Simon_Macpherso
Contributor

R80.40 Automated Policy Installation

Hi Checkmates

We have recently automated policy installation via Ansible using the Checkpoint Ansible Management collection.

At the moment we have specified an arbitrary time delay (10 minutes) between each policy installation as there is no support for concurrent policy installation in R80.40.

We are uploading all policies on a schedule, including policies that may not necessarily have had any published changes since they were last uploaded.

  • Are there any caveats, specifically in relation to connectivity and resource consumption, you know of that may negatively impact an active unit in Cluster XL HA in this scenario?
  • Our goal is to determine which policies have had changes since they were last uploaded and only upload those policies. This would potentially reduce the duration of our scheduled policy upload windows.
    • To achieve this we need a way to compare the last-modify-time parameter on a policy package object against the last time a policy package was installed.
    • Is the last-modify-time parameter in the package object updated when a change is published to it?
    • Can we somehow query the last policy package installation time? I don’t see an endpoint for this in the 1.6.1 API reference.

I have a script which determines which policies were impacted by changes made in the last published session. But this does not show changes made to all published sessions over a specific period i.e. since the policy was last uploaded.

Can you suggest an alternate method by which we can achieve this outcome?

Regards,

Simon

0 Kudos
3 Replies
PhoneBoy
Admin

Policy installation in general used to be a bit more disruptive since it basically caused SecureXL to be reloaded in the process.
This is no longer the case, that said there is always a risk on a heavily loaded gateway of an issue.

I believe the last-modify-time relates to changes to the actual rules in the policy package.
If an object in that policy package was changed (which can also impact multiple policy packages), it probably won't be reflected in the last-modify-time of the policy package.

The only way I am aware of to review the last time the policy was pushed would be to use show-tasks and parse the output of that.
There's no direct API for that and, even checking the gateway itself, the only thing that might be remotely accurate is the timestamp of the files in $FWDIR/state. 

0 Kudos
Simon_Macpherso
Contributor

Thanks.

Do you know of a way to get the last published time data for a policy package?

0 Kudos
PhoneBoy
Admin

Any change to the rules/configuration of the policy package would have to be published, thus would be reflected in last-modified-time.
Maybe @Omer_Kleinstern can elaborate if there are other times when this is updated.

0 Kudos
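The approach PhoneBoy describes in both replies (compare the package's last-modify-time, which only moves when the package itself is published, against the newest successful installation found by parsing show-tasks) can be expressed as a small comparison routine. The block below is an added example, not code from Check Point or from either poster. It runs offline on constructed JSON shaped like Management API responses; apart from `last-modify-time` and the `posix`/`iso-8601` timestamp pair, the field names (`status`, `task-name`, `last-update-time`, and the hypothetical `task-details[].policy-package` key used to tie a task to a package) are assumptions and must be checked against what your show-tasks output actually contains.

```python
"""Pick the policy packages whose last publish is newer than their last
successful installation.

Added example (not Check Point's or the posters' code). Input is
constructed in the shape of `show-package` / `show-tasks` responses;
field names other than `last-modify-time` and the posix/iso-8601 pair
are assumptions about the API shape.
"""
from datetime import datetime, timezone

MS = 1000  # API posix timestamps are epoch milliseconds (assumption)


def ms_to_iso(ms):
    """Render an epoch-milliseconds value as ISO-8601 UTC for log lines."""
    return datetime.fromtimestamp(ms / MS, tz=timezone.utc).isoformat()


# Constructed `show-package` results, trimmed to the fields we read.
SAMPLE_PACKAGES = [
    {"name": "Standard",
     "meta-info": {"last-modify-time": {"posix": 1_700_000_000_000,
                                        "iso-8601": "2023-11-14T22:13:20+0000"}}},
    {"name": "DMZ",
     "meta-info": {"last-modify-time": {"posix": 1_690_000_000_000,
                                        "iso-8601": "2023-07-22T04:26:40+0000"}}},
    {"name": "Lab",
     "meta-info": {"last-modify-time": {"posix": 1_695_000_000_000,
                                        "iso-8601": "2023-09-18T01:20:00+0000"}}},
]

# Constructed `show-tasks` result. `status`, `task-name`, `last-update-time`
# and the hypothetical `task-details[].policy-package` key are assumptions.
SAMPLE_TASKS = {"tasks": [
    {"task-name": "Install Policy", "status": "succeeded",
     "task-details": [{"policy-package": "Standard"}],
     "last-update-time": {"posix": 1_699_000_000_000}},   # older than publish
    {"task-name": "Install Policy", "status": "succeeded",
     "task-details": [{"policy-package": "DMZ"}],
     "last-update-time": {"posix": 1_691_000_000_000}},   # newer than publish
    {"task-name": "Install Policy", "status": "failed",
     "task-details": [{"policy-package": "DMZ"}],
     "last-update-time": {"posix": 1_699_500_000_000}},   # failed: ignored
    {"task-name": "Publish", "status": "succeeded",
     "task-details": [], "last-update-time": {"posix": 1_699_900_000_000}},
]}


def last_successful_install(tasks, package_name):
    """Epoch ms of the newest succeeded install task for `package_name`, or None."""
    best = None
    for task in tasks.get("tasks", []):
        if task.get("status") != "succeeded":
            continue
        if not task.get("task-name", "").lower().startswith("install policy"):
            continue
        details = task.get("task-details", [])
        if not any(d.get("policy-package") == package_name for d in details):
            continue
        ts = task["last-update-time"]["posix"]
        if best is None or ts > best:
            best = ts
    return best


def packages_needing_install(packages, tasks):
    """Return [(name, reason)] for packages published after their last install.

    Caveat from the thread: editing a shared object used by a package does not
    bump that package's last-modify-time, so this test is necessary but not
    sufficient. Keep a periodic full install in the schedule.
    """
    out = []
    for pkg in packages:
        modified = pkg["meta-info"]["last-modify-time"]["posix"]
        installed = last_successful_install(tasks, pkg["name"])
        if installed is None:
            out.append((pkg["name"], "no successful install task found"))
        elif modified > installed:
            out.append((pkg["name"],
                        f"published {ms_to_iso(modified)} after install "
                        f"{ms_to_iso(installed)}"))
    return out


if __name__ == "__main__":
    for name, reason in packages_needing_install(SAMPLE_PACKAGES, SAMPLE_TASKS):
        print(f"{name}: {reason}")
```

Two practical notes: show-tasks is paginated, so page through it (or narrow by date) rather than trusting the first page to contain the last install of every package; and a failed or partially succeeded installation should not count as "installed", which is why the routine keys on a succeeded status only.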