Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
CepKpy
Explorer

How to check if there are changes in the policy?

How to check if there are changes in the policy?
I only want to install the policy if there have been changes.

Accounts for VPN users can be created during the day. And at the end of the day, I need to apply a policy so that users from home can connect.

I use Management API v1.6.1

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

That means you're on R80.40 with a recent JHF.
Means you can leverage this: https://community.checkpoint.com/t5/SmartConsole-Extensions/Change-Report/m-p/87322
See also discussion about the show-changes API here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Show-changes-from-session-gt-from...

0 Kudos
CepKpy
Explorer

it doesn't answer my question. I need to find out via the API: have changes been posted since the last installation of the policies?

1.jpg

0 Kudos
Timothy_Hall
Champion
Champion

There doesn't seem to be a simple way to do this, but I think this would work:

1) Pull date of last policy install to the gateway with cpstat -f policy fw, field "Policy Install Time".  There doesn't seem to be a way to pull this info directly from the API that I can find; was hoping to get this from the audit logs but they don't seem to be available at all via the API.  This policy install date info can be found easily on the Gateways & Servers tab of the SmartConsole GUI, so it may be somehow available through the management API although I couldn't figure out how.

2) Once you have the last policy install date, invoke the show changes from-date API call to see a list of changes since last policy install date.  Note that similarly to the display on the Install Policy confirmation screen, this shows you the total number of changes since last policy install, but all those changes are not necessarily relevant to the gateway in question.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos