CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Thread: R80: object explorer: unused objects

  1. #1
    Join Date
    2017-07-17
    Posts
    18
    Rep Power
    0

    R80: object explorer: unused objects

    In our R80 manager,

    Object Explorer > All > Unused Objects, we have more than 600 unused objects.

    I know that if we have more unused objects it will increase the policy verification time. So, before deleting objects under the Unused Objects list in R80, I want to know whether there is something I need to verify or any kind of rules to follow, like checking that they are not used anywhere [test].

  2. #2
    Join Date
    2016-06-10
    Posts
    11
    Rep Power
    0

    Re: R80: object explorer: unused objects

    Hi,

    Unused objects are not used. So you can safely delete them. Especially with the built-in validation mechanism of R80, you will never end up with broken links.

    One small thing: the number of objects shouldn't significantly affect policy installation time in R80 or above. The policy verification looks at the rules and all of their contained objects, so unused objects aren't looked at. Having lots of unused objects is more of an ease-of-policy-management problem.

    And last: the performance of the Security Management Server, as well as policy installation time, has been improved in R80.10 compared to R80 (as well as overall stability), and we recommend that every R80 customer upgrade to R80.10 Management.

  3. #3
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,084
    Rep Power
    12

    Re: R80: object explorer: unused objects

    As Tomer says, the unused objects are safe to delete in R80+ management.

    However, in R77.30 and earlier management, a nasty situation I've run into before is having an object come up as unused, and deleting it. Almost immediately after policy install I find out the hard way that an Automatic NAT was configured on that deleted object and some other part of the configuration was depending on it. So in R77.30 and earlier management, before deleting an "unused" object I always look to see if there is an Automatic NAT configured for it and proceed with caution if there is.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  4. #4
    Join Date
    2016-06-10
    Posts
    11
    Rep Power
    0

    Re: R80: object explorer: unused objects

    Quote Originally Posted by ShadowPeak.com:
    As Tomer says, the unused objects are safe to delete in R80+ management.

    However, in R77.30 and earlier management, a nasty situation I've run into before is having an object come up as unused, and deleting it. Almost immediately after policy install I find out the hard way that an Automatic NAT was configured on that deleted object and some other part of the configuration was depending on it. So in R77.30 and earlier management, before deleting an "unused" object I always look to see if there is an Automatic NAT configured for it and proceed with caution if there is.
    In that case, in R77.30 as well as R80.10 the automatic NAT rule would have been automatically deleted. Was that the case?

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,084
    Rep Power
    12

    Re: R80: object explorer: unused objects

    Quote Originally Posted by tomersole':
    In that case, in R77.30 as well as R80.10 the automatic NAT rule would have been automatically deleted. Was that the case?
    Yes, the automatic NAT rule was always deleted, but I've seen that break other things. Even if the unused object was not referenced anywhere, its NAT was actually needed for something else to work.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,461
    Rep Power
    8

    Re: R80: object explorer: unused objects

    Quote Originally Posted by tomersole':
    In that case, in R77.30 as well as R80.10 the automatic NAT rule would have been automatically deleted. Was that the case?
    Yikes. I assume it's clear that from a user perspective that would not be an unused object, since it's in the NAT policy. I understand the flip side could be that it's not really in the NAT policy, but that is for sure a nasty issue.

  7. #7
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    88
    Rep Power
    11

    Re: R80: object explorer: unused objects

    Quote Originally Posted by ShadowPeak.com:
    Yes, the automatic NAT rule was always deleted, but I've seen that break other things. Even if the unused object was not referenced anywhere, its NAT was actually needed for something else to work.
    To elaborate, this generally happens between object types or with duplicate objects. For an example of the former, let's say you have a public block for your web servers: 20.30.40.0/24. You add a rule allowing any source to the whole network on 443, and you have an object for 192.168.100.2 with an automatic NAT to 20.30.40.234. The host wouldn't show as being used in any rules. I sometimes see configurations like this done intentionally to move a single public IP from an old box to a new box without reconfiguring internal things. It's kind of goofy and it would generally be better to use manual NAT rules for that, but it happens.

    People sometimes have multiple objects for the same IP and wind up using one in rules, and putting the automatic NAT on the other. I can't think of a reason to do this intentionally, but I've seen it happen accidentally several times.

    This has long been one of the limitations of "Where Used..." or of automatic NAT, depending on how you count.
    Zimmie

  8. #8
    Join Date
    2016-06-10
    Posts
    11
    Rep Power
    0

    Re: R80: object explorer: unused objects

    Hi guys. Where Used in R80.10 will not signal that a host which has automatic NAT properties is "used" in the NAT policy, even though a side effect of deleting that host will be the removal of 2 auto-generated NAT rules.

    We will incorporate this feedback in our next releases. Thank you for mentioning this.

  9. #9
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    636
    Rep Power
    5

    Re: R80: object explorer: unused objects

    Quote Originally Posted by Bob_Zimmerman:
    To elaborate, this generally happens between object types or with duplicate objects. For an example of the former, let's say you have a public block for your web servers: 20.30.40.0/24. You add a rule allowing any source to the whole network on 443, and you have an object for 192.168.100.2 with an automatic NAT to 20.30.40.234. The host wouldn't show as being used in any rules. I sometimes see configurations like this done intentionally to move a single public IP from an old box to a new box without reconfiguring internal things. It's kind of goofy and it would generally be better to use manual NAT rules for that, but it happens.

    People sometimes have multiple objects for the same IP and wind up using one in rules, and putting the automatic NAT on the other. I can't think of a reason to do this intentionally, but I've seen it happen accidentally several times.

    This has long been one of the limitations of "Where Used..." or of automatic NAT, depending on how you count.
    To sum up things, if an organization does not USE Automatic NAT rules and upgrades to R80, then it's safe to delete all unused objects?

  10. #10
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    88
    Rep Power
    11

    Re: R80: object explorer: unused objects

    Quote Originally Posted by laf_c:
    To sum up things, if an organization does not USE Automatic NAT rules and upgrades to R80, then it's safe to delete all unused objects?
    I'd say it should be. Automatic NAT is the only thing I can think of which is a property of the object rather than a place the object is used, but which can affect traffic.
    Zimmie

  11. #11
    Join Date
    2016-10-19
    Posts
    21
    Rep Power
    0

    Re: R80: object explorer: unused objects

    Hello All,

    I've seen this comment in the CheckMates community:
    -> If you create an object just for NAT, but it is not used in a policy rule, it will show as unused either in the SmartDashboard Object Explorer or via API calls.

    So if we proceed to delete the objects based on Object Explorer's result, we might be missing these as well?

    Thanks.

  12. #12
    Join Date
    2017-07-17
    Posts
    18
    Rep Power
    0

    Re: R80: object explorer: unused objects

    When we select the unused object and then Where Used, and it's not under Automatic NAT, can we delete it then?

  13. #13
    Join Date
    2016-06-10
    Posts
    11
    Rep Power
    0

    Re: R80: object explorer: unused objects

    Quote Originally Posted by venkata:
    Hello All,

    I've seen this comment in the CheckMates community:
    -> If you create an object just for NAT, but it is not used in a policy rule, it will show as unused either in the SmartDashboard Object Explorer or via API calls.

    So if we proceed to delete the objects based on Object Explorer's result, we might be missing these as well?

    Thanks.
    Not sure if I emphasized this: we are working to change this behavior in our next releases. I know it doesn't help much right now, but still, I thought you should know.

    The "either in SmartDashboard or via API calls" is actually one of our strengths. None of our clients (GUI/API) contain product logic; all they do is expose the product logic that is within the Management Server, which is why the behavior is expected to be exactly the same. Again, not necessarily helping this situation, but still something I would like to point out.

  14. #14
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    88
    Rep Power
    11

    Re: R80: object explorer: unused objects

    Quote Originally Posted by venkata:
    Hello All,

    I've seen this comment in the CheckMates community:
    -> If you create an object just for NAT, but it is not used in a policy rule, it will show as unused either in the SmartDashboard Object Explorer or via API calls.

    So if we proceed to delete the objects based on Object Explorer's result, we might be missing these as well?

    Thanks.
    Quote Originally Posted by Sneha:
    When we select the unused object and then Where Used, and it's not under Automatic NAT, can we delete it then?
    “Where Used...” as it exists today is a rule-in test, but not a rule-out. That is, it detects whether something definitely affects the config, but it does not detect all situations in which it could. If it is updated to detect non-default object parameters, as tomersole has said is being considered, it would become both.

    “Where Used...” alone will not tell you definitively that removing the object will not remove configuration. You should use “Where Used...” and examine the contents of the object itself. If there is any non-default configuration inside the object, that object’s existence may affect traffic.
    Zimmie
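    The triage Zimmie describes in posts #7 and #14 (run "Where Used...", then inspect each unused object for non-default settings such as Automatic NAT) can be scripted against the output of the R80.x Management API. The block below is an added example written for this page; it is not code from the thread, from any poster, or from Check Point. It assumes the JSON shape of two API commands, `show-unused-objects` (a list of `objects` with `uid`, `name`, `type`) and `show-host` (with a `nat-settings` sub-object carrying `auto-rule`, `method` and the translated `ipv4-address`), as well as the constructed object and rulebase data embedded in it. Field names should be checked against your own `mgmt_cli ... --format json` output before relying on them. It generalizes the two failure modes from post #7: an automatic static NAT whose public address falls inside a network that rules do reference, and a duplicate object that carries the NAT while its twin is the one used in rules.

```python
"""Triage a Check Point 'unused objects' list before deleting anything.

Added example, not code from the CPUG thread or from Check Point.
Assumed API shapes (verify against your own management server):
  show-unused-objects -> {"objects": [{"uid", "name", "type"}, ...]}
  show-host           -> {"name", "ipv4-address",
                          "nat-settings": {"auto-rule", "method", "ipv4-address"}}
All data below is constructed for the example.
"""
import ipaddress

# Constructed: what `show unused-objects` might return for a small manager.
UNUSED = {"objects": [
    {"uid": "u-1", "name": "web-old-internal", "type": "host"},
    {"uid": "u-2", "name": "stale-printer", "type": "host"},
    {"uid": "u-3", "name": "legacy-lab-net", "type": "network"},
    {"uid": "u-4", "name": "app-server-copy", "type": "host"},
]}

# Constructed: per-object detail as `show host` / `show network` would return it.
DETAILS = {
    "u-1": {"name": "web-old-internal", "ipv4-address": "192.168.100.2",
            "nat-settings": {"auto-rule": True, "method": "static",
                             "ipv4-address": "20.30.40.234"}},
    "u-2": {"name": "stale-printer", "ipv4-address": "10.9.8.7",
            "nat-settings": {"auto-rule": False}},
    "u-3": {"name": "legacy-lab-net", "subnet4": "10.50.0.0",
            "mask-length4": 16, "nat-settings": {"auto-rule": False}},
    "u-4": {"name": "app-server-copy", "ipv4-address": "10.20.30.40",
            "nat-settings": {"auto-rule": True, "method": "hide",
                             "hide-behind": "gateway"}},
}

# Constructed: network objects the access rulebase references (post #7's
# "public block for your web servers"), and hosts that ARE used in rules.
RULEBASE_NETWORKS = {"web-servers-public": "20.30.40.0/24"}
USED_HOST_IPS = {"10.20.30.40": "app-server"}


def nat_dependency(nat, rulebase_nets):
    """Return a reason string if an automatic NAT on this object could be
    load-bearing for traffic that never references the object itself, or
    None when the object has no automatic NAT."""
    if not nat.get("auto-rule"):
        return None
    method = nat.get("method", "static")
    translated = nat.get("ipv4-address")
    if method == "static" and translated:
        # The hidden dependency from post #7: a rule allows traffic to a whole
        # public network, and only this object's NAT maps one of those
        # addresses to an internal host.
        for rule_obj, cidr in rulebase_nets.items():
            if ipaddress.ip_address(translated) in ipaddress.ip_network(cidr):
                return (f"auto static NAT to {translated}, which lies inside "
                        f"rulebase object {rule_obj} ({cidr})")
        return f"auto static NAT to {translated}"
    return f"auto {method} NAT behind {nat.get('hide-behind', 'unknown')}"


def triage(unused, details, rulebase_nets, used_host_ips):
    """Map each unused object name to ('delete' | 'review', reason).
    'delete' means Where Used found nothing AND the object carries no
    non-default NAT configuration, which is Zimmie's rule-out test."""
    verdicts = {}
    for obj in unused["objects"]:
        detail = details[obj["uid"]]
        reasons = []
        reason = nat_dependency(detail.get("nat-settings", {}), rulebase_nets)
        if reason:
            reasons.append(reason)
        # Second failure mode from post #7: two objects for one IP, the rules
        # use one and the automatic NAT sits on the other.
        ip = detail.get("ipv4-address")
        if ip and ip in used_host_ips:
            reasons.append(f"duplicate of used object {used_host_ips[ip]} ({ip})")
        if reasons:
            verdicts[obj["name"]] = ("review", "; ".join(reasons))
        else:
            verdicts[obj["name"]] = ("delete", "no non-default NAT settings")
    return verdicts


def main():
    for name, (verdict, why) in triage(UNUSED, DETAILS, RULEBASE_NETWORKS,
                                       USED_HOST_IPS).items():
        print(f"{verdict:6} {name:18} {why}")


if __name__ == "__main__":
    main()
```

    Objects that come back as "review" are exactly the ones the thread warns about: "Where Used..." reports nothing, yet deleting them removes auto-generated NAT rules that traffic may depend on. Only the "delete" set satisfies both the rule-in check (Where Used) and the rule-out check (no non-default configuration inside the object).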
