Is there something in R80.10 that can be queried to verify if a policy has updated but not installed (pushed out) changes?
The use case is to incorporate the check in a policy install script, where only policies that have changes since the last install get installed.
In versions prior to R80, we queried for times in the fw_policies and install_statuses tables and monitored the last_modified time. I'm trying to replicate this logic in R80.10, but I'm not having luck finding a corresponding modified time variable that changes after I publish a change. I've been looking at show package with details-level set at full, but nothing changes in the output json file once I publish changes.
There is a "View Changes" button on the install policy screen in R80+ that shows the difference between what is about to be pushed to the gateway vs. what the gateway has currently loaded. Not sure if this info is somehow available in the mgmt_cli but might be worth investigating.
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
That's it!
Under the "show changes" API call, there is a "session publish time" that gets updated whenever the policy is published. Exactly what I needed.
mgmt_cli show changes --domain Test01 --root true --format json | jq -r '.tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix'
Thank you.
This is great, but which policy was edited/changed?
I am trying to determine which policies have been edited (which policies need to be installed).
Hi Rob,
It is possible to accomplish your request if you combine data from several API commands.
I'll post the answer (bash script) shortly.
Robert.
Here you go: https://community.checkpoint.com/docs/DOC-2816.
Robert.
I have come across an issue on my mgmt.
The timestamps are the same prior to and after a publish.
[Expert@r80:0]# mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917
[Expert@r80:0]# mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917 which is January 22, 2018 2:57:40.917 PM
I know this is wrong, as the policy was changed today.
And what about the "iso-8601" field? Does it also show the same date and time?
Robert.
It does, this was the date the policy was created.
mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["iso-8601"]'
2018-01-22T09:57-0500
cpinfo -y all
This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10
[KAV]
HOTFIX_R80_10
[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 56
[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 56
FW1 build number:
This is Check Point Security Management Server R80.10 - Build 007
This is Check Point's software version R80.10 - Build 027
This is very strange.
The policy creation time is saved in another field - "meta-info.creation-time.iso-8601". Can you please verify this field's value?
Robert.
mgmt_cli show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]
> '
{
  "lock": "unlocked",
  "validation-state": "ok",
  "last-modify-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "last-modifier": "csg",
  "creation-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "creator": "csg"
}
Wow, I'm speechless...
I suggest contacting our TAC for further investigation.
Robert.
Hi Rob,
I was just informed that the policy package object is not updated when the changes are published.
Therefore, its last-modify-time field is never updated.
As Ryan Puckett posted above, the show-changes command has the information about the published sessions, but the output of this command doesn't state which policy was published...
It seems that the script I wrote will not work due to this limitation.
I'll try to find another solution for this problem.
Robert.
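The install-gating check discussed in this thread, as an added example that is not code from any poster or from Check Point: it walks saved `show changes` JSON along the jq path quoted above, takes the newest session publish time, and compares it with the time of the last install. Assumptions: the sample JSON is constructed from that jq path only, publish times are POSIX milliseconds as in the show-package output above, and `last_install_ms` is a hypothetical value the install script records itself.

```python
import json

# Constructed sample, shaped only by the jq path quoted in the thread:
# .tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix
SAMPLE_SHOW_CHANGES = json.loads("""
{"tasks": [{"task-details": [{"changes": [
  {"session": {"publish-time": {"posix": 1516633060917}}},
  {"session": {"publish-time": {"posix": 1516719460000}}},
  {"session": {}}
]}]}]}
""")


def publish_times(show_changes):
    """Yield every session publish time (POSIX ms) in show-changes output."""
    if "tasks" not in show_changes:
        # Unexpected output (error reply, truncated file): refuse to decide,
        # so the caller never silently skips an install.
        raise ValueError("no 'tasks' key in show-changes output")
    for task in show_changes["tasks"]:
        for detail in task.get("task-details") or []:
            for change in detail.get("changes") or []:
                session = change.get("session") or {}
                posix = (session.get("publish-time") or {}).get("posix")
                if isinstance(posix, int):
                    yield posix


def latest_publish(show_changes):
    """Newest publish time in the output, or None if nothing was published."""
    return max(publish_times(show_changes), default=None)


def needs_install(show_changes, last_install_ms):
    """True when a session was published after the last recorded install.

    The answer covers the whole domain: as noted in the thread, the output
    does not say which policy package a published session touched.
    last_install_ms is hypothetical state kept by the install script;
    None means no install has been recorded yet.
    """
    latest = latest_publish(show_changes)
    if latest is None:
        return False
    return last_install_ms is None or latest > last_install_ms
```
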
Hi Robert,
Did you get a chance to find the script? I'm looking for a bash script with the same requirement.
Hi Puckett,
I'm looking for the same kind of requirement with a bash script. Could you please help me with the show changes CLI command along with the policy name, if it is available?
How did you incorporate the policy change in the show changes CLI command? Which field was captured?