abihsot__
Advisor

policy search - negated cell

Hi there,

Not a big deal, but a little bit annoying: when searching in the policy for something, you get a result matching a negated cell. Sure, the object is there, but a negated cell logically means "NOT this object".

Using mode: Packet, the result is the same.

8 Replies
PhoneBoy
Admin

When you search a layer for an object, you're searching for all occurrences of the object in the policy.
Since that object occurs in the policy (albeit with negation), it's still used in the policy.
I consider that expected behavior.

Packet Mode is probably doing the same kind of search against the policy layer.
There, it doesn't entirely make sense to show the negated result.
Recommend a TAC case to clarify this case.

abihsot__
Advisor

I would disagree, because when you search in the policy you are looking for applicable rules, not a particular object. If you type "dst:10.1.1.1", the host object might not exist; however, a rule with a network covering that host will be displayed. Probably not many people use negated cells, and that's why it is not bothering others.

Bob_Zimmerman
Advisor

Meanwhile, when I search for an object, it's almost always because somebody built a copy of that server, and they didn't keep track of their own firewall tickets, so I have to add it everywhere the original exists. Thus, I want rules where it is in a negated cell.

abihsot__
Advisor

Maybe I was always looking at policy search from a different angle, but isn't the "where used" function built to search for the object's usage in the policy? There you can compare locations and click replace.

Bob_Zimmerman
Advisor

That works when all of the admins care about cleanliness and use existing objects rather than making new ones.

I have seen SmartCenters with twelve objects for 10.0.0.0/8. TWELVE. All used in different places. Two had automatic NAT (to different addresses, because why not), but most of the others were identical except for the names.

My current environment isn't quite that bad, but it's still bad.

abihsot__
Advisor

I feel your pain 🙂 With multiple objects on the same IP/net, I usually use "where used" and verify the policy rule numbers to make an exact match before removing the duplicate. Of course, automatic NAT gives some additional "fun".

Timothy_Hall
Champion

What version are you using? Negated objects seem to be handled properly by packet mode searches in R80.40 for me:

[image: packet_negate.png]

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
abihsot__
Advisor

Sorry, my bad. Indeed, after another test, "mode: Packet" does not show negated rules.

So now the question is: what is the logic, according to Checkpoint, for a regular rulebase search...

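As an added illustration of the two behaviours the thread contrasts (the object search that PhoneBoy describes, which reports every rule referencing an object, negated cell included, and the packet-mode search that Timothy_Hall and the original poster confirm excludes rules whose negated cell contains the address), here is a small Python model of a rulebase with negated cells. This is example code written for this page, not Check Point's own search logic or any SmartConsole API; the object names, rule numbers and addresses are constructed, and "Any" is modelled as a cell entry that matches every address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed object table: name -> network, or None for "Any".
OBJECTS = {
    "Any": None,
    "Host_10.1.1.1": ipaddress.ip_network("10.1.1.1/32"),
    "Net_10.1.1.0": ipaddress.ip_network("10.1.1.0/24"),
    "DMZ_192.168.5.0": ipaddress.ip_network("192.168.5.0/24"),
}


@dataclass(frozen=True)
class Cell:
    """One column cell: a set of object names, optionally negated."""
    objects: tuple
    negate: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    src: Cell
    dst: Cell


# Constructed rulebase. Rule 2 uses a negated destination cell.
RULEBASE = [
    Rule(1, Cell(("Any",)), Cell(("Host_10.1.1.1",))),
    Rule(2, Cell(("Any",)), Cell(("Net_10.1.1.0",), negate=True)),
    Rule(3, Cell(("DMZ_192.168.5.0",)), Cell(("Net_10.1.1.0",))),
    Rule(4, Cell(("Any",)), Cell(("DMZ_192.168.5.0",))),
]


def where_used(rulebase, obj_name):
    """Object search / "where used": every rule that references the object
    by name in any cell, whether or not that cell is negated."""
    return [
        r.number
        for r in rulebase
        if any(obj_name in cell.objects for cell in (r.src, r.dst))
    ]


def cell_matches(cell, ip):
    """True if the address satisfies the cell. Negation inverts the
    membership test, so a negated cell that contains the address fails."""
    hit = any(
        OBJECTS[name] is None or ip in OBJECTS[name] for name in cell.objects
    )
    return hit != cell.negate


def packet_search(rulebase, src_ip, dst_ip):
    """Packet mode: rules whose cells would actually match the packet.
    Matching is by address containment, so a rule with a network object
    covering the host matches even if no host object exists, and a rule
    whose negated cell contains the address is excluded."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [
        r.number
        for r in rulebase
        if cell_matches(r.src, src) and cell_matches(r.dst, dst)
    ]


if __name__ == "__main__":
    print("where used Net_10.1.1.0:", where_used(RULEBASE, "Net_10.1.1.0"))
    print("packet 192.168.5.10 -> 10.1.1.1:",
          packet_search(RULEBASE, "192.168.5.10", "10.1.1.1"))
    print("packet 192.168.5.10 -> 172.16.0.9:",
          packet_search(RULEBASE, "192.168.5.10", "172.16.0.9"))
```

The two searches disagree exactly on the negated rule: `where_used` for the network object reports rule 2, because the object is referenced there, while `packet_search` for a destination inside that network skips rule 2 and instead returns rule 2 only for a destination outside the network, which is what "NOT this object" means at enforcement time.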