This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jin_Zhou
Contributor
‎2018-06-15 12:09 PM

Is there a command line batch change a large list of IPS protections to prevent?

Is there a way to change a list of IPS protections in .csv file from current state to prevent or detect with a command batch mode like adding network objects in batch? We are on R80.10. Thanks.

11 Replies
Vincent_Bacher
Advisor
Advisor
‎2018-06-15 11:44 PM

Maybe using API and overrides? 

For instance (from api reference)

mgmt_cli - r true mgmt set threat-protection name "FTP Commands" overrides.1.profile "New Profile 1" overrides.1.action "prevent "

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Jin_Zhou
Contributor
‎2018-06-18 12:18 PM
In response to Vincent_Bacher

It looks very promising. But I got the following error when running it:

code: "generic_err_command_not_found"
message: "Requested API command: [mgmt] not found"

Do you have document URL on this? Thanks.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-18 12:35 PM
In response to Jin_Zhou

Yes, there are many documents Smiley Happy

The API reference is here: Check Point - Management API reference 

it seems that you tried to run the Gaia Shell option in the SmartConsole CLI window. In the reference link (above) it will explain the differences for running each API call.

I also recommend on the rather long but step-by-step guide webinar Leveraging the R80.10 API to Automate and Streamline Security Operations 

0 Kudos
Jin_Zhou
Contributor
‎2018-06-18 12:53 PM
In response to Tomer_Sole

The command worked. I had to add -d option. In our case I tested in Global domain.

mgmt_cli set threat-protection name "Adobe PageMaker Key Strings Stack Buffer Overflow" overrides.1.profile "g_Optimized_test" overrides.1.action "detect" -r true -d Global

Thank both of you!

Tomer_Sole
Mentor
Mentor
‎2018-06-18 01:02 PM
In response to Jin_Zhou

glad we could help! The Excel trick may look like a hack but it's actually common to see people using it for that

you could also add -domain Global during login and then save the -d Global part for each row.

0 Kudos
Jin_Zhou
Contributor
‎2018-06-21 08:42 AM
In response to Tomer_Sole

Thanks. I tested in our lab. It works with batch but very slow, slower than I do it manually. But it is at least more error-proof when you do  hundreds of them, I hope. The follow up question is how do I show and confirm the result in command line or better yet, batch mode. From the reference manual, I figured out the following command:

 mgmt_cli show threat-protection -r true  -d Global name "Squid Proxy strHdrAcptLangGetItem Value Denial of Service"

It shows  the detail of the signature for all profiles. How can I show just one profile or even better if I can limit the output to only action field--prevent, detect or inactive? Tried -p option and did not work.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-16 10:40 PM

I have a question on this - where are the decided protections to activate/deactivate coming from? If they come from some 3rd party vulnerability assessment tool, perhaps it's better to tune your IPS Profile and activate/deactivate all protections associated to specific tags - based on OS/protocol/vendor. See https://community.checkpoint.com/thread/5565-automating-ips 

Let me know if this use-case fits as usually the request to change protections doesn't come from nowhere Smiley Happy

0 Kudos
Jin_Zhou
Contributor
‎2018-06-18 12:23 PM
In response to Tomer_Sole

Thanks. Unfortunately the use-case does not help me here.The list comes from our internal review. Currently I have to change them manually through SmartConsole one by one.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-06-18 12:31 PM
In response to Jin_Zhou

you can also ctrl+select as long as you don't do that to over 200 protections at the same time.

but it's probably smarter to edit your CSV in Excel and add a calculated column that creates an API command.

In this example let's say you're at line 4 and you put protection name at column A, profile name at column C and desired new action at column B:

=CONCATENATE("set threat-protection name \""",A4,"\"" overrides.add.1.profile \""",C4,"\"" overrides.1.add.action ",B4)

the calculated API call in this cell, and the other cells below it, can then be copied and pasted into the SmartConsole command-line window.

what do you think?

0 Kudos
Jin_Zhou
Contributor
‎2018-06-18 12:55 PM
In response to Tomer_Sole

Thanks. I will try batch mode on mgmt.-cli batch mode with csv like I did in adding hosts.

0 Kudos
Huseyin_Rencber
Collaborator
‎2018-06-17 12:05 AM

You can import snort signatures and each time you can delete all snort signatures then import the bulk change signature set easily. Without snort signatures maybe API will help like Vincent Bacher said 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events