Re: Automatic rule coding using OPSEC

Kishorilal_CJ · ‎2018-01-24

Hello

we are well aware that R80.10 has got API to perform multiple automation stuffs, whereas we are looking for something in R77.30 , since it takes sometime for us to upgrade the version to R80.10 and I just wanted to check if any possibilities of adding the policy rules from Tufin tool(as one of the approved OPSEC product), to check point policy database, when communication from checkpoint to tufin is possible

thanks in adavnce

PhoneBoy · ‎2018-01-26

The OPSEC API does have ways to modify the rulebase.

Heck, I wrote scripts to modify the rulebase with dbedit

I believe Tufin can do this, but you should check with them on the specifics.

Kishorilal_CJ · ‎2018-01-28

Thank you for your comments.. would you please share the script link

PhoneBoy · ‎2018-01-28

The scripts I wrote were for specific customers.

Most of the specific are covered in the R77 CLI Guide: Command Line Interface R77 Reference Guide

Keep in mind that while modifying existing rules with dbedit is relatively straightforward, adding a new rule is not since it requires multiple delete/add operations.

The R80 APIs have significantly improved APIs for rulebase manipulation.

JozkoMrkvicka · ‎2019-01-24

Hi Dameon Welch-Abernathy‌,

Do you remember if the script you wrote using dbedit included also LDAP user groups ? I am struggling how can I add new LDAP group to the existing rule via dbedit (R77.30).

https://community.checkpoint.com/message/35147-r7730-adding-ldap-group-to-the-existing-rule-using-db...

Kind regards,
Jozko Mrkvicka

PhoneBoy · ‎2019-01-24

I did not do that in any of my scripts, but will see if I can get someone from R&D to help on the thread you pointed me at.

JozkoMrkvicka · ‎2019-01-25

Thank you very much

Kind regards,
Jozko Mrkvicka