Hi community,
I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have an R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no protocol detection and default timeouts) for our policies; Match for Any is not needed for 95% of our objects.
Since every new object that is created has Match for Any enabled, we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <object1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages, and after some months it starts all over again because new objects have been created.
Many Thanks
Marcus
In this case I would use the management CLI:
1) grep for all service names via port 5560-5570 in a for loop
2) unset "match for any" for all these services
3) publish the policy via CLI
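The three steps above, written out as a bash script for an R80.x MDS. This is an added example, not code from the thread or from Check Point: the domain name (MyDomain), the session file path and the port range 5560-5570 (taken from the thread) are assumptions set at the top, the root login (-r true) only works when run in expert mode on the management server itself, and jq is expected under $CPDIR/jq as bundled with Gaia, falling back to a jq on PATH. It covers both TCP and UDP services, pages through "show services-tcp/udp" (max 500 objects per call), clears match-for-any only on objects whose port or port range overlaps the target range, and publishes at the end. The two filtering functions are pure shell so they can be checked without a management server; mgmt_cli is only contacted when the script is started with the argument "run".

```shell
#!/bin/bash
# Added example (not from the original thread): clear "Match for Any" in bulk
# with mgmt_cli on an R80.x MDS. Assumed values: the domain name, the port
# range 5560-5570 mentioned in the thread, and the session file path.
set -eu

DOMAIN="${DOMAIN:-MyDomain}"                  # assumption: CMA / domain name
RANGE="${RANGE:-5560-5570}"                   # services touching this range lose the flag
SESSION="${SESSION:-/tmp/match_for_any.sid}"  # mgmt_cli session file
JQ="${CPDIR:+$CPDIR/jq/jq}"; JQ="${JQ:-jq}"   # Gaia bundles jq under $CPDIR/jq
TAB=$(printf '\t')

# port_overlaps PORT RANGE: PORT is a single port ("5565") or a range
# ("5560-5570"); RANGE is "lo-hi". Port expressions such as ">1023" never match.
port_overlaps() {
    local p="$1" r="$2" plo phi rlo rhi
    case "$p" in
        ''|-*|*-|*[!0-9-]*) return 1 ;;
    esac
    plo="${p%%-*}"; phi="${p##*-}"
    rlo="${r%%-*}"; rhi="${r##*-}"
    if [ "$plo" -le "$rhi" ] && [ "$phi" -ge "$rlo" ]; then
        return 0
    fi
    return 1
}

# select_targets RANGE: reads "name<TAB>port<TAB>match-for-any" lines from
# stdin and prints the names that overlap RANGE and still have the flag set.
select_targets() {
    local range="$1" name port mfa
    while IFS="$TAB" read -r name port mfa; do
        if [ "$mfa" = "true" ] && port_overlaps "$port" "$range"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# list_services tcp|udp: page through "show services-<type>" (max 500 per
# call) and emit one TSV line per object. Needs details-level full, since
# the standard level omits port and match-for-any.
list_services() {
    local type="$1" offset=0 total=1 page
    while [ "$offset" -lt "$total" ]; do
        page=$(mgmt_cli -s "$SESSION" show "services-$type" limit 500 \
                   offset "$offset" details-level full --format json)
        total=$(printf '%s' "$page" | "$JQ" -r '.total')
        printf '%s' "$page" | "$JQ" -r \
            '.objects[] | [.name, .port, (.["match-for-any"] | tostring)] | @tsv'
        offset=$((offset + 500))
    done
}

main() {
    local type name
    # -r true: log in as root on the management server itself, no password prompt
    mgmt_cli login -r true -d "$DOMAIN" > "$SESSION"
    for type in tcp udp; do
        list_services "$type" | select_targets "$RANGE" |
        while IFS= read -r name; do
            echo "clearing Match for Any on service-$type '$name'"
            mgmt_cli -s "$SESSION" set "service-$type" name "$name" \
                match-for-any false > /dev/null
        done
    done
    mgmt_cli -s "$SESSION" publish > /dev/null   # step 3: publish from the CLI
    mgmt_cli -s "$SESSION" logout > /dev/null
}

# The management server is only contacted when invoked as "script.sh run",
# so the pure filtering functions can be sourced and checked anywhere.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Publishing does not install policy; the "Services port conflict" warning only disappears at the next policy installation, and the script only clears the flag on services overlapping the chosen range, so objects on other ports keep Match for Any and must be handled in a separate run with a different RANGE.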
As I am an old-school R77.30 guy, I would do it this way:
Relevant for MDS only.
1. Switch to the relevant CMA
mdsenv <cma_name>
2. Find all services which have "Match For Any" selected
$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__
3. From the output, gather all services for which I would like to disable the "Match For Any" feature and save them to a file (one name per line)
4. Create a small script which iterates over all services in that file and performs the change using dbedit
#!/bin/bash
# File with the service names (one per line) that should lose "Match For Any"
SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt
if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
    echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue." >&2
    exit 1
fi
if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
    echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue." >&2
    exit 1
fi
# export all Check Point environment variables (this also defines mdsenv)
. /opt/CPshared/5.0/tmp/.CPprofile.sh
echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
    echo "Switched to the $CMA correctly."
else
    echo "CMA with name/IP $CMA does not exist !!!" >&2
    exit 1
fi
# one service name per line; "update" writes the modified object back to the
# database before dbedit quits, otherwise the change is discarded
while read -r Service
do
    [ -n "$Service" ] || continue
    echo -e "modify services $Service include_in_any false\nupdate services $Service\n-q\n" | dbedit -local
done < "$SERVICES_MATCH_FOR_ANY"
exit 0
If you get that conflict warning it means that you have two similar services. You only need one. I don't know why you should create a lot of service objects if the service you need is there already...
Because of port ranges?
One application needs just TCP port 5565, another needs TCP ports 5560-5570.
Instead of creating 9 new TCP port objects, I will create just one port range which already includes TCP port 5565, and that will cause the "conflict".
great job.
Hi,
We are considering changing the default of "Match for Any" for services to false in R80.40.
We will add a notification about this behavior change in the new service window.
I would like to hear your thoughts regarding this change. Is there a reason we should not go forward with it?
Regards
Alon - Security Management Products Group Manager