topic Re: SmartTask - Restrict use of specific objects in Access Control Policy in Firewall and Security Management

SmartTask - Restrict use of specific objects in Access Control Policy

Dima_M — Tue, 10 Mar 2020 07:39:18 GMT

This SmartTask allows to block usage of specific objects in source and destination fields of Access Control Policy. it intercepts the session on publish attempt ("Pre Publish" trigger) and runs a script that looks for objects defined in Custom Data field of SmartTask (see below).

It can be very useful if you want to avoid rules with "Any" in source and/or destination (in this case you'll need to exclude Stealth and Cleanup rules) and restricting access to/from sensitive resources.

Re: SmartTask - Restrict use of specific objects in Access Control Policy

martinkiska — Thu, 02 Apr 2020 12:57:44 GMT

Hello @Dima_M,

thank you a lot for your example. It is really nice. I would like to ask you for some advice regarding my use case. Let's say that we have some highly sensitive rules. Nobody should be able to add rule above them to break their drop meaning. I was thinking tu use smart task and before publish trigger for checking of this concept.

Concept of checking of modified/deleted/added objects in rule base is really nice.

{

"operations":{
- "modified-objects":[],
- "deleted-objects":[],
- "added-objects":[]
},
"session":{}

}

We would totally be able to check if rules were edited. But during the testing I tried to move "permit any" rule above those "highly sensitive rules". I was checking parameters of publish event, and when I changed rule order and published information, the only info in JSONs was about session itself, no info about rule number change. So I have no evidence about changing of order of rules while publishing new rule base and running some smart task on it. Is this information somewhere hidden? How can I get to this information during "before publish" event?

Thank you a lot for your reply.

{

"session":{
- "session-uid":"104cd16c-dcbc-4749-9758-89f04d8d7c30",
- "session-name":"admin@02.04.2020",
- "user-name":"admin",
- "application":"SmartConsole",
- "domain-info":{
  - "uid":"41e821a0-3720-11e3-aa6e-0800200c9fde",
  - "name":"SMC User",
  - "domain-type":"Domain"
  }
}

}

Re: SmartTask - Restrict use of specific objects in Access Control Policy

Dima_M — Tue, 07 Apr 2020 16:44:18 GMT

Hi Martin @martin

Thanks for bring this up, looks like show-changes output displays only partial info when rules are swapped. We'll investigate it further on and update.

Re: SmartTask - Restrict use of specific objects in Access Control Policy

grandpafirewall — Wed, 26 Aug 2020 11:14:07 GMT

Tried to import this script and the maximum filesize that the GUI can import is 8Kb. The filesize for this is 13Kb. Why is there a limit?

Re: SmartTask - Restrict use of specific objects in Access Control Policy

Efrat — Sun, 01 Nov 2020 09:22:27 GMT

Hi @grandpafirewall

How did you tried to import the smart tasks? it should be done using API, there is no way of importing smart task using GUI.

I imported it with API and it worked with no problem:

mgmt_cli import-smart-task file-path /home/admin/validate_rulebase_changes_on_publish.txt -r true

see API documentation here: https://sc1.checkpoint.com/documents/latest/APIs/#cli/import-smart-task~v1.6%20

Re: SmartTask - Restrict use of specific objects in Access Control Policy

grandpafirewall — Mon, 02 Nov 2020 14:08:02 GMT

That would be the issue. Thanks. I eventually want to try an do this from SmartCloud.

Re: SmartTask - Restrict use of specific objects in Access Control Policy

PhoneBoy — Mon, 09 Nov 2020 03:41:49 GMT

You can still access the API with SmartCloud.

Re: SmartTask - Restrict use of specific objects in Access Control Policy

Zahier_Madhar — Fri, 26 Feb 2021 15:18:42 GMT

This worked for on a standalone setup. But it did not worked on multi domain. How can I upload the script into smart task with multi domain.

Re: SmartTask - Restrict use of specific objects in Access Control Policy

Simon_Macpherso — Mon, 12 Apr 2021 06:54:10 GMT

Hi,

Does this analyze every policy or only policies that have been changed?

Regards,

Simon