This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2025-02-26 08:27 AM
Jump to solution

Scheduled policy install

Hey guys,

 

I know this was asked before and I do know you can try do this with time objects for specific rules and also install policy on successful ips update, BUT, I cant find anywhere an option to schedule policy push on specific date time like below in forti manager for Fortigate firewalls?

Thoughts?

Andy

Screenshot_2.png
Preview file
55 KB
Screenshot_1.png
Preview file
247 KB
0 Kudos
3 Solutions

Accepted Solutions
Lesley
Mentor Mentor
Mentor
‎2025-02-26 09:38 AM
In response to the_rock
Jump to solution

Here is the API part:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v2%20

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway"  --format json
 • "--format json" is optional. By default the output is presented in plain text.

I would not recommend to auto policy push at one point it will give issues. 

The cronjob with inside the API and custom script: 

mgmt_cli install-policy --batch /home/admin/gateways.csv --format json -u username -p PW

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

the_rock
Legend
Legend
‎2025-02-26 10:24 AM
Jump to solution

Thanks everyone for your responses, always greatly appreciated.

@D_W @Bob_Zimmerman @Tal_Paz-Fridman @Tal_Paz-Fridman 

I was more thinking there was a way to enable option to check like one I uploaded from Forti manager to schedule policy install, but guess thats not possible as of yet via smart console. Anyway, not a huge deal, I ended up submitting an RFE for it.

Thanks again everyone.

Andy

View solution in original post

0 Kudos
18 Replies
the_rock
Legend
Legend
‎2025-02-26 08:45 AM
In response to Tal_Paz-Fridman
Jump to solution

Thanks Tal. We dont have any customers using MDS, so any way to do this on regular mgmt?

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-02-26 09:03 AM
In response to Tal_Paz-Fridman
Jump to solution

One hazard with policy presets: they stick around after they've fired, and they reference objects. I was recently involved in upgrading an MDS which had hundreds of these left over referencing firewalls which had been decommissioned years earlier. The references to objects which no longer exist tanked the upgrade, and there doesn't appear to be API support for managing policy presets, so we had to manually delete them.

I wrote a script for recurring policy installations several years ago. I'll clean it up a little and share in a bit. In the main environment I currently manage, we install almost every policy every day Monday through Friday. We find it helps us identify problems more quickly, since we have fewer changes to review since the last push.

Bob_Zimmerman
Authority
Authority
‎2025-02-26 10:17 AM
In response to Bob_Zimmerman
Jump to solution

I've just added two scripts to one of my Github repos:

https://github.com/Bob-Zimmerman/CPFirewallScripts

Check out autoPushWorker.sh and autoPush_Dev-QA.sh (which I call a "window script"). A cron job starts the window script, the window script sets up the data and passes it to the worker script. The worker script then sends a notification it's starting, pushes the policy, and sends an email with the results when it's done.

the_rock
Legend
Legend
‎2025-02-26 10:18 AM
In response to Bob_Zimmerman
Jump to solution

Thanks Bob! I will test it.

Andy

0 Kudos
D_W
Advisor
‎2025-02-26 08:50 AM
Jump to solution

Create a cron job on the management server and via mgmt api install the policy.

 

why do you need this?

0 Kudos
the_rock
Legend
Legend
‎2025-02-26 08:53 AM
In response to D_W
Jump to solution

If you could give me an example, would be great! Customer asked me about it recently, possibly they may want to have it installed at night after so many changes.

Andy

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-02-26 09:03 AM
In response to the_rock
Jump to solution

You can also create a SmartTask in SmartConsole that will run a predefined script after a predefined trigger like Publish.

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Cont...

 

0 Kudos
the_rock
Legend
Legend
‎2025-02-26 09:05 AM
In response to Tal_Paz-Fridman
Jump to solution

Thanks Tal. I actually saw that the other day, but does not sadly have an option for policy install : - (

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-02-26 09:38 AM
In response to the_rock
Jump to solution

Here is the API part:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v2%20

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway"  --format json
 • "--format json" is optional. By default the output is presented in plain text.

I would not recommend to auto policy push at one point it will give issues. 

The cronjob with inside the API and custom script: 

mgmt_cli install-policy --batch /home/admin/gateways.csv --format json -u username -p PW

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2025-02-26 09:46 AM
In response to Lesley
Jump to solution

Hey Lesley,

Right, I know that part, but still does not show or gives an example of how you would run if on a specific schedule.

Andy

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-02-26 11:24 AM
In response to the_rock
Jump to solution

cronjob will do that for you. if you want it to run more then once a day there is a SK how to change a cronjob to run it more often

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend
‎2025-02-26 12:05 PM
In response to Lesley
Jump to solution

So you mean something like this under job scheduler in gaia? and then set job to run every so often?

 

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" 

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2025-02-26 12:33 PM
In response to the_rock
Jump to solution

You would need a wrapper script to set up the environment variables (. /etc/profile.d/CP.sh) so mgmt_cli can work, and that exact command wouldn't work (for a cronjob, you need to use the full path, plus you need to pass static credentials to mgmt_cli or use '-r true').

Adding a separate cronjob per firewall you want to push to gets ugly fast.

And there's no way to suspend it temporarily. You would have to delete the cronjob, then add it back when you want to resume.

 

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2025-02-26 12:38 PM
In response to the_rock
Jump to solution

correct use gaia cron job to run the script you want.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend
Legend
‎2025-02-26 10:24 AM
Jump to solution

Thanks everyone for your responses, always greatly appreciated.

@D_W @Bob_Zimmerman @Tal_Paz-Fridman @Tal_Paz-Fridman 

I was more thinking there was a way to enable option to check like one I uploaded from Forti manager to schedule policy install, but guess thats not possible as of yet via smart console. Anyway, not a huge deal, I ended up submitting an RFE for it.

Thanks again everyone.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top