Cisco2Checkpoint
Object Names| same name, different case and different content -> checkpoint rules wrong
Hi Martin, sorry to bother you again, I think this one is important.
I have one case of the same object name but different case in the config I am parsing. This is allowed in Cisco configs but not allowed on CheckPoint. I did a few tests, and this can lead to a completely different rule on CheckPoint.
There are two objects in the CheckPoint database (imported using the attached customer_network_objects.xml.txt).
Please pay close attention to the object names and case (this is causing all this mess).
CheckPoint database: host dns_1 = 1.1.1.1; group dns_servers containing only dns_1.
Cisco config to parse:
object network dns_1
 host 192.168.71.41
object-group network dns_servers
 network-object host 1.1.1.1
 network-object object dns_1
 network-object host 172.16.11.64
object-group network DNS_SERVERS
 network-object host 172.16.11.110
 network-object host 172.16.11.111
 network-object host 172.16.11.24
 network-object host 172.16.11.112
object-group network DM_INLINE_NETWORK_17
 group-object DNS_SERVERS
 group-object dns_servers
Parsing output:
CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
Verify: <ASAObjGroupNetwork # 2 'object-group network dns_servers'>
CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
CiscoNetGroup(name=DNS_SERVERS,desc=,nbMembers=4,alias=)
CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
Verify: <ASAObjGroupNetwork # 6 'object-group network DNS_SERVERS'>
CiscoNetGroup(name=DM_INLINE_NETWORK_17,desc=,nbMembers=2,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
Verify: <ASAObjGroupNetwork # 11 'object-group network DM_INLINE_NETWORK_17'>
Also, as the CheckPoint group with the lowercase name "dns_servers" was not recognized/loaded, the import with dbedit will fail because a duplicate object will be found.
Kind regards,
Hi mjardeli,
I did a patch but there are some caveats you should be aware of.
When an object is found in the CheckPoint XML AND in a Cisco file, only the one from CheckPoint is kept. I cannot simply rename the one from the Cisco file as it will never be used or referenced. This is the expected behaviour, to consider the CheckPoint database as the reference.
In such cases, I suggest that you do a mass rename of the conflicting Cisco objects.
This change introduces modifications at a lower level. Hopefully, it won't affect the rest too much, but you should test as much as possible.
Thanks,
Thank you Martin!
Is there a way to create a log or a warning when that happens? The worst part is identifying the conflicting objects.
Can I suggest a file to be added? Maybe configuration_adjustments.txt icmp can be added. I can create/populate this file.
I'll test and let you know!
Cheers
It is printed near the "Importing" messages. Try with --debug if it doesn't show up.
#[+] Importing all hosts.
#[-] Importing: <ASAObjNetwork # 0 'object network dns_1'>
#[+] Object "CiscoHost(name=dns_1,ipAddr=192.168.71.41,desc=,alias=)" was not imported as it already exist.
#[+] Importing all networks.
#[+] Importing all ranges.
#[+] Fixing duplicate names
#[+] Fixing duplicate IP addresses
#[+] Fixing duplicate subnets
#[+] Fixing duplicate ranges
Hi Martin, thank you for your time and for partially solving the issue.
I just tested; for host objects the issue is solved. It's detecting/warning about duplicates with the CheckPoint object.
Can it also be done for network groups, services and service groups?
I created the same objects on CheckPoint; here are the files (customer_network_objects.xml.txt, customer_service_objects.xml.txt).
Here is a config example for each one:
object service TCP_printer
 service tcp destination eq 191
object-group network dns_servers
 network-object host 1.1.1.2
object-group network DM_INLINE_NETWORK_17
 group-object dns_servers
object-group service same_name
 service-object tcp destination eq 8089
I created the objects same_name, dns_servers and TCP_printer on CheckPoint. They all have different values from the ones in the Cisco config.
Actual parsing output:
CiscoServicePort(name=TCP_printer,port=191,desc=,alias=)
CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=1,alias=)
CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
Verify: <ASAObjGroupNetwork # 4 'object-group network dns_servers'>
CiscoNetGroup(name=DM_INLINE_NETWORK_17,desc=,nbMembers=1,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=1,alias=)
CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
Verify: <ASAObjGroupNetwork # 6 'object-group network DM_INLINE_NETWORK_17'>
CiscoServicePort(name=TCP_8089,port=8089,desc=,alias=)
CiscoServiceGroup(name=same_name,desc=,nbMembers=1)
CiscoServicePort(name=TCP_8089,port=8089,desc=,alias=)
Verify: <ASAObjGroupService # 8 'same_name'>
Detecting objects that are duplicated in the CheckPoint database will allow manual adjustments before importing the config.
Thank you,
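The pre-import check both posts ask for (names that collide only by case, and names present on both sides with different content), as an added example that is not part of Cisco2Checkpoint. It parses the ASA snippet from the first post; CHECKPOINT_OBJECTS is a constructed stand-in for the names that a real run would read from the exported CheckPoint XML.

```python
import re
from collections import defaultdict

# Constructed input: the ASA snippet posted in this issue, verbatim.
ASA_CONFIG = """\
object network dns_1
 host 192.168.71.41
object-group network dns_servers
 network-object host 1.1.1.1
 network-object object dns_1
 network-object host 172.16.11.64
object-group network DNS_SERVERS
 network-object host 172.16.11.110
 network-object host 172.16.11.111
 network-object host 172.16.11.24
 network-object host 172.16.11.112
object-group network DM_INLINE_NETWORK_17
 group-object DNS_SERVERS
 group-object dns_servers
"""
# Constructed stand-in for the names in the exported CheckPoint XML.
CHECKPOINT_OBJECTS = {"dns_1": "host 1.1.1.1", "dns_servers": "group dns_1"}

def parse_asa_objects(text):
    """Return {name: (kind, members)} for 'object'/'object-group' blocks of
    type network or service; member lines are kept verbatim."""
    objs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(object|object-group) (network|service) (\S+)", line)
        if m:
            cur = objs.setdefault(m.group(3), (f"{m.group(1)} {m.group(2)}", []))
        elif cur is not None and line.startswith(" "):
            cur[1].append(line.strip())
    return objs

def find_conflicts(asa, checkpoint):
    """Fold names to lowercase (the issue reports CheckPoint rejects names that
    differ only by case); a fold holding more than one name, or a name present
    on both sides, must be renamed before import. Returns sorted
    (fold, asa_names, checkpoint_names) tuples."""
    folded = defaultdict(lambda: {"asa": set(), "cp": set()})
    for name in asa:
        folded[name.lower()]["asa"].add(name)
    for name in checkpoint:
        folded[name.lower()]["cp"].add(name)
    return sorted((fold, sorted(s["asa"]), sorted(s["cp"]))
                  for fold, s in folded.items()
                  if len(s["asa"]) + len(s["cp"]) > 1)
```

Running find_conflicts on the sample flags dns_1 (present on both sides with different content) and the dns_servers/DNS_SERVERS pair, while DM_INLINE_NETWORK_17 passes.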