Verification of rules

Hi,

I'm trying to verify rules that I have created. I understand that I can create rules through /add-access-rule. I also understand that Checkpoint can verify whether the published rule can be installed by verifying the policy (this can be done in the GUI). I think it is not possible to do this through the API after reading through the API document. I would like to check on the possibility.

In addition, if there's no such function, I would like to check whether there is a good practice other than pulling the entire rule-base for a policy through /show-access-rulebase and checking against the output.

My thought process now is to create a rule, verify policy and delete the rule if the verification flags error (easiest way to check).

Employee+

Re: Verification of rules

Hi Jun Liang Seow,

The API to verify the policy package is added in R80.10.

If possible, it's better to wait until R80.10 is released.

-Igal

phlrnnr
Copper

Re: Verification of rules

Can policy verification be done before publishing? For example, I have a script that adds a rule using the REST API. I would then want to verify the policy before publishing and installing. If verification fails, then I'd want to discard the changes instead of publishing them. Is this possible?

Employee++

Re: Verification of rules

Hi Phillip,

No, it is not possible. Policy verification via the API works the same as in the GUI: first publish, then verify.

Robert.

phlrnnr
Copper

Re: Verification of rules

So, then, from an automation perspective, is the recommended approach to create a new rule via the API, publish it, verify the ruleset, and, if verification fails, remove the rule that was created and finally re-publish?

Employee++

Re: Verification of rules

Phillip,

The creation and verification process of a security policy is more complex than just a trial-and-error approach.

You do not publish and verify per single rule; you should be aware of the whole rulebase you are creating.

You can automate the creation process of the rulebase, publish and verify. If the verification fails, you will need to switch to manual work in the GUI and examine what went wrong.

Robert.


Re: Verification of rules

This is good feedback, Phillip. In the current releases, verifying things like "rule hides rule" and more occurs post-publish. We have plans to assist with verification pre-publish in the next releases.

If you are afraid that your automation often breaks policy verification, perhaps put it in stealth mode: consider not publishing the auto-created rules, and have someone log into that session, look at the changes, and publish or correct them. Once you see that your tools make better changes, you could add the publish step to the automation.

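The two workflows discussed in this thread, written out as an added example (not code from the thread, from Check Point, or from any poster): Robert's publish-then-verify sequence with a roll-back when `verify-policy` fails, and the "stealth mode" from the last reply, where the rule is added but the session is left unpublished for a human to take over in the GUI. It assumes the R80.10+ management web API as documented by Check Point: commands are POSTed to `https://<mgmt>/web_api/<command>` with the session id in the `X-chkp-sid` header, and `publish` and `verify-policy` return a `task-id` that is polled with `show-task`. The host, credentials, layer, package and rule are placeholders, and `FakeManagement` is a constructed stand-in for a management server so the logic can be exercised offline; its "rule hides rule" check is deliberately crude compared to the real verification.

```python
import json
import ssl
import time
import urllib.request


class MgmtClient:
    """Minimal POST-per-command client; the transport is injectable for offline use."""

    def __init__(self, host, transport=None, poll_interval=2.0):
        self.host, self.sid, self.poll_interval = host, None, poll_interval
        # transport(command, payload, sid) -> dict; defaults to real HTTPS.
        self.transport = transport or self._http_post

    def _http_post(self, command, payload, sid):
        req = urllib.request.Request(
            "https://%s/web_api/%s" % (self.host, command),
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"})
        if sid:
            req.add_header("X-chkp-sid", sid)
        # The default context verifies the management server's certificate.
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.loads(resp.read().decode())

    def call(self, command, **payload):
        return self.transport(command, payload, self.sid)

    def login(self, user, password):
        self.sid = self.call("login", user=user, password=password)["sid"]

    def wait_task(self, task_id):
        """Poll show-task until the task leaves 'in progress'; return the task dict."""
        while True:
            task = self.call("show-task", **{"task-id": task_id, "details-level": "full"})["tasks"][0]
            if task["status"] != "in progress":
                return task
            time.sleep(self.poll_interval)

    def publish(self):
        return self.wait_task(self.call("publish")["task-id"])

    def verify_policy(self, package):
        return self.wait_task(self.call("verify-policy", **{"policy-package": package})["task-id"])


def add_rule_verified(api, layer, package, rule):
    """Create, publish, verify; on failure delete the rule and re-publish.
    Returns 'verified' or 'rolled-back'. Note this checks one rule at a time,
    not the rulebase as a whole, which is the limitation Robert points out."""
    api.call("add-access-rule", layer=layer, position="top", **rule)
    api.publish()
    if api.verify_policy(package)["status"] == "succeeded":
        return "verified"
    api.call("delete-access-rule", layer=layer, name=rule["name"])
    api.publish()
    return "rolled-back"


def stage_for_review(api, layer, rule, reviewer_note):
    """Stealth mode: add the rule, label the session, and log out WITHOUT
    publishing, so an administrator can take the session over in the GUI."""
    api.call("add-access-rule", layer=layer, position="top", **rule)
    api.call("set-session", **{"new-name": "automation: " + rule["name"], "description": reviewer_note})
    api.call("logout")
    return "staged"


class FakeManagement:
    """Constructed stand-in for a management server (not Check Point code).
    verify-policy fails when two published rules in a layer share the same
    source/destination/service, a crude 'rule hides rule' approximation."""

    def __init__(self):
        self.published, self.pending, self.tasks = {}, {}, {}

    def _task(self, status):
        tid = "task-%d" % (len(self.tasks) + 1)
        self.tasks[tid] = status
        return {"task-id": tid}

    def __call__(self, command, payload, sid):
        if command == "login":
            self.pending = {k: list(v) for k, v in self.published.items()}
            return {"sid": "fake-sid"}
        if command in ("logout", "set-session"):
            return {}
        if command == "add-access-rule":
            self.pending.setdefault(payload["layer"], []).append(payload)
            return {"uid": "uid-" + payload["name"]}
        if command == "delete-access-rule":
            rules = self.pending.setdefault(payload["layer"], [])
            rules[:] = [r for r in rules if r["name"] != payload["name"]]
            return {"message": "OK"}
        if command == "publish":
            self.published = {k: list(v) for k, v in self.pending.items()}
            return self._task("succeeded")
        if command == "verify-policy":
            keys = [(r["source"], r["destination"], r["service"])
                    for rules in self.published.values() for r in rules]
            return self._task("succeeded" if len(keys) == len(set(keys)) else "failed")
        if command == "show-task":
            return {"tasks": [{"status": self.tasks[payload["task-id"]]}]}
        raise ValueError("unknown command: " + command)


def demo():
    """Run both workflows against the fake; returns the outcomes and the published rule names."""
    fake = FakeManagement()
    api = MgmtClient("mgmt.example.invalid", transport=fake, poll_interval=0)
    api.login("api_user", "placeholder-password")
    base = {"source": "Any", "destination": "Web_Servers", "service": "https", "action": "Accept"}
    first = add_rule_verified(api, "Network", "Standard", dict(base, name="allow-https"))
    duplicate = add_rule_verified(api, "Network", "Standard", dict(base, name="allow-https-dup"))
    staged = stage_for_review(api, "Network", dict(base, name="allow-https-review"), "please review")
    return first, duplicate, staged, [r["name"] for r in fake.published["Network"]]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference between the two approaches: the first rule verifies, the duplicate is published, fails verification and is rolled back with a second publish (so the failing state was briefly live in the published rulebase, which is exactly why Robert prefers verifying a whole rulebase over per-rule trial and error), and the staged rule never reaches the published rulebase at all until someone reviews the session.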