
How to check if policy is changed but not installed?

Is there something in R80.10 that can be queried to verify if a policy has updated but not installed (pushed out) changes?

The use case is to incorporate the check in a policy install script, where only policies that have changes since the last install get installed.

In versions prior to R80, we queried for times in the fw_policies and install_statuses tables and monitored the last_modified time. I'm trying to replicate this logic in R80.10, but I'm not having luck finding a corresponding modified time variable that changes after I publish a change. I've been looking at show package with details-level set at full, but nothing changes in the output json file once I publish changes.

12 Replies

Re: How to check if policy is changed but not installed?

There is a "View Changes" button on the install policy screen in R80+ that shows the difference between what is about to be pushed to the gateway vs. what the gateway has currently loaded.  Not sure if this info is somehow available in the mgmt_cli but might be worth investigating.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: How to check if policy is changed but not installed?

That's it!

Under the "show changes" API call, there is a "session publish time" that gets updated whenever the policy is published. Exactly what I needed.

mgmt_cli show changes --domain Test01 --root true --format json | jq -r '.tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix'

Thank you.

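The check described in this reply, as an added worked example that is not code from the thread: parse the `show changes` JSON along the same path as the jq filter above, take the most recent session publish time, and compare it with the time of the last install. The JSON below is a constructed sample shaped only after the fields that jq path touches (`tasks`, `task-details`, `changes`, `session`, `publish-time.posix`); no other fields are assumed. The last-install timestamp is assumed to be state the install script records itself after a successful install, since the thread does not name an API field that provides it. Timestamps are posix milliseconds, matching the values shown later in the thread.

```python
"""Decide whether a policy install is needed from `mgmt_cli show changes` output.

Added example, not code from the thread. The sample JSON is constructed and
follows only the jq path quoted in the reply above:
  .tasks[] | ."task-details"[] | .changes[] | .session."publish-time".posix
Timestamps are posix milliseconds, as Check Point time objects report them.
"""
import json
from datetime import datetime, timezone

# Constructed sample (not captured from a management server): two published
# sessions, the second newer than the first.
SHOW_CHANGES_SAMPLE = json.dumps({
    "tasks": [{
        "task-details": [{
            "changes": [
                {"session": {"publish-time": {"posix": 1516633060917}}},
                {"session": {"publish-time": {"posix": 1519999999000}}},
            ]
        }]
    }]
})


def publish_times(show_changes_json):
    """All session publish times (posix ms) in the show-changes output, ascending."""
    doc = json.loads(show_changes_json)
    times = []
    for task in doc.get("tasks", []):
        for detail in task.get("task-details", []):
            for change in detail.get("changes", []):
                posix = change.get("session", {}).get("publish-time", {}).get("posix")
                if posix is not None:
                    times.append(int(posix))
    return sorted(times)


def latest_publish_time(show_changes_json):
    """Most recent publish time, or None when no published sessions are listed."""
    times = publish_times(show_changes_json)
    return times[-1] if times else None


def needs_install(show_changes_json, last_install_posix):
    """True when some session was published after the recorded last install.

    last_install_posix is an assumption: state the install script persists
    itself (the time of its last successful install), not an API field.
    """
    latest = latest_publish_time(show_changes_json)
    return latest is not None and latest > last_install_posix


def posix_ms_to_iso(posix_ms):
    """Render a Check Point posix-millisecond value as UTC ISO-8601 for logging."""
    return datetime.fromtimestamp(posix_ms / 1000, tz=timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    last_install = 1516633060917  # constructed: when the previous install ran
    for t in publish_times(SHOW_CHANGES_SAMPLE):
        state = "newer than last install" if t > last_install else "already installed"
        print(posix_ms_to_iso(t), state)
    print("install needed:", needs_install(SHOW_CHANGES_SAMPLE, last_install))
```

In a real install script the JSON would come from the `mgmt_cli show changes ... --format json` command above instead of the constructed sample. Note the limit of this approach: the publish time is domain-wide, so the result is "something was published" rather than "this package changed".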
Re: How to check if policy is changed but not installed?

This is great, but which policy was edited/changed?

 

I am trying to determine which policies have been edited (which policies need to be installed).

 


Re: How to check if policy is changed but not installed?

Hi Rob,

It is possible to accomplish your request if you combine data from several API commands.

I'll post the answer (bash script) shortly.

Robert.


Re: How to check if policy is changed but not installed?

I have come across an issue on my mgmt

The timestamps are the same before and after a publish:

[Expert@r80:0]# mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917
[Expert@r80:0]# mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["posix"]'
1516633060917  which is January 22, 2018 2:57:40.917 PM

I know this is wrong, as the policy was changed today.


Re: How to check if policy is changed but not installed?

And what about the "iso-8601" field? Does it also show the same date and time?

Robert.


Re: How to check if policy is changed but not installed?

It does; this was the date the policy was created.

 mgmt_cli  show-package name t_policy --format json -s id.txt |jq -r '.["meta-info"]["last-modify-time"]["iso-8601"]'
2018-01-22T09:57-0500

 cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
   HOTFIX_R80_10

[KAV]
   HOTFIX_R80_10

[CPFC]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 56

[FW1]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 56

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 007
This is Check Point's software version R80.10 - Build 027


Re: How to check if policy is changed but not installed?

This is very strange.

The policy creation time is saved in another field - "meta-info.creation-time.iso-8601". Can you please verify this field's value?

Robert.


Re: How to check if policy is changed but not installed?

mgmt_cli show-package name t_policy --format json -s id.txt | jq -r '.["meta-info"]'
{
  "lock": "unlocked",
  "validation-state": "ok",
  "last-modify-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "last-modifier": "csg",
  "creation-time": {
    "posix": 1516633060917,
    "iso-8601": "2018-01-22T09:57-0500"
  },
  "creator": "csg"
}


Re: How to check if policy is changed but not installed?

Wow, I'm speechless...

I suggest contacting our TAC for further investigation.

Robert.


Re: How to check if policy is changed but not installed?

Hi Rob,

I was just informed that the policy package object is not updated when the changes are published.

Therefore, its last-modify-time field is never updated.

As Ryan Puckett posted above, the show-changes command has the information about the published sessions, but the output of this command doesn't state which policy was published...

It seems that the script I wrote will not work due to this limitation.

I'll try to find another solution for this problem.

Robert.