Scripting gurus, should one of you have a chance, please help with the script for identification and deletion of the automatically created network objects.
These are created based on topology of the gateways and/or static routes.
When "get interfaces with topology" is executed or when newly deployed gateway objects with static routes are created, a number of networks starting with "Net_" are created that are impossible to delete from SmartConsole, but are present and visible in the group membership selection window.
I suspect that the script to identify and remove those will be welcome, especially if it could differentiate between automatically created objects and those defined manually or via scripts, even if using same prefix.
Thank you,
Vladimir
They are kept there for revision rollbacks so probably not too smart to delete them. But otherwise you would have to use dbedit commands as API does not show "hidden" networks created by automatic topology process. If you look at this bit "cdm_auto_calculated", true will hide the object from being visible in console / API.

You can list all the "invisible" networks that are not used in any groups using this one-liner:

```
names=($(echo -e "query network_objects,cdm_auto_calculated='true'\n-q\n" | dbedit -local | grep "Object Name:" | sed 's/Object Name: //')); for name in "${names[@]}"; do if [ `echo -e "whereused network_objects $name\n-q\n" | dbedit -local | grep -c "Numebr of results: 0"` -eq 1 ] && [ `echo -e "print network_objects $name\n-q\n" | dbedit -local | grep -c "type: group"` -eq 0 ]; then echo $name; fi; done
```

It will be fairly slow as it's running dbedit commands. To delete you will have to replace the last echo used to print out with

```
echo -e "delete network_objects $name\n-q\n" | dbedit -local
```

I would not run it in production without lab testing. Worked OK on some CMAs that I tried on.
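A dry-run-first variant of the one-liner above, as an added example that is not part of the thread: it lists candidates for review and deletes only names that still pass the same checks at deletion time. It uses only the dbedit commands and output strings that appear in the one-liner; the function names, the name whitelist and the review-file workflow are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. dbedit commands and matched output
# strings are copied from the one-liner; function names are assumptions.

# Send one dbedit command followed by -q, as the one-liner does.
db() { printf '%s\n-q\n' "$1" | dbedit -local; }

# Names of network objects flagged cdm_auto_calculated.
auto_networks() {
    db "query network_objects,cdm_auto_calculated='true'" |
        sed -n 's/^.*Object Name: *//p'
}

# True when whereused reports zero references (string exactly as the one-liner greps it).
is_unused() { db "whereused network_objects $1" | grep -q "Numebr of results: 0"; }

# True when the object is a group.
is_group() { db "print network_objects $1" | grep -q "type: group"; }

# Print deletion candidates: auto-calculated, unreferenced, not a group.
candidates() {
    auto_networks | while IFS= read -r name; do
        # Assumed whitelist: skip empty names and characters that could alter the dbedit command.
        case $name in ''|*[!A-Za-z0-9_.-]*) continue ;; esac
        if is_unused "$name" && ! is_group "$name"; then printf '%s\n' "$name"; fi
    done
}

# Delete names from a hand-reviewed file, re-checking each one first.
delete_reviewed() {
    current=$(candidates)
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$current" | grep -qxF -- "$name"; then
            db "delete network_objects $name" >/dev/null && printf 'deleted %s\n' "$name"
        else
            printf 'skipped %s\n' "$name"
        fi
    done < "$1"
}

# Usage: script --list > review.txt ; edit review.txt ; script --delete review.txt
case ${1:-} in
    --list)   candidates ;;
    --delete) delete_reviewed "$2" ;;
esac
```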
Jeez, Kaspars, that one-liner wouldn't fit in a twitter post
Dameon Welch-Abernathy claims that these objects could be deleted via API. I'd like to hear from him if the deletion requires manual definition of the objects or if 1.3 allows us to pull those out and feed them into delete object.
Could be. I only looked at 1.1 / R80.10 and that did not show those objects.
I was able to do it in R80.10 from the CLI, (and thus the API) as I recall.
Haven't seen the issue again to validate.
100% correct - it was only Console that hides some nets, not API. So I can take my words back
Whereas API and dbedit return two extra
But it is visible in the group it's used in Console
Is this a Console bug Dameon? I know it worked OK in R77.30
I guess the only limitation with API is that we cannot see if network was created by topology generation process:
compare to dbedit:
Hi Vladimir,
I'd like to refer you to sk126872 if you have not read it yet. It is important to understand why these objects exist and make sure you do not use them before you delete them.
You can contact Check Point support in order to get this done.
Ari
Thank you Ari Heber. Unfortunately, these objects are being created not only when you perform "Get Interfaces with Topology", but as I have described earlier, also during creation of the gateway objects with static routes already pre-provisioned.
These network objects are conflicting with scripted ingestion of the actual network objects with intended properties defined.
What I would like to know is whether it is safe to delete those using Kaspars' suggested one-liner if they are NOT used in the topologies of the gateways (i.e. topology of each was re-defined manually with custom groups containing manually created networks).
In a situation where multiple gateways are destined for different sites, it is necessary to provision them with routes allowing communication with the management server.
Changing their properties individually via GuiDBedit is not really a viable option.
Regards,
Vladimir
Hi Vladimir,
These 2 flows are actually the same flow; when initializing a SIC with remote gateway the interfaces and the routes are fetched automatically by the management (same as in Get Interfaces With Topology).
Using the one-liner command is quite safe, the operation will fail if the object is used by an interface.
Ari
Does anyone know how to simply disable the auto-creation of these objects? These objects pollute our database too much, especially when we have more than 300 GW.