Re: CP "Unused Objects" compare with Tufin "Unatta...

vavava · ‎2022-12-11

Hi all
I got a task to check for unused objects on our FW, version 80.40.
We also have Tufin to managering our Network.
After I export CP "Unused_Objects" & Tufin "Unattached_Objects"
I can find out all CP "Unused_Objects" in Tufin "Unattached_Objects" list
and Tufin has more objects than CP.
I check up on those extra objects on CP & the result confuse me.
All those extra objects are not used in any policies or groups object & without NAT setting , why those objects did not show in "Unused_Objects" of Object Explorer.
As I know, As long as it meets "not in policy, Groups and no NAT setting, it belongs to "Unused_Objects"
Am i wrong or something wrong?

the_rock · ‎2022-12-11

I believe your assumption is 100% correct actually. That was always my thought as well. Just curious, what is the difference as far as what Tufin showed you for unused objects? Was the number way higher than the list you saw in smart console?

Best,
Andy

vavava · ‎2022-12-11

smartconsole show "483" objects, Tufin show "1098" objects.
Tufin 1098 objects contain all of "CP unused Objects (483).
I also via smartconsole to check object by "right click> Where Used" to confirm object and the windows show nothing, only display "No usages found"

Chris_Atkinson · ‎2022-12-11

Were the differences in objects accounted for by a particular type of object, those used in VPN or anti-spoofing settings (sk176150) perhaps?

Also how far back does your database revision history go?

CCSM R77/R80/ELITE

vavava · ‎2022-12-11

CP-> all of Network_objects, Tufin ->cleanup type "C06" Unattached network objects.
I'm not sure the relationship between "objects" and "VPN or anit-spoofing" on CP.
Maybe someone could help us to comprehend it.

"Also how far back does your database revision history go?"

>>> about 1 year 6 months

the_rock · ‎2022-12-12

I agree with @PhoneBoy . I also have a feeling that Tufin is finding unsused object on way different criteria than smart console. Maybe if you call their support and clarify this, we can all get a better idea, so it would most likely make more sense. Personally, I never used Tufin myself, so cant really comment on something I have no clue about or how it even works. I know on surface how it functions, but never seen it in action, so to speak : - )

Best,
Andy

PhoneBoy · ‎2022-12-12

What it sounds like is Tufin is finding “unused objects” we’re not showing as such, correct?
For us to troubleshoot this, we would need precise, detailed examples of objects Tufin discovered as unused that we do not identity as such.
This might be better done with the TAC as the underlying issue might be a bug.

vavava · ‎2022-12-12

I don't mean to say that "CP" is worse than Tufin.
I just don't know how to explain to my boss why the extra items shown on Tufin and not on CP.
I attach a photo and cover some words.

It look like no any different in boths host objects.

Is there any methods to show out more objects details ?

PhoneBoy · ‎2022-12-13

Details level full is as much as you can show about an object.
I assume when you query “where-used” on both objects, they show as unused, correct?
Like I said, a TAC case is probably necessary.

Are you a member of CheckMates?

CP "Unused Objects" compare with Tufin "Unattached Network objects"