This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
S_E_
Advisor
‎2024-03-28 12:48 AM

Possible to lock an object?

Hi,

a question came up if it is possible to lock an network object/group object to prevent this from 'overriding or modifying'.  I really mean on object level and not on admin permission profiles or similar.

So, basically the wish to add/use this object in any rule, but should not be possible to modify the object itself without a command/api call.

I tried the api call 'mgmt_cli lock-object'. However, after publishing the session, the lock was reset automatically.

-> see attachement

Is there any better idea/solution?

Thanks

Regards

 

 

Preview file
8 KB
6 Replies
_Val_
Admin
Admin
‎2024-04-02 05:30 AM

The whole idea of a locked object is not to publish that session. Did you try that?

0 Kudos
S_E_
Advisor
‎2024-04-02 07:50 AM
In response to _Val_

hi, not really.  The idea behind was that the object can't be overwritten by some admins or api calls.

Regards

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-04-02 07:54 AM
In response to S_E_

A lock on an object only lasts until the session holding the lock is published or discarded. You can lock the object and log out without publishing.

That said, someone might see the lock, see who has it locked, and discard the session so they can make a change. This isn't a way to restrict the ability to change an object, it's only a guardrail against accidental changes.

_Val_
Admin
Admin
‎2024-04-02 08:06 AM
In response to Bob_Zimmerman

Exactly what @Bob_Zimmerman said! Exit the script without publishing the session. The object will remain locked till you publish or discard that session. 

0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2024-04-02 10:34 PM
In response to Bob_Zimmerman

It becomes complicated if you want to do this for multiple objects.

Either you have 1 session per object left open and you will find that you run into problems due to the large number of open sessions.

Or you have to automate it and release the previous session and re lock the objects. with the inherent chance someone will beat you to it and lock one just before your script got to it.

So it is a sort of a finger in the dijk solution. It work with one small hole but ties you up as part of it. So choose wisely how to use it. I see way to many ways in which this can go wrong and turn against you.

The suggestion of a MDS with just 1 domain might have some merits for this purpose. Be it it has it's own challenges.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-04-02 06:33 AM

global objects in MDS enviroment 🙂 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events