Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Maik
Advisor
Jump to solution

Show changes from session => from a single session

Hello guys,

 

I want to write a small script that lists all the created, deleted and modified rules and host objects for a given session/revision uid. The management API reference guide includes two possible commands that should do the job:

 

- show session uid <session_uid>

>> This lists all the general details of a session like e.g. the user, the change sum, the description, the application that has been used in order to publish the given session etc. Here everything is working as expected

 

- show changes from-session <session_uid> to-session <session_uid>

>> This command lists all changes in a given time or session frame... so this means I can use the above mentioned "from-session" => "two-sessions" arguments or the "from-date" => "to-date" arguments. However it seems like that it is not possible to list all changes from just one single session. The seemingly required arguments have default values if no UIDs for the sessions are specified:

from-session

string
Default: The session before to-session

 

to-sessionstring
Default: The last published session

 

But here lays another problem - as the from-session defaults to "the session before to-session" while the to-session argument defaults to "the last published session", this leads to the result that the command gives you the last two sessions if you do not specify any arguments. Still, it does not allow you to just see the changes from a single session. My idea was to give the from and to argument the same session uid, but this results in the following error:

 

> show changes from-session <my_session_uid1> to-session <my_session_uid1>

---------------------------------------------
Time: [15:43:07] 27/3/2019
---------------------------------------------
"Show Changes"  failed  (100%)  
tasks: 
- task-id: "abcdef01-2345-6789-b58a-3559264bf1dc"
  task-name: "Show Changes"
  status: "failed"
  progress-percentage: 100
  progress-description: "Diff operation failed: Unable to build the diff reply."
  suppressed: false

So the command requires a diff in between both parameters while a simple "show changes from-uid" or "show changes uid" does not exist. Do I miss something or is there really no possibility to track the changes of a given single session?

 

Regards,

Maik

0 Kudos
2 Solutions

Accepted Solutions
Adam_Forester
Ambassador
Ambassador
I think I got it... I tested a few different session in the lab this morning and it did what I think you want.

If you run: mgmt_cli show changes to-session UID

Then it will compare the session to the previously published session right before it. I know it seems really backwards but if you read the API guide it is oddly worded that way. If you don't specify the 'from-session' then it defaults: The session before to-session

Make sure to set your details-level to get the detail you want

View solution in original post

Nurit_Gr
Employee Alumnus
Employee Alumnus

Hi Maik, everyone,

 

We haven't released Changes Report extension officially yet since we are creasing out a few last issues.

In the meantime you are invited to start using it and provide us with your feedback.

 

In order to install it, please follow the below instructions:

1. On SmartConsole, got to Manage & Settings > Preferences > SmartConsole Extensions > +. 

The “Import SmartConsole Extension…” window opens.

Enter the web-service manifest URL for the manifest file:

https://extensions.checkpoint.com/changes-report/extension.json

Click ‘OK’.

2. A verification message will pop-up – press ‘OK’.

 

The extension is now installed.

“Changes” button will appear at:

  • The upper toolbar in Security Policies tab and in Gateways and Servers tab - showing changes performed in the current private session
  • The upper toolbar in Manage & Settings > Sessions > Session view - showing the changes performed in the selected session
  • A “Changes” menu will appear at the upper toolbar in Manage & Settings > Sessions > Revisions view. It allows you to compare the selected revision with its previous, or with the current revision.

The extension is supported on top of R80.30 and up.

 

Let me know what you think 🙂

View solution in original post

24 Replies
Adam_Forester
Ambassador
Ambassador

Maik,

if you just run 'show changes' it will compare the last published session vs the session prior to it. Which would show you the changes of the last published session. I just tested it after adding a single network and publishing;

 

mgmt_cli -r true show changes

 

 

---------------------------------------------

Time: [07:25:43] 27/3/2019

---------------------------------------------

"Show Changes"  succeeded  (100%) 

tasks:

- task-id: "abcdef01-2345-6789-81ad-4d56c2e27f11"

  task-name: "Show Changes"

  status: "succeeded"

  progress-percentage: 100

  progress-description: "Operation Complete"

  suppressed: false

  task-details:

