This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MR_K
Contributor
‎2019-08-28 07:28 AM
Jump to solution

Change Match for Any Default value

Hi community,

I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have a R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no Protocol-detection and default timeouts) for our policies, a Match for Any is not needed for 95% of our objects.

Since every new object that is created has Match for Any enabled we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <obejct1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages and after some months it starts all over again due to new objects having been created.

 

Many Thanks

Marcus

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-07 12:16 AM
In response to JozkoMrkvicka
Jump to solution

Hi @JozkoMrkvicka 

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset  „match for any“ for all this services

3) publish the policy via CLI

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

JozkoMrkvicka
Authority
Authority
‎2019-09-07 02:23 AM
In response to HeikoAnkenbrand
Jump to solution

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file 

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

 

Kind regards,
Jozko Mrkvicka

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-09-06 03:57 PM
Jump to solution

In short: no.
Also, it's really not best practice to have multiple service objects defined for the same port/protocol.
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2019-09-06 06:37 PM
Jump to solution

If you get that conflict warning it means that you have two similar services. You only need one. I don't know why you should create a lot of services objects if the service you need is there already...

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-09-06 11:43 PM
In response to Lari_Luoma
Jump to solution

Because of port ranges ?

One application needs just tcp port 5565, another needs tcp ports 5560-5570.

Instead of creation 9 new tcp ports, I will create just one portrange where is already included port tcp 5565, which will cause "conflict".

Kind regards,
Jozko Mrkvicka
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-07 12:16 AM
In response to JozkoMrkvicka
Jump to solution

Hi @JozkoMrkvicka 

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset  „match for any“ for all this services

3) publish the policy via CLI

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
JozkoMrkvicka
Authority
Authority
‎2019-09-07 02:23 AM
In response to HeikoAnkenbrand
Jump to solution

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file 

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

 

Kind regards,
Jozko Mrkvicka
HeikoAnkenbrand
Champion Champion
Champion
‎2019-09-07 03:36 AM
In response to JozkoMrkvicka
Jump to solution

Hi @JozkoMrkvicka 

great job.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Alon_Alapi
Employee Alumnus
Employee Alumnus
‎2019-10-08 12:43 AM
Jump to solution

Hi,

We consider changing the default for "Match for 'Any' services to be false in R80.40.

We will add a notification for this behavior change in the new service window.

I would like to hear your thoughts in regards to this change. Is there a reason we should not go forward with this change? 

Regards 

Alon - Security Management Products Group Manager

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-24 11:17 AM
In response to Alon_Alapi
Jump to solution

If you do make this change for newly created services, I suggest adding the following check to SmartConsole: if a user creates/edits a service that has a Protocol Handler associated with it (which I suspect will happen only rarely), we should warn the end user when this service is created/edited if "Match for Any" is not checked.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events