topic Re: Automated Policy Install Verification in API / CLI Discussion

Automated Policy Install Verification

kevin_t — Wed, 31 Jul 2019 17:52:40 GMT

Howdy All,

I am currently scripting/automating our access control policy installation, to run nightly. This is working great, but I am trying to figure out a good way to send out an automatic update like "Policy has been installed on the following: "

I am currently using the script itself to dump to a log, and checking that every morning, but would prefer an email or something similar.

Thanks in advance for any insight!

Re: Automated Policy Install Verification

Daniel_Taney — Wed, 31 Jul 2019 20:10:57 GMT

I figured out that the Check Point SMS already has the msmtp client built into it. You can create a config file under /etc/msmtprc that specifies an SMTP server to connect to and send mail through. If memory serves, this config file is not there by default. You can read up a little bit on how to structure the config file here.

I accomplish this by collecting the results of the Policy Installation in a temporary file called "pushlog.txt"; which it sounds like you already have since you check that log manually. Then, once the results of all the Policy Installs have been collected, I run the following actions at the end of my script to generate another temp file "tmp_email_report.txt" to assemble the actual body of the e-mail communication:

# Prepare to send e-mail
echo "Subject: Firewall Policy Install Results" > /home/admin/scripts/tmp_email_report.txt
echo >> /home/admin/scripts/tmp_email_report.txt
echo >> /home/admin/scripts/tmp_email_report.txt
cat /home/admin/scripts/pushlog.txt >> /home/admin/scripts/tmp_email_report.txt

# Send E-Mails
cat /home/admin/scripts/tmp_email_report.txt |msmtp --debug --from=user@yourdomain.com -t recipient@yourdomain.com

# Clean-up Scratch File
rm /home/admin/scripts/tmp_email_report.txt
rm /home/admin/scripts/push_result.txt

Hope this helps!

Re: Automated Policy Install Verification

kevin_t — Thu, 01 Aug 2019 18:43:15 GMT

That did the trick, never knew about msmtp!

Re: Automated Policy Install Verification

PhoneBoy — Fri, 02 Aug 2019 19:02:06 GMT

This is the kind of thing that SmartTasks will allow for, planned for R80.40.
Specifically triggering an action after a Policy Install action completes.

Re: Automated Policy Install Verification

motiami — Mon, 23 Mar 2020 08:12:00 GMT

can you please share your automated policy install solution?

Re: Automated Policy Install Verification

Daniel_Taney — Mon, 23 Mar 2020 16:31:41 GMT

Undoubtedly, you could probably ask this question here and get a number of different answers. However, this method would pair with the notification script I referenced in the earlier post.

#/bin/bash
#
# Push Firewall Policies
#
# You need this in order to run the script as a cron job
source /opt/CPshrd-R80.30/tmp/.CPprofile.sh

#Log Into API
mgmt_cli login user <username> password <pw> > /home/admin/scripts/id.txt

# Push Policies

# If you only want to push the access policy portion:
mgmt_cli install-policy policy-package "<your policy package name>" access true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
cat /home/admin/scripts/push_result.txt |grep "Installation" > /home/admin/scripts/pushlog.txt

# If you want to push both Access Policy and Threat Prevention Policy, use this:
mgmt_cli install-policy policy-package "<your policy package name>" access true threat-prevention true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
cat /home/admin/scripts/push_result.txt |grep "Installation" >> /home/admin/scripts/pushlog.txt

# Log Out Of API
mgmt_cli logout -s /home/admin/scripts/id.txt

A couple of notes here,
1.) The source "/opt/CPshrd-R80.30/tmp/.CPprofile.sh" line needs to be modified to match the version of your management server.
2.) The output of the entire mgmt_cli command is captured in /home/admin/scripts/push_result.txt. Once it completes, I grep for "Installation" to single out the line from the output that indicates whether the installation Failed or Succeeded. I write the results of that to pushlog.txt.
The contends of this file are used in the notification script I referenced above. If you aren't looking to do any notifications, you can disregard all this and just focus on the mgmt_cli commands.
3.) If you are performing multiple policy installs in one script, I would make sure you change the output to ">>" so it appends to that file instead of overwriting it.
4.) Be sure to use full paths to files in scripts you intend to run under the task scheduler in GAIA or CRON. Its easy to forget to do this and suddenly things don't work as a scheduled task that worked when you ran it locally from some directory on the system.
5.) It is possible to create a user solely with Install Policy permissions. I created a specific user with those limited permissions as a little bit of a safeguard for this task.

Hope this helps!

Re: Automated Policy Install Verification

motiami — Tue, 24 Mar 2020 07:40:24 GMT

Thanks a lot! much appreciated.

Re: Automated Policy Install Verification

Daniel_Taney — Tue, 24 Mar 2020 12:45:09 GMT

Glad it helped!