This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Goehrin
Participant
‎2017-05-06 09:54 AM
Jump to solution

How to revert a Policy or discard changes?

Hello,

i am looking for two important features:

1.) Use Case "dicard / revert changes"

Admin1 did some changes and published them. Admin2 did also some changes and check all the changes before Policy installation.

Admin2 recognise that Admin1 did a mistake, how can Admin2 discard the change from Admin1 before Policy installation?

2.) Use Case "revert Policy"

The much more important Use Case is to revert to an older Policy Revision with all the changes.

For Example: An Administrator use the API and change lot of Objects via script an publish at the last line.

In Verions prior R80 i can use the "Database Revision Control" what can i use with R80?

Thank you for an answer.

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2017-05-06 10:50 PM
Jump to solution

Hi Michael,

R80 Management architecture includes built-in revisions. A new revision is created automatically every time a user publishes his changes. The revisions' representation in the security management database is based on only the objects which were changed, not all objects, and therefore more efficient than R7x revisions.

1.) Use Case "dicard / revert changes"

Admin1 did some changes and published them. Admin2 did also some changes and check all the changes before Policy installation.

Admin2 recognise that Admin1 did a mistake, how can Admin2 discard the change from Admin1 before Policy installation?

For R80 or R80.10, there are some features which can assist with change management.

- install policy dialog lists changes in rules and objects since the last installation on the selected Gateway.

- Manage & Settings --> Revisions shows every revision made by any user. Clicking a revision shows the audit logs in the bottom pane. From the audit logs you can decide whether you wish to accept the changes or manually revert each change.

- R80.10 API has diff API method which allows selecting an object and seeing its history.

SmartWorkflow-equivalent features such as session approval will be added in our next releases.

2.) Use Case "revert Policy"

The much more important Use Case is to revert to an older Policy Revision with all the changes.

For Example: An Administrator use the API and change lot of Objects via script an publish at the last line.

In Verions prior R80 i can use the "Database Revision Control" what can i use with R80?

In case a policy installation was made after all these changes, with R80 and R80.10, there is an option to revert changes on the Gateway while keeping them in the Management server. This case is covered by the "Installation History" page. It is located inside Security Policies under the "Access Tools" in the bottom part of the left-side navigation. This view shows the occurrences of policy installation per gateway, and it has the option to install an older revision on a gateway without modifying the database in the Management server.

The other change management tools that I mentioned with your "case 1" can also assist in case of unexpected changes on the Management server, before installing a policy.

View solution in original post

10 Replies
Tomer_Sole
Mentor
Mentor
‎2017-05-06 10:50 PM
Jump to solution

Hi Michael,

R80 Management architecture includes built-in revisions. A new revision is created automatically every time a user publishes his changes. The revisions' representation in the security management database is based on only the objects which were changed, not all objects, and therefore more efficient than R7x revisions.

1.) Use Case "dicard / revert changes"

Admin1 did some changes and published them. Admin2 did also some changes and check all the changes before Policy installation.

Admin2 recognise that Admin1 did a mistake, how can Admin2 discard the change from Admin1 before Policy installation?

For R80 or R80.10, there are some features which can assist with change management.

- install policy dialog lists changes in rules and objects since the last installation on the selected Gateway.

- Manage & Settings --> Revisions shows every revision made by any user. Clicking a revision shows the audit logs in the bottom pane. From the audit logs you can decide whether you wish to accept the changes or manually revert each change.

- R80.10 API has diff API method which allows selecting an object and seeing its history.

SmartWorkflow-equivalent features such as session approval will be added in our next releases.

2.) Use Case "revert Policy"

The much more important Use Case is to revert to an older Policy Revision with all the changes.

For Example: An Administrator use the API and change lot of Objects via script an publish at the last line.

In Verions prior R80 i can use the "Database Revision Control" what can i use with R80?

In case a policy installation was made after all these changes, with R80 and R80.10, there is an option to revert changes on the Gateway while keeping them in the Management server. This case is covered by the "Installation History" page. It is located inside Security Policies under the "Access Tools" in the bottom part of the left-side navigation. This view shows the occurrences of policy installation per gateway, and it has the option to install an older revision on a gateway without modifying the database in the Management server.

The other change management tools that I mentioned with your "case 1" can also assist in case of unexpected changes on the Management server, before installing a policy.