  - limit: 10

    offset: 0

    from: 1

    to: 2

    total: 2

    changes:

    - session:

        session-uid: "5ca78a82-4e2b-4315-ab73-7fede5598e81"

        user-name: "WEB_API"

        publish-time:

          posix: 1553689514200

          iso-8601: "2019-03-27T07:25-0500"

        domain-info:

          uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"

          name: "SMC User"

          domain-type: "domain"

      operations:

        added-objects:

        - uid: "3f8fde7a-077b-4ab3-ae45-cac29e36a20a"

          name: "net-1.1.1.1"

          type: "network"

          domain:

            uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"

            name: "SMC User"

            domain-type: "domain"

          subnet4: "1.1.1.0"

          mask-length4: 24

          subnet-mask: "255.255.255.0"

        modified-objects: []

        deleted-objects: []

 

Maik
Advisor

Hello Adam,

Thanks for your reply and suggestion. But this still does not allow me to view the changes of a specific given session - it just lists the last one. This is a step in the direction that I am aiming for but still not the actual goal.

Maybe some background; I have created a script that validates some management CLI strings and gives you feedback on found errors or just says that the string is okay to push if no errors are found. In the end you will receive a list of all created objects (access rules + their related policies to be pricise) as well as a string and the revision id that can be copy pasted into a change ticket that is linked to the changes. Now I want to create an additional script that should allow an "easy review" of a given change by just giving the session (or revision) uid as a parameter in order to do a "four eyes check" of the changes via the cli and not the smartconsole. Thats why I require the change uid of not the latest session, or of multiple sessions but just one specific one.

Best regards,

Maik

PhoneBoy
Admin
Admin
What you're describing might be better accomplished with SmartTasks, a feature we are launching later this year.
You'll be able to trigger an action when someone attempts to publish a session.(e.g. Run a script).
Adam_Forester
Ambassador
Ambassador
Got ya. PhoneBoy is right on the task piece. Saw that at CPX and it was very very nice. But I get what you are trying to do, let me chew on that this weekend and get back to you
Maik
Advisor

Thanks PhoneBoy and Adam 🙂

Especially for thinking over it again on the weekend. Would be great to find a solution - even if it will be a little bit more trickier to achieve than with just running one api call. Have a great weekend and looking forward to hearing from you.

 

By the way, as it is possible to paste a  session uid into the audit log in order to receive all required objects it should be possible with the api as well I guess? Maybe I could use the generic object api somehow... but I need to dig deeper into the usage of it as I have zero experience regarding generic api call so far.

Adam_Forester
Ambassador
Ambassador
I think I got it... I tested a few different session in the lab this morning and it did what I think you want.

If you run: mgmt_cli show changes to-session UID

Then it will compare the session to the previously published session right before it. I know it seems really backwards but if you read the API guide it is oddly worded that way. If you don't specify the 'from-session' then it defaults: The session before to-session

Make sure to set your details-level to get the detail you want
Ron_Izraeli
Employee
Employee

Following the upcoming release of R80.30, we will publish the 'Changes Report' SmartConsole extension which uses the show-changes API command to visualize single session (private/published) changes.

The extension source code would be published as well in our GitHub repository post its release.

Check out How to extend and enhance SmartConsole? 

diff.png

0 Kudos
Ivan_Eriksen
Explorer

The smartconsole extension looks very interesting - R80.30 has been out for some time now, is there any chance you could release the code for this extension?

0 Kudos
Simon_Macpherso
Advisor
Hi, when will this be published on the GitHub repository?
0 Kudos
PhoneBoy
Admin
Admin
From what I can tell (at least on the link I have), this report only shows changes you've made in the current unpublished session and NOT, say, the delta between one session and another.
Not sure if that was the final GA version, though, I will have to check.
0 Kudos
Simon_Macpherso
Advisor

I would be needing to view the delta changes between the most recent and last published session. 

Regards,

Simon 

0 Kudos
JozkoMrkvicka
Authority
Authority

or, even better, to show all changes between 2 selected time period.

