Hi,
I have SmartConsole R81.10 and I would need to check in the logs who moved one rule, I have its UID.
Specifically, the rule was number 200 but someone moved it and it is now number 150.45, and because it was a bad inline rule it could not execute and the move was dropped by cleanup. Since the rule has no name (some oversight) I can only use the rule UID.
I am asking for a hint on how to find out who moved it and when.
Quickest way is to go to the Logs & Monitor tab, open a new tab, and select Audit Log. You can search the list of changes the same way you can a traffic log. For other techniques to figure out what changes were made and by whom see here: R80+ Change Control: A Visual Guide
I tried "Change Report" but according to SK166435 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) "Moving a rule in the policy will not appear in the report"
I tried to look for it in Audit logs but there are a lot of changes and I would need to filter it to have results only for a specific rule UID. Is there such a filter? Or where can I find information about all available filters?
OK, looks like some SMS error. I created a test rule, copied the UID and pasted it in Audit Logs in the search field. It found all the changes I made.
I don't know why but for the rule I'm looking for (using its UID) the last changes it finds are those from 2 years ago. But according to Installation History, the rule was moved 14 days ago.
Does anyone have any idea why I can't see this change?
Can you send a screenshot of how you did a filter search?
It's important to follow the below to make sure the UUID is 100% right
https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-access-rule~v1.9%20
I took some screenshots from my lab.
Andy
Using Audit Log is not a solution to my problem. I currently have an open ticket at Check Point; after the remote session they also found that there was an error. They are currently trying to replicate the misbehavior in their lab. For some reason, only the changes made by one user 12 days ago are not shown in the audit log (at least that's the only one I know of, because there may be more).
I was hoping someone here had had a similar problem and found a solution.
You can review /var/log/audit files and see if there is anything of interest there.