Hi,
I need some tips regarding best practice for a mass change across hundreds of access rules.
Goal, e.g.:
change all rules on Policy2 inside the MDS domain2. Set all rules to track none, or set all rules to install on firewall2, or something like that.
My first guess was to use the show access-rulebase command and then set access-rule command.
However, I could not find out how to address only Policy number '2' in Domain '2'.
mgmt_cli show access-rulebase offset 0 limit 1000 name "Network" details-level "standard" use-object-dictionary true -s id.txt
mgmt_cli set access-rule name "Rule 1" track "None"
If possible, I would like to avoid rewriting the complete rule. It should simply replace 'log' with 'None'.
Or is the approach wrong?
Regards
I didn't like the way the other solution edits fw files so I took a few minutes and created the following mgmt_cli bash script.
You write the number of rules you want it to change and it sets the rules' track with a for loop using mgmt_cli.
Syntax: ./Change_Track_Log.sh <number_of_rules_in_DB>
You can change the value from logs to none, or other values.
This is for the default layer/policy; if you want to adjust it you might need to change a few elements in the script itself.
If this gets good feedback I might improve it by giving default values to fall back on while allowing the policy name and layer name to be entered.
Runtime example:
[Expert@Amir:0]# bash -x Change_Track_Log.sh 3
+ mgmt_cli login -r true
+ (( N=1 ))
+ (( ((1-1))<3 ))
+ mgmt_cli set access-rule layer Network rule-number 1 track.type log -s id.txt
+ (( N=((1+1)) ))
+ (( ((2-1))<3 ))
+ mgmt_cli set access-rule layer Network rule-number 2 track.type log -s id.txt
+ (( N=((2+1)) ))
+ (( ((3-1))<3 ))
+ mgmt_cli set access-rule layer Network rule-number 3 track.type log -s id.txt
+ (( N=((3+1)) ))
+ (( ((4-1))<3 ))
+ mgmt_cli publish -s id.txt
---------------------------------------------
Time: [13:09:00] 12/3/2024
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-acd6-454bfe5ed9bc"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 3
mode: "async"
revision: "d4749534-3634-455e-88f2-851fd6774419"
Improved script.
Syntax: ./Change_Track_Log.sh <number_of_rules_in_DB> [policy_name] [domain_name]
Now the first argument is mandatory but the second and third arguments are optional. In order to pass the third one you must pass the second.
If no values are provided, policy and domain name fall back to default values (for policy we choose the layer, default is simply "Network"; for domain it's "System Data").
Will not work for an inline layer.
Runtime example:
[Expert@192.168.13.35_MDS:0]# bash -x Change_Track_Log.sh 3 amirP Dom1
+ '[' -z 3 ']'
+ '[' -z amirP ']'
+ Layer_Name='amirP Network'
+ '[' -z Dom1 ']'
+ Domain_Name=Dom1
+ mgmt_cli login -r true --domain Dom1
+ (( N=1 ))
+ (( ((1-1))<3 ))
+ mgmt_cli set access-rule layer 'amirP Network' rule-number 1 track.type log --domain Dom1 -s id.txt
+ (( N=((1+1)) ))
+ (( ((2-1))<3 ))
+ mgmt_cli set access-rule layer 'amirP Network' rule-number 2 track.type log --domain Dom1 -s id.txt
+ (( N=((2+1)) ))
+ (( ((3-1))<3 ))
+ mgmt_cli set access-rule layer 'amirP Network' rule-number 3 track.type log --domain Dom1 -s id.txt
+ (( N=((3+1)) ))
+ (( ((4-1))<3 ))
+ mgmt_cli publish -s id.txt
---------------------------------------------
Time: [13:59:40] 13/3/2024
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-92ba-1181b2b6b003"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 3
mode: "async"
revision: "af6a7e28-cf9b-4ba2-9974-140caa87691b"
This is the SK for this question:
To change the Track fields of every rule in a large policy (from "Account" to "Log" for example), perform:
Hi,
Interesting. Thanks a lot.
sk109766 was last modified in 2016, sk108538 in 2015.
That means more or less R77.30.
But I will try it in our lab.
Thanks
Regards
This doesn't apply for R8x releases.
You can get your policy packages using the 'show-packages details-level full' call. Within the package, you need the key 'access-layers', which contains a list of objects. Each access layer object has a UUID in the 'uid' key. With that, you can use the 'show-access-rulebase uid <layer UUID>' call to get the rules in that layer. 'limit' only goes up to 500.
You would filter the list for the rules with the property you care about, then use the 'set-access-rule uid <rule UUID> layer <layer UUID>' call to change the rule. That call doesn't need anything else except what you are changing. That is, if you aren't setting the rule's source, you don't need to specify the source in the API call.
Hi,
I tried it multiple times on a test SmartCenter and in general the script works as expected. Great!
I tried it with 100 rules.
[Expert@SMS-R8120:0]# ./Change_Track_Log.sh 100
---------------------------------------------
Time: [08:55:52] 13/3/2024
---------------------------------------------
"Publish operation" in progress (10%)
---------------------------------------------
Time: [08:56:02] 13/3/2024
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-9629-e463b308f098"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 100
mode: "async"
revision: "e3d9bad4-9f63-4a17-9fe3-fcd6a0b79d9c"
I did not try it with 2000 rules yet.
I need to find out first how to address "Policy 3" on MDS Domain "Domain 3".
https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/set-access-rule~v1.9%20
The parameter "name" is obviously not the policy name.
Thanks
Regards
First of all, asking the API for 1000 rules via "limit" will probably not result in 1000 rules being returned.
You need to properly use the limit/offset parameters in a loop to correctly process all the rules.
Further, I would perform a "publish" action periodically (every ~100 changes or so) for performance reasons.
A complete sample of what you tried to do (starting from the login command) would be helpful.
It is probably better to refer to the rule by UID instead of name since every rule is guaranteed to have one (whereas a name doesn't even have to be unique).
However, I believe you're on the right track using set access-rule.
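The approach described in the replies above (read the package's access layers, page through each layer's rulebase, change the matching rules by UID) combined with the advice here to use limit/offset properly, refer to rules by UID and publish every ~100 changes, put together as one added example script. This is not code from the thread or from Check Point. It assumes mgmt_cli on PATH and Python 3 (for instance on the management server itself), a root login (-r true) with an optional --domain as in the traces above, and that show access-rulebase with use-object-dictionary false returns the track type as an object carrying a name. The response shapes and all UIDs in SAMPLE_PACKAGE and SAMPLE_PAGE are constructed for offline checking, not taken from a real system.

```python
"""Change the Track field of every matching rule in a policy package through
the Management API. Added example for this thread, not Check Point code.
Steps: show package -> access-layers[].uid -> show access-rulebase paged with
offset/limit (limit caps at 500) -> keep rules whose track type is FROM ->
set access-rule uid <rule> layer <layer> track.type TO, publishing every
PUBLISH_EVERY changes. Assumes mgmt_cli on PATH, Python 3, root login
(-r true) on the management server, and the response shapes of SAMPLE_*."""
import json
import subprocess
import sys

PAGE_SIZE = 500      # show access-rulebase returns at most 500 rules per call
PUBLISH_EVERY = 100  # publish in batches rather than once after thousands of changes
SESSION = "id.txt"   # written by 'mgmt_cli login', handed back with -s

def login(domain=None, session=SESSION):
    """mgmt_cli login -r true [--domain <name>] > id.txt. The session is bound
    to the domain, so later calls need only -s, not --domain."""
    cmd = ["mgmt_cli", "login", "-r", "true"]
    if domain:
        cmd += ["--domain", domain]
    with open(session, "w") as fh:
        subprocess.run(cmd, check=True, stdout=fh)

def mgmt(*args, session=SESSION):
    """Run one mgmt_cli command with JSON output and return the parsed reply."""
    cmd = ["mgmt_cli", *args, "--format", "json", "-s", session]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def layer_uids(package):
    """UIDs of the access layers of one package object."""
    return [layer["uid"] for layer in package.get("access-layers", [])]

def page_offsets(total, page_size=PAGE_SIZE):
    """Offsets needed to walk 'total' rules in pages of 'page_size'."""
    return list(range(0, total, page_size))

def rules_to_change(items, from_track):
    """UIDs of the rules whose track type name equals from_track. Sections keep
    their rules under their own 'rulebase' key, so recurse into them."""
    found = []
    for item in items:
        if item.get("type") == "access-section":
            found.extend(rules_to_change(item.get("rulebase", []), from_track))
        elif item.get("type") == "access-rule":
            if item.get("track", {}).get("type", {}).get("name") == from_track:
                found.append(item["uid"])
    return found

def retrack_layer(layer_uid, from_track, to_track):
    """Page through one layer, change the matching rules, return how many."""
    # use-object-dictionary false: track.type comes back as an object with a
    # name instead of a uid that must be resolved via the objects dictionary.
    query = ["show", "access-rulebase", "uid", layer_uid, "limit",
             str(PAGE_SIZE), "use-object-dictionary", "false"]
    first = mgmt(*query, "offset", "0")
    pages = [first] + [mgmt(*query, "offset", str(off))
                       for off in page_offsets(first.get("total", 0))[1:]]
    # Read everything before changing anything, so paging never races the edits.
    targets = [uid for page in pages
               for uid in rules_to_change(page.get("rulebase", []), from_track)]
    for done, rule_uid in enumerate(targets, start=1):
        # Only the field being changed is sent; every other field keeps its value.
        mgmt("set", "access-rule", "uid", rule_uid, "layer", layer_uid,
             "track.type", to_track)
        if done % PUBLISH_EVERY == 0:
            mgmt("publish")
    if len(targets) % PUBLISH_EVERY:
        mgmt("publish")
    return len(targets)

def main(policy, from_track, to_track, domain=None):
    login(domain)
    try:
        package = mgmt("show", "package", "name", policy, "details-level", "full")
        total = sum(retrack_layer(uid, from_track, to_track)
                    for uid in layer_uids(package))
        print(f"changed {total} rule(s) in package {policy!r}")
    finally:
        mgmt("logout")

# Constructed samples (shapes assumed from the API docs; all UIDs made up).
SAMPLE_PACKAGE = {"name": "Policy2", "access-layers": [
    {"uid": "aaaaaaaa-0000-0000-0000-000000000001", "name": "Policy2 Network"}]}
SAMPLE_PAGE = {"total": 3, "from": 1, "to": 3, "rulebase": [
    {"type": "access-rule", "uid": "11111111-0000-0000-0000-000000000001",
     "track": {"type": {"name": "Log"}}},
    {"type": "access-section", "name": "DMZ", "rulebase": [
        {"type": "access-rule", "uid": "11111111-0000-0000-0000-000000000002",
         "track": {"type": {"name": "None"}}},
        {"type": "access-rule", "uid": "11111111-0000-0000-0000-000000000003",
         "track": {"type": {"name": "Log"}}}]}]}

if __name__ == "__main__":
    # usage: python3 retrack.py <policy_name> <from_track> <to_track> [domain]
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    main(*sys.argv[1:5])
```

Run as `python3 retrack.py Policy2 Log None Domain2` to turn every Log rule in all access layers of Policy2 into a None rule inside that domain. Reading the layer UIDs from the package avoids guessing the layer name ("<policy> Network" is only the default), and collecting the target UIDs before the first set call means the intermediate publishes cannot shift the pages being read.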
For the track/log field, the only option is to use an API script.
For "Install On", you can edit the whole policy package to use specific "installation targets".
Another option would be to create a new network group to be used on the needed rules as "Install On". The content of this network group will be all desired gateways. If a gateway is removed or created, you just need to edit one network group, nothing else.