The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Merging objects.C files

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

FireWall-1 4.1 and earlier supports a command called “fw confmerge” that will allow you to merge multiple objects.C files into one file (this is how the fwinstall script does an upgrade). The syntax is:

    fw confmerge obj1.C obj2.C > objects.C

Which merges obj1.C and obj2.C into the file objects.C. The proper procedure for performing this merge is as follows:

  • Stop the firewall (fwstop).
  • Make a backup of the $FWDIR/conf directory.
  • Copy your objects.C files into a temp directory, giving them different names (e.g. obj1.C, obj2.C).
  • Run the command ‘fw confmerge obj1.C obj2.C > objects.C’
  • Remove objects.C, objects.C.sav, objects.C.bak from $FWDIR/conf
  • Copy the new objects.C file into $FWDIR/conf.
  • Start the firewall (fwstart).

I have found this works best when one of the objects.C file is “clean,” i.e. from a fresh install. This is what the FireWall-1 upgrade process does.

Make sure that if you’re converting from Windows to Unix (or vice versa) that you change the line endings, otherwise you will get errors when executing this command.

When merging the objects from a 3.0b management console to a 4.1 management console using fw confmerge, the interfaces tab on the FireWall objects do not get populated and has to be entered manually, SNMP may or may not work. This is also true for any object that requires the interface tab to be populated. (i.e. routers and switches). Version information may not carry over. In this case, you will have to delete and recreate the objects so that they are created properly.

Warning: confmerge has been proven to put duplicate entries in the objects.C file. If two objects have the same name, but different colors, they are duplicated.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.