the_rock
Legend

Scheduled policy install

Hey guys,

I know this was asked before, and I do know you can try to do this with time objects for specific rules and also install policy on a successful IPS update, BUT I can't find anywhere an option to schedule a policy push on a specific date and time like below in FortiManager for FortiGate firewalls?

Thoughts?

Andy


Accepted Solutions
the_rock
Legend

Thanks everyone for your responses, always greatly appreciated.

@D_W @Bob_Zimmerman @Tal_Paz-Fridman @Tal_Paz-Fridman 

I was more thinking there was a way to enable an option to check, like the one I uploaded from FortiManager, to schedule policy install, but I guess that's not possible as of yet via SmartConsole. Anyway, not a huge deal, I ended up submitting an RFE for it.

Thanks again everyone.

Andy

14 Replies
Tal_Paz-Fridman
Employee

Hi Andy,

This is possible in Multi-Domain Security Management using Policy Presets:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Multi-DomainSecurityManagement_Adm...

the_rock
Legend

Thanks Tal. We don't have any customers using MDS, so is there any way to do this on regular mgmt?

Andy

Bob_Zimmerman
Authority

One hazard with policy presets: they stick around after they've fired, and they reference objects. I was recently involved in upgrading an MDS which had hundreds of these left over referencing firewalls which had been decommissioned years earlier. The references to objects which no longer exist tanked the upgrade, and there doesn't appear to be API support for managing policy presets, so we had to manually delete them.

I wrote a script for recurring policy installations several years ago. I'll clean it up a little and share it in a bit. In the main environment I currently manage, we install almost every policy every day Monday through Friday. We find it helps us identify problems more quickly, since we have fewer changes to review since the last push.

the_rock
Legend

That's a super VALID point @Bob_Zimmerman

Bob_Zimmerman
Authority

I've just added two scripts to one of my GitHub repos:

https://github.com/Bob-Zimmerman/CPFirewallScripts

Check out autoPushWorker.sh and autoPush_Dev-QA.sh (which I call a "window script"). A cron job starts the window script, the window script sets up the data and passes it to the worker script. The worker script then sends a notification it's starting, pushes the policy, and sends an email with the results when it's done.

the_rock
Legend

Thanks Bob! I will test it.

Andy

D_W
Advisor

Create a cron job on the management server and install the policy via the mgmt API.

Why do you need this?

the_rock
Legend

If you could give me an example, that would be great! A customer asked me about it recently; possibly they may want to have it installed at night after so many changes.

Andy

Tal_Paz-Fridman
Employee

You can also create a SmartTask in SmartConsole that will run a predefined script after a predefined trigger like Publish.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Cont...
the_rock
Legend

Thanks Tal. I actually saw that the other day, but sadly it does not have an option for policy install : - (

Andy

Lesley
Mentor

Here is the API part:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v2%20

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --format json

Note: "--format json" is optional. By default the output is presented in plain text.

I would not recommend auto policy push; at one point it will give issues.

The cron job, with the API call inside a custom script:

mgmt_cli install-policy --batch /home/admin/gateways.csv --format json -u username -p PW

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend

Hey Lesley,

Right, I know that part, but it still does not show or give an example of how you would run it on a specific schedule.

Andy

Lesley
Mentor

A cron job will do that for you. If you want it to run more than once a day, there is an SK on how to change a cron job to run it more often.

-------
If you like this post please give a thumbs up(kudo)! 🙂
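One way to wire Lesley's mgmt_cli call to cron, and to give the cron-plus-API setup D_W and Bob describe (cron starts a script, the script pushes and reports) a concrete shape. This is an added example, not code from this thread or from the CPFirewallScripts repo. It assumes mgmt_cli is on PATH, that it runs as admin in expert mode on the management server so "-r true" (root login, no stored password) works, and that mgmt_cli waits for the install task and prints its JSON; the package name, gateway list and log path are constructed sample values.

```shell
#!/bin/bash
# Added example, not code from this thread or from the CPFirewallScripts repo.
# Scheduled policy install from cron on a Check Point management server.
# Assumptions (not from the thread): mgmt_cli is on PATH, the script runs as
# admin in expert mode so "-r true" (root login, no stored password) works,
# and mgmt_cli waits for the install task and prints it as JSON (--format json).
# Example cron entry (expert mode), 22:00 Monday to Friday:
#   0 22 * * 1-5 /home/admin/auto_install.sh run

POLICY_PACKAGE="${POLICY_PACKAGE:-standard}"        # constructed sample values
GATEWAYS="${GATEWAYS:-corporate-gateway}"           # space-separated list
LOG="${LOG:-/var/log/auto_policy_install.log}"
log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Turn "gw1 gw2" into "targets.1 gw1 targets.2 gw2" as mgmt_cli expects.
build_targets_args() {
  local i=1 out="" gw
  for gw in $1; do
    out="$out targets.$i $gw"
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# Pull "task-id" out of mgmt_cli JSON output without depending on jq.
parse_task_id() {
  printf '%s' "$1" | sed -n 's/.*"task-id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only if the task JSON reports status "succeeded" and no "failed".
task_succeeded() {
  printf '%s' "$1" | grep -q '"status"[[:space:]]*:[[:space:]]*"succeeded"' &&
    ! printf '%s' "$1" | grep -q '"status"[[:space:]]*:[[:space:]]*"failed"'
}

install_policy() {
  local targets out
  targets=$(build_targets_args "$GATEWAYS")
  log "starting install of $POLICY_PACKAGE on: $GATEWAYS"
  if ! out=$(mgmt_cli install-policy policy-package "$POLICY_PACKAGE" \
        access true threat-prevention true $targets -r true --format json 2>&1); then
    log "mgmt_cli returned an error: $out"; return 1
  fi
  if task_succeeded "$out"; then
    log "install succeeded, task $(parse_task_id "$out")"
  else
    log "install did not succeed, task $(parse_task_id "$out"): $out"; return 1
  fi
}
case "${1:-}" in run) install_policy ;; esac
```

Run it as `auto_install.sh run` from cron; without the `run` argument it only defines the functions, so the log file shows every push and its task status for review the next morning.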