topic Re: How to check if policy is changed but not installed? in API / CLI Discussion

How to check if policy is changed but not installed?

Ryan_Puckett — Thu, 10 Aug 2017 01:14:10 GMT

Is there something in R80.10 that can be queried to verify if a policy has updated but not installed (pushed out) changes?

The use case is to incorporate the check in a policy install script, where only policies that have changes since the last install get installed.

In versions prior to R80, we queried for times in the fw_policies and install_statuses tables and monitored the last_modified time. I'm trying to replicate this logic in R80.10, but I'm not having luck finding a corresponding modified time variable that changes after I publish a change. I've been looking at show package with details-level set at full, but nothing changes in the output json file once I publish changes.

Re: How to check if policy is changed but not installed?

Timothy_Hall — Fri, 11 Aug 2017 12:42:00 GMT

There is a "View Changes" button on the install policy screen in R80+ that shows the difference between what is about to be pushed to the gateway vs. what the gateway has currently loaded. Not sure if this info is somehow available in the mgmt_cli but might be worth investigating.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: How to check if policy is changed but not installed?

Ryan_Puckett — Fri, 11 Aug 2017 20:05:44 GMT

That's it!

Under the "show changes" API call, there is a "session publish time" that gets updated whenever the policy is published. Exactly what I needed.

mgmt_cli show changes --domain Test01 --root true --format json | jq -r '.tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix'

Thank you.

Re: How to check if policy is changed but not installed?

Rob_Napholz — Wed, 22 Nov 2017 15:05:30 GMT

This is great, but which policy was edited/changed

I am trying to determine which policies have been edited(which policies need to be installed).

Re: How to check if policy is changed but not installed?

Robert_Decker — Tue, 27 Mar 2018 13:27:20 GMT

Hi Rob,

It is possible to accomplish your request if you combine data from several API commands.

I'll post the answer (bash script) shortly.

Robert.

Re: How to check if policy is changed but not installed?

Robert_Decker — Wed, 28 Mar 2018 15:28:44 GMT

here you go - https://community.checkpoint.com/docs/DOC-2816.

Robert.

Re: How to check if policy is changed but not installed?

Rob_Napholz — Wed, 28 Mar 2018 21:31:54 GMT

I have come across an issue on my mgmt

The time stamps are the same prior and after a publish

[Expert@r80:0]# mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917
[Expert@r80:0]# mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917 which is January 22, 2018 2:57:40.917 PM

I know this is wrong as the policy was change today

Re: How to check if policy is changed but not installed?

Robert_Decker — Thu, 29 Mar 2018 05:47:19 GMT

And what about the "iso-8601" field? Does it also show the same date and time?

Robert.

Re: How to check if policy is changed but not installed?

Rob_Napholz — Thu, 29 Mar 2018 19:08:48 GMT

It does, this was the date the policy was created.

mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["iso-8601"]'
2018-01-22T09:57-0500

cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10

[KAV]
HOTFIX_R80_10

[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 56

[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 56

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 007
This is Check Point's software version R80.10 - Build 027

Re: How to check if policy is changed but not installed?

Robert_Decker — Thu, 29 Mar 2018 19:39:34 GMT

This is very strange.

The policy creation time is saved in another field - "meta-info.creation-time.iso-8601". Can you please verify this field's value?

Robert.

Re: How to check if policy is changed but not installed?

Rob_Napholz — Thu, 29 Mar 2018 19:49:07 GMT

mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]
> '
{
"lock": "unlocked",
"validation-state": "ok",
"last-modify-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
},
"last-modifier": "csg",
"creation-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
},
"creator": "csg"
}

Re: How to check if policy is changed but not installed?

Robert_Decker — Thu, 29 Mar 2018 20:51:48 GMT

Wow, I'm speechless...

I suggest contacting our TAC for further investigation.

Robert.

Re: How to check if policy is changed but not installed?

Robert_Decker — Sun, 01 Apr 2018 09:44:38 GMT

Hi Rob,

I was just informed that the policy package object is not updated when the changes are published.

Therefore, its last-modify-time field is never updated.

As Ryan Puckett posted above, the show-changes command has the information about the published sessions, but the output of this command doesn't state which policy was published...

It seems that the script I wrote will not work due to this limitation.

I'll try to find another solution for this problem.

Robert.

Re: How to check if policy is changed but not installed?

Aakashvaani_74 — Mon, 04 Apr 2022 14:14:28 GMT

Hi Puckett,

I'm looking for the same kind of requirement with bash script. Could you pls help me with show changes cli command along with policy name if it is available?

How did you incorporate policy change in show changes cli command ? which field was captured

Re: How to check if policy is changed but not installed?

Aakashvaani_74 — Mon, 04 Apr 2022 14:17:09 GMT

Hi Robert,

Did you get a chance to find the script ? I'm looking for a bash script with same requirement