Change Match for Any Default value

Hi community,

I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have an R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no protocol detection and default timeouts) for our policies; "Match for Any" is not needed for 95% of our objects.

Since every new object that is created has "Match for Any" enabled, we get loads of warnings ("Services port conflict. port X (udp/tcp) serves both <object1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them.") when installing the policy. A cleanup takes ages, and after some months it starts all over again because new objects have been created.

 

Many Thanks

Marcus

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @JozkoMrkvicka 

In this case I use the management CLI:

1) grep for all service names on ports 5560-5570 in a for loop

2) unset "Match for Any" for all these services

3) publish the policy via CLI

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


JozkoMrkvicka
Mentor

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From the given output, gather all services for which I would like to disable the "Match For Any" feature, and save them to a file

4. Create a small script which iterates over all services in the created file and performs the change using dbedit

#!/bin/bash
# Clears "Match For Any" (include_in_any) on every service named in
# services_to_be_modified.txt (one service name per line) using dbedit on the chosen CMA.

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f "$SERVICES_MATCH_FOR_ANY" ]]; then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue." >&2
  exit 1
fi

if [[ ! -s "$SERVICES_MATCH_FOR_ANY" ]]; then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue." >&2
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read -r CMA
echo "Going to switch to CMA with name/IP $CMA."
if mdsenv "$CMA"; then
  echo "Switched to $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi

# dbedit: "modify" changes the object in memory, "update" writes it to the
# database, "-q" quits. Without the update line the change is not saved.
while read -r Service; do
  [[ -z "$Service" ]] && continue
  printf 'modify services %s include_in_any false\nupdate services %s\n-q\n' \
    "$Service" "$Service" | dbedit -local
done < "$SERVICES_MATCH_FOR_ANY"
exit 0

 

Kind regards,
Jozko Mrkvicka

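The three-step procedure Heiko sketches (find the services in a port range, clear "Match for Any", publish) can also be scripted against the Management Web API, the same API that mgmt_cli wraps, which works from any host that can reach the management server. The Python script below is an added example and is not code from this thread or from Check Point. The host, credentials, domain name and the SAMPLE_SERVICES list are made up; the endpoint names (login, show-services-tcp, set-service-tcp, publish, logout) and the object fields "name", "port", "protocol" and "match-for-any" are the ones in the Management API reference, and should be checked against the API version of your release. The script also reproduces the "Services port conflict" condition from the question (two services that both match "Any" and share a port) on the sample data, so the pairs that would warn can be reviewed before anything is changed, and, in line with PhoneBoy's remark later in the thread, it leaves services bound to a protocol handler alone.

```python
# Added example (not from the thread): bulk-clear "Match for Any" on TCP services
# via the Management Web API, which mgmt_cli wraps.  Host, credentials, domain
# and SAMPLE_SERVICES are hypothetical; endpoint and field names are the API's.
import json
import ssl
import urllib.request

# Constructed sample in the shape of show-services-tcp objects (not real data).
SAMPLE_SERVICES = [
    {"name": "ssh_version_2", "port": "22", "match-for-any": True},
    {"name": "app_a_5565", "port": "5565", "match-for-any": True},
    {"name": "app_b_5560_5570", "port": "5560-5570", "match-for-any": True},
    {"name": "app_c_5566", "port": "5566", "match-for-any": False},
    {"name": "http_8080", "port": "8080", "protocol": "HTTP", "match-for-any": True},
    {"name": "high_ports", "port": ">1023", "match-for-any": False},
]


def parse_port_spec(spec):
    """Map a Check Point port string ('5565', '5560-5570', '>1023', '<1024') to (low, high)."""
    spec = spec.strip()
    if spec.startswith(">"):
        return int(spec[1:]) + 1, 65535
    if spec.startswith("<"):
        return 1, int(spec[1:]) - 1
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def port_conflicts(services):
    """Pairs of services that both match 'Any' and share a port: the condition
    behind the 'Services port conflict' warning quoted in the question."""
    any_svcs = [(s["name"], parse_port_spec(s["port"]))
                for s in services if s.get("match-for-any")]
    return [(a, b) for i, (a, ra) in enumerate(any_svcs)
            for b, rb in any_svcs[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]


def select_in_range(services, low, high):
    """Step 1: match-for-any services whose ports lie inside [low, high].
    Services tied to a protocol handler are skipped: clearing the flag there
    would stop rules with service 'Any' from applying that handler."""
    chosen = []
    for s in services:
        if not s.get("match-for-any") or s.get("protocol"):
            continue
        p_low, p_high = parse_port_spec(s["port"])
        if low <= p_low and p_high <= high:
            chosen.append(s["name"])
    return chosen


class MgmtApi:
    """Minimal Management Web API client; TLS is verified with the default context,
    so the management server's certificate must be trusted by this host."""

    def __init__(self, host):
        self.base, self.sid = "https://%s/web_api/" % host, None
        self.ctx = ssl.create_default_context()

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id returned by login
        req = urllib.request.Request(self.base + command, headers=headers,
                                     data=json.dumps(payload or {}).encode())
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode())

    def all_services_tcp(self):
        """Page through show-services-tcp; 'full' details carry port and match-for-any."""
        objects, offset = [], 0
        while True:
            page = self.call("show-services-tcp",
                             {"limit": 500, "offset": offset, "details-level": "full"})
            objects.extend(page["objects"])
            offset += len(page["objects"])
            if not page["objects"] or offset >= page["total"]:
                return objects


def bulk_clear(host, user, password, domain, low, high):
    """Steps 2 and 3: clear the flag on each selected service, then publish.
    'domain' selects the CMA on a Multi-Domain Server."""
    api = MgmtApi(host)
    api.sid = api.call("login", {"user": user, "password": password, "domain": domain})["sid"]
    try:
        names = select_in_range(api.all_services_tcp(), low, high)
        for name in names:
            api.call("set-service-tcp", {"name": name, "match-for-any": False})
        api.call("publish")
    finally:
        api.call("logout")
    return names


if __name__ == "__main__":
    # Offline dry run on the constructed sample; call bulk_clear(...) for a real domain.
    print("conflicting pairs:", port_conflicts(SAMPLE_SERVICES))
    print("would clear in 5560-5570:", select_in_range(SAMPLE_SERVICES, 5560, 5570))
```

Run without arguments for the offline dry run on the sample; for a real change, call bulk_clear(host, user, password, domain, 5560, 5570) from a small wrapper that reads the password from an environment variable or a prompt rather than the command line. The mgmt_cli equivalent of one set call is `mgmt_cli set service-tcp name "app_a_5565" match-for-any false -s id.txt`, followed by `mgmt_cli publish -s id.txt`. Published changes reach the gateways only at the next policy install, so the modified objects can still be reviewed in SmartConsole before installing.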

8 Replies
PhoneBoy
Admin
In short: no.
Also, it's really not best practice to have multiple service objects defined for the same port/protocol.
Lari_Luoma
Ambassador

If you get that conflict warning it means that you have two similar services. You only need one. I don't know why you should create a lot of services objects if the service you need is there already...

JozkoMrkvicka
Mentor

Because of port ranges?

One application needs just TCP port 5565, another needs TCP ports 5560-5570.

Instead of creating 9 new TCP port objects, I will create just one port range which already includes TCP port 5565, and that will cause the "conflict".

Kind regards,
Jozko Mrkvicka
HeikoAnkenbrand
Champion

Hi @JozkoMrkvicka 

great job.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Alon_Alapi
Employee Alumnus

Hi,

We are considering changing the default of "Match for Any" for services to false in R80.40.

We will add a notification for this behavior change in the new service window.

I would like to hear your thoughts in regards to this change. Is there a reason we should not go forward with this change? 

Regards 

Alon - Security Management Products Group Manager

 

PhoneBoy
Admin
If you do make this change for newly created services, I suggest adding the following check to SmartConsole: if a user creates/edits a service that has a Protocol Handler associated with it (which I suspect will happen only rarely), we should warn the end user when this service is created/edited if "Match for Any" is not checked.
