This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Valenta
Advisor
‎2019-03-15 04:36 AM

Global object cleanup

https://github.com/adi0s/CPCleanupGlobalObject

 

This tools provides a way how to determine, if some global object created in Check Point global policy is used across all domains or not.

How does it work?

Get all network objects from global policy (hosts,networks,groups,address-range)
Get list of all domains on MDS
Search over each domain to check if particular object is used or not - using where-used api command
Write down results and generate API CLI commands for object deletion for each object type
By default is generating list of objects, which are not used in any domain or just used in one domain. Example: you have 12 domains on MDS and reported object is not used in any of 12 domains or it's just used on 1 domain from 12 (this kind of object should be only local object)

Requirements: Download and install the Check Point API Python SDK repository, follow the instructions in the SDK repository.

https://github.com/CheckPointSW/cp_mgmt_api_python_sdk

Written for python3, but if you put in first line also this: from future import print_function it should run on python2

How to use?

python global_object_cleaner.py -m management_ip -u username -p password -g "global domain name"

11 Replies
Ron_Izraeli
Employee
Employee
‎2019-03-15 08:20 AM

Very nice.

Check out SmartConsole Extensions platform to integrate this useful tool inside SmartConsole

Martin_Valenta
Advisor
‎2019-03-21 12:14 AM

@JozkoMrkvicka @Kaspars_Zibarts i believe that you guys have for sure environment with MDS, could you please test in your test/qa environments? Thanks!

JozkoMrkvicka
Authority
Authority
‎2019-03-21 02:15 PM
In response to Martin_Valenta

@Martin_Valenta wrote:

@JozkoMrkvicka @Kaspars_Zibarts i believe that you guys have for sure environment with MDS, could you please test in your test/qa environments? Thanks!

You will not believe me, but TODAY, I started to think about to script EXACTLY THE SAME, but for R77.30 🙂


Anyway, I do have testing R80.20 MDS with 5 CMAs, using Global policy. Some global objects are used, some not. Will revert back with more updates.

PS: In production environments, we are using also global services (TCP, UDP, group) and time objects. Maybe a suggestion for further extension of this script - let the user choose what to check (all, only network, only hosts, only ranges, only time objects).

Kind regards,
Jozko Mrkvicka
Martin_Valenta
Advisor
‎2019-03-25 01:54 AM
In response to JozkoMrkvicka

Thanks for suggestion with services!
0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2019-03-28 12:22 AM
In response to Martin_Valenta

Sorry Martin, won't have time right now, totally snowed under 😞 even ignoring checkmates for last two weeks 🙂
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-21 01:43 AM

nicely done, will test on SMS R80.20 with 4 Domains and let you know (VSX). Cheers!
Jerry
JozkoMrkvicka
Authority
Authority
‎2019-03-21 03:18 PM

The file itself has a name:
global_object_cleaner.py

But in instructions, it is stated that we need to run file:

How to use? python global_object_cleanup.py -m management_ip -u username -p password -g "global domain name"

If I run the script without any parameter, it will ask for username and once entered, the following pop-up:
image.png

Kind regards,
Jozko Mrkvicka
Martin_Valenta
Advisor
‎2019-03-22 02:53 AM
In response to JozkoMrkvicka

You run it with python2 right? It will be probably due to differente function on gathering input from console..Python2 have raw_input() and python3 just input.

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-03-26 02:21 AM
In response to Martin_Valenta

@Martin_Valenta wrote:

You run it with python2 right? It will be probably due to differente function on gathering input from console..Python2 have raw_input() and python3 just input.

Yep.

Anyway, what is the point to have output in CSV file? What about a simple text file with all relevant commands? Also, there is no message that the files were created and are stored in the same directory.

Kind regards,
Jozko Mrkvicka
PEO
Participant
‎2020-04-03 01:03 AM

Is this tool still the best or do you know of any who have developed on this matter?

My exact need, is actually to identify which impact a change of a global object will have in all domains.

Meaning, in what rulesets are the object in use?

0 Kudos
Martin_Valenta
Advisor
‎2020-04-03 01:12 AM
In response to PEO

This script is going over global objects and searching if their are used within each domain, if not then they are reported to be deleted.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top