This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SimonMeadows
Participant
‎2021-10-19 04:07 AM

Smart Connect Domain objects and Groups with exclusion

Hi,

I have a few more - pull request #27

  • 5dcac1d - Domain objects that already exist are imported with '_1' suffix
    • Domain objects 'Name' is the fqdn that is meaningful for dns etc.
    • I have changed it to forcibly not rename and skip any domains that already exist
    • This means any rules with the fqdn will use the already existing object
  • bd0f6cd - GroupWithExclusion does not have any ['Members']
    • The GroupWithExclusion has an ['Include'] and ['Except'] but no ['Members']
    • I have added a check for when the code reached the processGroupWithMembers function to skip it if it is a GroupWithExclusion
  • 726b02c - any not accepted as an object for rules ** IMPORTANT - not fully tested **
    • on multiple occasions I get 'WARN: Requested object [any] not found'
    • to fix I must replace all instances of "any" with "Any" in the cp_objects.json file
    • The change changes the default any object from "any" to "Any"
    • This has worked for my purposes using the smartconnector method of importing a single cisco config file
    • I have not tested with bash scripts and am sure I have not used all the places "Any" would be output by SmartMove
4 Replies
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2021-10-25 03:13 AM

Thanks a lot!.

We completed the code review and testing.

We updated the version and released it.

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2021-11-21 02:03 AM

Hi @SimonMeadows ,

Did you get our gift ?

0 Kudos
SimonMeadows
Participant
‎2021-11-22 12:34 AM
In response to Ofir_Shikolski

Hi @Ofir_Shikolski ,

I did, thank you very much.

I have another conversion from ASA to do in a few weeks so I'll do a bit more testing on the new version.

 

0 Kudos
SimonMeadows
Participant
‎2021-11-23 08:50 AM
In response to Ofir_Shikolski

Hi @Ofir_Shikolski 

I found an issue with the mapping of networks where a subnet will be mapped to a larger supernet if appears in the search result list before the subnet.

The debug output shows:

  processing network: network_172.24.47.160_29
WARN: More than one object named 'network_172.24.47.160_29' exists.
WARN: More than one network has the same IP 172.24.47.160/255.255.255.248
  REPORT: CP object network_172.16.0.0_12 is used instead of network_172.24.47.160_29
 
You can see a /29 subnet is mapped to a /12, which is undesirable.
 
I have submitted a pull request for a fix that I have tested on an import form a Cisco ASA
It adds an extra condition to match on both subnet and subnet-mask
Upcoming Events

    CheckMates Events
    Top