J_Saun
Nickel

Deleting old/unused policies - R77 and below. Best practices?

I have multiple firewall management stations (mix of R65, R77 - NO R80). Each fw mgmt station has a bunch of old, unused firewall policies that I wish to remove/delete.

I have done some research and am confused about the best way to do it. Below are the 2 options I have found:

- use commands "./migrate export <filename>" and "backup"

- just use DB revision control

From my understanding, neither would retain any new changes made to other active policies if we did revert - which is fine.

Of the above 2 procedures, which would be the best and easiest to roll back to if we figure out we need to bring one of the old policies back? (Likely not going to be an issue, I just want to make sure I have a backout or revert plan.)

Thanks


Re: Deleting old/unused policies - R77 and below. Best practices?

It almost sounds like you are creating new policy packages in lieu of database revision control, would this be correct?

Migrate export takes all objects and policies and wraps them up into a zipped file (including all database revisions you may have). Database revisions I believe take all policy packages and would be nice because you can view previous revisions/packages in the GUI without actually reverting your database back.

J_Saun
Nickel

"It almost sounds like you are creating new policy packages in lieu of database revision control, would this be correct?"

No. I wish to delete old, unused policies. In the event that I need to bring one or two back online within a week or so after deleting I just want to know what the best practice is to prevent total loss of the old policies.

Employee+

Are you going to merge your management servers and thus need to move security policies and objects from one server to another?

There are two tools for this:

pre-R80 versions: cp_merge (Using cp_merge utility)

R80 and newer versions: Python tool for exporting/importing a policy package or parts of it

As for deleting unused policies, you can simply do that from SmartConsole/SmartDashboard. Using Database Revision Control in pre-R80 will back up the current database and policies.
In R80 and newer the DB revision control has changed. See the following post for more information:
https://community.checkpoint.com/docs/DOC-2467-r80-change-control-a-visual-guide

In more complex moves and changes I recommend engaging Check Point Professional Services to do the work.

J_Saun
Nickel

No. We are not merging anything. I simply want to make sure I have an efficient way to bring back the deleted policies in case there is an issue.

So it sounds like DB Revision is my best route?

- I make a DB revision backup

- delete my unused policies

- if someone decides "hey! we needed that policy you deleted" I can just go back to that DB revision and everything will be as it was before I deleted it

Accepted Solution
Employee+

Correct. Take a DB revision prior to deleting a policy. You can then restore it afterwards if needed.

JozkoMrkvicka
Platinum

Lari, may I use this thread to ask some additional questions about DB revision?

I will do a DB revision. Will it include all policy packages, including all objects created?

I want to know: if I create some new objects within Dashboard and include them in some rules, and after the policy is installed I revert the DB revision, will the newly created objects be deleted and removed from all rules?

Kind regards,
Jozko Mrkvicka
Employee+

Yes, the object database and policies will be reverted to the state of the restored revision. Thus all objects/rules created after that revision was taken are removed. The exception is that if you have VSX objects, database revision control in pre-R80 versions is not supported.

JozkoMrkvicka
Platinum

Thank you for the swift reaction.

Meanwhile I have confirmed the desired behaviour in my lab.

Kind regards,
Jozko Mrkvicka
J_Saun
Nickel

One other note that a colleague suggested. Taking a DB revision will only save you if the DB revision is intact. If the DB becomes corrupt then you may not be able to restore. Thus taking the extra step of a backup may be a good idea as well.

Employee+

You are correct. DB revision control doesn't replace regular backups of the system. However, DB revisions are much easier to restore than a full backup. Take DB revisions every time you make major changes to your policy or objects (like deleting objects or policies). Still take weekly or daily backups of your management server depending on the number of changes you make.

Note that these instructions are relevant to pre-R80 versions only. In R80 and newer, DB revision control is automatic, as discussed before.

J_Saun
Nickel

Additional question:

NOTE: this is for R65 and R77

After we remove the unused policies we would like to delete the unused objects as well. After doing some reading it appears that some of the gotchas are:

- objects that use automatic NAT will show up in the unused object list

- some VPN objects may also appear in the unused object list

Is this correct?