
Unused Objects Cleanup

Is there an easy way in R80.10 to clean up all unused objects, or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects, and I don't want to have to manually do a "Where Used" on every object just to find the stale ones.


Thanks!


Re: Unused Objects Cleanup

Yes, you can do this in the R80.10 Object Explorer. Open the Object Explorer pane and click on the * All drop down. You can change it to Unused Objects from there.

Re: Unused Objects Cleanup

Will these unused objects exist on the firewall? Logically, if an object entity is not referenced in the firewall policy, it will not be pushed to the gateway. Can anyone confirm this point?

thanks in advance


Re: Unused Objects Cleanup

The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule base. For example, using them in the VPN Domain of a gateway's properties, or changing a Service object and then using it in the Inspection Settings.

Please note that the number of network objects that are pushed to a gateway does not impact performance on a gateway.

Re: Unused Objects Cleanup

Is it true for R77.30 too?

I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.

I didn't notice any very big files in $FWDIR/state/<fw_name>/FW1/. Are objects converted and compiled into much smaller files for transfer to gateways? The <policy>.pf file has only rules, I suppose. Are objects included in the .cpp file? How can I check the size of only the objects that are sent to a gateway?


Re: Unused Objects Cleanup

Aleksei Shelepov wrote:

> Is it true for R77.30 too?
>
> I have a management server, where objects_5_0.C file is ~40 MB (legacy reasons, of course). It would be a bad idea to send the whole list of objects to 5 clusters during policy installation.

Why do you think it's a bad idea? Check Point gateways handle massive amounts of data even if the user-defined data is tiny.


Re: Unused Objects Cleanup

I think it is a bad idea not because I doubt the gateways' performance, but because the external link for some gateways might be only 1-2 Mb/s. And this branch office has its own traffic flowing on the same link. It would mean that the objects transfer alone for policy installation can take quite a lot of time.

Are all objects on the management server sent to all gateways? Or only objects used in one policy package, or something like that?

Let's assume we have one management server with a 100 MB objects file for branch office appliances (with a 2 Mbit/s connection) and datacenter appliances, but the policy packages are separate. Will all 100 MB of objects be transferred to the branch office gateways? Or maybe the objects are converted into much smaller files?

Actually, until now I was sure that only objects which are used in rules for a specific gateway are transferred to it.

Re: Unused Objects Cleanup

The policy is compiled on the Management server, then gets sent to the gateway.


Re: Unused Objects Cleanup

I understand that.

Ok Tomer, maybe it is just a misunderstanding or misinterpretation on the language level. I am really confused right now. So, let's get back on the same page again.

Could you please explain what you mean by this phrase?

> The reason why all network objects get sent to the gateway, even if they are not referenced, directly or indirectly, is because sometimes there are implications without referencing these objects in the rule-base.

I'm trying to understand whether a gateway "knows" about absolutely all network objects configured on its management server. Even if an object is unused (confirmed with "Where Used?"), even if the object is not used in this policy package, even if an object is only in a rule for a different gateway (the "Install On" column in rules)... Will a gateway still have information about all these objects?

And if the first part is true, and if our current file with all objects on the management server (objects_5_0.C) is around 50 MB (or 100 MB, or just 2-3 million objects on the server), then how big (approximately) would the compiled policy with all objects that is sent to a gateway be?

What about service objects and groups? Are they also all sent to a gateway?


Re: Unused Objects Cleanup

As far as I know, they are also sent to the gateway as well.


Re: Unused Objects Cleanup

Hello All

Thanks for your feedback. Moreover, do we have any limitations on holding object entities and policy rules, like Juniper and FortiGate, where what you can create is limited per device model?


Re: Unused Objects Cleanup

There are no limitations.

Hope this helps.


Re: Unused Objects Cleanup

Correct, all objects, even if unused, are sent to the gateway as part of its compiled policy; you can see this for yourself by inspecting the $FWDIR/state/__tmp/local.objects file on the firewall.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Unused Objects Cleanup

There is no logic that cleans the unused objects from objects.C (the file that represents the network objects on the gateway).


Re: Unused Objects Cleanup

Hello!

Can anybody confirm this:

The view "Unused Objects" does not check if there is an auto-NAT configured on an object. So if the object is not used in a rule (but there is an auto-NAT configured), the object is marked as "unused".

Is there another way to find the really unused objects (with NO auto-NAT configuration)?

Maybe Check Point can improve this feature. 🙂

Best regards

Martin

Re: Unused Objects Cleanup (Accepted Solution)

Just tried this in R80.10 & R80.30 demo mode. Created a new host object in the SmartConsole with no auto-NAT and it came up as unused in Objects Explorer. Set an automatic NAT for the object and it immediately disappeared from the list of unused objects. Turned the NAT back off and it reappeared in the unused list. Looks like it has already been resolved.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Unused Objects Cleanup

Hello!

Great, thank you for the test.

Best regards

Martin


Re: Unused Objects Cleanup

Is there any way to access that via API or the directory?

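On the API question: the R80.10+ Management API exposes the same list as the Objects Explorer view through the `show-unused-objects` command (paged with `limit`/`offset`, with `from`/`to`/`total` in each reply), and `show-object` returns an object's full definition including `nat-settings.auto-rule`. The script below is an added example, not code from this thread or from Check Point. It pages through the unused list and then separately flags any entry that still carries an automatic NAT rule, so the auto-NAT concern raised above can be cross-checked before anything is deleted. The management host, credentials and the `SAMPLE_DB` objects are constructed placeholders, and the `fake_api_call` stub stands in for the HTTPS client so the paging and filtering logic runs without a management server.

```python
"""List unused objects via the Check Point Management API and flag auto-NAT.

Added example, not from the thread or from Check Point. Assumes the R80.10+
Management API commands 'show-unused-objects' and 'show-object'; the host,
credentials and the SAMPLE_DB entries are constructed placeholders.
"""
import getpass
import json
import os
import ssl
import sys
import urllib.request


def page_unused_objects(api_call, page_size=50):
    """Collect every unused object, following the API's from/to/total paging."""
    offset, found = 0, []
    while True:
        reply = api_call("show-unused-objects",
                         {"limit": page_size, "offset": offset,
                          "details-level": "standard"})
        objects = reply.get("objects", [])
        found.extend(objects)
        offset = reply.get("to", offset + len(objects))  # 'to' = count returned so far
        if not objects or offset >= reply.get("total", 0):
            return found


def has_auto_nat(detail):
    """True when the object definition carries an automatic NAT rule."""
    return bool(detail.get("nat-settings", {}).get("auto-rule", False))


def unused_report(api_call, page_size=50):
    """Return (candidates, flagged): plain unused objects, and unused objects
    that still own an automatic NAT rule and deserve a second look."""
    candidates, flagged = [], []
    for obj in page_unused_objects(api_call, page_size):
        reply = api_call("show-object", {"uid": obj["uid"], "details-level": "full"})
        detail = reply.get("object", reply)  # show-object wraps the result in 'object'
        entry = {"uid": obj["uid"], "name": obj.get("name"), "type": obj.get("type")}
        (flagged if has_auto_nat(detail) else candidates).append(entry)
    return candidates, flagged


class MgmtApi:
    """Minimal HTTPS client: JSON POST to /web_api/<command>, session id in X-chkp-sid."""

    def __init__(self, host):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        self.ctx = ssl.create_default_context()  # TLS is verified; trust the mgmt CA cert

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command,
                                     data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read().decode())

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        self.call("logout", {})
        self.sid = None


# Constructed sample data standing in for a management server (not real objects).
SAMPLE_DB = {
    "h1": {"uid": "h1", "name": "old-web-srv", "type": "host",
           "nat-settings": {"auto-rule": False}},
    "h2": {"uid": "h2", "name": "branch-dmz", "type": "host",
           "nat-settings": {"auto-rule": True, "method": "static"}},
    "n1": {"uid": "n1", "name": "legacy-net", "type": "network",
           "nat-settings": {"auto-rule": False}},
}


def fake_api_call(command, payload):
    """Offline stand-in for MgmtApi.call that serves SAMPLE_DB page by page."""
    if command == "show-unused-objects":
        ids = sorted(SAMPLE_DB)
        off = payload["offset"]
        page = ids[off:off + payload["limit"]]
        objs = [{"uid": u, "name": SAMPLE_DB[u]["name"], "type": SAMPLE_DB[u]["type"]}
                for u in page]
        return {"objects": objs, "from": off + 1, "to": off + len(page), "total": len(ids)}
    if command == "show-object":
        return {"object": SAMPLE_DB[payload["uid"]]}
    raise ValueError(f"unexpected command {command}")


if __name__ == "__main__":
    host = os.environ.get("CP_MGMT")  # placeholder: management server address
    if host:  # live run: report only, nothing is deleted
        api = MgmtApi(host)
        api.login(os.environ.get("CP_USER", "admin"), getpass.getpass("API password: "))
        try:
            cands, flags = unused_report(api.call)
        finally:
            api.logout()
    else:  # no server configured: run against the constructed sample
        cands, flags = unused_report(fake_api_call, page_size=2)
    json.dump({"unused": cands, "unused_but_auto_nat": flags}, sys.stdout, indent=2)
```

On the management server itself the same listing is available without a script, for example `mgmt_cli -r true show unused-objects limit 50 offset 0 --format json`. Either way, since the thread notes that objects can matter outside the rule base (a gateway's VPN domain, Inspection Settings), treat the output as a review list rather than a delete list.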