Unused Objects Cleanup
Is there an easy way in R80.10 to clean up all unused objects, or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects, and I don't want to have to manually do a "Where Used" on every object just to find the stale ones.
Thanks!
Accepted Solutions
Just tried this in R80.10 & R80.30 demo mode. Created a new host object in the SmartConsole with no auto-NAT and it came up as unused in Objects Explorer. Set an automatic NAT for the object and it immediately disappeared from the list of unused objects. Turned the NAT back off and it reappeared in the unused list. Looks like it has already been resolved.
CET (Europe) Timezone Course Scheduled for July 1-2
Yes, you can do this in the R80.10 Object Explorer. Open the Object Explorer pane and click on the * All drop down. You can change it to Unused Objects from there.
Will these unused objects exist on the firewall? Logically, if the object entity is not referenced in the firewall policy it will not be pushed to the gateway. Can anyone confirm this point?
Thanks in advance
The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule-base. For example, using them in the VPN Domain in a Gateway's properties, or changing a Service object and then using it in the Inspection Settings.
Please note that the number of network objects that are pushed to a gateway does not impact performance on a gateway.
Is it true for R77.30 too?
I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.
I didn't notice any very big files in $FWDIR/state/<fw_name>/FW1/. Are objects converted and compiled into much smaller files for transfer to gateways? <policy>.pf file has only rules, I suppose. Are objects included into .cpp file? How can I check the size of only objects that are send to a gateway?
Aleksei Shelepov wrote:
Is it true for R77.30 too?
I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.
Why do you think it's a bad idea? Check Point gateways handle a massive amount of data even if the user-defined data is tiny.
I think it is a bad idea not because I doubt the gateways' performance, but because the external link for some gateways might be only 1-2 Mb/s. And this branch office has its own traffic flowing on the same link. It would mean that the objects transfer alone for a policy installation can take quite a lot of time.
Are all objects on the management server sent to all gateways? Or only objects used in one policy package, or something like that?
Let's assume we have one management server with 100 MB objects file for branch office appliances (with 2 Mbit/s connection) and datacenter appliances, but policy packages are separate. Will all 100 MB of objects be transferred to branch office gateways? Maybe objects converted into much smaller files?
Actually, until now I was sure that only objects which are used in rules for a specific gateway are transferred to it.
policy is compiled on the Management server, then gets sent to the gateway.
I understand that.
Ok Tomer, maybe it is just a misunderstanding or misinterpretation on the language level. I am really confused right now. So, let's get back on the same page again.
Could you please explain what you mean by this phrase?
The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule-base.
I try to understand if a gateway "knows" about totally all network objects configured on its management server. Even if an object is unused (confirmed with "where used?"), even if object is not used in this policy package, even if an object is in a rule for a different gateway (column "Install on" in rules)... Will a gateway still have information about all these objects?
And if the first part is true, and if our current file with all objects on the management server (object_5_0.C) is around 50 MB (or 100 MB, or just 2-3 million objects on the server), then how big would the compiled policy with all objects that is sent to a gateway be (approximately)?
What about service objects and groups? Are they also all sent to a gateway?
As far as I know, they are also sent to the gateway as well.
Hello All
Thanks for your feedback. Moreover, do we have any limitations on holding object entities and policy rules, like Juniper and FortiGate, where the number you can create is limited per device model?
There are no limitations.
Hope this helps.
Correct, all objects, even if unused, are sent to the gateway as part of its compiled policy. You can see this for yourself by inspecting the $FWDIR/state/__tmp/local.objects file on the firewall.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
There is no logic that cleans the unused objects from objects.C
( The file that represents the network objects on the gateway ).
Hello!
Can anybody confirm this:
The view "unused objects" does not check if there is an auto-NAT configured on an object. So if the object is not used in a rule (but there is an auto-NAT configured), the object is marked as "unused".
Is there another way to find out the real unused objects (NO auto-NAT configuration)?
Maybe Check Point can improve this feature. 🙂
Best regards
Martin
Hello!
Great, thank you for the test.
Best regards
Martin
Is there any way to access that via API or the directory?
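As an added example that is not part of this thread (it is not Check Point's code and was not posted by any participant), here is one way to do the same audit over the Management API instead of the Objects Explorer pane. It assumes the documented R80.x Management API commands show-unused-objects (offset/limit paged, like the other show-* commands), where-used and show-object behave as in the API reference, that host and network objects expose their automatic NAT setting as nat-settings.auto-rule, and that a transport function can be swapped in; the demo_transport below is a constructed in-memory stand-in for a management server so the script runs offline. It only reports: nothing is deleted or published, which is deliberate, because the thread itself shows that "unused" in the rule-base is not the same as safe to delete.

```python
"""Audit 'unused' objects on a Check Point management server.

Added example, not from the thread. Assumes the Management API commands
show-unused-objects, where-used and show-object (R80.x API reference) and a
nat-settings.auto-rule flag on host/network objects. Read-only: it writes a
report, it never deletes or publishes.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional

# transport(command, payload, sid) -> decoded JSON response
Transport = Callable[[str, dict, Optional[str]], dict]


def https_transport(base_url: str) -> Transport:
    """POST a command to <base_url>/web_api/<command>. Certificate verification is
    left on: the management server holds your entire policy, do not weaken this."""
    def post(command: str, payload: dict, sid: Optional[str]) -> dict:
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{base_url.rstrip('/')}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=60) as resp:
            return json.load(resp)
    return post


class UnusedObjectAuditor:
    def __init__(self, transport: Transport, page_size: int = 200):
        self.transport, self.page_size, self.sid = transport, page_size, None

    def call(self, command: str, payload: dict) -> dict:
        return self.transport(command, payload, self.sid)

    def login(self, user: str, password: str) -> None:
        # read-only session: this script reports and never changes the database
        self.sid = self.call("login", {"user": user, "password": password, "read-only": True})["sid"]

    def unused_candidates(self) -> List[dict]:
        """Page through show-unused-objects until 'total' is exhausted."""
        found, offset = [], 0
        while True:
            page = self.call("show-unused-objects",
                             {"offset": offset, "limit": self.page_size, "details-level": "standard"})
            found.extend(page.get("objects", []))
            offset += self.page_size
            if not page.get("objects") or offset >= page.get("total", 0):
                return found

    def references(self, uid: str) -> int:
        """Direct plus indirect references, i.e. the API form of 'Where Used'."""
        r = self.call("where-used", {"uid": uid})
        return r.get("used-directly", {}).get("total", 0) + r.get("used-indirectly", {}).get("total", 0)

    def has_auto_nat(self, uid: str) -> bool:
        """Assumption: hosts/networks carry nat-settings.auto-rule; other types lack the key."""
        obj = self.call("show-object", {"uid": uid, "details-level": "full"}).get("object", {})
        return bool(obj.get("nat-settings", {}).get("auto-rule", False))

    def audit(self) -> Dict[str, List[dict]]:
        """Split candidates into safe-to-delete and kept (with the reason they were kept)."""
        report: Dict[str, List[dict]] = {"safe-to-delete": [], "kept": []}
        for obj in self.unused_candidates():
            reasons = []
            if self.references(obj["uid"]):
                reasons.append("where-used still reports references")
            if self.has_auto_nat(obj["uid"]):
                reasons.append("automatic NAT configured on the object")
            entry = {"name": obj["name"], "type": obj["type"], "uid": obj["uid"], "reasons": reasons}
            report["kept" if reasons else "safe-to-delete"].append(entry)
        return report


def demo_transport() -> Transport:
    """Constructed stand-in for a management server: three 'unused' candidates, one with
    automatic NAT and one still referenced by a group, so both keep paths are exercised."""
    objects = {
        "h1": {"name": "old-web", "type": "host", "nat-settings": {"auto-rule": False}},
        "h2": {"name": "dmz-nat-host", "type": "host", "nat-settings": {"auto-rule": True, "method": "static"}},
        "n1": {"name": "legacy-net", "type": "network", "nat-settings": {"auto-rule": False}},
    }
    refs = {"n1": 1}  # legacy-net is still a member of some group

    def post(command: str, payload: dict, sid: Optional[str]) -> dict:
        if command == "login":
            return {"sid": "demo-session"}
        if command == "show-unused-objects":
            items = [{"uid": u, "name": o["name"], "type": o["type"]} for u, o in objects.items()]
            start = payload["offset"]
            return {"objects": items[start:start + payload["limit"]], "total": len(items)}
        if command == "where-used":
            return {"used-directly": {"total": refs.get(payload["uid"], 0)}, "used-indirectly": {"total": 0}}
        if command == "show-object":
            return {"object": objects[payload["uid"]]}
        raise ValueError(f"unexpected command {command}")
    return post


if __name__ == "__main__":
    auditor = UnusedObjectAuditor(demo_transport(), page_size=2)  # page_size=2 forces two pages
    auditor.login("api-user", "not-a-real-password")
    print(json.dumps(auditor.audit(), indent=2))
```

Against a real server, replace demo_transport() with https_transport("https://<mgmt-ip>") and a dedicated read-only API user. The same candidate list is also available from the shell on the management server with mgmt_cli (assumed syntax: mgmt_cli show unused-objects offset 0 limit 200 --format json), but the point of the script is the second pass: everything the API calls unused is re-checked with where-used and for automatic NAT before it is listed as deletable, and any actual delete and publish stays a separate, deliberate step.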
