Dissecting Object Filler and Object Dumper
Martín Hoz <martinhoz@gmail.com>
CPUG CON Europe - Switzerland, September 8th, 2009
Who am I?
• Martín Humberto Hoz Salvador
  – Electronics and Communications Engineer, UANL – México
  – Interested in Internet Security since ~1993.
  – Been using Check Point products since 1998 (3.0b/4.0). CCSE 4.1, CCSE NGX R60
  – Check Point employee for ~6 years (2001-2007).
  – Wrote Object Filler / Object Dumper (2003-2006).
  – Native language: Spanish.
Where is México?
Some expectations
• You already know the basics on Internet Security
  – IP addressing, routing
• You already know the basics on Check Point
  – Creating objects and rules
  – Saving configurations
• You know a bit of SPLAT / Windows / …
  – You get into the command line
  – You are able to transfer files over FTP
Some comments and warnings
• My Check Point knowledge stops at NGX R65
• I have NOT tested the tools on NGX R70
  – I tested them on NGX R65 and all works, with the exception of Connectra objects
• My motivations for doing this talk:
  – Fully explain what the tools can and cannot do before they die…
  – Explain why and how the tools are designed
  – Have a final chance to answer questions
Agenda
• Introduction
• Motivations on designing the tool
• Object Filler – objects, files and other vendors
• Object Dumper – dumping and recovering
• Interesting operations
• Provider-1 – considerations
• Conclusions – and the future…
Object Management Basics
• Objects and rules are created primarily through SmartDashboard (GUI)
  – Good for day-to-day administration
  – Not too easy for massive loads, like new configs
• Objects have different properties according to their type
  – Groups have members
  – Gateways have interfaces
  – Networks have netmasks
  – Hosts can be “servers” for DNS, Web or Mail
• Rules have predefined properties, the same for every type of rule
  – Desktop Security, QoS, NAT and Security rules are different types of rules
Where’s this stuff stored?
• Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows)
• Objects are primarily placed in objects_5_0.C
• Rules are stored in rulebases_5_0.C
• Both are ASCII files
However…
• The files are in text, but using a special format
  – Which is *very* sensitive
• Manual changes in these files can trigger severe problems
  – The general rule is: Don’t do it
  – Unless you really know what you are doing and you have CP Support backing you
• Especially because there is a supported way to make changes…
DBedit
DBedit
• Supported command line tool that allows changes to the overall configuration
  – Therefore, allows changes to objects_5_0.C and rulebases_5_0.C
  – Allows and extends what can be done from SmartDashboard
• Present in all NG and NGX versions
  – All the operating systems supported by Check Point SmartCenters
  – Known to have better behavior since NG FP3
• As with all CLIs, there’s a special syntax that has to be used. This is documented by Check Point
  – Nowadays, manuals and Knowledge Base entries have information on it
• DBedit is scriptable
  – It can take commands from a file…
DBedit invocation
DBedit invocation
• Preferably use it from the SmartCenter you’re going to operate on. That is, use localhost
• If you are using it from a different machine, then the IP address you’re using has to be declared as a valid GUI client
• Use the credentials of a regular R/W administrator
  – dbedit without options
  – dbedit with all options
Doing a basic operation
• Creating a basic host
• Changing color and adding NAT…
So, DBedit…
• Is really powerful, but can be a bit complex
  – The syntax is also very sensitive to spaces, colons, dots, etc.
• If you want to write a script, you have to spend some time:
  – Learning the DBedit syntax (useful then and forever)
  – Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV or XML file
  – Or type/edit the DBedit script file yourself
  – That easily adds up to a couple of hours
• Writing something you will, most of the time, use only once
Other Scenarios: What if…
• You have to do massive operations
  – You have to create 256 networks for 10.0.0/16
    • 10.1.0/24, 10.2.0/24, 10.3.0/24, and so on…
  – You have a list of 400 host objects with employee names and IP addresses which you need to enter into SmartCenter
  – Add NAT to a group of objects that are already created
Other Scenarios: What if… (2)
• Or a bit more complicated: Migrating from Cisco PIX or NetScreen/Juniper to Check Point…
  – … and there’s a customer that has 300 objects plus 900 rules on it.
• In all those cases, it takes lots of time analyzing and/or typing
What drove the tool creation?
• Three large config conversions from PIX in a row…
• Two times setting up 200+ objects for a PoC
• Once helping a friend to add NAT config to his objects
About ofiller/odumper design
• The tool had to be useful and solve the problem: ease the task of populating the SmartCenter.
• The tool had to work! (or I would be in big trouble with my friends/customers)
• I used the only language I knew and had a compiler for…
  – Not Perl
More notes (or the advantages of an “unsupported tool”)
• I wanted to work with a “human-readable” format: ASCII text seems fine to me
  – Reads text, writes text: you can modify anything you need
  – Your changes do not necessarily affect your configuration
• You can work offline
  – No latencies
  – You can take work on a plane
  – You don’t depend on the Check Point software being “up and running” (especially useful on crashes)
• Multiplatform and independent
  – As it is a standard C file, no dependencies on libraries
  – You can run it on Windows, Solaris and GNU/Linux (that includes SPLAT)
Some other notes
• The tool was NOT supposed to be shared with anybody but my friends
• The tool was NOT thought of as being extensible, upgradable, maintainable or scalable…
• And so Object Filler was born. Object Dumper just came a couple of years later
• When people began to use it, documentation became a priority. I estimate I spent almost 50% of the time devoted to documentation…
A recent success story
• http://www.networksandsecurity.com/home/2009/08/24/recovering-from-a-dead-check-point-smartcenter/
  – “Recovering from a dead Check Point SmartCenter” says it all
What is Object Filler?
• To begin with, it is a FREE but unsupported and unofficial tool
• Automates the DBedit script creation to feed SmartCenter’s dbedit
• Works mainly with Network/Service objects
  – It works as well with firewall (security) rules
• Can take information from 3 different types of feeds
  – Command line
    • Useful when creating consecutive objects: nets, hosts within a given range, etc.
  – Predefined file with object information
    • CSV file (predefined format), Hosts file (UN*X, Windows), …
  – Configuration from a third-party vendor configuration file
    • Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor
Object Filler (diagram)
• Command line arguments -> Object Filler (objects)
• Predefined file (CSV, etc.), prepared with a spreadsheet / text editor -> Object Filler (objects, rules)
• Third-party config file -> Object Filler (objects, rules)
• Object Filler -> DBedit commands file -> Check Point SmartCenter
Supported by Object Filler / Dumper
• Network objects
• Services
• Firewall rules
  – Careful with resources and authentication!
• It does NOT support users or groups
  – They have a different database
• Reference: Pages 25-27 of the User’s Manual contain tables for all supported objects
Objects Supported
Resources, Services and Operations supported
Creating objects from Command Line
• ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt
• For producing a CSV file, try: ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -a networks.csv
The resulting (-o) text file contents
Importing the results into SmartCenter
• Pass the file to the SmartCenter
  – Use FTP (ASCII file type), copy-paste, etc.
• Use DBedit with the file as the input file
  – Make sure no GUI is running with R/W permissions
The results in the database (before / after)
• The objects are now created in the Objects Database
  – In less than 5 minutes
• You should be able to see them within SmartDashboard
• You may create a new Database Revision Control entry before and/or after the objects creation, as a “backup”
Another example:
• The task: “Using the address space 10.0.0/16, create all the networks that can have a 22-bit netmask (255.252.0) and Hide NAT ’em behind the IP addresses 172.16.10-15”
• The command line: ofiller -t net -s 10.0.0 -d 10.255 -m 22 -c blue -ns 172.16.10 -nd 172.16.10.15 -nm 24 -a with_nats.csv
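What the -t net / -s / -d / -m switches do for the two tasks above (and the "script that generates the DBedit script" the earlier slide talks about), as an added POSIX shell example that is not ofiller's code: it walks the range from the first network to the last address in steps of one network of the given prefix length and writes the dbedit commands for each object, optionally with Hide NAT behind one address. Assumptions: the NAT attribute names (add_adtr_rule, NAT:netobj_adtr_method, NAT:valid_ipaddr, NAT:the_firewalling_obj) are from my recollection of Check Point's dbedit documentation and must be checked against your release; the slide's 172.16.10-15 range is reduced to a single NAT address; object names such as net_10_0_252_0_22 are my own convention.

```shell
#!/bin/sh
# Added example, not ofiller's code: emit dbedit commands for consecutive
# network objects, optionally Hide-NATed behind one address.

ip2int() {
    # dotted quad -> unsigned 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix2mask() {
    # 22 -> 255.255.252.0
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

gen_networks() {
    # $1 first network, $2 last address of the range, $3 prefix length,
    # $4 colour, $5 output file, $6 (optional) Hide NAT address.
    # Prints the number of objects written.
    n=$(ip2int "$1"); last=$(ip2int "$2"); prefix=$3
    step=$(( 1 << (32 - prefix) ))
    mask=$(prefix2mask "$prefix")
    count=0
    : > "$5"
    while [ "$n" -le "$last" ]; do
        ip=$(int2ip "$n")
        name="net_$(printf '%s' "$ip" | tr . _)_$prefix"
        {
            echo "create network $name"
            echo "modify network_objects $name ipaddr $ip"
            echo "modify network_objects $name netmask $mask"
            echo "modify network_objects $name color $4"
            if [ -n "${6:-}" ]; then
                # NAT attribute names: assumption, verify against your release's dbedit docs
                echo "modify network_objects $name add_adtr_rule true"
                echo "modify network_objects $name NAT NAT"
                echo "modify network_objects $name NAT:netobj_adtr_method adtr_hide"
                echo "modify network_objects $name NAT:valid_ipaddr $6"
                echo "modify network_objects $name NAT:the_firewalling_obj All"
            fi
            echo "update network_objects $name"
        } >> "$5"
        n=$(( n + step ))
        count=$(( count + 1 ))
    done
    echo "savedb" >> "$5"
    echo "$count"
}

# Stand-alone use: sh gen_networks.sh 10.0.0.0 10.0.255.255 22 blue with_nats.txt 172.16.10.10
if [ $# -ge 5 ]; then
    gen_networks "$@"
fi
```

The output file is then fed to dbedit exactly as the -o file from ofiller would be; review it first, since DBedit syntax differs between releases.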
The result: CSV
The result: DBEdit
The result: SmartDashboard
Other sources for importing objects
• Comma Separated Values (CSV) files
  – Usually created with a spreadsheet (MS Excel is an option), with values fixed according to the column
  – The most powerful way to import objects
    • Represents objects and firewall rules
    • That’s the format Object Dumper uses
  – Use the program with options –f and –i list
  – Format is documented in the Manual
    • Section 11.2 Comma Separated Values (CSV) file type
    • Pages 35-45
Sample CSV File for objects
Sample CSV File for groups
Sample CSV File for services
Sample CSV File for firewall rules
Some special tips
• When copying multiple objects, disable verifications:
  – “-nopv” will disable internal verifications, allowing you to copy duplicates
• When handling policies
  – You must use the “-p” switch on Object Filler to specify a policy name.
    • Otherwise, rules WILL NOT be processed, even if they are in the CSV file
    • The policy name should NOT exist, or it will be overwritten!
    • You may need to create a “Policy Package” with the same name
  – Make sure you use “-nopv” to avoid issues if some of the objects were not processed in “this run”.
Other source files supported
• List files (a “less-complex” CSV)
  – Files contain just IP addresses and netmasks
  – Object Filler creates the names and the type of object according to the IP address and netmask.
  – Use the program with options –f and –i list
Other source files supported
• Hosts
  – A regular hosts file. The ones found at /etc/hosts in UN*X or %SYSTEMROOT%\system32\drivers\etc in Windows
  – Use the program with options –f and –i hosts
Importing from Other Brands
• Object Filler supports importing network objects from configurations of other brands
• Object Filler parses the configuration file, and when it detects a valid IP address and netmask, builds an object according to such data.
• Rules support is here as well
  – Importing ACL rules from Cisco PIX and Cisco Routers
Importing from Other Brands
• As of Object Filler 2.4 it is “supported” for:
  – Cisco PIX and Cisco Routers
    • Network Objects, Groups, NAT, Services and Rules
  – NetScreen/Juniper
    • Network Objects, Static NAT
  – Gauntlet
    • Network Objects
  – SideWinder
    • Network Objects, Groups, Services
  – Raptor
    • Network Objects
Converting from Cisco PIX to Check Point: Example
Source PIX configuration (part of it)
Translating just Network Objects (Preview mode – using –a to get a CSV file)
Translating Rules (Preview mode – using –a to get a CSV file)
Translating Network Objects and rules (DBedit commands)
Troubleshooting
• Remember: DBedit syntax may change from version to version
  – However, the majority is still valid across versions.
• On the SmartCenter: if you run into issues while importing DBedit commands, enter them one by one
  – See which one is causing the problem, and try to fix the issue accordingly
• On Object Filler, use the undocumented “debug” command
  – Tons of information! So, use it with care
  – Gives you special help when there is some weird behavior while analyzing strings
Troubleshooting (-debug)
Troubleshooting (2)
• If you get issues on policy verification
  – Review whether the scope of the policy includes Edge / SofaWare objects
  – Review for duplicates
  – It is fairly common to find issues with several services that have the “Match for Any” check set. Simply work on the services to tune them
• When importing big amounts of objects
  – Be ready to spend some time reviewing the configuration
  – odumper/ofiller save you “typing” work only…
What is Object Dumper?
• Dumps the objects and rules of the SmartCenter to a text format
• You can later modify the exported objects/rules, move them, merge them, …
  – It is possible to do it from any text editor (Notepad, vi, emacs, etc.)
  – You must keep the CSV format if you plan to import them back into the same or another SmartCenter Server
How does it work?
• Works with the regular objects_5_0.C, or with the one found on the Gateway.
  – Supports object recovery from SmartCenter crash scenarios.
• Works with the regular rulebases_5_0.fws file
  – Only security rules are supported. No NAT nor QoS rules.
• It works by parsing all the entries in the objects_5_0.C and/or rulebases_5_0.fws file(s), and writing them to a defined file
  – The format of such a file can be CSV (Comma Separated Values) or HTML
  – The same file can be used to feed Object Filler later and produce DBedit commands to replicate the configuration.
• Warning: parsing of the files is done line-by-line
  – Context information is kept internally by the tools.
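How a line-by-line parse with internally kept context can recover objects from objects_5_0.C, as an added POSIX shell/awk example that is not odumper's code and is a simplification of it: parenthesis depth is the only context tracked, which is enough to take attributes only from the object's own level, so a NAT block nested inside an object is skipped rather than mistaken for the object's address. The input is a constructed fragment written in the style of objects_5_0.C, not a real dump.

```shell
#!/bin/sh
# Added example, not odumper's code: walk an objects_5_0.C-style file line
# by line, track parenthesis depth as context, emit one CSV row per object.

write_sample_objects() {
    # Constructed fragment in the style of objects_5_0.C (not a real dump).
    # Web_Server carries a nested NAT block whose valid_ipaddr must not be
    # confused with the object's own ipaddr; services must not be emitted.
    cat > "$1" <<'EOF'
(
    :network_objects (
        : (Net_Internal
            :type (network)
            :ipaddr (10.1.0.0)
            :netmask (255.255.0.0)
            :color (blue)
        )
        : (Web_Server
            :type (host)
            :ipaddr (192.168.5.10)
            :NAT (
                :netobj_adtr_method (adtr_static)
                :valid_ipaddr (203.0.113.10)
            )
        )
    )
    :services (
        : (my_tcp_8443
            :type (tcp)
            :port (8443)
        )
    )
)
EOF
}

dump_objects() {
    # $1 = objects file; prints "name,type,ipaddr,netmask" for every entry
    # of the network_objects table, ignoring other tables and sub-blocks.
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        opens = gsub(/\(/, "(", line)      # count "(" without changing line
        closes = gsub(/\)/, ")", line)
        after = depth + opens - closes     # depth once this line is consumed
        if (line ~ /^:network_objects \($/) {
            tbl = after                    # inside the network_objects table
        } else if (tbl && depth == tbl && line ~ /^: \(/) {
            name = substr(line, 4)         # ": (Name" opens an object
            obj = after
            split("", attr)                # portable way to clear the array
        } else if (obj && depth == obj && line ~ /^:[A-Za-z_]+ \(.*\)$/) {
            key = line; sub(/ \(.*$/, "", key); key = substr(key, 2)
            val = line; sub(/^:[A-Za-z_]+ \(/, "", val); sub(/\)$/, "", val)
            attr[key] = val                # attributes directly under the object only
        } else if (obj && after < obj) {
            printf "%s,%s,%s,%s\n", name, attr["type"], attr["ipaddr"], attr["netmask"]
            obj = 0
        }
        if (tbl && after < tbl) tbl = 0
        depth = after
    }' "$1"
}

# Stand-alone use: sh dump_objects.sh objects_5_0.C  (no argument: built-in sample)
if [ $# -ge 1 ]; then
    dump_objects "$1"
else
    tmp=$(mktemp) && write_sample_objects "$tmp" && dump_objects "$tmp" && rm -f "$tmp"
fi
```

A layout change in a newer release (an attribute moved into a sub-block, say) silently drops that field here, which is the same fragility the Debugging slide warns about for odumper.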
Object Dumper (diagram)
• objects_5_0.C and rulebases_5_0.fws -> Object Dumper -> text
• Text as CSV file -> spreadsheet / text editor
• Text as HTML file -> Internet browser
How does it work? – Step by Step
• Step 1: Transfer the objects_5_0.C file from the SmartCenter to the host where you have Object Dumper
  – Transfer the file as a plain-text ASCII file
  – Preferably use FTP or SCP
Dumping the objects
• Step 2: Run Object Dumper over it. Example: odumper -f objects_5_0.C -o objects.csv
Step 3: Viewing the results
• The results can be viewed with any spreadsheet or program able to interpret CSV files
  – Such as Microsoft Excel or Calc from StarOffice
• The file can be edited. If it is going to be imported back, keeping the format is mandatory
Dumping the objects to HTML
• Run Object Dumper over the file using –html: odumper -f objects_5_0.C -o objs.htm -html
The HTML results
Comments About Object Dumper behavior
• By default it doesn’t export the “default” predefined objects and services.
  – Just exports the ones created by the user
  – Works fine up to NGX R62. On NGX R65 some services are not detected as default:
    • MGCP_dynamic_ports (other), HTTP_and_HTTPS_proxy (tcp/8080), CP_SmartPortal (tcp/4433), Remote_Desktop_Protocol (tcp/3389)
  – Useful to track service additions in the local environment
  – You can export default objects using the –d switch
Comments About Object Dumper behavior (2)
• It can export the results as an HTML file
  – Use the –html switch on the command line
• It can export firewall rules
  – It uses rulebases_5_0.fws
  – It exports *all* the “Policy packages” on the SmartCenter
Debugging
• Remember odumper parses the files
  – Changes in formats may affect the results
  – Especially true with newer versions
• odumper also has a –debug option
  – Use it with care due to the amount of output
Using Object Filler to import back Object Dumper’s output
Why import back a configuration?
• Migrations where you want or must import the results into a new environment
  – Between SmartCenters, from CMA to SmartCenter, from SmartCenter to CMA
  – Migrating from old versions (CP 2000, NG FP2, …) to NGX.
• Large numbers of modifications
  – Think of these scenarios:
    • Need to change the IP addressing for the internal network
    • Due to a corporate merger, need to rename several objects
  – Modifying IPs or names is supported by DBedit, and also supported by Object Filler
• SmartCenter limitation (also observed by Object Filler): names and IPs cannot be changed for Check Point objects
Why import back a configuration? (2)
• Recovery from SmartCenter crashes…
  – Object Dumper can “dump” the objects file found on Check Point gateways
• WARNING: ofiller/odumper are NOT recommended for use as a “reliable” backup/restore procedure
  – There are settings that are not dumped by Object Dumper
  – Not all the information is present
  – It is NOT officially supported
Existing objects: common issue while importing back a configuration
• Simply take note of them, and let the procedure continue. DBedit takes care of this… existing objects are NOT overwritten
• When finishing the operations, answer NO to the questions about object updates
Example: Renaming Objects
• Scenario: You are merging two configurations. You want to rename from “Net_*” to “Network_*”
Example: Renaming objects (2)
• Step 1. Export the objects using odumper
• Step 2. Create a CSV file with this format:
  – 1st column = current name
  – 2nd column = the word “rename”
  – 3rd column = the new name
Example: Renaming objects (3)
• Step 4. Run Object Filler over the resulting file and then import it into the SmartCenter
Example: Renaming objects (4)
• Step 5. Log in to SmartDashboard and review the results
Example: Changing IP addressing
• Step 1. Export the objects with Object Dumper
• Step 2. Change the IP addresses you need to change
• Step 3. *Very* important: use “mod” object types in the CSV file, in the next column
  – If you do not do this, then ofiller will consider the objects new, and DBedit will face duplicate name errors
• Step 4. Run DBedit on the resulting files
• Step 5. Log in to SmartDashboard and review the results
Example: Changing IP addressing (2)
Special care should be taken with the object type in the CSV file. Please refer to the manual, section 9.4, page 25, for more details.
Example: Recovering from SmartCenter crash
• Every time you install a policy on the gateway, the relevant objects and policies are copied over.
  – $FWDIR/database/objects.C and rules.C
  – They are there even if the SmartCenter dies
• You can use them to recover your information
  – WARNING!: The procedure is NOT supported (but it works ;-)
  – Tested up to NGX R65 on *distributed* installations
Recovering from SmartCenter crash (2)
• Step 1. Copy objects.C to your PC
  – Use SCP or FTP to do it. Remember it is a text file
• Step 2. Run odumper on it
Recovering from SmartCenter crash (3)
• Step 3. Review the resulting file
• Step 4. Use ofiller to produce the relevant DBedit commands
  – You already know how to perform this step!
Provider-1 support
• ofiller/odumper support operations at MDS and CMA level
  – It requires you to use mdsenv to set the appropriate environment for the CMA
• Due to the “standalone” nature of the tools, operations among CMAs, MDS and SmartCenters are possible
  – Such as copying objects from a CMA to a SmartCenter
• For more information, please refer to the document “Manipulating objects and rules on Provider-1/SiteManager-1 with Object Filler and Object Dumper” included with the tools
Provider-1 support (2) (diagram)
• OFiller / ODumper <-> SmartCenter: objects, rules
• OFiller / ODumper <-> CMA: objects, rules
• OFiller / ODumper <-> MDS (Global DB): objects
Documentation
• There’s a document (User’s Manual) included in the program’s distribution file.
  – It covers lots of details on how the programs work.
  – Including tested environments and known limitations
• There are other documents describing special scenarios, such as use in Provider-1 / SiteManager-1 environments.
• Questions can be sent to me if you like
  – I will try to address them
  – A public PGP key is available in the tools’ package
• Recommended path: Talk to your Check Point SE about ConfWiz.
Warnings
• Always remember that the tools are not officially supported.
  – Just in case, get approval from the proper entity that has the authority to allow the use of unsupported tools in your specific environment
• Always perform a backup before doing any operation
  – You never know… and you are playing with your security configuration. So, be careful…
• If possible, test in a lab environment first, whatever you are planning to do with the tools
  – An alternate machine where the whole configuration is restored is an option
  – VMware is another (very good) option.
Tools availability
• FREE tools
• They are publicly available on the Internet from the following known sites:
  – http://ofiller.chatscope.com
  – http://www.cpug.org/check_point_resources.htm
  – http://fireverse.org/?page_id=88
• Tools supported natively on the following OSs:
  – Windows (2000, XP, Vista); Red Hat Linux (I assume other distributions as well); SecurePlatform (tested up to R62) and SUN Solaris
  – They don’t require installation at all. Just execute them.
ConfWiz
• Recently (May 2009) released program to
  – Export Cisco configurations to an XML database
  – Export SmartCenter config to XML
  – Import XML config into a SmartCenter
• It promises to be ofiller/odumper’s next step.
• Officially supported by Check Point
  – You may log a support call on it.
• Supports SmartCenters and CMAs (not MDS)
ConfWiz - Architecture (diagram)
• Processor (export) for Cisco configuration files/databases
• Data storage / processing tools: open-format XML with a defined schema
• Command-line API for import/export of objects/tables
• Scripts/tools CHKP provides (possibly with open source) for import/export/manipulation
• Open source community that contributes scripts for configuration processing
• CPMI access layer API -> CPMI repository
ConfWiz Useful Links
• Home page: http://supportcontent.checkpoint.com/solutions?id=sk41719
• Official forum: https://forums.checkpoint.com/forums/forum.jspa?forumID=46
• CPUG forum: http://www.cpug.org/forums/confwiz/
• Documentation: http://downloads.checkpoint.com/dc/download.htm?ID=8649
Final comments
• There are command line tools for object manipulation in Check Point SmartCenter Servers and Provider-1 environments
• The tools can be used in conversion scenarios: from other firewall brands to Check Point.
  – Today objects and rules are supported. Better support for rules (such as NAT rules) is planned.
• They give a good way to “rebuild” systems from scratch, without losing too much time rebuilding objects
• You can use them in several scenarios where using a GUI isn’t optimal
  – And with this, reduce times a lot.
  – There are reports where the tools have saved days of type-and-click
By the way…
• The tools are free, but you can give back…
  * http://iccf-holland.org/click5.html
  * http://www.google.com/search?q=Donate+Cancer+Foundation
  * http://www.mexico-child-link.org/
  * http://www.cruzrojamexicana.org/donativos/portarjeta.php
  * http://www.redcross.ca/
  * http://www.unicef.org/
  * http://www.apac.org.mx
  * http://www.msf.ca/
  * http://www.teleton.org.mx
  * http://www.savethechildren.org/
  * http://www.mexfam.org.mx/
  * http://www.redcross.org/
  * http://www.oxfam.org/
And last but not least, thank you…
• ofiller thanks
• Special thanks to the SmartCenter and Provider-1 teams through the years…
Dissecting Object Filler and Object Dumper
Thank you! Questions?
Martín Hoz <martinhoz@gmail.com>
CPUG CON Europe - Switzerland, September 8th, 2009