Ryan_Puckett
Employee

How to check if policy is changed but not installed?

Is there something in R80.10 that can be queried to verify if a policy has updated but not installed (pushed out) changes?

The use case is to incorporate the check in a policy install script, where only policies that have changes since the last install get installed.

In versions prior to R80, we queried for times in the fw_policies and install_statuses tables and monitored the last_modified time. I'm trying to replicate this logic in R80.10, but I'm not having luck finding a corresponding modified time variable that changes after I publish a change. I've been looking at show package with details-level set at full, but nothing changes in the output json file once I publish changes.

14 Replies
Timothy_Hall
Champion

There is a "View Changes" button on the install policy screen in R80+ that shows the difference between what is about to be pushed to the gateway vs. what the gateway has currently loaded.  Not sure if this info is somehow available in the mgmt_cli but might be worth investigating.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Ryan_Puckett
Employee

That's it!

Under the "show changes" API call, there is a "session publish time" that gets updated whenever the policy is published. Exactly what I needed.

mgmt_cli show changes --domain Test01 --root true --format json | jq -r '.tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix'

Thank you.
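
The check that the thread's use case calls for, as an added example that is not part of any post here: take the output of `mgmt_cli show changes --domain <domain> --root true --format json`, walk the same path as the jq filter above to collect every session publish-time, and compare the newest one with the timestamp the install script saved at its last push. The sample JSON is constructed for the example and only mirrors that path; note that show changes reports publish sessions for the domain, not per policy package, so this is a per-domain "something was published since the last install" test.

```python
import json

# Constructed sample of `mgmt_cli show changes --format json` output. Only the
# keys on the jq path quoted in the post above are modelled
# (.tasks[]."task-details"[].changes[].session."publish-time".posix);
# every value is made up for this example.
SAMPLE_SHOW_CHANGES = json.dumps({
    "tasks": [{
        "task-details": [{
            "changes": [
                {"session": {"name": "session 1",
                             "publish-time": {"posix": 1516633060917,
                                              "iso-8601": "2018-01-22T09:57-0500"}}},
                {"session": {"name": "session 2",
                             "publish-time": {"posix": 1516720000000,
                                              "iso-8601": "2018-01-23T10:06-0500"}}},
            ]
        }]
    }]
})


def publish_times(show_changes_json):
    """Collect every session publish-time (POSIX milliseconds) from show-changes
    output. Missing keys are tolerated: a domain with nothing published since the
    last install returns no tasks, which must read as "no changes", not an error."""
    doc = json.loads(show_changes_json)
    times = []
    for task in doc.get("tasks", []):
        for detail in task.get("task-details", []):
            for change in detail.get("changes", []):
                posix = change.get("session", {}).get("publish-time", {}).get("posix")
                if posix is not None:
                    times.append(int(posix))
    return times


def latest_publish_time(show_changes_json):
    """Newest publish-time, or 0 when nothing was published. After a successful
    install the script persists this value (for example in a state file) as the
    marker for the next run."""
    times = publish_times(show_changes_json)
    return max(times) if times else 0


def needs_install(show_changes_json, last_install_posix):
    """True when at least one session was published after the recorded last
    install; last_install_posix of 0 means the policy was never installed."""
    return latest_publish_time(show_changes_json) > last_install_posix
```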

Rob_Napholz
Participant

This is great, but which policy was edited/changed?

I am trying to determine which policies have been edited (which policies need to be installed).

Robert_Decker
Advisor

Hi Rob,

It is possible to accomplish your request if you combine data from several API commands.

I'll post the answer (bash script) shortly.

Robert.

Robert_Decker
Advisor

Rob_Napholz
Participant

I have come across an issue on my mgmt

The time stamps are the same prior and after a publish

[Expert@r80:0]# mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917
[Expert@r80:0]# mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917  which is January 22, 2018 2:57:40.917 PM

I know this is wrong as the policy was changed today

Robert_Decker
Advisor

And what about the "iso-8601" field? Does it also show the same date and time?

Robert.

Rob_Napholz
Participant

It does, this was the date the policy was created.

 mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["iso-8601"]'
2018-01-22T09:57-0500

 cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
   HOTFIX_R80_10

[KAV]
   HOTFIX_R80_10

[CPFC]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 56

[FW1]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 56

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 007
This is Check Point's software version R80.10 - Build 027

Robert_Decker
Advisor

This is very strange.

The policy creation time is saved in another field - "meta-info.creation-time.iso-8601". Can you please verify this field's value?

Robert.

Rob_Napholz
Participant

 mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]
> '
{
  "lock": "unlocked",
  "validation-state": "ok",
  "last-modify-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "last-modifier": "csg",
  "creation-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "creator": "csg"
}

Robert_Decker
Advisor

Wow, I'm speechless...

I suggest contacting our TAC for further investigation.

Robert.

Robert_Decker
Advisor

Hi Rob,

I was just informed that the policy package object is not updated when the changes are published.

Therefore, its last-modify-time field is never updated.

As Ryan Puckett posted above, the show-changes command has the information about the published sessions, but the output of this command doesn't state which policy was published...

It seems that the script I wrote will not work due to this limitation.

I'll try to find another solution for this problem.

Robert.

Aakashvaani_74
Explorer

Hi Robert,

Did you get a chance to find the script? I'm looking for a bash script with the same requirement.

Aakashvaani_74
Explorer

Hi Puckett,

I'm looking for the same kind of requirement with a bash script. Could you please help me with the show changes CLI command along with the policy name, if it is available?

How did you incorporate the policy change in the show changes CLI command? Which field was captured?

