I have a Provider-1 with a single CMA running R77.30 with JHFA_216. The CMA manages about 8 pairs of ClusterXL running H/A also R77.30 with JHFA_216.

I am in the processing of cleaning unused Firewalls rules and group objects and nodes. I would like to do this so that it will make things easier when we migrate from Checkpoint to Palo Alto next year. There are a lot of unused nodes and group objects in the policy, roughly about 8,000 out of 25,000 objects.

I normally right-click on the object and select "where used" and it will tell me which group object or Firewall rule where this object is being used. Simple, right?

The problem is that I've found in ten different instances where this is not the case. In other words, the object is being used in another group object and yet, in the "where used", it said that the object is NOT being used. WTF... The other issue is that in the same scenario for that object, it will let me delete the object but when I tried to save the policy, the GUI crashes.


#1 -Is there a way for me to identify those trouble nodes or group objects when I tried to delete 8,000 objects at once because that process takes a lot of time on the GUI (up to 45 minutes) and then when I tried to save the policy, it crashes.

#2- Can I really trust the "where-used" in checkpoint? I've found several instances that were not the case.

I've opened a TAC case with Checkpoint and the first thing come out of TAC is upgrade to R80. Not sure if I will get resolution from TAC on this.