Hello, everyone. 🙂
I have a ClusterXL running version R81.10.
I have created a host object to add it to a group that I had already created, which in turn belongs to a policy for blocking malicious IPs.
I have changed the "color" of the group object to make it more "visible", but when installing policy, I was hit with the installation failure error.
No more changes appear as pending or to discard.
I have closed the SmartConsole and opened it again, and "apparently" my changes were executed.
Is this possible?
How can I be 100% sure that my changes were applied, in spite of the error message during policy installation?
Thank you for your support.
Hello, my friend.
The problem has been solved.
It turns out that the customer is "implementing" a new Firewall at a new site and is going to integrate it into the SMS, but out of "ignorance" they seem to have created the Firewall object and hooked it to the SMS. The PROBLEM is that this Firewall does "not even" have interfaces configured, and that began to generate problems with policy installation, which reported that the "new" Firewall did "not even" have Antispoofing configured.
We have deleted that Firewall object from the SMS and can now install policies again. Quite an experience, hahahaha.
What remains as a question is: even if the policy installation failed, can the changes take effect?
Because when we had the error, we checked the SmartConsole and "apparently" the changes were executed well.
Greetings.
You can go to SmartConsole -> Manage & Settings -> Revisions and see changes there. I'm a little confused though... were you able to apply policy again, or is it still failing?
Andy
I think it's because of the publish: even though the policy installation failed, the publish will normally always be successful.
That's true, but someone not familiar with Check Point may simply assume that changes took effect, which is actually NOT the case until a successful policy install.
Andy
It happens, all good : - )
Now you know for the next time, hehe.
Andy
Buddy 😄
If the "Install Policies" fails, but I see my changes in the SmartConsole, can I assume that everything "went well"?
If, for example, my change is to add an IP to block it, will the GW start blocking it, even though the policy installation failed?
Greetings.
No, you can NOT assume that, lol. What happens is this... say IF changes were published but policy install fails, the changes won't apply and the same old policy will still be enforced on the gateway, which can easily be verified by running either fw stat OR fw stat -b AMW
example in my lab:
quantum-firewall> exit
[Expert@quantum-firewall:0]# fw stat -b AMW
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Mon May 29 09:39:08 2023 (traditional=1)
[Expert@quantum-firewall:0]#
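As an added example (not from this thread and not Check Point's own tooling), here is a small Python check that parses the `fw stat -b AMW` output Andy shows above and answers the question asked earlier: a publish that succeeds while Install Policy fails leaves the previous policy on the gateway, so the install timestamp reported by `fw stat` stays older than the publish. The sample text is copied from the lab session above; the publish times used for comparison are constructed.

```python
"""Check whether a gateway is actually enforcing a published change.

Added example, not from the CheckMates thread or Check Point. Parses the
`fw stat -b AMW` output and compares the policy install timestamp with the
time the change was published on the management server.
"""
import re
from datetime import datetime
from typing import Optional, Tuple, Union

# Sample output copied from the lab session quoted in the thread above.
SAMPLE_FW_STAT = """\
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Mon May 29 09:39:08 2023 (traditional=1)
"""

# "Policy: <name> <weekday> <month> <day> <HH:MM:SS> <year> ..."
POLICY_RE = re.compile(
    r"^Policy:\s+(?P<name>\S+)\s+"
    r"(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})"
)


def parse_installed_policy(fw_stat_output: str) -> Optional[Tuple[str, datetime]]:
    """Return (policy name, install time) from `fw stat -b AMW` output, or None."""
    for line in fw_stat_output.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            # strptime tolerates the double space `date` prints before single-digit days
            installed = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            return m.group("name"), installed
    return None


def change_is_enforced(fw_stat_output: str, expected_policy: str,
                       published_at: Union[str, datetime]) -> bool:
    """True only if the gateway runs the expected package, installed after the publish.

    A publish that was never followed by a successful install shows up as an
    install time that predates the publish, i.e. the old policy is still live.
    """
    if isinstance(published_at, str):
        published_at = datetime.fromisoformat(published_at)
    parsed = parse_installed_policy(fw_stat_output)
    if parsed is None:
        return False  # no policy line at all: nothing is enforced for sure
    name, installed_at = parsed
    return name == expected_policy and installed_at >= published_at


if __name__ == "__main__":
    # Constructed publish time later than the install stamp in the sample: not enforced.
    print(change_is_enforced(SAMPLE_FW_STAT, "LAB-POLICY", "2023-06-01T12:00:00"))
```

In practice the publish time comes from the Revisions view Andy mentions (Manage & Settings -> Revisions) and the `fw stat -b AMW` text from the gateway; if the function returns False, the change is published on the SMS but not enforced on the gateway.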
I understand.
One more doubt: I understand that there is an option in the SmartConsole to "verify" the policy installation, right?
I could use it to validate that there will be no problem when I use the option to install policies, right?
🙂
Yup, I usually do that when I make lots of changes. Also, maybe enable below, so you can see changes there as well.
Andy
Do you recommend using the "Verify policy installation", before clicking on the "Install policy" button, as a security measure?
If I decide to apply this good practice, I should hit the "Verify" option after I "publish" the new changes I intend to send to my computers, right?
If the "verification" is successful, I can have the "peace of mind" to just send to Install policies, right?
Am I right in the flow?
🙂
You are right, BUT... there is always a but, haha. So here is the thing... policy verification ONLY verifies changes made within the policy and NOT any changes made on the objects themselves, so as long as you only made policy changes, I would say it's not a bad idea to do so, as verifying will also do the publish as well.
Hope that helps.
Andy
Haaaa,
Imagine I have a policy in place to block malicious IPs.
And in this policy as DST, I have a group of IPs, named "Blacklist_IPs", and constantly, we add IPs to this group, to be blocked.
In this scenario, there is no need to do a "Policy Check" ????
😕
If I were you, I would not bother doing policy verify in that case. The chances it would fail are very small (I would say less than 1%), especially given the fact you simply keep adding bad IPs. We did that for multiple customers and never had any issues.
Cheers,
Andy
Btw, there are other ways to add bad IPs... one is mgmt_cli, and you can also create a generic data center object and point it to a file on the mgmt server (can send you the file). I tested it in the lab and it contains all known bad IP addresses; you can then use those objects in the policy.
See example below in my lab.
Andy
mgmt_cli example:
mgmt_cli add host name "BAD_185.206.27.13" ip-address "185.206.27.13" --format json
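Building on the mgmt_cli example above, here is an added Python wrapper (not Check Point's tooling and not from the thread) that chains the steps discussed in this thread: add the host, add it to the group, publish, verify-policy, install-policy, and report each task's status, so a failed install is never mistaken for an applied change. The group name `Blacklist_IPs` is from the thread, the package `LAB-POLICY` and gateway `quantum-firewall` are taken from the lab output above, and the injectable `run` parameter is an assumption so the flow can be exercised without a management server.

```python
"""Add a bad IP via mgmt_cli and confirm it is published AND installed.

Added example, not Check Point's own tooling. Every API call goes through a
`run` callable; the real runner below executes the mgmt_cli binary on the
management server, a fake runner can be passed in for testing.
"""
import json
import subprocess
import time
from typing import Callable, Dict, List

Runner = Callable[[List[str]], Dict]

# Task states that mean "show task" no longer needs polling
FINISHED = ("succeeded", "succeeded with warnings", "partially succeeded", "failed")


def run_mgmt_cli(args: List[str]) -> Dict:
    """Real runner: execute mgmt_cli with JSON output and return the parsed reply."""
    proc = subprocess.run(["mgmt_cli", *args, "--format", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def wait_for_task(task_id: str, sid: str, run: Runner,
                  poll_seconds: float = 2.0, max_polls: int = 150) -> str:
    """Poll `show task` until the asynchronous task leaves 'in progress'."""
    for _ in range(max_polls):
        reply = run(["show", "task", "task-id", task_id, "--session-id", sid])
        status = reply["tasks"][0]["status"]
        if status in FINISHED:
            return status
        time.sleep(poll_seconds)
    raise TimeoutError(f"task {task_id} did not finish")


def block_ip(ip: str, group: str, package: str, gateway: str,
             run: Runner = run_mgmt_cli, poll_seconds: float = 2.0) -> Dict[str, str]:
    """Add the host to the blacklist group, publish, verify and install.

    Returns the status of each stage and stops at the first one that did not
    succeed, so the caller sees which step failed instead of assuming the
    gateway enforces the change just because the publish went through.
    """
    result: Dict[str, str] = {}
    # Root login when running on the management server itself (mgmt_cli login -r true)
    sid = run(["login", "-r", "true"])["sid"]
    try:
        host = f"BAD_{ip}"
        run(["add", "host", "name", host, "ip-address", ip, "--session-id", sid])
        run(["set", "group", "name", group, "members.add", host, "--session-id", sid])

        result["publish"] = wait_for_task(
            run(["publish", "--session-id", sid])["task-id"], sid, run, poll_seconds)
        if result["publish"] != "succeeded":
            return result

        result["verify"] = wait_for_task(
            run(["verify-policy", "policy-package", package, "--session-id", sid])["task-id"],
            sid, run, poll_seconds)
        if result["verify"] not in ("succeeded", "succeeded with warnings"):
            return result

        result["install"] = wait_for_task(
            run(["install-policy", "policy-package", package, "targets.1", gateway,
                 "--session-id", sid])["task-id"], sid, run, poll_seconds)
        return result
    finally:
        run(["logout", "--session-id", sid])


def is_enforced(result: Dict[str, str]) -> bool:
    """Only a successful install means the gateway actually blocks the IP."""
    return result.get("install") == "succeeded"


if __name__ == "__main__":
    # Assumed names: group from the thread, package and gateway from the lab output.
    outcome = block_ip("185.206.27.13", "Blacklist_IPs", "LAB-POLICY", "quantum-firewall")
    print(outcome, "enforced" if is_enforced(outcome) else "NOT enforced")
```

The point of the stage-by-stage result is the one made earlier in the thread: `publish` succeeding tells you only that the SMS database has the new host, while `install` succeeding is what tells you the gateway is blocking it.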
Generic data center example:
Andy,
Where can I find the "Generic Data Center" object?
I am interested in deploying this solution in my environment.
What is the URL to put in this object?
Greetings.
Just for you bro, I put screenshots below...NO CHARGE ; - )
Andy
HAHAHA 😄
I understand that the "malicious" IPs that you add are "hosted" in the SMS itself, right?
To use this option, is it advisable to validate HARDWARE issues of the equipment?
Cheers. 😄
No sir, I use a VM in the lab, works like a charm ;). Btw, if interested, happy to send you the 3 files I use: "slap" them in any dir on mgmt, say create a dir called ioc in /var/log, then move them to /var/log/ioc, then you enter the whole path in the data center object. Once done, right click, import, and you will get a bunch of data center objects you can use in the rules. Again, see screenshots (next time, I may start charging 10$ per screenshot... for now, I take USA money, not Canadian, unless they default, then our money might be worth more LOL)
Andy
HAHAHAHA.
It is very expensive for me to convert my currency to American or Canadian currency, HAHAHAHA.
Maybe a traditional "Ceviche" from my country. 😄
Can you share those lab files you mention?
I have to enter by CLI or WinSCP to my MGMT, and create the directory, that you mentioned as an example, right?
Greetings.
Well, if you have some Kuwaiti dinars, that's the strongest currency in the world... embarrassed to say I never knew that until I went there, haha. Anyway, I emailed you the files and YES, you just move the files to the dir on the mgmt server and follow the screenshots I sent. It will work, guaranteed!
Andy
It is becoming clearer to me.
So, this "Verify" option is better used when you make changes directly in the security policies (like deleting/adding new objects in source, destination, services, type of logs), right?
You told me that this option also takes you to "Publish" the changes you intend to send, right?
So, if I change the SRC OBJECT of my policy and click on "Verify", this will do its job, plus "publish" that change, right?
Thanks for your help, Buddy.
EXACTLY 🙂