Forcing Comments in Rulebase
Hi Guys.
For auditing reasons my company needs a comment for every rule in the rule base.
The issue is a lot of staff don't put them in, meaning I have to add them before an audit.
Is there any option I can enable to enforce the comment field before a rule can be added?
If not, could we look into getting this feature added to future versions?
Hello,
Maybe you can achieve it using Smart Tasks in SmartConsole.
BR!
Never knew this existed!
Smart Tasks could trigger a script to check, but I'd still need the script. Writing one which checked for comments in all rule bases is beyond me.
SmartTasks in our Toolbox.
You can easily go from there and adjust those to your needs.
You would actually check the rules modified by the current session to see if they have a comment or not.
However, if you're looking for an out-of-the-box feature, then you should use Compliance Blade which has this built in.
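
The check described above, extended from the current session's changes to a whole rulebase, as an added example that is not part of the original thread and is not Check Point's own SmartTask code. It assumes the input is one page of a Management API `show-access-rulebase` reply; the sample reply, rule names and UIDs are constructed.

```python
import json

# Constructed sample shaped like one page of a `show-access-rulebase` reply
# (trimmed to the fields this check reads; UIDs are placeholders).
SAMPLE_REPLY = json.loads("""
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "uid": "uid-1", "rule-number": 1,
     "name": "Mgmt access", "comments": "CHG-1001 admin jump host"},
    {"type": "access-section", "name": "DMZ", "rulebase": [
      {"type": "access-rule", "uid": "uid-2", "rule-number": 2,
       "name": "Web in", "comments": ""},
      {"type": "access-rule", "uid": "uid-3", "rule-number": 3,
       "name": "DNS out", "comments": "   "}
    ]},
    {"type": "access-rule", "uid": "uid-4", "rule-number": 4,
     "name": "Cleanup"}
  ]
}
""")


def iter_rules(entries):
    """Yield every rule, descending into section entries."""
    for entry in entries:
        if entry.get("type", "").endswith("-section"):
            yield from iter_rules(entry.get("rulebase", []))
        else:
            yield entry


def rules_missing_comments(reply):
    """Return (rule-number, name, uid) for rules with no usable comment."""
    missing = []
    for rule in iter_rules(reply.get("rulebase", [])):
        # Treat an absent field, an empty string and whitespace alike.
        if not (rule.get("comments") or "").strip():
            missing.append(
                (rule.get("rule-number"), rule.get("name", ""), rule.get("uid"))
            )
    return missing


if __name__ == "__main__":
    for number, name, uid in rules_missing_comments(SAMPLE_REPLY):
        print(f"rule {number} ({name or 'unnamed'}, {uid}): no comment")
```
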
I don't like this. Every auditor checks for this and you get dinged without it. This is such a simple thing to do and every other FW vendor allows this. The compliance workaround is not an answer, it's a band-aid. How hard is it to get an RFE for this considering it's a standard requirement, best practice and basic good hygiene?
You are correct in saying other FW vendors allow it, BUT, there is a hack to get around it, an easy one too, mind you :-)
Andy
RFE process is well known, please discuss with your local SE.
With R81.20 the SmartWorkflow / Approval Cycle could also help if you have challenges with change management policy conformance, please refer: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...
Furthermore, you can enforce session descriptions should you so choose.
Navigate to Advance Session settings and check the "All Session must have a name and description" check box.
See also: https://community.checkpoint.com/t5/SmartTasks/Session-description-check/td-p/177546
Will do. Because something that should be a simple click box is turned into a whole new workflow doesn't make sense and it's not a good answer. I could live with the session enforcement mechanism if it could enforce rule comments. That would be an acceptable workaround. But to create a 7-step workflow and require multiple people to do something that a click box could accomplish is silly.
To confirm, you are already using the Compliance Blade?
Sadly no, we don’t have the compliance blade.
You can apply eval and test it for 30 days.
Andy
Let me test this in my lab, I believe it can be achieved with compliance blade as Chris indicated.
Andy
K, got it, here is what you need to do. I attached all the screenshots to this reply.
Best,
Andy
This looks perfect, but involves the compliance blade.
I’ll have to see if we are allowed to purchase it.
I'm sure if you approached your local Sales person, they would be willing to help you out with this. Compliance blade is really good, I strongly recommend it.
Best,
Andy
Hi Andy, does this work for all policy types?
- Access Control
- NAT
- Threat Prevention
- HTTPS Inspection
- Mobile Access
- DLP
etc.
Hey Danny,
I tested it yesterday and it worked for any rule type, correct.
Best,
Andy
