topic Re: Verification of rules in API / CLI Discussion

Verification of rules

Jun_Liang_Seow — Tue, 03 Jan 2017 17:35:49 GMT

Hi,

I'm trying to verify rules that I have created. I understand that I can create rules through /add-access-rule. I also understand that Checkpoint can verify if the published rule can be installed by verifying policy (this can be done in GUI). I think it is not possible to do this function through API after reading through the API document. Would like to check on the possibility?

In addition, would like to check if there's no such function, is there a good practice other than dragging out the entire rule-base for a policy through /show-access-rulebase and checking against the output?

My thought process now is to create a rule, verify policy and delete the rule if the verification flags error (easiest way to check).

Re: Verification of rules

Igal_Rivin — Wed, 04 Jan 2017 06:45:49 GMT

Hi Jun Liang Seow,

The API to verify the policy package is added to the R-80.10.

If it's possible it's better to wait until R-80.10 is released.

-Igal

Re: Verification of rules

phlrnnr — Thu, 07 Jun 2018 18:55:27 GMT

Can policy verification be done before publishing? For example, I have a script that adds a rule using the REST API. I would then want to verify the policy before publishing and installing. If verification fails, then I'd want to discard changes instead of publishing them. Is this possible?

Re: Verification of rules

Robert_Decker — Thu, 07 Jun 2018 19:44:18 GMT

Hi Phillip,

No, it is not possible. Policy verification via API works the same as in the GUI - first publish, then verify.

Robert.

Re: Verification of rules

phlrnnr — Fri, 08 Jun 2018 17:39:36 GMT

So, then, from an automation perspective, is the recommended approach to create a new rule via API, publish it, verify the ruleset, and if verification fails remove the rule that was created and finally re-publish?

Re: Verification of rules

Robert_Decker — Fri, 08 Jun 2018 20:29:08 GMT

Phillip,

Creation and verification process of a security policy is more complex then just a trial and error approach.

You do not publish and verify per a single rule, you should be aware of a whole rulebase you are creating.

You can automate the creation process of the rulebase, publish and verify. If the verification fails, you will need to switch to manual work in GUI and examine what went wrong.

Robert.

Re: Verification of rules

Tomer_Sole — Sun, 10 Jun 2018 05:27:00 GMT

This is good feedback Phillip. In the current releases, verifying things like "rule-hide-rule" and more are occurring post-publish. We have plans to assist on verification pre-publish in the next releases.

If you are afraid that your automation often breaks policy verification, perhaps put it in stealth mode and consider not publishing the auto-created rules, and having someone log into that session, look at the change, publish or correct them. Once you see that your tools make better changes, you could add the publish step to the automation.