Like all changes (NOT done only by me, instead by all admins (maybe report the name of admin) ) performed from 30.3.2020 10:00 till 1.4.2020 08:00. This makes the idea perfectly fit, also for auditing purposes.

Kind regards,
Jozko Mrkvicka
0 Kudos
Timothy_Hall
Legend Legend
Legend

There is no succinct report that will show all changes between two published sessions.  However what you can do is look at the individual Audit Logs for all sessions published between two particular sessions.  This is described in Part 3 of my article R80+ Change Control: A Visual Guide.

Another thing you could try is bringing up the raw Audit Log as described in Part 4, then implement a date range filter spanning the time period between the two sessions you want to compare.  Once again this would just be looking at individual Audit Logs and not a nice report as shown earlier in this thread.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Nurit_Gr
Employee Alumnus
Employee Alumnus

Hi Maik, everyone,

 

We haven't released Changes Report extension officially yet since we are creasing out a few last issues.

In the meantime you are invited to start using it and provide us with your feedback.

 

In order to install it, please follow the below instructions:

1. On SmartConsole, got to Manage & Settings > Preferences > SmartConsole Extensions > +. 

The “Import SmartConsole Extension…” window opens.

Enter the web-service manifest URL for the manifest file:

https://extensions.checkpoint.com/changes-report/extension.json

Click ‘OK’.

2. A verification message will pop-up – press ‘OK’.

 

The extension is now installed.

“Changes” button will appear at:

  • The upper toolbar in Security Policies tab and in Gateways and Servers tab - showing changes performed in the current private session
  • The upper toolbar in Manage & Settings > Sessions > Session view - showing the changes performed in the selected session
  • A “Changes” menu will appear at the upper toolbar in Manage & Settings > Sessions > Revisions view. It allows you to compare the selected revision with its previous, or with the current revision.

The extension is supported on top of R80.30 and up.

 

Let me know what you think 🙂

Kevin_Orrison
Collaborator
I just installed the extension. I make a few changes in policy, then click the "Changes" button and the page that comes up is blank. Am I missing something? R80.30
0 Kudos
Nurit_Gr
Employee Alumnus
Employee Alumnus

Hi,

We are currently having an issue with the latest update of the extension.

I'll update once it will be resolved.

Sorry for the inconvenience.

Nurit_Gr
Employee Alumnus
Employee Alumnus

Hi,

 

Issue is now resolved.

Please contact me if you have additional issues.

Sorry for the inconvenience.

0 Kudos
Kevin_Orrison
Collaborator
It looks like it tries to load, but then I get this: "Error: Unable to retrieve read-only session"
0 Kudos
Nurit_Gr
Employee Alumnus
Employee Alumnus

Hi,

Are you using a standalone environment? extensions are not supported on it.

If not, please verify that the correct ip is configured on your management object.

Also try to login to SmartConsole using the server ip instead of name. 

If all of the above doesn't help - please send me SmartConsole and server logs (cpm, fwm and api) so that we can investigate.

0 Kudos
Timothy_Hall
Legend Legend
Legend

> Are you using a standalone environment? extensions are not supported on it.

Ah thanks, just added a note to the Preface of my article R80+ Change Control: A Visual Guide noting this limitation.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Kevin_Orrison
Collaborator
Looks like it's working after logging into Smart Console with the IP address of the SMS instead of the DNS name. Why would this be an issue?
0 Kudos
Nurit_Gr
Employee Alumnus
Employee Alumnus
There is a server issue while attempting to login to a read only session that extensions use.
Supporting hostname/FQDN is in the server's roadmap for one of the future releases.
0 Kudos
Ivan_Eriksen
Explorer
I have a follow up on my previous question in this thread - is the extension itself running on Check Point's webservers or where is it serving it's data from? As far as I know, you need a web server to actually serve an extension. If it is running off of extensions.checkpoint.com, then how can we get a local copy?
0 Kudos
Nurit_Gr
Employee Alumnus
Employee Alumnus
The extension is currently served from a Check Point bucket on Google cloud.
It is not available for offline customers, but we plan to support it in the future (using a server hotfix).
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events