Marc0523
Participant

Forcing Comments in Rulebase

Hi Guys.

For auditing reasons my company needs a comment for every rule in the rule base.

The issue is a lot of staff don't put them in, meaning I have to add them before an audit.

 

Is there any option I can enable to enforce the comment field before a rule can be added?

If not, could we look into getting this feature added to future versions?

0 Kudos
17 Replies
delToro1
Contributor

Hello,

Maybe you can achieve it using Smart Tasks in SmartConsole. 

 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

 

BR!

0 Kudos
Marc0523
Participant

Never knew this existed!

Smart Tasks could trigger a script to check, but I'd still need the script. Writing one which checked for comments in all rule bases is beyond me.

0 Kudos
Danny
Champion

SmartTasks in our Toolbox.
You can easily go from there and adjust those to your needs.

0 Kudos
PhoneBoy
Admin

You would actually check the rules modified by the current session to see if they have a comment or not.
However, if you're looking for an out-of-the-box feature, then you should use Compliance Blade which has this built in.

0 Kudos
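The comment check discussed above, as an added example that is not part of the original thread and not Check Point's own code: it walks JSON in the shape the Management API `show-access-rulebase` command returns and lists every rule whose comment is absent, empty or whitespace-only, including rules nested in sections. The sample reply and all its values are constructed, and the function names are hypothetical. The API pages its replies with `limit` and `offset`, so the check is run once per page.

```python
import json

# Constructed sample shaped like a `show-access-rulebase` reply (values made up).
SAMPLE_REPLY = json.loads("""
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Mgmt access",
     "uid": "uid-0001", "comments": "CHG-1001 admin jump host"},
    {"type": "access-section", "name": "Web servers", "rulebase": [
      {"type": "access-rule", "rule-number": 2, "name": "HTTPS in",
       "uid": "uid-0002", "comments": ""},
      {"type": "access-rule", "rule-number": 3, "name": "",
       "uid": "uid-0003", "comments": "   "}
    ]},
    {"type": "access-rule", "rule-number": 4, "name": "Cleanup rule",
     "uid": "uid-0004"}
  ]
}
""")


def rules_without_comment(reply):
    """Return (rule-number, name, uid) for every rule lacking a comment."""
    missing = []

    def walk(entries):
        for entry in entries:
            if entry.get("type") == "access-section":
                # Sections nest their rules in their own "rulebase" list.
                walk(entry.get("rulebase", []))
            elif entry.get("type") == "access-rule":
                # Treat an absent, empty or whitespace-only field as missing.
                if not (entry.get("comments") or "").strip():
                    missing.append((entry.get("rule-number"),
                                    entry.get("name") or "(unnamed)", entry.get("uid")))

    walk(reply.get("rulebase", []))
    return missing


def report(reply):
    layer = reply.get("name", "?")
    return ["%s rule %s (%s) uid=%s: no comment" % (layer, n, name, uid)
            for n, name, uid in rules_without_comment(reply)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REPLY)))
```

The same function applies to the other policy types only if their rulebase replies are parsed with their own `type` values, which this example does not assume.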
Paul_Warnagiris
Advisor

I don't like this.  Every auditor checks for this and you get dinged without it.  This is such a simple thing to do and every other FW vendor allows this.  The compliance workaround is not an answer, it's a band-aid.  How hard is it to get an RFE for this considering it's a standard requirement, best practice and basic good hygiene?

the_rock
Legend

You are correct in saying other fw vendors allow it, BUT, there is a hack to get around it, an easy one too, mind you : - )

Andy

0 Kudos
Chris_Atkinson
Employee

RFE process is well known, please discuss with your local SE.

With R81.20 the SmartWorkflow / Approval Cycle could also help if you have challenges with change management policy conformance, please refer: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Furthermore, you can enforce session descriptions should you so choose.

Navigate to Advance Session settings and check the "All Session must have a name and description" check box. 

See also: https://community.checkpoint.com/t5/SmartTasks/Session-description-check/td-p/177546

CCSM R77/R80/ELITE
0 Kudos
Paul_Warnagiris
Advisor

Will do.  Because something that should be a simple click box is turned into a whole new workflow doesn't make sense and it's not a good answer.  I could live with the session enforcement mechanism if it could enforce rule comments.  That would be an acceptable workaround.  But to create a 7 step workflow and require multiple people to do something that a click box could accomplish is silly.

0 Kudos
Chris_Atkinson
Employee

To confirm, you are already using the Compliance Blade?

compliance comment.jpg

CCSM R77/R80/ELITE
Marc0523
Participant

Sadly no, we don’t have the compliance blade. 

0 Kudos
the_rock
Legend

You can apply eval and test it for 30 days.

Andy

0 Kudos
the_rock
Legend

Let me test this in my lab, I believe it can be achieved with compliance blade as Chris indicated.

Andy

0 Kudos
the_rock
Legend

K, got it, here is what you need to do. I attached all the screenshots to this reply.

Best,

Andy

 

Marc0523
Participant

This looks perfect, but involves the compliance blade. 
I’ll have to see if we are allowed to purchase it. 

0 Kudos
the_rock
Legend

I'm sure if you approached your local Sales person, they would be willing to help you out with this. Compliance blade is really good, I strongly recommend it.

Best,

Andy

0 Kudos
Danny
Champion

Hi Andy, does this work for all policy types?

  • Access Control
  • NAT
  • Threat Prevention
  • HTTPS Inspection
  • Mobile Access
  • DLP

etc.

0 Kudos
the_rock
Legend

Hey Danny,

I tested it yesterday and it worked for any rule type, correct.

Best,

Andy

0 Kudos
