Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sorin_Gogean
Advisor

Objects Utilization Report

Hello everyone,

 

We're in a process to clean-up the old objects that we have on our CheckPoint environment. For that, we were using until last year, usage reports on rules/groups/objects from AlgoSec, but today that option is not available anymore.

 

As example:

Untitled.png

 

So, can you recommend a way to generate some Usage Reports on Groups/Objects, so we would easily identify the "obsolete" ones.

 

Thank you,

25 Replies
Timothy_Hall
Champion
Champion

I don't think you can can easily determine which objects are hit the most without doing some heavy log crunching with something like Algosec.  However there is a hidden option in the Object Explorer that can show you completely unused objects:

unused.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Sorin_Gogean
Advisor

Hey @Timothy_Hall ,

 

Thank you for pointing that out,

I was aware of that option, but it shows the defined objects that are not used in any rule.

And most definitely we can use that for clean-ups of orphaned objects, but like you concluded we're looking for the other option "doing some heavy log crunching with something like Algosec".

In the end I'll play dumb and get an AlgoSec Demo for a month or so, and still have some better view/reporting, if no other tool can do this.

 

Ty,

 

 

 

0 Kudos
Matlu
Advisor

Hello,

Can I be 100% sure and confident that this option shows me all those objects that are not being used, and therefore, I can safely remove them from the SMS?

I currently have an SMS Smart-1, which is showing me more than 500 Items "apparently" that are not being used.

UNOB.png

Greetings.

the_rock
Legend
Legend

Hey bro,

Yes, I am 100% POSITIVE the ones that show up in unused objects are indeed unused. I feel confident about it, because I went over that in at least 5 different labs and 2 of them had probably close to 100 objects showing there and I clicked on "where used" on every single one of them and it was not used anywhere. I always say to people, just to be on the safe side, you can do the same, but backup/migrate_server is better to have, just in case.

Andy

0 Kudos
Matlu
Advisor

Thank you for clarifying my doubt.

One question I have is, deleting such a large number of objects (more than 500), doing it manually through the SmartConsole, is too exhausting.

Are there ways/options to delete such amount of objects that are already "unusable"?

Thank you. 🙂

0 Kudos
the_rock
Legend
Legend

Yes, you have to keep clicking CTRL to highlght as many as you can and then delete them.

Andy

 

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend

You can also do CTRL+A to highlight all of them, but does not always work lol

Andy

0 Kudos
Matlu
Advisor

Thank you.

I will delete all the objects listed as "not used".

Some objects in the MODIFIER field are listed as "WEB API" and "System".

I guess that shouldn't worry us, right?

As long as they are listed as unused, we can delete them with peace of mind.

0 Kudos
the_rock
Legend
Legend

Si senor 🙂

0 Kudos
Bob_Zimmerman
Authority
Authority

One SUPER IMPORTANT NOTE: Automatic NAT counts as a property of the object, not as a use of the object. Deleting an object which has automatic NAT rules can break stuff, even if Where Used says the object is not used.

0 Kudos
Timothy_Hall
Champion
Champion

Yes as @the_rock said the Unused Objects is 100% accurate.  In much older releases there was an issue where objects could show up here even though they implemented needed Automatic NAT rules in their properties, and when the objects were removed the results were...unfortunate for NAT functionality.  Thankfully that was fixed long ago.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Bob_Zimmerman
Authority
Authority

Unfortunately, still an issue as of R81.10 jumbo 110.

Automatic NAT doesn't use objects.png

(1)
Henrik_Noerr1
Advisor

wow, that is toxic.

Thanks for bringing it up

0 Kudos
the_rock
Legend
Legend

I noticed in R81.20 as well..

0 Kudos
Timothy_Hall
Champion
Champion

Reading this thread I knew something was wrong here as I remember this issue being fixed.  I tested it in my lab and what I remember being rectified is not the "Where Used" function that @Bob_Zimmerman correctly points out, but the "Unused Objects" setting on the Objects Explorer, which does exhibit the proper behavior when Automatic NAT rules are present as shown below.  This was on R81.20 but I'm confident the fix was introduced somewhere in R80.X0 releases:

nat1.pngnat2.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend
Legend

Yep, thats 100% the case. Just did it in my R81.20 lab and exact same results. 

Andy

0 Kudos
Matlu
Advisor

Hello,

So, according to the latest comments I'm reading.

It is no longer 100% safe to "delete everything" that appears in "Unused Objects"?

I would still have to manually check every single object before "deleting" it?

😞

Greetings.

0 Kudos
the_rock
Legend
Legend

If there is nat on the object, then it will NOT show as hidden. Sorry, I meant unused.

Andy

0 Kudos
Matlu
Advisor

If I have an object with an "AUTOMATIC NAT", will this type of object not appear in the "UNUSED OBJECTS" list?

This is my understanding.

Is my interpretation correct?

Then, I can "recover" the faith in the UNUSED OBJECTS (and delete what appears in this list, without fear).

😇

0 Kudos
the_rock
Legend
Legend

Correct bro. Any object with nat, static or dynamic, will NOT appear in unused object.

Andy

0 Kudos
Matlu
Advisor

Ok.

Then, I can debug, without fear.

Thanks for your help.

0 Kudos
the_rock
Legend
Legend

No problem.

0 Kudos
the_rock
Legend
Legend

Regardless, I would still always generate backup/migrate_server.

Andy

0 Kudos
Matlu
Advisor

Oka.

I see that you recommend, to take the backup, with the "migrate_server export".

Is it no longer recommended to use the "migrate export"?

0 Kudos
the_rock
Legend
Legend

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events