The PhoneBoy Blog

FireWall-1 FAQ: How do I edit objects.C or objects_5_0.C properly?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Editing objects.C is much more likely to succeed when no GUI clients (fwpolicy, fwlog, fwstatus) are running against the management console. You can ensure that this is the case by killing the ‘fwm’ process using the command cpwd_admin stop -name FWM in NG or fw kill fwm in 4.1 and earlier. You can restart it by typing cpwd_admin start -name FWM in NG or fw fwm in 4.1. You should also remove objects.C.sav and objects.C.bak: if they have a more recent timestamp than objects.C, FireWall-1 will replace objects.C with one of these files. If your management console is on Windows, make sure you use DOS edit or WordPad. Do not use Notepad!

Check Point generally recommends that you fwstop or cpstop your management console when applying manual changes to objects.C, and then type fwstart or cpstart afterwards.

All changes to objects.C generally require re-installing the policy for them to take effect.
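The timestamp rule above (a newer objects.C.sav or objects.C.bak replaces objects.C) can be checked before a manual edit. The following is an added example, not part of the original FAQ and not Check Point tooling: the function names are hypothetical, the caller supplies the directory holding the file, and treating objects_5_0.C as having the same .sav/.bak files is an assumption.

```shell
#!/bin/sh
# Added example, not Check Point tooling. Function names are hypothetical, and
# the caller supplies the directory that holds the objects file.

# Print each <base>.sav / <base>.bak with a more recent timestamp than <base>.
# Returns 0 if none is newer, 1 if at least one is, 2 if <base> is missing.
newer_sidecars() {
    ns_target=$1/${2:-objects.C}
    [ -f "$ns_target" ] || { echo "missing: $ns_target" >&2; return 2; }
    ns_found=0
    for ns_ext in sav bak; do
        ns_side=$ns_target.$ns_ext
        [ -f "$ns_side" ] || continue
        # POSIX find prints the path only when it was modified after the target.
        if [ -n "$(find "$ns_side" -newer "$ns_target")" ]; then
            echo "$ns_side"
            ns_found=1
        fi
    done
    return "$ns_found"
}

# Run the check for every objects file present in the directory.
# objects_5_0.C having the same .sav/.bak files is an assumption.
# Returns 0 if no newer file was found, 1 if any was listed,
# 2 if the directory holds neither objects file.
preedit_report() {
    pr_status=0
    pr_seen=0
    for pr_base in objects.C objects_5_0.C; do
        [ -f "$1/$pr_base" ] || continue
        pr_seen=1
        newer_sidecars "$1" "$pr_base" || pr_status=1
    done
    [ "$pr_seen" -eq 1 ] || return 2
    return "$pr_status"
}
```

Any path the check prints is a file that would win over the edited objects file, so deal with it before making changes.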

In NG, it is generally recommended that you use a utility called dbedit to edit the objects_5_0.C file. A graphical version of this utility called GUIdbedit is also available from Check Point’s site. If your management console is on a Nokia platform and you are using a version of NG prior to FP3, dbedit is known to be unstable and should not be used. In these cases, use GUIdbedit or manually edit the file. An example of using dbedit is provided below.

    c:> dbedit
    Enter Server name (ENTER for 'localhost'):
    Enter User Name: dwelch
    Enter User Password: abc123
    Please enter a command, -h for help or -q to quit:
    dbedit> modify properties firewall_properties nat_dst_client_side_manual true
    dbedit> update properties firewall_properties
    firewall_properties updated successfully.
    dbedit> quit

Alternatively, you may wish to use the Check Point Database Tool (guidbedit), available from the Check Point Utilities Download Page.
