
SmartTask - Restrict use of specific objects in Access Control Policy

This SmartTask allows blocking the use of specific objects in the source and destination fields of the Access Control Policy. It intercepts the session on a publish attempt ("Pre Publish" trigger) and runs a script that looks for the objects defined in the Custom Data field of the SmartTask (see below).

It can be very useful if you want to avoid rules with "Any" in source and/or destination (in this case you'll need to exclude the Stealth and Cleanup rules) and to restrict access to/from sensitive resources.


6 Replies

Hello @Dima_M,

Thank you a lot for your example. It is really nice. I would like to ask you for some advice regarding my use case. Let's say that we have some highly sensitive rules. Nobody should be able to add a rule above them to break their drop meaning. I was thinking to use a SmartTask with a before-publish trigger for checking this concept.

Concept of checking of modified/deleted/added objects in rule base is really nice.

{
  "operations": {
    "modified-objects": …,
    "deleted-objects": …,
    "added-objects": []
  },
  "session": …
}

 

We would totally be able to check if rules were edited. But during the testing I tried to move a "permit any" rule above those "highly sensitive rules". I was checking the parameters of the publish event, and when I changed the rule order and published, the only info in the JSONs was about the session itself, no info about the rule number change. So I have no evidence of a change in the order of rules while publishing a new rule base and running a SmartTask on it. Is this information hidden somewhere? How can I get to this information during the "before publish" event?

 

Thank you a lot for your reply.

 

{
  "session": {
    "session-uid": "104cd16c-dcbc-4749-9758-89f04d8d7c30",
    "session-name": "admin@02.04.2020",
    "user-name": "admin",
    "application": "SmartConsole",
    "domain-info": {
      "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name": "SMC User",
      "domain-type": "Domain"
    }
  }
}
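To illustrate the check the original post describes (reject a publish whose new or changed rules reference blocked objects such as "Any", with the Stealth/Cleanup rules exempted) against the "operations"/"session" payload shape shown above, here is an added example that is not the SmartTask script from the thread. The per-object fields (type, name, source, destination) and the way the payload reaches the script are assumptions; the sample payload and the blocked-object list are constructed.

```python
import json

# Constructed "Pre Publish" payload, shaped after the "operations"/"session"
# structure shown in the thread. The per-rule fields (type, name, source,
# destination) are an assumption for this example, not the documented format.
SAMPLE_PAYLOAD = json.dumps({
    "operations": {
        "added-objects": [
            {"type": "access-rule", "name": "Allow web",
             "source": ["Any"], "destination": ["Web_Servers"]},
            {"type": "access-rule", "name": "Cleanup rule",
             "source": ["Any"], "destination": ["Any"]},
        ],
        "modified-objects": [
            {"type": "access-rule", "name": "Backup",
             "source": ["Backup_Host"], "destination": ["Sensitive_DB"]},
        ],
        "deleted-objects": [],
    },
    "session": {"session-name": "admin@02.04.2020", "user-name": "admin"},
})

# Stand-in for the SmartTask Custom Data field: object names that must not
# appear in source/destination, and rule names exempt from the "Any" check.
BLOCKED_OBJECTS = {"Any", "Sensitive_DB"}
EXEMPT_RULES = {"Stealth rule", "Cleanup rule"}


def find_violations(payload, blocked=BLOCKED_OBJECTS, exempt=EXEMPT_RULES):
    """Return (rule, field, object) for each added or modified access rule
    that references a blocked object. Deleted objects are not inspected."""
    ops = payload.get("operations", {})
    violations = []
    for bucket in ("added-objects", "modified-objects"):
        for obj in ops.get(bucket) or []:
            if obj.get("type") != "access-rule" or obj.get("name") in exempt:
                continue
            for field in ("source", "destination"):
                for name in obj.get(field) or []:
                    if name in blocked:
                        violations.append((obj.get("name"), field, name))
    return violations


def check_payload(raw_json):
    """Parse the payload; return (ok, messages). ok=False means block publish."""
    violations = find_violations(json.loads(raw_json))
    msgs = [f"rule '{r}': {f} uses blocked object '{o}'" for r, f, o in violations]
    return (not violations, msgs)
```

In a real SmartTask the script would feed the payload it receives to check_payload and exit non-zero when ok is False, so the publish is rejected with the messages as the reason.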


Hi Martin @martin

Thanks for bringing this up. It looks like the show-changes output displays only partial info when rules are swapped. We'll investigate it further and update.


Tried to import this script and the maximum filesize that the GUI can import is 8Kb.  The filesize for this is 13Kb.  Why is there a limit?  


Hi @grandpafirewall 

How did you try to import the SmartTask? It should be done using the API; there is no way of importing a SmartTask using the GUI.

I imported it with API and it worked with no problem:

mgmt_cli import-smart-task file-path /home/admin/validate_rulebase_changes_on_publish.txt -r true

see API documentation here: https://sc1.checkpoint.com/documents/latest/APIs/#cli/import-smart-task~v1.6%20


That would be the issue. Thanks. I eventually want to try and do this from SmartCloud.


You can still access the API with SmartCloud.
