This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2021-05-11 07:43 PM

R80.40 Automated Policy Installation

Hi Checkmates

We have recently automated policy installation via Ansible using the Checkpoint Ansible Management collection.

At the moment we have specified and arbitrary time delay (10 minutes) between each policy installation as there is no support for concurrent policy installation in r80.40.

We are uploading all policies on a schedule, including policies that may not necessarily have had any published changes since they were last uploaded.

  • Are there any caveats, specifically in relation to connectivity and resource consumption, you know of that may negatively impact an active unit in Cluster XL HA in this scenario?
  • Our goal is to determine which policies have had changes since they were last uploaded and only upload those policies. The would potentially reduce the duration of our scheduled policy upload windows.
    • To achieve this we need a way to compare the last-modify-time parameter on a policy package object against the last time a policy package was installed.
    • Is the last-modify-time parameter in the package object updated when a change is published to it?
    • Can we somehow query the last policy package installation time? I don’t see an endpoint for this in the 1.6.1 API reference.

I have a script which determines which policies were impacted by changes made in the last published session. But this does not show changes made to all published sessions over a specific period i.e. since the policy was last uploaded.

Can you suggest an alternate method by which we can achieve this outcome?

Regards,

Simon

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2021-05-11 10:22 PM

Policy installation in general used to be a bit more disruptive since it basically caused SecureXL to be reloaded in the process.
This is no longer the case, that said there is always a risk on a heavily loaded gateway of an issue.

I believe the last-modify-time relates to changes to the actual rules in the policy package.
If an object in that policy package was changed (which can also impact multiple policy packages), it probably won't be reflected in the last-modify-time of the policy package.

The only way I am aware of to review the last time the policy was pushed would be to use show-tasks and parse the output of that.
There's no direct API for that and, even checking the gateway itself, the only thing that might be remotely accurate is the timestamp of the files in $FWDIR/state. 

0 Kudos
Simon_Macpherso
Advisor
‎2021-05-12 05:40 PM
In response to PhoneBoy

Thanks.

Do you know of a way to get the last published time data for a policy package?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-12 06:40 PM
In response to Simon_Macpherso

Any change to the rules/configuration of the policy package would have to be published, thus would be reflected in last-modified-time.
Maybe @Omer_Kleinstern can elaborate if there are other times when this is updated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events