This SmartTask allows blocking the use of specific objects in the source and destination fields of the Access Control Policy. It intercepts the session on a publish attempt ("Pre Publish" trigger) and runs a script that looks for the objects defined in the Custom Data field of the SmartTask (see below).
It can be very useful if you want to avoid rules with "Any" in source and/or destination (in this case you'll need to exclude Stealth and Cleanup rules) and to restrict access to/from sensitive resources.
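An added illustration of the check described above (not the SmartTask's own script and not code from the original post): it scans added and modified access rules for blocked objects in source or destination and skips exempted rules such as Cleanup. The JSON layout (`added-objects`, `modified-objects` with `new-object`), the sample rule and object names, and exemption by rule name are assumptions made for this sketch.

```python
import json

# Constructed sample, shaped like the "operations" part of a changes report
# (assumed layout: added-objects / modified-objects with a new-object member).
SAMPLE_CHANGES = json.loads("""
{
  "added-objects": [
    {"type": "access-rule", "name": "Temp vendor access",
     "source": [{"name": "Any"}], "destination": [{"name": "DB_Servers"}]},
    {"type": "access-rule", "name": "Cleanup rule",
     "source": [{"name": "Any"}], "destination": [{"name": "Any"}]},
    {"type": "host", "name": "new-host-1"}
  ],
  "modified-objects": [
    {"old-object": {"type": "access-rule", "name": "Web to App",
                    "source": [{"name": "Web_Net"}], "destination": [{"name": "App_Net"}]},
     "new-object": {"type": "access-rule", "name": "Web to App",
                    "source": [{"name": "Web_Net"}], "destination": [{"name": "Any"}]}}
  ],
  "deleted-objects": []
}
""")

def _names(cell):
    """Normalise a source/destination cell to a set of object names."""
    return {o["name"] if isinstance(o, dict) else str(o) for o in cell or []}

def find_violations(operations, blocked, exempt_rules=()):
    """Return (rule name, field, object) for each blocked object that an added
    or modified access rule uses in source or destination."""
    candidates = list(operations.get("added-objects", []))
    # For modified rules only the post-change state matters for the verdict.
    candidates += [m.get("new-object", {}) for m in operations.get("modified-objects", [])]
    hits = []
    for rule in candidates:
        if rule.get("type") != "access-rule" or rule.get("name") in exempt_rules:
            continue
        for field in ("source", "destination"):
            for name in sorted(_names(rule.get(field)) & set(blocked)):
                hits.append((rule.get("name"), field, name))
    return hits

if __name__ == "__main__":
    for rule, field, obj in find_violations(SAMPLE_CHANGES, {"Any"}, {"Cleanup rule"}):
        print(f"blocked: rule '{rule}' uses '{obj}' in {field}")
```

A check built this way only sees rules that appear as added or modified in the change data it is given.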
Hello @Dima_M,
Thank you a lot for your example. It is really nice. I would like to ask you for some advice regarding my use case. Let's say that we have some highly sensitive rules. Nobody should be able to add a rule above them to break their drop meaning. I was thinking to use a SmartTask and the before publish trigger for checking this concept.
The concept of checking modified/deleted/added objects in the rule base is really nice.
{
}
We would totally be able to check if rules were edited. But during the testing I tried to move a "permit any" rule above those "highly sensitive rules". I was checking the parameters of the publish event, and when I changed the rule order and published information, the only info in the JSONs was about the session itself, with no info about the rule number change. So I have no evidence about a change in the order of rules while publishing a new rule base and running some SmartTask on it. Is this information hidden somewhere? How can I get to this information during the "before publish" event?
Thank you a lot for your reply.
{
}
Hi Martin @martin
Thanks for bringing this up. It looks like the show-changes output displays only partial info when rules are swapped. We'll investigate it further and update.
Tried to import this script and the maximum filesize that the GUI can import is 8Kb. The filesize for this is 13Kb. Why is there a limit?
How did you try to import the SmartTask? It should be done using the API; there is no way of importing a SmartTask using the GUI.
I imported it with API and it worked with no problem:
mgmt_cli import-smart-task file-path /home/admin/validate_rulebase_changes_on_publish.txt -r true
See the API documentation here: https://sc1.checkpoint.com/documents/latest/APIs/#cli/import-smart-task~v1.6%20
That would be the issue. Thanks. I eventually want to try and do this from SmartCloud.
You can still access the API with SmartCloud.
This worked on a standalone setup, but it did not work on multi-domain. How can I upload the script into a SmartTask with multi-domain?
Hi,
Does this analyze every policy or only policies that have been changed?
Regards,
Simon