This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MR_K
Participant
‎2019-08-28 07:28 AM

Change Match for Any Default value

Jump to solution

Hi community,

I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have a R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no Protocol-detection and default timeouts) for our policies, a Match for Any is not needed for 95% of our objects.

Since every new object that is created has Match for Any enabled we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <obejct1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages and after some months it starts all over again due to new objects having been created.

 

Many Thanks

Marcus

2 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion
Champion
‎2019-09-07 12:16 AM
In response to JozkoMrkvicka

Jump to solution

Hi @JozkoMrkvicka 

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset  „match for any“ for all this services

3) publish the policy via CLI

 

View solution in original post

JozkoMrkvicka
Leader
Leader
‎2019-09-07 02:23 AM
In response to HeikoAnkenbrand

Jump to solution

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file 

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

 

Kind regards,
Jozko Mrkvicka

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-09-06 03:57 PM

Jump to solution
In short: no.
Also, it's really not best practice to have multiple service objects defined for the same port/protocol.
Lari_Luoma
Employee
Employee
‎2019-09-06 06:37 PM

Jump to solution

If you get that conflict warning it means that you have two similar services. You only need one. I don't know why you should create a lot of services objects if the service you need is there already...

0 Kudos
JozkoMrkvicka
Leader
Leader
‎2019-09-06 11:43 PM
In response to Lari_Luoma

Jump to solution

Because of port ranges ?

One application needs just tcp port 5565, another needs tcp ports 5560-5570.

Instead of creation 9 new tcp ports, I will create just one portrange where is already included port tcp 5565, which will cause "conflict".

Kind regards,
Jozko Mrkvicka
0 Kudos
HeikoAnkenbrand
Champion
Champion
‎2019-09-07 12:16 AM
In response to JozkoMrkvicka

Jump to solution

Hi @JozkoMrkvicka 

In this case I am use the management CLI

1) grep for all service names via port 5560-5570 in a for loop

2) unset  „match for any“ for all this services

3) publish the policy via CLI

 

JozkoMrkvicka
Leader
Leader
‎2019-09-07 02:23 AM
In response to HeikoAnkenbrand

Jump to solution

As I am an old school R77.30 guy, I would do it this way:

Relevant for MDS only.

1. Switch to the relevant CMA

mdsenv <cma_name>

2. Find all services which have selected "Match For Any"

$MDSDIR/bin/cpmiquerybin attr "" services "include_in_any='true'" -a __name__

3. From given output gather all relevant services which I would like to disable "Match For Any" feature, and save it to some file 

4. Create a small script which will iterate over all services in a created file and perform the change using dbedit

#!/bin/bash

SERVICES_MATCH_FOR_ANY=services_to_be_modified.txt

if [[ ! -f $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY does NOT exist, cannot continue."
  exit 0
fi

if [[ ! -s $SERVICES_MATCH_FOR_ANY ]];
then
  echo "File $SERVICES_MATCH_FOR_ANY is EMPTY, cannot continue."
  exit 1
fi

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

echo "Please type affected CMA Name/CMA IP:"
read CMA
echo "Going to switch to CMA with name/IP $CMA."
mdsenv $CMA
status=$?
if [ $status -eq 0 ]
then
  echo "Switched to the $CMA correctly."
else
  echo "CMA with name/IP $CMA does not exist !!!" >&2
  exit 1
fi
for Port in $(cat $SERVICES_MATCH_FOR_ANY)
        do
           echo -e "modify services $Port include_in_any false\n-q\n" | dbedit -local
        done
exit 0

 

Kind regards,
Jozko Mrkvicka
HeikoAnkenbrand
Champion
Champion
‎2019-09-07 03:36 AM
In response to JozkoMrkvicka

Jump to solution

Hi @JozkoMrkvicka 

great job.

0 Kudos
Alon_Alapi
Employee
Employee
‎2019-10-08 12:43 AM

Jump to solution

Hi,

We consider changing the default for "Match for 'Any' services to be false in R80.40.

We will add a notification for this behavior change in the new service window.

I would like to hear your thoughts in regards to this change. Is there a reason we should not go forward with this change? 

Regards 

Alon - Security Management Products Group Manager

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-24 11:17 AM
In response to Alon_Alapi

Jump to solution
If you do make this change for newly created services, I suggest adding the following check to SmartConsole: if a user creates/edits a service that has a Protocol Handler associated with it (which I suspect will happen only rarely), we should warn the end user when this service is created/edited if "Match for Any" is not checked.