Solved: Re: Change Match for Any Default value

MR_K · ‎2019-08-28

Hi community,

I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have a R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no Protocol-detection and default timeouts) for our policies, a Match for Any is not needed for 95% of our objects.

Since every new object that is created has Match for Any enabled we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <obejct1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages and after some months it starts all over again due to new objects having been created.

Many Thanks

Marcus

HeikoAnkenbrand · ‎2019-09-07

Hi @JozkoMrkvicka

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset „match for any“ for all this services

3) publish the policy via CLI

View solution in original post

JozkoMrkvicka · ‎2019-09-07

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

Kind regards,
Jozko Mrkvicka

View solution in original post

PhoneBoy · ‎2019-09-06

In short: no.
Also, it's really not best practice to have multiple service objects defined for the same port/protocol.

Lari_Luoma · ‎2019-09-06

If you get that conflict warning it means that you have two similar services. You only need one. I don't know why you should create a lot of services objects if the service you need is there already...

JozkoMrkvicka · ‎2019-09-06

Because of port ranges ?

One application needs just tcp port 5565, another needs tcp ports 5560-5570.

Instead of creation 9 new tcp ports, I will create just one portrange where is already included port tcp 5565, which will cause "conflict".

Kind regards,
Jozko Mrkvicka

HeikoAnkenbrand · ‎2019-09-07

Hi @JozkoMrkvicka

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset „match for any“ for all this services

3) publish the policy via CLI

View solution in original post

JozkoMrkvicka · ‎2019-09-07

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

Kind regards,
Jozko Mrkvicka

View solution in original post

HeikoAnkenbrand · ‎2019-09-07

Hi @JozkoMrkvicka

great job.

Alon_Alapi · ‎2019-10-08

Hi,

We consider changing the default for "Match for 'Any' services to be false in R80.40.

We will add a notification for this behavior change in the new service window.

I would like to hear your thoughts in regards to this change. Is there a reason we should not go forward with this change?

Regards

Alon - Security Management Products Group Manager

PhoneBoy · ‎2019-10-24

If you do make this change for newly created services, I suggest adding the following check to SmartConsole: if a user creates/edits a service that has a Protocol Handler associated with it (which I suspect will happen only rarely), we should warn the end user when this service is created/edited if "Match for Any" is not checked.