Marc0523
Participant

Forcing Comments in Rulebase

Hi Guys.

For auditing reasons my company needs a comment for every rule in the rule base.

The issue is a lot of staff don't put them in, meaning I have to add them before an audit.

 

Is there any option I can enable to enforce the comment field before a rule can be added?

If not, could we look into getting this feature added to future versions?

17 Replies
delToro1
Contributor

Hello,

Maybe you can achieve it using Smart Tasks in SmartConsole. 

 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

 

BR!

Marc0523
Participant

Never knew this existed!

Smart Tasks could trigger a script to check, but I'd still need the script. Writing one which checked for comments in all rule bases is beyond me.

Danny
Champion

SmartTasks in our Toolbox.
You can easily go from there and adjust those to your needs.

PhoneBoy
Admin

You would actually check the rules modified by the current session to see if they have a comment or not.
However, if you're looking for an out-of-the-box feature, then you should use Compliance Blade which has this built in.
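Added example, not part of the thread and not Check Point or Toolbox code: a minimal Python check for the script discussed above, which walks one Access Control layer and lists every rule whose comment is absent, empty or only whitespace. It covers a whole access layer rather than only the rules changed in the current session. It assumes the JSON reply shape of the Management API's `show-access-rulebase` call (fields `rulebase`, `type`, `rule-number`, `name`, `uid`, `comments`); the sample reply, layer name and rule values are constructed.

```python
import json

# Constructed sample shaped like a `show-access-rulebase` reply from the
# Check Point Management API (assumed fields: rulebase, type, rule-number,
# name, uid, comments). Sections nest their rules in their own "rulebase".
SAMPLE_REPLY = json.loads("""
{
  "name": "Network",
  "total": 4,
  "rulebase": [
    {"type": "access-rule", "uid": "u-1", "rule-number": 1,
     "name": "Mgmt access", "comments": "CHG-1001 admin jump hosts"},
    {"type": "access-section", "name": "Servers", "rulebase": [
      {"type": "access-rule", "uid": "u-2", "rule-number": 2,
       "name": "Web in", "comments": ""},
      {"type": "access-rule", "uid": "u-3", "rule-number": 3,
       "comments": "   "}
    ]},
    {"type": "access-rule", "uid": "u-4", "rule-number": 4,
     "name": "Cleanup rule"}
  ]
}
""")


def rules_missing_comments(reply):
    """Return (rule-number, name, uid) for every rule with no usable comment."""
    missing = []
    for entry in reply.get("rulebase", []):
        if entry.get("type") == "access-section":
            # Recurse: a section is only a container for more rules.
            missing.extend(rules_missing_comments(entry))
        elif entry.get("type") == "access-rule":
            # Treat absent, empty and whitespace-only comments alike.
            if not (entry.get("comments") or "").strip():
                missing.append((entry.get("rule-number"),
                                entry.get("name", "(unnamed)"),
                                entry.get("uid")))
    return missing


if __name__ == "__main__":
    offenders = rules_missing_comments(SAMPLE_REPLY)
    for number, name, uid in offenders:
        print(f"rule {number} '{name}' ({uid}) has no comment")
    # A non-zero exit lets a calling task or scheduled job flag the failure.
    raise SystemExit(1 if offenders else 0)
```

In practice the reply would be fetched from the management server and passed to `rules_missing_comments` in place of the constructed sample; large layers are returned in pages, so each page needs the same check.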

Paul_Warnagiris
Advisor

I don't like this. Every auditor checks for this and you get dinged without it. This is such a simple thing to do and every other FW vendor allows this. The compliance workaround is not an answer, it's a band-aid. How hard is it to get an RFE for this considering it's a standard requirement, best practice and basic good hygiene?

the_rock
Legend

You are correct in saying other fw vendors allow it, BUT, there is a hack to get around it, an easy one too, mind you :-)

Andy

Chris_Atkinson
Employee

RFE process is well known, please discuss with your local SE.

With R81.20 the SmartWorkflow / Approval Cycle could also help if you have challenges with change management policy conformance, please refer: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Furthermore, you can enforce session descriptions should you so choose.

Navigate to Advance Session settings and check the "All Session must have a name and description" check box. 

See also: https://community.checkpoint.com/t5/SmartTasks/Session-description-check/td-p/177546

CCSM R77/R80/ELITE
Paul_Warnagiris
Advisor

Will do. Because something that should be a simple click box is turned into a whole new workflow doesn't make sense and it's not a good answer. I could live with the session enforcement mechanism if it could enforce rule comments. That would be an acceptable workaround. But to create a 7 step workflow and require multiple people to do something that a click box could accomplish is silly.

Chris_Atkinson
Employee

To confirm, you are already using the Compliance Blade?

compliance comment.jpg

CCSM R77/R80/ELITE
Marc0523
Participant

Sadly no, we don’t have the compliance blade. 

the_rock
Legend

You can apply eval and test it for 30 days.

Andy

the_rock
Legend

Let me test this in my lab, I believe it can be achieved with compliance blade as Chris indicated.

Andy

the_rock
Legend

K, got it, here is what you need to do. I attached all the screenshots to this reply.

Best,

Andy

 

Marc0523
Participant

This looks perfect, but involves the compliance blade. 
I’ll have to see if we are allowed to purchase it. 

the_rock
Legend

I'm sure if you approached your local Sales person, they would be willing to help you out with this. Compliance blade is really good, I strongly recommend it.

Best,

Andy

Danny
Champion

Hi Andy, does this work for all policy types?

  • Access Control
  • NAT
  • Threat Prevention
  • HTTPS Inspection
  • Mobile Access
  • DLP

etc.

the_rock
Legend

Hey Danny,

I tested it yesterday and it worked for any rule type, correct.

Best,

Andy
