Re: [FW-1] Merging objects from one fwall to another

[Jim MacLeod <jmacleod@FW1-NOSPAMEARTHLING.NET>]

There's really not going to be an easy way to merge the two rulebases
together automatically, since the rules are processed sequentially in the
rulebase.  Simply "shuffling" two rules together will almost definitely not
give you the results you want.

OTOH, if your rulebase structures are similar, e.g.:
[firewall access rules - allow]
[firewall stealth rule - drop]
[network access rules -allow]
[cleanup rule - drop]

Then it's possible that your rules might not interfere with each other
inside those categories.

The way I would do this is to look at the .W file for each rulebase.  If
you treat the raw policy file as a programming language, you can manipulate
the rules in a quality text editor.  Just make sure to move the entire
rule, from the rule: tag to the closing parenthesis.

Back on the firewall, compile the rule and add it to the GUI using the fwm
command.

Of course YMMV, kids don't try this at home.

At 06:40 PM 3/4/2002, you wrote:
> OK, I got the objects all merged into the new firewalls.
>
> Now I want to get the old rulebase file merged into the new one.
>
> Your command line below:
>
> 3. rule base merge - fwm -g ../conf/*.W
>
> Doesn't quite make sense to me. What does the above do? I want to squeeze
> one rulebase into another rulebase. How does the above merge the rules?
>
> Thanks again,
>
> Mike H
>
> > -----Original Message-----
> > From: Amin Tora [SMTP:Amin@EPLUS.COM]
> > Sent: Monday, March 04, 2002 12:14 AM
> > To:   FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > Subject:      Re: [FW-1] Merging objects from one fwall to another
> >
> > 1. user migration
> >
> > on old
> >
> > fw dbexport -f users.export
> >
> > on new
> >
> > fw dbimport -v -f users.export
> >
> > 2. objects merge
> >
> > fw confmerge objects1.c objects2.c > objects.c
> >
> > 3. rule base merge
> >
> > -unix
> >
> > fwm -g ../conf/*.W
> >
> > -nt
> >
> > c:\winnt\fw1\4.1\conf> for %i in (*.W) do fw fwm -g %i
> >
> >
> > -Amin
> >
> >
> > > -----Original Message-----
> > > From: Costaras Steve - stcost [mailto:Steve.Costaras@ACXIOM.COM]
> > > Sent: Saturday, March 02, 2002 3:06 PM
> > > To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > > Subject: Re: [FW-1] Merging objects from one fwall to another
> > >
> > >
> > > I'm also looking at doing this.   We have 3 firewall setups
> > > that I want
> > > to merge together on the same Mgmt station.  I've got a good
> > > 500+ objects on
> > > each.
> > >
> > > Steve
> > >
> > > -----Original Message-----
> > > From: Hawkins, Michael [mailto:MHawkins@TULLIB.COM]
> > > Sent: Friday, March 01, 2002 6:51 PM
> > > To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > > Subject: Re: [FW-1] Merging objects from one fwall to another
> > >
> > >
> > > Sorry, I wasn't quite specific enough about my problem.
> > >
> > > We have been running two firewall pairs for a while. Our
> > > intention is to get
> > > rid of the old pair completely by migrating all the rules to
> > > the new pair.
> > > The new pair already has a huge number of rules, objects, services
> > > configured.
> > >
> > > So the problem is that we need to somehow get all of the
> > > existing rules,
> > > objects, services from the old firewalls into the new firewalls while
> > > keeping the new firewalls objects, rules and services intact.
> > >
> > > So when I said "merge", I really meant merge in the true
> > > sense of taking two
> > > data sets and merging them into one so that a have a set that
> > > inclues both
> > > subsets.
> > >
> > > Any help would be much appreciated.
> > >
> > > Mike H
> > >
> > > > -----Original Message-----
> > > > From: Don Guyer [SMTP:dguyer@CITADELFCU.ORG]
> > > > Sent: Friday, March 01, 2002 3:35 PM
> > > > To:   FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > > > Subject:      Re: [FW-1] Merging objects from one fwall to another
> > > >
> > > > Michael,
> > > >
> > > >          I keep our live and backup firewalls
> > > "synchronized" by copying
> > > > the *.W, *.pf, *.C, and rulebases.fws files from the live
> > > to the backup.
> > > > The 2 boxes must be at the same version and build.
> > > >
> > > > HTH,
> > > >
> > > > Don Guyer
> > > > Information Systems
> > > > Citadel Federal Credit Union
> > > > dguyer@citadelfcu.org
> > > > Ph:> > > Fax:> > > www.citadelfcu.org
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Hawkins, Michael [ <mailto:MHawkins@TULLIB.COM>]
> > > > Sent: Friday, March 01, 2002 10:59 AM
> > > > To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > > > Subject: [FW-1] Merging objects from one fwall to another
> > > >
> > > >
> > > > I also have a need to do some merging!
> > > >
> > > > I have an old 4.0 firewall cluster and we are migrating the
> > > rule base one
> > > > rule at a time, one object at a time, one service at a
> > > time, from the old
> > > > to
> > > > the new firewalls using the GUI-client.
> > > >
> > > > This is extraordinarily time consuming and painful on my
> > > eyes and right
> > > > index finger (click, click, click...). It even hurts my brain!
> > > >
> > > > I tried to copy some objects from objects.C in the old to the new
> > > > firewalls
> > > > but I got "out of scope" errors when I tried to restart
> > > fw-1 on the new
> > > > firewalls. So rather than break things I just returned to
> > > my original
> > > > objects.C file and accepted my fate. That I would have to
> > > do it via the
> > > > GUI.
> > > >
> > > > Does anyone have a technique for merging objects from one
> > > objects.C to
> > > > another.
> > > >
> > > > I have many, many special services configured along with
