Dima_M
Employee

SmartTask - Restrict use of specific objects in Access Control Policy

This SmartTask allows you to block the use of specific objects in the source and destination fields of the Access Control Policy. It intercepts the session on a publish attempt ("Pre Publish" trigger) and runs a script that looks for objects defined in the Custom Data field of the SmartTask (see below).

It can be very useful if you want to avoid rules with "Any" in source and/or destination (in this case you'll need to exclude the Stealth and Cleanup rules) and to restrict access to/from sensitive resources.

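An added example of the kind of check such a Pre Publish script can perform (not the SmartTask attached to the post): it reads a publish payload in the shape shown later in the thread and flags added or modified access rules whose source or destination names an object from the Custom Data deny-list, skipping the Stealth and Cleanup rules. The Custom Data keys, the access-rule field names and the result format are assumptions; the payload and Custom Data are constructed samples.

```python
# Added example, not the SmartTask from the post. Assumes the event follows the
# page's JSON (operations.added-objects / modified-objects) and that each
# access-rule carries "source"/"destination" lists of {"name": ...} objects.
import json

# Constructed sample of the SmartTask "Custom Data" field (assumed keys).
CUSTOM_DATA = {"blocked-objects": ["Any", "Finance-DB"],
               "exempt-rules": ["Stealth", "Cleanup rule"]}

# Constructed sample Pre Publish event in the shape shown in the thread.
EVENT = json.loads("""{
 "operations": {
   "modified-objects": [
     {"type": "access-rule", "name": "Cleanup rule",
      "source": [{"name": "Any"}], "destination": [{"name": "Any"}]}
   ],
   "deleted-objects": [],
   "added-objects": [
     {"type": "access-rule", "name": "Temp access",
      "source": [{"name": "Any"}], "destination": [{"name": "Finance-DB"}]},
     {"type": "host", "name": "new-host"}
   ]
 },
 "session": {"user-name": "admin", "application": "SmartConsole"}
}""")

def find_violations(event, custom_data):
    """Return (rule, field, object) for each added/modified access rule whose
    source or destination references a blocked object; exempt rules are skipped."""
    blocked = set(custom_data.get("blocked-objects", []))
    exempt = set(custom_data.get("exempt-rules", []))
    ops = event.get("operations", {})
    violations = []
    for key in ("added-objects", "modified-objects"):
        # "or []" tolerates the empty/missing values seen in the thread's payload
        for obj in ops.get(key) or []:
            if obj.get("type") != "access-rule" or obj.get("name") in exempt:
                continue
            for field in ("source", "destination"):
                for ref in obj.get(field) or []:
                    if ref.get("name") in blocked:
                        violations.append((obj["name"], field, ref["name"]))
    return violations

def verdict(event, custom_data):
    """Build the pass/fail answer the script would return (assumed shape)."""
    bad = find_violations(event, custom_data)
    if not bad:
        return {"result": "success"}
    msg = "; ".join(f"rule '{r}' uses '{o}' in {f}" for r, f, o in bad)
    return {"result": "failure", "message": msg}
```

Run `verdict(EVENT, CUSTOM_DATA)` to see the sample publish rejected for the "Temp access" rule while the exempt Cleanup rule passes.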

8 Replies
martinkiska
Explorer

Hello @Dima_M,

Thank you a lot for your example. It is really nice. I would like to ask you for some advice regarding my use case. Let's say that we have some highly sensitive rules. Nobody should be able to add a rule above them to break their drop meaning. I was thinking to use a smart task and the before-publish trigger for checking this concept.

Concept of checking of modified/deleted/added objects in rule base is really nice.

{
  "operations":{
    "modified-objects":,
    "deleted-objects":,
    "added-objects":[]
  },
  "session":
}


We would totally be able to check if rules were edited. But during testing I tried to move a "permit any" rule above those "highly sensitive rules". I was checking the parameters of the publish event, and when I changed the rule order and published, the only info in the JSONs was about the session itself, no info about the rule number change. So I have no evidence of the change of rule order while publishing a new rule base and running some smart task on it. Is this information hidden somewhere? How can I get to this information during the "before publish" event?


Thank you a lot for your reply.


{
  "session":{
    "session-uid":"104cd16c-dcbc-4749-9758-89f04d8d7c30",
    "session-name":"admin@02.04.2020",
    "user-name":"admin",
    "application":"SmartConsole",
    "domain-info":{
      "uid":"41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name":"SMC User",
      "domain-type":"Domain"
    }
  }
}

Dima_M
Employee

Hi Martin @martin

Thanks for bringing this up. It looks like the show-changes output displays only partial info when rules are swapped. We'll investigate it further and update.

grandpafirewall
Collaborator

Tried to import this script and the maximum file size that the GUI can import is 8Kb. The file size for this is 13Kb. Why is there a limit?

Efrat
Employee

Hi @grandpafirewall

How did you try to import the smart task? It should be done using the API; there is no way of importing a smart task using the GUI.

I imported it with API and it worked with no problem:

mgmt_cli import-smart-task file-path /home/admin/validate_rulebase_changes_on_publish.txt -r true

See the API documentation here: https://sc1.checkpoint.com/documents/latest/APIs/#cli/import-smart-task~v1.6%20

grandpafirewall
Collaborator

That would be the issue. Thanks. I eventually want to try and do this from SmartCloud.
PhoneBoy
Admin

You can still access the API with SmartCloud.

Zahier_Madhar
Employee

This worked on a standalone setup, but it did not work on Multi-Domain. How can I upload the script into a smart task with Multi-Domain?
Simon_Macpherso
Advisor

Hi,

Does this analyze every policy or only policies that have been changed?

Regards,

Simon
