see it defined in plaintext in each CMA's config file. So the bad news is, there is no central place where the name can be changed without having to physically touch the CMA internal config.

    The good news is, maybe a simple global recursive search-and-replace (using sed?) will do what we want. I'll experiment some more...

  #5 Re: Provider-1: Renaming Global Objects

    Has anyone ever tried using the CLI tool DBEDIT (which can rename objects) on the MDA to rename global objects in the global policy, AND in all the CMA policies which use those global objects, simultaneously? Seems to me it shouldn't be too hard to write a little script (shell or perl) to do that? It would make spring cleaning in a multi-domain environment much easier...

    EDIT: here is my first attempt.
    2 problems so far:
    a) the automatic localhost authentication doesn't work (although I'm logged in as admin on the MDA and the MDA is in the GUI access list) so I have to enter username+password every time
    b) the command "mdsenv" is actually an environment variable function and doesn't work from within the script ("command not found").
    Any ideas anyone?


    Code:
    #!/bin/sh
    
    if [ $# -ne 2 ] ; then
      echo "syntax: $0 <old_object_name> <new_object_name>"
      exit 1
    fi
    
    oldname=$1
    newname=$2
    
    # dbedit script with the single rename command, reused for every CMA and for the global policy
    echo "rename network_objects $oldname $newname" > cross-cma-rename.scr
    
    echo "Searching for policies containing $oldname..."
    
    for cma in goofy hulk batman wonderwoman ; do
    
      echo "Scanning $cma..."
      # grep -c prints the number of matching lines ("count = ..." with spaces is not
      # a shell assignment, and the raw grep output is not a number)
      count=$(grep -c "$oldname" "/opt/CPmds-R71/customers/$cma/CPsuite-R71/fw1/conf/objects_5_0.C")
      # -gt compares numerically; "[ $count > 0 ]" would redirect output to a file named 0
      if [ "$count" -gt 0 ]
      then
        echo "Found $count occurrences of $oldname in $cma! Renaming..."
        # mdsenv is a shell function from the MDS login environment, so it has to be
        # defined in the shell that runs this script (see problem b) above)
        mdsenv $cma
        dbedit -s localhost -f cross-cma-rename.scr
      fi
    done
    
    echo "Renaming object in global policy..."
    mdsenv
    dbedit -s localhost -f cross-cma-rename.scr

    Last edited by arnolde; 2011-11-22 at 11:29.

  #6 Re: Provider-1: Renaming Global Objects

    Next approach: just edit the objects_5_0.C files directly (warning! This may be buggy or dangerous, only use this if you understand exactly what the script does!)
    Especially consider that the "sed" command simply finds and replaces any matching string in the whole file, regardless of whether it's a network object name or anything else that might match.

    Code:
    #!/bin/bash
    
    if [ $# -ne 2 ] ; then
      echo "syntax: $0 <old_object_name> <new_object_name>"
      exit 1
    fi
    
    oldname=$1
    newname=$2
    epoch=$(date +'%s')
    echo "All objects_5_0.C files will be backed up to objects_5_0.C.bak.$epoch!"
    
    for cma in goofy daffy dummy dorkie ; do
    
      objfile="$FWDIR/customers/$cma/CPsuite-R71/fw1/conf/objects_5_0.C"
      # ": (name" is how an object definition starts in objects_5_0.C; note that
      # ": ($oldname" also matches any longer name that begins with $oldname
      grep -q ": ($oldname" "$objfile" && (
        echo "Replacing '$oldname' by '$newname' in $cma..."
        # sed -i edits in place and keeps the original as the .bak.$epoch copy
        sed -i.bak.$epoch "s/: ($oldname/: ($newname/g" "$objfile"
        gzip "$objfile.bak.$epoch"
      ) || echo "Object $oldname not found in $cma"
    done
    
    objfile="$FWDIR/conf/objects_5_0.C"
    grep -q ": ($oldname" "$objfile" && (
      echo "Renaming $oldname in global policy..."
      sed -i.bak.$epoch "s/: ($oldname/: ($newname/g" "$objfile"
      gzip "$objfile.bak.$epoch"
    ) || echo "Not found in global policy!"

  #7 Re: Provider-1: Renaming Global Objects

    Have you, or anyone else, successfully tested this script/methodology?

    I've spun up a firewall rulebase re-write project, and will be re-naming hundreds of global objects. So tedious.

  #8 Re: Provider-1: Renaming Global Objects

    I've tested it in the testlab, but not in production yet.
    It works, but just be aware that there is no error checking or safeguards against unexpected conditions.
    Make sure the search strings you enter only match the objects you want to rename and nothing else.
    If you have very unique object names like DE123SRV67 then it's likely to be safe.
    Also, since it makes a unique backup on every run, make sure you don't run out of disk space if you use it 50 times in a row ;-)
    I suggest processing max 10 objects and then installing and testing the policies before continuing.

    We haven't used it ourselves yet because we're planning on converting all our global objects to local ones, by zapping through the rulebase and "clone"ing each global object into a local one.
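
The over-matching risk raised in #6 and #8 (": (OLD" also hits ": (OLDER") can be removed by comparing the name after ": (" for exact equality instead of using a sed prefix pattern. The script below is an added example, not the thread's script; it assumes an object definition is a line holding only ": (NAME", defaults to a dry run that only reports counts, and keeps the same timestamped-backup idea when told to apply.

```shell
#!/bin/bash
# Added example, not the thread's script. The sed pattern ': (OLD' used in
# the thread also matches ': (OLDER'; here the name following ': (' must
# equal OLD exactly, so prefixes are safe and names need no regex escaping.
# Assumption: an object definition is a line holding only ': (NAME'.

# count_defs FILE NAME: print the number of lines defining exactly NAME.
count_defs() {
  awk -v name="$2" '
    { line = $0; sub(/[[:space:]]+$/, "", line) }
    match(line, /^[[:space:]]*: \(/) && substr(line, RLENGTH + 1) == name { n++ }
    END { print n + 0 }' "$1"
}

# rename_defs FILE OLD NEW [apply]: dry run by default (reports only);
# with "apply" it rewrites FILE after keeping a timestamped backup.
rename_defs() {
  local file=$1 old=$2 new=$3 mode=${4:-dryrun} n epoch
  n=$(count_defs "$file" "$old")
  if [ "$n" -eq 0 ]; then
    echo "no definition of '$old' in $file"
    return 1
  fi
  echo "$n definition(s) of '$old' in $file"
  [ "$mode" = apply ] || return 0
  epoch=$(date +%s)
  cp -p "$file" "$file.bak.$epoch"
  awk -v old="$old" -v new="$new" '
    { line = $0; sub(/[[:space:]]+$/, "", line) }
    match(line, /^[[:space:]]*: \(/) && substr(line, RLENGTH + 1) == old {
      $0 = substr(line, 1, RLENGTH) new
    }
    { print }' "$file.bak.$epoch" > "$file"
}

# demo: constructed two-object file showing that DE123SRV670 is left alone.
demo() {
  local f; f=$(mktemp)
  printf '\t\t: (DE123SRV67\n\t\t\t:ipaddr (10.1.2.3)\n' > "$f"
  printf '\t\t: (DE123SRV670\n\t\t\t:ipaddr (10.1.2.4)\n' >> "$f"
  rename_defs "$f" DE123SRV67 DE123SRV67-NEW            # dry run: 1 hit
  rename_defs "$f" DE123SRV67 DE123SRV67-NEW apply
  grep -c ': (DE123SRV670$' "$f"                         # still 1
  rm -f "$f" "$f".bak.*
}
demo
```

Object names are passed to awk with -v, so names containing backslashes are outside what the example handles.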

  #9 Re: Provider-1: Renaming Global Objects

    I'm attempting to develop a script to rename global objects in the most user friendly way possible.

    I was going to operate on the assumption that the UID would be the same between the Global object in the MDS, and the same Global object in each CMA. No go. The UID is the same for objects I've created in R75.10, but Global Objects that were created prior to the upgrade have different UIDs between the Global and CMA versions.

    Does anyone know of a way to synchronize the UIDs between the Global and CMA versions of a global object?

    If I can get the UIDs synchronized, then I can ignore having to know the previous name of a Global Object. A script could just conduct an export of objects and their associated UIDs from the MDS, then compare the UIDs with global objects in each CMA one at a time, and rename out-of-sync object names as needed.

    With several untested assumptions, this method would seem to be workable.
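
The UID-keyed comparison proposed in #9 (export UID/name pairs from the MDS, join them against each CMA, list the names that differ) as an added example, not the poster's script. It assumes the UIDs are already in sync, as the post requires, and a constructed file layout in which each object opens with a ": (NAME" line and its AdminInfo block carries ':chkpf_uid ("{...}")'.

```shell
#!/bin/bash
# Added example, not the poster's script: pairs the objects of a global (MDS)
# objects file with those of a CMA objects file by UID and lists every pair
# whose names disagree, i.e. the renames the post proposes. Assumptions
# (constructed layout): an object opens with a ': (NAME' line and its
# AdminInfo block holds ':chkpf_uid ("{...}")'; UIDs are already in sync.

# uid_names FILE: print "UID NAME" for each object, sorted by UID for join(1).
uid_names() {
  awk '
    /^[[:space:]]*: \(/ {
      name = $0
      sub(/^[[:space:]]*: \(/, "", name); sub(/[[:space:]]+$/, "", name)
    }
    /:chkpf_uid \("\{/ {
      uid = $0
      sub(/.*:chkpf_uid \("/, "", uid); sub(/"\).*/, "", uid)
      print uid, name
    }' "$1" | LC_ALL=C sort -k1,1
}

# rename_list GLOBAL_FILE CMA_FILE: print "CMA_NAME GLOBAL_NAME" for every UID
# present in both files whose names differ. Objects known to only one side
# and already-identical names are skipped, so the output is the work list.
rename_list() {
  local g c
  g=$(mktemp) && c=$(mktemp)
  uid_names "$1" > "$g"
  uid_names "$2" > "$c"
  LC_ALL=C join "$g" "$c" | awk '$2 != $3 { print $3, $2 }'
  rm -f "$g" "$c"
}

# demo: constructed MDS and CMA extracts for one object sharing a UID
demo() {
  local g c
  g=$(mktemp) && c=$(mktemp)
  printf '\t: (DE123SRV67\n\t\t:AdminInfo (\n\t\t\t:chkpf_uid ("{AAA-1}")\n\t\t)\n' > "$g"
  printf '\t: (de123srv67_old\n\t\t:AdminInfo (\n\t\t\t:chkpf_uid ("{AAA-1}")\n\t\t)\n' > "$c"
  rename_list "$g" "$c"        # prints: de123srv67_old DE123SRV67
  rm -f "$g" "$c"
}
demo
```

Each "CMA_NAME GLOBAL_NAME" line is exactly the argument pair the rename scripts earlier in the thread take, so the list can drive them without anyone having to remember the old names.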