> > > many objects
> > > > along
> > > > with many rules.
> > > >
> > > > Being able to merge at least one of these groups would be a
> > > huge benefit.
> > > >
> > > > Thanks
> > > >
> > > > Mike H
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: John Chua [SMTP:chuayl@POP.ALLOMAIL.COM]
> > > > > Sent: Friday, March 01, 2002 5:32 AM
> > > > > To:    FW-1-MAILINGLIST@beethoven.us.checkpoint.com
> > > > > Subject:       [FW-1] How to merge multiple firewall
> > > rules into one ?
> > > > >
> > > > > Hi
> > > > >
> > > > > Urgent, I need to know how to merge firewall rules from multiple
> > > > firewall
> > > > > mahines into a single rule base. Can anyone enlighten me. Thanks.
> > > > >
> > > > >
> > > > <<Disclaimer>>
> > > >
> > > > This electronic mail is intended only for the use of the
> > > addressee(s)
> > > > named
> > > > herein. Unless otherwise specifically stated, the views
> > > contained and
> > > > expressed in this electronic mail are strictly those of the
> > > individual
> > > > sender and are not the views of the Company or any of its
> > > Directors or
> > > > other
> > > > employees. If you are not the intended recipient of this
> > > electronic mail,
> > > > you are hereby notified that any dissemination,
> > > distribution or coping of
> > > > this electronic mail is strictly prohibited. If you received this
> > > > electronic
> > > > mail in error please immediately notify us by return
> > > electronic mail and
> > > > delete this electronic mail from your system.
> > > >
> > > > =================================================
> > > > To set vacation, Out Of Office, or away messages,
> > > > send an email to LISTSERV@lists.us.checkpoint.com
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list,
> > > > please see the instructions at
> > > > <http://www.checkpoint.com/services/mailing.html>
> > > > =================================================
> > > > If you have any questions on how to change your
> > > > subscription options, email
> > > > fw-1-owner@ts.checkpoint.com
> > > > =================================================
> > > >
> > > >
> > > >
> > > <<Disclaimer>>
> > >
> > > This electronic mail is intended only for the use of the
> > > addressee(s) named
> > > herein. Unless otherwise specifically stated, the views contained and
> > > expressed in this electronic mail are strictly those of the individual
> > > sender and are not the views of the Company or any of its
> > > Directors or other
> > > employees. If you are not the intended recipient of this
> > > electronic mail,
> > > you are hereby notified that any dissemination, distribution
> > > or coping of
> > > this electronic mail is strictly prohibited. If you received
> > > this electronic
> > > mail in error please immediately notify us by return
> > > electronic mail and
> > > delete this electronic mail from your system.
> > >
> > > =================================================
> > > To set vacation, Out Of Office, or away messages,
> > > send an email to LISTSERV@lists.us.checkpoint.com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner@ts.checkpoint.com
> > > =================================================
> > >
> > >
> > > *********************************************************************
> > >
> > > The information contained in this communication is
> > > confidential, is intended only for the use of the recipient
> > > named above, and may be legally privileged.
> > > If the reader of this message is not the intended
> > > recipient, you are hereby notified that any dissemination,
> > > distribution, or copying of this communication is strictly
> > > prohibited.
> > > If you have received this communication in error,
> > > please re-send this communication to the sender and
> > > delete the original message or any copy of it from your
> > > computer system. Thank You.
> > >
> > > =================================================
> > > To set vacation, Out Of Office, or away messages,
> > > send an email to LISTSERV@lists.us.checkpoint.com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > fw-1-owner@ts.checkpoint.com
> > > =================================================
> > >
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to LISTSERV@lists.us.checkpoint.com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner@ts.checkpoint.com
> > =================================================
> >
> >
> <<Disclaimer>>
>
> This electronic mail is intended only for the use of the addressee(s) named
> herein. Unless otherwise specifically stated, the views contained and
> expressed in this electronic mail are strictly those of the individual
> sender and are not the views of the Company or any of its Directors or other
> employees. If you are not the intended recipient of this electronic mail,
> you are hereby notified that any dissemination, distribution or coping of
> this electronic mail is strictly prohibited. If you received this electronic
> mail in error please immediately notify us by return electronic mail and
> delete this electronic mail from your system.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to LISTSERV@lists.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner@ts.checkpoint.com
> =================================================

Don't be irreplaceable-if you can't be replaced, you can't be promoted.
- Attributed to Scott Adams, Dilbert's Rules of Order

Following the rules will not get the job done.
- ibid

=================================================
To set vacation, Out Of Office, or away messages,
send an email to LISTSERV@lists.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================