Automated Policy Install Verification

Howdy All,

I am currently scripting/automating our access control policy installation, to run nightly.  This is working great, but I am trying to figure out a good way to send out an automatic update like "Policy has been installed on the following:  "

I am currently using the script itself to dump to a log, and checking that every morning, but would prefer an email or something similar.

Thanks in advance for any insight!

Accepted Solutions
Re: Automated Policy Install Verification

I figured out that the Check Point SMS already has the msmtp client built into it. You can create a config file under /etc/msmtprc that specifies an SMTP server to connect to and send mail through. If memory serves, this config file is not there by default. You can read up a little bit on how to structure the config file here.

I accomplish this by collecting the results of the Policy Installation in a temporary file called "pushlog.txt", which it sounds like you already have since you check that log manually. Then, once the results of all the Policy Installs have been collected, I run the following actions at the end of my script to generate another temp file "tmp_email_report.txt" to assemble the actual body of the e-mail communication:

# Prepare to send e-mail: headers first, then one blank line, then the body
echo "Subject: Firewall Policy Install Results" > /home/admin/scripts/tmp_email_report.txt
echo "To: recipient@yourdomain.com" >> /home/admin/scripts/tmp_email_report.txt
echo >> /home/admin/scripts/tmp_email_report.txt
cat /home/admin/scripts/pushlog.txt >> /home/admin/scripts/tmp_email_report.txt

# Send E-Mails (-t also reads recipients from the To: header; drop --debug once it works)
msmtp --debug --from=user@yourdomain.com -t recipient@yourdomain.com < /home/admin/scripts/tmp_email_report.txt

# Clean-up Scratch Files
rm -f /home/admin/scripts/tmp_email_report.txt
rm -f /home/admin/scripts/push_result.txt

Hope this helps!

R80 CCSA / CCSE

7 Replies

Re: Automated Policy Install Verification

That did the trick, never knew about msmtp!
Re: Automated Policy Install Verification

This is the kind of thing that SmartTasks will allow for, planned for R80.40.
Specifically triggering an action after a Policy Install action completes.
Re: Automated Policy Install Verification

Can you please share your automated policy install solution?

Re: Automated Policy Install Verification

Undoubtedly, you could probably ask this question here and get a number of different answers. However, this method would pair with the notification script I referenced in the earlier post.

#!/bin/bash
#
# Push Firewall Policies
#
# You need this in order to run the script as a cron job
source /opt/CPshrd-R80.30/tmp/.CPprofile.sh

# Log Into API (the session ID is written to id.txt and reused with -s below)
mgmt_cli login user <username> password <pw> > /home/admin/scripts/id.txt

# Push Policies: use ONE of the two install-policy variants below

# Variant A: push only the Access Control policy
mgmt_cli install-policy policy-package "<your policy package name>" access true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
grep "Installation" /home/admin/scripts/push_result.txt > /home/admin/scripts/pushlog.txt

# Variant B: push both Access Control and Threat Prevention (uncomment these two lines instead of Variant A;
# if you keep both variants, change the grep redirect to ">>" so the second result appends, see note 3)
#mgmt_cli install-policy policy-package "<your policy package name>" access true threat-prevention true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
#grep "Installation" /home/admin/scripts/push_result.txt > /home/admin/scripts/pushlog.txt

# Log Out Of API
mgmt_cli logout -s /home/admin/scripts/id.txt

A couple of notes here:
1.) The source "/opt/CPshrd-R80.30/tmp/.CPprofile.sh" line needs to be modified to match the version of your management server.
2.) The output of the entire mgmt_cli command is captured in /home/admin/scripts/push_result.txt. Once it completes, I grep for "Installation" to single out the line from the output that indicates whether the installation Failed or Succeeded. I write the results of that to pushlog.txt. The contents of this file are used in the notification script I referenced above. If you aren't looking to do any notifications, you can disregard all this and just focus on the mgmt_cli commands.
3.) If you are performing multiple policy installs in one script, I would make sure you change the output to ">>" so it appends to that file instead of overwriting it.
4.) Be sure to use full paths to files in scripts you intend to run under the task scheduler in GAIA or cron. It's easy to forget to do this, and suddenly things don't work as a scheduled task that worked when you ran it locally from some directory on the system.
5.) It is possible to create a user solely with Install Policy permissions. I created a specific user with those limited permissions as a little bit of a safeguard for this task.

Hope this helps!

R80 CCSA / CCSE
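As an added example (not code from either post above), the following script joins the two halves of the thread: it reads the "Installation" lines the push script collects from push_result.txt and builds the message the notification snippet hands to msmtp, but with From:/To: headers, a subject that says OK or FAILED, and a non-zero exit when any target failed or no result line was found, so a broken nightly run cannot pass as a quiet success. The sample mgmt_cli output, file paths and addresses are constructed for the demo.

```shell
#!/bin/bash
# Added example, not the poster's code: turn a push_result-style file into a
# ready-to-send mail whose subject says OK or FAILED, and exit non-zero when
# any target failed or no result line exists. Paths and addresses are made up.
set -u

# Print the message (headers, blank line, body) on stdout.
# Returns 0 only if every "Installation" line reports success.
build_report() {
    local result_file="$1" from="$2" to="$3"
    local lines total failed subject
    # Same selection as the posted script: the lines containing "Installation".
    lines=$(grep "Installation" "$result_file" || true)
    total=$(printf '%s\n' "$lines" | grep -c "Installation" || true)
    failed=$(printf '%s\n' "$lines" | grep -c "Installation failed" || true)
    if [ "$total" -eq 0 ]; then
        # A silent run is a failure too: the push may never have happened.
        subject="FAILED: Firewall Policy Install Results (no Installation lines found)"
    elif [ "$failed" -gt 0 ]; then
        subject="FAILED: Firewall Policy Install Results ($failed/$total failed)"
    else
        subject="OK: Firewall Policy Install Results ($total targets)"
    fi
    # A To: header lets "msmtp -t" take the recipient from the message itself.
    printf 'From: %s\nTo: %s\nSubject: %s\n\n%s\n' "$from" "$to" "$subject" "$lines"
    [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed sample (not verbatim mgmt_cli output): one success, one failure.
sample_result_file() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
task-name: "Policy installation - Standard"
status: "failed"
task-details:
- target: "gw-branch-01"
  statusDescription: "Installation completed successfully"
- target: "gw-branch-02"
  statusDescription: "Installation failed. Reason: lost connection to gateway"
EOF
    printf '%s\n' "$f"
}
SAMPLE=$(sample_result_file)
REPORT=$(mktemp)
build_report "$SAMPLE" "fw-automation@example.com" "secops@example.com" > "$REPORT" \
    && echo "all installs succeeded" || echo "at least one install failed (expected for the sample)"
# Hand the message to msmtp only where it exists (the SMS in the thread).
if command -v msmtp >/dev/null 2>&1; then msmtp --from=fw-automation@example.com -t < "$REPORT"; fi
rm -f "$SAMPLE" "$REPORT"
```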
Re: Automated Policy Install Verification

Thanks a lot! Much appreciated.

Re: Automated Policy Install Verification

Glad it helped!

R80 CCSA / CCSE