Unique? Non-Unique? What to choose?
I am trying to change the following network object:
10.188.172.0/24
to
10.188.172.0/23
I receive the following error/pop-up:
"This IPv4 address is unique and already used by one or more networks in the system. Would you like to define this network's IPv4 addresses as non-unique?"
What does that mean and what do I choose? I do already have another object that is 10.188.173.0/24. Is that the conflict?
When you get this message, it simply means there is already an object with the exact same network (IP and mask).
So if you choose to make it non-unique it will create the duplicate, only thing is that you have it with a different name.
How did this happen, you might think? Well, when you do a 'Get interfaces WITH Topology', SmartConsole will create a network object for every route that you have. The same goes for VSX: when you add a route, a new network object is created.
The problem with these objects is that they are partially hidden: you can add them to a rule, but you don't see them in the object explorer.
Hope this helps.
What additional implications or possible issues does making an object non-unique have?
Sometimes there are reasons to create a host with the same IP as a gateway, especially when creating some very specific NAT rules. For most other reasons you should try to stay away from creating them and use the existing object instead.
Still confused. I get the following additional error after saying YES to object 10.188.172.0/24 being non-unique:
"There are one or more non-unique address ranges contained in this range. Would you like to replace the existing ranges by this one?"
Some additional background:
I have 2 network objects:
- Network_10.188.172.0_24_WEB (10.188.172.0/24). It is used in about 10 rules
- Net_10.188.172.0_23 (10.188.172.0/23). It is used in an interface antispoofing group.
I would prefer to have the 2 network objects as the one is labelled properly for the rules and the other is labelled properly for the antispoof group. But I guess best practice would dictate to only have one.
The point here is that the Net_10.188.172.0_23 was created by the 'Get interfaces WITH Topology' function; the way this is created is that it is partially invisible. Having said that, this error / warning should not appear with these 2 networks, as the one is a /23 and the other is a /24; next to that, the name is different.
For anti-spoofing you need the full range that lives behind a specific interface, but for the access rules you sometimes need a smaller subnet, like a /25, to give it specific access to something.
Are these objects real network objects, or are they address range objects, as it says in your error message?
Both networks were created manually as they were not part of the original topology of the environment, and then the /23 was added to the antispoofing group. Multiple admins have worked on this policy since its inception and one of them created the /23 for the antispoofing, then later a request was made to use the /24's in the policy. We are now doing a cleanup of the policy and it's been requested to make the /24 a /23 - then we get the error about non-unique.
I guess I will just rename the /23 to something more appropriate and put it in each rule that has the /24 currently (and remove the /24 from the rule as well) as the desire is to have the /23 in the rules (not 2 /24's).
The thing here is that it should not nag about this as they have different subnet masks and should not be seen as the same.
Ohh wait a minute, you are on R77.30 AND you have SmartMap turned on, don't you?
Go into global preferences and in the SmartMap page turn it OFF!!
Sorry, needed to scroll back and reread your original question. You have a net/24 and you have another net/23 and you want to change the Net/24 to Net/23 and then it starts nagging.
Ok here is what you do:
- Change the /23 object to set it to another network, i.e. change the 10 to 100
- Change the /24 object to the wanted /23
- Open the anti-spoofing group and replace the old /23 with the correct /23
- Delete the original /23
Done.
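
A pre-change check for the situation discussed in this thread, as an added example that is not part of any post and not Check Point tooling: before resizing a network object, it lists which other objects would become exact duplicates (same address and mask) and which would be contained in the new range. The inventory is constructed from the object names in the thread; `Net_10.188.173.0_24` is a hypothetical name for the unnamed 10.188.173.0/24 object.

```python
import ipaddress

# Constructed inventory: names and prefixes of the first two objects come from
# the thread; "Net_10.188.173.0_24" is a hypothetical name for the poster's
# unnamed 10.188.173.0/24 object.
INVENTORY = {
    "Network_10.188.172.0_24_WEB": "10.188.172.0/24",
    "Net_10.188.172.0_23": "10.188.172.0/23",
    "Net_10.188.173.0_24": "10.188.173.0/24",
}


def check_resize(inventory, name, new_cidr):
    """Report how resizing object `name` to `new_cidr` relates to the others."""
    # strict=True rejects prefixes with host bits set, e.g. 10.188.173.0/23.
    new_net = ipaddress.ip_network(new_cidr, strict=True)
    report = {"exact_duplicates": [], "contained_in_new": [], "contains_new": []}
    for other, cidr in inventory.items():
        if other == name:
            continue
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != new_net.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        if net == new_net:
            report["exact_duplicates"].append(other)   # same address and mask
        elif net.subnet_of(new_net):
            report["contained_in_new"].append(other)   # smaller net inside new range
        elif new_net.subnet_of(net):
            report["contains_new"].append(other)       # existing supernet
    return report


def find_duplicates(inventory):
    """Group object names that already share the exact same address and mask."""
    groups = {}
    for name, cidr in inventory.items():
        groups.setdefault(ipaddress.ip_network(cidr), []).append(name)
    return {str(net): sorted(names) for net, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    print(check_resize(INVENTORY, "Network_10.188.172.0_24_WEB", "10.188.172.0/23"))
    print(find_duplicates(INVENTORY))
```

Objects reported under `exact_duplicates` are candidates for reuse in the rules and the anti-spoofing group instead of creating a second object with the same range.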
