Object Names| same name, different case and different content -> checkpoint rules wrong

[mjardeli]

Hi Martin,
Sorry to bother you again, I think this one is important.

I have one case of same object name but different case on config I am parsing. This is allowed on Cisco configs but not allowed on CheckPoint.
I did few tests, and this can lead to a complete different rule on checkpoint.

There are two objects on checkpoint database ( importing using attached customer_network_objects.xml
customer_network_objects.xml.txt
).

Please pay close attention to object names and case ( this is causing all this mess).

CheckPoint Database:
host dns_1 - 1.1.1.1
group dns_servers containing only dns_1.

Cisco config to parse

object network dns_1
 host 192.168.71.41
object-group network dns_servers
 network-object host 1.1.1.1
 network-object object dns_1
 network-object host 172.16.11.64
object-group network DNS_SERVERS
 network-object host 172.16.11.110
 network-object host 172.16.11.111
 network-object host 172.16.11.24
 network-object host 172.16.11.112
object-group network DM_INLINE_NETWORK_17
 group-object DNS_SERVERS
 group-object dns_servers

Parsing output:

CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
 CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
 CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
 CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 2 'object-group network dns_servers'>
CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
CiscoNetGroup(name=DNS_SERVERS,desc=,nbMembers=4,alias=)
 CiscoHost(name=H_172.16.11.110,ipAddr=172.16.11.110,desc=,alias=)
 CiscoHost(name=H_172.16.11.111,ipAddr=172.16.11.111,desc=,alias=)
 CiscoHost(name=H_172.16.11.24,ipAddr=172.16.11.24,desc=,alias=)
 CiscoHost(name=H_172.16.11.112,ipAddr=172.16.11.112,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 6 'object-group network DNS_SERVERS'>
CiscoNetGroup(name=DM_INLINE_NETWORK_17,desc=,nbMembers=2,alias=)
 CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 CiscoNetGroup(name=dns_servers,desc=,nbMembers=3,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=dns_1,ipAddr=1.1.1.1,desc=,alias=)
   CiscoHost(name=H_172.16.11.64,ipAddr=172.16.11.64,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 11 'object-group network DM_INLINE_NETWORK_17'>

Also as the checkpoint group with small case "dns_servers" was not recognized/loaded, it will fail to import using dbedit as a duplicated object will be found.

kind regards,

[martindube]

Hi mjardeli,

I did a patch but there are some caveats you should be aware.

When an object is found in checkpoint xml AND in a cisco file, the one from checkpoint only is kept. I cannot simply rename the one from the cisco file as it will never be used or referenced. This is the expected behaviour to consider the checkpoint database as a reference.

In such cases, I suggest that you do a mass rename of the conflicting cisco object.

This change is introducing modification at lower level. Hopefully, it won't affect the rest too much but you should test as much as possible.

Thanks,

[mjardeli]

Thank you Martin!

Is there a way to create a log or a warning when that happens? The worse part is to identify conflicting objects.

Can I suggest a file to be added? Maybe configuration_adjustments.txt icmp can be added. I can create/ populate this file.

I'll test and let you know!

Cheers

[martindube]

It is is printed near the "Importing" messages. Try with --debugif it doesn't show up.

#[+] Importing all hosts.
#[-]   Importing: <ASAObjNetwork # 0 'object network dns_1'>
#[+] Object "CiscoHost(name=dns_1,ipAddr=192.168.71.41,desc=,alias=)" was not imported as it already exist.
#[+] Importing all networks.
#[+] Importing all ranges.
#[+] Fixing duplicate names
#[+] Fixing duplicate IP addresses
#[+] Fixing duplicate subnets
#[+] Fixing duplicate ranges

[mjardeli]

Hi Martin,
Thank you for your time and partially solving issue.

I just tested, for object host issue is solved. Its detecting/warning dup with checkpoint object.

Can it also be done for network group, service and service group?

I created the same objects on checkpoint here follow files(customer_network_objects.xml.txt
customer_service_objects.xml.txt)

Here follow config example for each one:

object service TCP_printer
 service tcp destination eq 191 
object-group network dns_servers
 network-object host 1.1.1.2
object-group network DM_INLINE_NETWORK_17
 group-object dns_servers
object-group service same_name
 service-object tcp destination eq 8089 

I created on checkpoint objects: same_name,dns_servers and TCP_printer. They all have different values than the ones on cisco config

actual parsing output:

CiscoServicePort(name=TCP_printer,port=191,desc=,alias=)
CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
CiscoNetGroup(name=dns_servers,desc=,nbMembers=1,alias=)
 CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 4 'object-group network dns_servers'>
CiscoNetGroup(name=DM_INLINE_NETWORK_17,desc=,nbMembers=1,alias=)
 CiscoNetGroup(name=dns_servers,desc=,nbMembers=1,alias=)
   CiscoHost(name=H_1.1.1.2,ipAddr=1.1.1.2,desc=,alias=)
 Verify: <ASAObjGroupNetwork # 6 'object-group network DM_INLINE_NETWORK_17'>
CiscoServicePort(name=TCP_8089,port=8089,desc=,alias=)
CiscoServiceGroup(name=same_name,desc=,nbMembers=1)
 CiscoServicePort(name=TCP_8089,port=8089,desc=,alias=)
 Verify: <ASAObjGroupService # 8 'same_name'>

Objects being detected as duplicated with checkpoint database will allow manual adjustments before importing config.

thank you,