Evan_Fisher
Participant

Unused Objects Cleanup


Is there an easy way in R80.10 to clean up all unused objects, or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects, and I don't want to have to manually do a "Where Used" on every object just to find the stale ones.


Thanks!

1 Solution

Accepted Solutions
Timothy_Hall
Champion

Just tried this in R80.10 & R80.30 demo mode.  Created a new host object in the SmartConsole with no auto-NAT and it came up as unused in Objects Explorer.  Set an automatic NAT for the object and it immediately disappeared from the list of unused objects.  Turned the NAT back off and it reappeared in the unused list.  Looks like it has already been resolved. 

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com


17 Replies
Daniel_Taney
Advisor

Yes, you can do this in the R80.10 Object Explorer. Open the Object Explorer pane and click on the * All drop down. You can change it to Unused Objects from there.

R80 CCSA / CCSE
Kishorilal_CJ
Participant

Will these unused objects exist on the firewall? Logically, if the object entity is not referenced in the firewall policy, it will not be pushed to the Gateway. Can anyone confirm this point?

thanks in advance


The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule-base. For example, using them in the VPN Domain in a Gateway's properties, or changing a Service object and then using it in the Inspection Settings.

Please note that the number of network objects that are pushed to a gateway does not impact performance on a gateway.

AlekseiShelepov
Advisor

 Is it true for R77.30 too?

I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.

I didn't notice any very big files in $FWDIR/state/<fw_name>/FW1/. Are objects converted and compiled into much smaller files for transfer to gateways? The <policy>.pf file has only rules, I suppose. Are objects included in the .cpp file? How can I check the size of only the objects that are sent to a gateway?


Aleksei Shelepov wrote:

 Is it true for R77.30 too?

 

I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.

 

Why do you think it's a bad idea? Check Point gateways handle massive amounts of data even if the user-defined data is tiny.

AlekseiShelepov
Advisor

I think it is a bad idea not because I doubt the gateways' performance, but because the external link for some gateways might be only 1-2 Mb/s. And this branch office has its own traffic flowing on the same link. It would mean that just the object transfer for policy installation can take quite a lot of time.

Are all objects on the management server sent to all gateways? Or only objects used in one policy package, or something like that?

Let's assume we have one management server with a 100 MB objects file for branch office appliances (with a 2 Mbit/s connection) and datacenter appliances, but the policy packages are separate. Will all 100 MB of objects be transferred to the branch office gateways? Maybe objects are converted into much smaller files?

Actually, until now I was sure that only objects which are used in rules for a specific gateway are transferred to it.

The policy is compiled on the Management server, then gets sent to the gateway.

AlekseiShelepov
Advisor

I understand that.

Ok Tomer, maybe it is just a misunderstanding or misinterpretation on the language level. I am really confused right now. So, let's get back on the same page again.

Could you please explain what you mean by this phrase?

The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule-base. 

I am trying to understand whether a gateway "knows" about absolutely all network objects configured on its management server. Even if an object is unused (confirmed with "where used?"), even if the object is not used in this policy package, even if an object is in a rule for a different gateway (the "Install on" column in rules)... Will a gateway still have information about all these objects?

And if the first part is true, and if our current file with all objects on the management server (object_5_0.C) is around 50 MB (or 100 MB, or just 2-3 million objects on the server), then how big would the compiled policy with all objects that is sent to a gateway be (approximately)?

What about service objects and groups? Are they also all sent to a gateway?

PhoneBoy
Admin

As far as I know, they are also sent to the gateway as well.

Kishorilal_CJ
Participant

Hello All

Thanks for your feedback. Moreover, do we have any limitations on holding the object entities and policy rules, as with Juniper and FortiGate, where what you can create is limited per device model?


There are no limitations.

Hope this helps.

Timothy_Hall
Champion

Correct, all objects, even if unused, are sent to the gateway as part of its compiled policy; you can see this for yourself by inspecting the $FWDIR/state/__tmp/local.objects file on the firewall.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
Dan_Zaidman
Employee

There is no logic that cleans the unused objects from objects.C (the file that represents the network objects on the gateway).

Martin_Peinsipp
Contributor

Hello!

Can anybody confirm this:

The view "unused objects" does not check if there is an auto-NAT configured on an object. So if the object is not used in a rule (but there is an auto-NAT configured), the object is marked as "unused".

 

Is there another way I can find the real unused objects (NO auto-NAT configuration)?

 

Maybe Check Point can improve this feature. 🙂

 

Best regards

 

Martin


Martin_Peinsipp
Contributor

Hello!

Great, thank you for the test.

Best regards

Martin

Tom_McBrinn
Explorer

Is there any way to access that via API or the directory?

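Tom's question above goes unanswered in the thread; as an added example (not from any poster or from Check Point), here is how the same "unused objects" view can be pulled through the R80.10+ Management API with the `show-unused-objects` command, with each hit double-checked by `where-used` before being treated as deletable. The command names are the real API commands; the response field names, the host and session values, and the data returned by `fake_call` are assumptions constructed for this example.

```python
"""Added example (not from the thread): page through the Management API's
'show-unused-objects', then re-check each hit with 'where-used' before calling
it a cleanup candidate. Response field names and fake_call's data are assumed."""
import json
import urllib.request

def make_caller(host, sid=None):
    """Return call(command, payload) -> dict for https://host/web_api/<command>."""
    def call(command, payload):
        req = urllib.request.Request(f"https://{host}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json"})
        if sid:  # session id returned by the 'login' command
            req.add_header("X-chkp-sid", sid)
        with urllib.request.urlopen(req) as resp:  # server cert must be trusted
            return json.load(resp)
    return call

def unused_objects(call, page=500):
    """Collect (uid, name, type) across all pages of 'show-unused-objects'."""
    found, offset = [], 0
    while True:
        data = call("show-unused-objects", {"offset": offset, "limit": page})
        found += [(o["uid"], o["name"], o["type"]) for o in data.get("objects", [])]
        offset += page
        if offset >= data.get("total", 0):
            return found

def confirm_unused(call, uid):
    """Second opinion: 'where-used' with indirect=True also catches group membership."""
    usage = call("where-used", {"uid": uid, "indirect": True})
    direct = usage.get("used-directly", {}).get("total", 0)
    indirect = usage.get("used-indirectly", {}).get("total", 0)
    return direct == 0 and indirect == 0

def stale_objects(call):
    """Cleanup candidates: listed as unused AND confirmed by where-used."""
    return [o for o in unused_objects(call) if confirm_unused(call, o[0])]

# Constructed stand-in for a live management server so the logic runs offline.
def fake_call(command, payload):
    objs = [{"uid": "u1", "name": "old_host_a", "type": "host"},
            {"uid": "u2", "name": "old_net_b", "type": "network"},
            {"uid": "u3", "name": "svc_c", "type": "service-tcp"}]
    if command == "show-unused-objects":
        off, lim = payload["offset"], payload["limit"]
        return {"objects": objs[off:off + lim], "total": len(objs)}
    if command == "where-used":  # pretend u2 is still a member of a group
        hits = 1 if payload["uid"] == "u2" else 0
        return {"used-directly": {"total": 0}, "used-indirectly": {"total": hits}}
    raise ValueError(f"unexpected command {command}")
```

Against a real server, replace `fake_call` with `make_caller(host, sid)` after obtaining `sid` from the `login` command, and review the returned list before deleting anything in a published session.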