Michael_Goehrin
Participant
‎2017-05-20 08:30 AM
In response to Tomer_Sole
Jump to solution

Hello,

thank you for the detailed answer, but if i can´t revert a published change before i installed the policy, i see a big problem.

The Revert feature is only available for installed version - correct?

But if Admin2 delete different Objects with impact of several Groups, Rules and Policies (for example via API)  it is really difficult to reconfigure the objects manually.

What can i do in this case?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-05-21 12:45 AM
In response to Michael_Goehrin
Jump to solution

The Revert feature is available for the installed version on the Gateway.

For your case, the following tools are available to resolve such issues:

- Manage & Settings-->Revisions view provide details for every published revision. Clicking a revision shows the audit logs for it. An audit log is created for every change in a network object with all the modified fields. Other audit logs are created per rule, per install policy, etc.

- Security Policies-->when looking at a layer's rules, from the toolbar at the top click Actions-->History... to see the relevant revisions and audit logs per layer, and the layer's objects. This is the same view as "Revisions" only filtered for the ones relevant to your currently viewed layer.

- Change control - If you find the API approach as a possible risk with no accountability, perhaps consider not calling the Publish web-method and instead keep the session with unpublished changes. Then go to Manage & Settings-->Sessions, see the sessions created by the API, observe the changes, and manually decide to publish the changes or discard them. The same can be said for administrator approval cycle.

We are open for feedback on that subject.

Tomer.

0 Kudos
Ivo_Hrbacek
Contributor
Contributor
‎2017-08-31 04:47 AM
In response to Tomer_Sole
Jump to solution

Hi Tomer,

little improvement should be to add possibility revert only one particular change in whole unpublished contentSmiley Happy

example: Doing rules sections and doing it badly by pasting new section under existed one, rules from previous section are moved to new section when new section is created  - 100 rules means I have to mark them, make new rule in previous section, paste marked rules there and delete new unused rule I created since without it you can not paste rules to section - that means 4 steps, but could be done in one session activity revert Smiley Happy  ... I was wondering if Check Point Session Lab TAB will do the trick, but it does not .. what are real plans you have with Lab Tab?

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-31 06:06 AM
In response to Ivo_Hrbacek
Jump to solution

This is in the works.

For your case - what about the Discard button?

0 Kudos
Ivo_Hrbacek
Contributor
Contributor
‎2017-09-01 06:08 AM
In response to Tomer_Sole
Jump to solution

hmmm well you know, when I have 20 changes and wanna remove just one at position 18 for example, its bad because discard button will remove all changes .. but I can see light at the end of the tunnel if you have it on roadmap Smiley Happy

thx

0 Kudos
phlrnnr
Advisor
‎2018-12-21 11:45 AM
In response to Tomer_Sole
Jump to solution

How do you revert a policy that is published, but causes policy installation to fail?  I'd like to "un-publish" back to a known good policy so I can install policy again.  I don't always know exactly what caused policy to become un-installable (eg. I have a TAC case open for an issue like this currently).  It would be super convenient to be able to just pick a revision and "revert" back to that revision immediately.

In this case, the 'Installation History' won't work because the policy can't actually be installed.  

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-12-21 02:00 PM
In response to phlrnnr
Jump to solution

Have you seen my article here:

 

R80+ Change Control: A Visual Guide 

 

I think you want the Revert function detailed at the end of Part 3.

 

Edit: The "Revert to this Revision" feature added in R80.40 may be helpful as well.

 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
phlrnnr
Advisor
‎2018-12-26 07:04 AM
In response to Timothy_Hall
Jump to solution

Thanks!  That makes a lot of sense.  The problem I am having, however, based on audit logs, I believe I have narrowed down to an IPS policy change with custom snort signatures.  In this case, the IPS administrator is gone, and I don't know exactly what he did, or how to undo it, so I'd rather revert it back to a known good state.  However, 'Actions -> History' doesn't exist under the Threat Prevention policy.  If I look under all revisions, I know exactly which revision caused the issue; there just doesn't seem to be an easy way to revert to the previous one.  Unfortunately, I believe 'Purge' does the opposite of what I want 😉  I'd love to have a 'Revert' option under the 'Revisions' tab.

Ramchand_Somaya
Employee Alumnus
Employee Alumnus
‎2019-05-10 09:56 AM
In response to Timothy_Hall
Jump to solution

Is there a way to restore deleted policy package after publish?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events