kevin_t
Participant

Automated Policy Install Verification

Howdy All,

I am currently scripting/automating our access control policy installation, to run nightly.  This is working great, but I am trying to figure out a good way to send out an automatic update like "Policy has been installed on the following:  "

I am currently using the script itself to dump to a log, and checking that every morning, but would prefer an email or something similar.

Thanks in advance for any insight!

7 Replies
Daniel_Taney
Advisor

I figured out that the Check Point SMS already has the msmtp client built into it. You can create a config file under /etc/msmtprc that specifies an SMTP server to connect to and send mail through. If memory serves, this config file is not there by default. You can read up a little bit on how to structure the config file here

I accomplish this by collecting the results of the Policy Installation in a temporary file called "pushlog.txt"; which it sounds like you already have since you check that log manually. Then, once the results of all the Policy Installs have been collected, I run the following actions at the end of my script to generate another temp file "tmp_email_report.txt" to assemble the actual body of the e-mail communication:

# Prepare to send e-mail: a Subject header, a blank line to terminate the headers,
# then the collected install results from pushlog.txt as the message body
echo "Subject: Firewall Policy Install Results" > /home/admin/scripts/tmp_email_report.txt
echo >> /home/admin/scripts/tmp_email_report.txt
echo >> /home/admin/scripts/tmp_email_report.txt
cat /home/admin/scripts/pushlog.txt >> /home/admin/scripts/tmp_email_report.txt

# Send E-Mails (msmtp reads the message from stdin; -t also honours any To:/Cc: headers
# in the file, and --debug prints the SMTP dialogue to stderr while you are testing)
msmtp --debug --from=user@yourdomain.com -t recipient@yourdomain.com < /home/admin/scripts/tmp_email_report.txt

# Clean-up Scratch Files
rm -f /home/admin/scripts/tmp_email_report.txt
rm -f /home/admin/scripts/push_result.txt

Hope this helps!


R80 CCSA / CCSE
kevin_t
Participant
That did the trick, never knew about msmtp!
PhoneBoy
Admin
This is the kind of thing that SmartTasks will allow for, planned for R80.40.
Specifically triggering an action after a Policy Install action completes.
motiami
Contributor

can you please share your automated policy install solution?

Daniel_Taney
Advisor

Undoubtedly, you could probably ask this question here and get a number of different answers. However, this method would pair with the notification script I referenced in the earlier post.

#!/bin/bash
#
# Push Firewall Policies
#
# You need this in order to run the script as a cron job (cron does not load the
# Check Point environment; adjust the path to your management server version)
source /opt/CPshrd-R80.30/tmp/.CPprofile.sh

# Log Into API (the session id is saved to id.txt and passed with -s below)
mgmt_cli login user <username> password <pw> > /home/admin/scripts/id.txt

# Push Policies

# If you only want to push the access policy portion:
mgmt_cli install-policy policy-package "<your policy package name>" access true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
# Keep only the line that says whether the installation succeeded or failed
grep "Installation" /home/admin/scripts/push_result.txt > /home/admin/scripts/pushlog.txt

# If you want to push both Access Policy and Threat Prevention Policy, use this:
mgmt_cli install-policy policy-package "<your policy package name>" access true threat-prevention true -s /home/admin/scripts/id.txt > /home/admin/scripts/push_result.txt
# ">>" appends, so results from several installs collect in the same pushlog.txt
grep "Installation" /home/admin/scripts/push_result.txt >> /home/admin/scripts/pushlog.txt

# Log Out Of API
mgmt_cli logout -s /home/admin/scripts/id.txt

A couple of notes here,
1.) The source "/opt/CPshrd-R80.30/tmp/.CPprofile.sh" line needs to be modified to match the version of your management server.
2.) The output of the entire mgmt_cli command is captured in /home/admin/scripts/push_result.txt. Once it completes, I grep for "Installation" to single out the line from the output that indicates whether the installation Failed or Succeeded. I write the results of that to pushlog.txt.
The contents of this file are used in the notification script I referenced above. If you aren't looking to do any notifications, you can disregard all this and just focus on the mgmt_cli commands.
3.) If you are performing multiple policy installs in one script, I would make sure you change the output to ">>" so it appends to that file instead of overwriting it.
4.) Be sure to use full paths to files in scripts you intend to run under the task scheduler in GAIA or CRON. It's easy to forget to do this and suddenly things don't work as a scheduled task that worked when you ran it locally from some directory on the system.
5.) It is possible to create a user solely with Install Policy permissions. I created a specific user with those limited permissions as a little bit of a safeguard for this task.

Hope this helps!

R80 CCSA / CCSE
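An added example (not Daniel's script or anything shipped by Check Point) that ties the two posts together: it turns the raw mgmt_cli install-policy dump into one OK/FAILED line per package and then wraps the collected lines in a message with proper headers for `msmtp -t`. The two mgmt_cli output samples, the package names and the addresses are constructed, so check the wording your mgmt_cli version actually prints before relying on the patterns.

```shell
#!/bin/bash
# Added example, not code from the thread. Samples below are constructed and only
# approximate real mgmt_cli install-policy output; adjust the grep/sed patterns.
SAMPLE_OK='tasks:
  - task-name: "Install policy"
    status: "succeeded"
    task-details:
      - message: "Installation completed successfully"'
SAMPLE_FAIL='tasks:
  - task-name: "Install policy"
    status: "failed"
    task-details:
      - message: "Installation failed: Policy verification failed"'

# install_result PACKAGE  (mgmt_cli output on stdin)
# Prints "PACKAGE: OK|FAILED|UNKNOWN - <Installation line>"; returns 1 unless OK,
# so the calling script can count failures instead of eyeballing the log.
# Usage in the cron script: install_result "$pkg" < push_result.txt >> pushlog.txt
install_result() {
  local pkg=$1 line
  line=$(grep -i 'installation' | head -n 1 | sed 's/^ *- *message: *//; s/"//g')
  if [ -z "$line" ]; then
    printf '%s: UNKNOWN - no Installation line in mgmt_cli output\n' "$pkg"
    return 1
  fi
  case $line in
    *[Ff]ail*) printf '%s: FAILED - %s\n' "$pkg" "$line"; return 1 ;;
    *)         printf '%s: OK - %s\n' "$pkg" "$line"; return 0 ;;
  esac
}

# build_report FROM TO  (pushlog lines on stdin)
# Emits From:/To:/Subject: headers, the blank separator line and the body, so the
# recipient comes from the To: header with "msmtp -t"; a failure count goes into
# the Subject so the morning mail is actionable from the inbox list alone.
build_report() {
  local from=$1 to=$2 body failed
  body=$(cat)
  failed=$(printf '%s\n' "$body" | grep -c -E 'FAILED|UNKNOWN' || true)
  printf 'From: %s\nTo: %s\nSubject: Firewall Policy Install Results' "$from" "$to"
  [ "$failed" -gt 0 ] && printf ' - %s FAILED' "$failed"
  printf '\n\n%s\n' "$body"
}

# Stand-alone demo: one package succeeds, one fails; pipe into "msmtp -t" for real.
{ printf '%s\n' "$SAMPLE_OK"   | install_result Standard_Policy
  printf '%s\n' "$SAMPLE_FAIL" | install_result DMZ_Policy; } |
  build_report fw-automation@example.com netops@example.com
```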
motiami
Contributor

Thanks a lot! Much appreciated.

Daniel_Taney
Advisor

Glad it helped!

R80 CCSA / CCSE