topic Re: Forcing Comments in Rulebase in Firewall and Security Management

Forcing Comments in Rulebase

Marc0523 — Tue, 06 Feb 2024 09:01:29 GMT

Hi Guys.

For auditing reasons my company needs a comment for every rule in the rule base.

The issue is a lot of staff don't put them in, meaning I have to add them before an audit.

Is there any option I can enable to enforce the comment field before a rule can be added?

If not, could we look into getting this feature added to future versions?

Re: Forcing Comments in Rulebase

delToro1 — Tue, 06 Feb 2024 09:12:34 GMT

Hello,

Maybe you can achieve it using Smart Tasks in SmartConsole.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/SmartTasks.htm

BR!

Re: Forcing Comments in Rulebase

Marc0523 — Tue, 06 Feb 2024 10:07:28 GMT

Never knew this existed!

Smart Tasks could trigger a script to check, but I'd still need the script. Writing one which checked for comments in all rule bases is beyond me.

Re: Forcing Comments in Rulebase

Chris_Atkinson — Tue, 06 Feb 2024 12:50:28 GMT

To confirm you are already using the Compliance Blade?

Re: Forcing Comments in Rulebase

Danny — Tue, 06 Feb 2024 14:18:29 GMT

SmartTasks in our Toolbox.
You can easily go from there and adjust those to your needs.

Re: Forcing Comments in Rulebase

the_rock — Tue, 06 Feb 2024 15:01:09 GMT

Let me test this in my lab, I believe it can be achieved with compliance blade as Chris indicated.

Andy

Re: Forcing Comments in Rulebase

the_rock — Tue, 06 Feb 2024 18:45:32 GMT

K, got it, here is what you need to do. I attached all the screenshots to this reply.

Best,

Andy

Re: Forcing Comments in Rulebase

PhoneBoy — Tue, 06 Feb 2024 19:41:55 GMT

You would actually check the rules modified by the current session to see if they have a comment or not.
However, if you're looking for an out-of-the-box feature, then you should use Compliance Blade which has this built in.

Re: Forcing Comments in Rulebase

Marc0523 — Wed, 07 Feb 2024 13:56:28 GMT

Sadly no, we don’t have the compliance blade.

Re: Forcing Comments in Rulebase

Marc0523 — Wed, 07 Feb 2024 13:57:20 GMT

This looks perfect, but involves the compliance blade.
I’ll have to see if we are allowed to purchase it.

Re: Forcing Comments in Rulebase

the_rock — Wed, 07 Feb 2024 13:57:34 GMT

You can apply eval and test it for 30 days.

Andy

Re: Forcing Comments in Rulebase

the_rock — Wed, 07 Feb 2024 15:16:03 GMT

Im sure if you approached your local Sales person, they would be willing to help you out with this. Compliance blade is really good, I strongly recommend it.

Best,

Andy

Re: Forcing Comments in Rulebase

Danny — Wed, 07 Feb 2024 15:50:02 GMT

Hi Andy, does this work for all policy types?

Access Control
NAT
Threat Prevention
HTTPS Inspection
Mobile Access
DLP

etc.

Re: Forcing Comments in Rulebase

the_rock — Wed, 07 Feb 2024 15:53:44 GMT

Hey Danny,

I tested it yesterday and worked for any rule type, correct.

Best,

Andy

Re: Forcing Comments in Rulebase

Paul_Warnagiris — Fri, 15 Mar 2024 02:19:49 GMT

I don't like this. Every auditor checks for this and you get dinged without it. This is such a simple thing to do and every other FW vendor allows this. The compliance work around is not an answer its a band aid. How hard is it to get an RFE for this considering its a standard requirement, best practice and basic good hygiene?

Re: Forcing Comments in Rulebase

the_rock — Fri, 15 Mar 2024 22:12:54 GMT

You are correct in saying other fw vendors allow it, BUT, there is a hack to get around it, an easy one too, mind you : - )

Andy

Re: Forcing Comments in Rulebase

Chris_Atkinson — Sat, 16 Mar 2024 15:02:42 GMT

RFE process is well known, please discuss with your local SE.

With R81.20 the SmartWorkflow / Approval Cycle could also help if you have challenges with change management policy conformance, please refer: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Session-flow-for-Administrators.htm?cshid=ID103#ApprovalCycle

Further more, you can enforce session descriptions should you so choose.

Navigate to Advance Session settings and check the "All Session must have a name and description" check box.

Re: Forcing Comments in Rulebase

Paul_Warnagiris — Sat, 16 Mar 2024 16:55:33 GMT

Will do. Because something that should be a simple click box is turned into a whole new workflow doesn't make sense and its not a good answer. I could live with the session enforcement mechanism if it could enforce rule comments. That would be an acceptable work around. But to create a 7 step work flow and require multiple people to do something that a click box could accomplish is silly.