Michael_Goehrin
Participant

How to revert a Policy or discard changes?

Hello,

I am looking for two important features:

1.) Use Case "discard / revert changes"

Admin1 made some changes and published them. Admin2 also made some changes and checks all the changes before policy installation.

Admin2 recognises that Admin1 made a mistake. How can Admin2 discard the change from Admin1 before policy installation?

2.) Use Case "revert Policy"

The much more important use case is to revert to an older policy revision with all the changes.

For example: an administrator uses the API and changes a lot of objects via script and publishes at the last line.

In versions prior to R80 I can use the "Database Revision Control"; what can I use with R80?

Thank you for an answer.

1 Solution

Accepted Solutions
Tomer_Sole
Mentor

Hi Michael,

R80 Management architecture includes built-in revisions. A new revision is created automatically every time a user publishes his changes. The revisions' representation in the security management database is based on only the objects which were changed, not all objects, and is therefore more efficient than R7x revisions.

1.) Use Case "discard / revert changes"

Admin1 made some changes and published them. Admin2 also made some changes and checks all the changes before policy installation.

Admin2 recognises that Admin1 made a mistake. How can Admin2 discard the change from Admin1 before policy installation?

For R80 or R80.10, there are some features which can assist with change management.

- The Install Policy dialog lists changes in rules and objects since the last installation on the selected Gateway.

- Manage & Settings --> Revisions shows every revision made by any user. Clicking a revision shows the audit logs in the bottom pane. From the audit logs you can decide whether you wish to accept the changes or manually revert each change.

- The R80.10 API has a diff API method which allows selecting an object and seeing its history.

SmartWorkflow-equivalent features such as session approval will be added in our next releases.

2.) Use Case "revert Policy"

The much more important use case is to revert to an older policy revision with all the changes.

For example: an administrator uses the API and changes a lot of objects via script and publishes at the last line.

In versions prior to R80 I can use the "Database Revision Control"; what can I use with R80?

In case a policy installation was made after all these changes, with R80 and R80.10, there is an option to revert changes on the Gateway while keeping them in the Management server. This case is covered by the "Installation History" page. It is located inside Security Policies under the "Access Tools" in the bottom part of the left-side navigation. This view shows the occurrences of policy installation per gateway, and it has the option to install an older revision on a gateway without modifying the database in the Management server.

The other change management tools that I mentioned with your "case 1" can also assist in case of unexpected changes on the Management server, before installing a policy.


10 Replies
Michael_Goehrin
Participant

Hello,

Thank you for the detailed answer, but if I can't revert a published change before I have installed the policy, I see a big problem.

The Revert feature is only available for the installed version - correct?

But if Admin2 deletes different objects with impact on several groups, rules and policies (for example via API), it is really difficult to reconfigure the objects manually.

What can I do in this case?

0 Kudos
Tomer_Sole
Mentor

The Revert feature is available for the installed version on the Gateway.

For your case, the following tools are available to resolve such issues:

- Manage & Settings-->Revisions view provides details for every published revision. Clicking a revision shows the audit logs for it. An audit log is created for every change in a network object with all the modified fields. Other audit logs are created per rule, per install policy, etc.

- Security Policies-->when looking at a layer's rules, from the toolbar at the top click Actions-->History... to see the relevant revisions and audit logs per layer, and the layer's objects. This is the same view as "Revisions", only filtered for the ones relevant to your currently viewed layer.

- Change control - If you find the API approach to be a possible risk with no accountability, perhaps consider not calling the Publish web-method and instead keep the session with unpublished changes. Then go to Manage & Settings-->Sessions, see the sessions created by the API, observe the changes, and manually decide to publish the changes or discard them. The same can be said for an administrator approval cycle.

We are open for feedback on that subject.

Tomer.

0 Kudos
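
One way to script the change-control approach described in the post above (stage API changes in a session, never call publish, review in Manage & Settings-->Sessions), as an added example that is not part of the thread and not Check Point's own code. It assumes the Management Web API's `login`, `add-host` and `discard` commands and the `X-chkp-sid` header; `http_transport`, `FakeTransport` and `stage_changes` are hypothetical names, and the hosts, credentials and session name are constructed.

```python
import json
import urllib.request

def http_transport(base_url):
    """POST JSON to <base_url>/web_api/<command>; the session id goes in X-chkp-sid."""
    def call(command, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

class FakeTransport:
    """Constructed stand-in for the management server; records every command."""
    def __init__(self, fail_on=None):
        self.commands, self.fail_on = [], fail_on
    def __call__(self, command, payload, sid=None):
        self.commands.append(command)
        if command == self.fail_on:
            raise RuntimeError(f"{command} rejected")
        return {"sid": "constructed-sid"} if command == "login" else {}

def stage_changes(call, user, password, session_name, changes):
    """Apply changes in a named session and stop before publish."""
    sid = call("login", {"user": user, "password": password,
                         "session-name": session_name})["sid"]
    applied = []
    try:
        for command, payload in changes:
            call(command, payload, sid)
            applied.append((command, payload.get("name")))
    except Exception:
        call("discard", {}, sid)  # do not leave a half-applied batch for review
        raise
    # Deliberately no "publish": a reviewer decides in Manage & Settings > Sessions.
    return {"session-name": session_name, "applied": applied}

if __name__ == "__main__":
    fake = FakeTransport()  # swap in http_transport("https://<mgmt-server>") for real use
    batch = [("add-host", {"name": "web-01", "ip-address": "192.0.2.10"}),
             ("add-host", {"name": "web-02", "ip-address": "192.0.2.11"})]
    print(stage_changes(fake, "api_user", "constructed-password", "CHG-0001 staged", batch))
    print(fake.commands)
```

Giving the session a recognisable name makes the script's session easy to find in the Sessions view before deciding to publish or discard it.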
Ivo_Hrbacek
Contributor

Hi Tomer,

A little improvement should be to add the possibility to revert only one particular change in the whole unpublished content :)

Example: doing rule sections and doing it badly by pasting a new section under an existing one; rules from the previous section are moved to the new section when the new section is created. 100 rules means I have to mark them, make a new rule in the previous section, paste the marked rules there and delete the new unused rule I created, since without it you cannot paste rules into a section. That means 4 steps, but it could be done in one session activity revert :) ... I was wondering if the Check Point Session Lab TAB will do the trick, but it does not... What are the real plans you have with the Lab Tab?

0 Kudos
Tomer_Sole
Mentor

This is in the works.

For your case - what about the Discard button?

0 Kudos
Ivo_Hrbacek
Contributor

Hmmm, well you know, when I have 20 changes and wanna remove just one at position 18 for example, it's bad because the discard button will remove all changes... but I can see light at the end of the tunnel if you have it on the roadmap :)

thx

0 Kudos
phlrnnr
Advisor

How do you revert a policy that is published, but causes policy installation to fail?  I'd like to "un-publish" back to a known good policy so I can install policy again.  I don't always know exactly what caused policy to become un-installable (eg. I have a TAC case open for an issue like this currently).  It would be super convenient to be able to just pick a revision and "revert" back to that revision immediately.

In this case, the 'Installation History' won't work because the policy can't actually be installed.  

0 Kudos
Timothy_Hall
Legend

Have you seen my article here:

R80+ Change Control: A Visual Guide

I think you want the Revert function detailed at the end of Part 3.

Edit: The "Revert to this Revision" feature added in R80.40 may be helpful as well.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
phlrnnr
Advisor

Thanks!  That makes a lot of sense.  The problem I am having, however, based on audit logs, I believe I have narrowed down to an IPS policy change with custom snort signatures.  In this case, the IPS administrator is gone, and I don't know exactly what he did, or how to undo it, so I'd rather revert it back to a known good state.  However, 'Actions -> History' doesn't exist under the Threat Prevention policy.  If I look under all revisions, I know exactly which revision caused the issue; there just doesn't seem to be an easy way to revert to the previous one.  Unfortunately, I believe 'Purge' does the opposite of what I want 😉  I'd love to have a 'Revert' option under the 'Revisions' tab.

Ramchand_Somaya
Employee Alumnus

Is there a way to restore a deleted policy package after publish?

0 Kudos
