Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
TomasFy
Explorer

Wrong Policy installed on a gateway

Hi All,

Few days ago we experienced an incident when one of our firewalls stopped responding and passing traffic.
After short while it turned out that one of admins installed wrong Policy to the gateway.

It was verified earlier, but I checked and confirmed that all Policies have Installation Targets setup correctly.
Initially we thought that it may be a human error, but I tried to recreate this scenario and there is no way to install wrong Policy on a gateway, other than this:
-> Click ‘Install Policy’ (the dark button on the top edge of the SmartConsole window);
-> Select Policy from drop-down list;
-> Click ‘Policy Targets’
-> Manually change gateway selection by removing default and adding other gateway;

This is too complicated to trick experienced Check Point admin into this kind of error.

Thus I have few questions:
-> Do you know any similar case? Is it possible that SmartConsole may cause something like that?
-> Is there any setting which would produce a warning before installing different Policy on a gateway, replacing existing one. This kind of mechanism was present by default in R77.x and apparently is not in R80.x? (at least not by default)

0 Kudos
6 Replies
Danny
Champion Champion
Champion

Which steps did the admin in charge perform to install the wrong policy?

0 Kudos
TomasFy
Explorer

Hi,

The whole thing is that he installed Policy the perfectly normal way. And I believe him.

This is also backed by Audit Logs.

0 Kudos
mdjmcnally
Advisor

You say this but I have seen it done in R77.30

 

Policy Installation Targets set correctly so to go through this then you have too as you say

A) Change the Policy Installation Target on the Policy so that can install the Policy to the Gateway

B) Acknowledge the Message stating that installing a different policy 

Person that did it had several years experience of administering Check Point firewalls so it CAN happen.

Found out who did it through the Audit Log and found the actions for the user in question

 

In R80 then will show up in the AuditLog and look something like this

 

Subject: Object Manipulation

Operation: Modify Object

Object Type: PoliciesCollection

Performed On:   policy_name

Changes: Policy package installation targets: Removed 'FirewallA'; Added 'FirewallB'

 

Will tell you the Admin as well as the client IP who made the change.

Would suggest that look through the Audit Log and double check that no such entries.

0 Kudos
TomasFy
Explorer

Hi,

There is no sign of anything like this in Audit Logs.

The sequence of events is that he created some objects, modified one existing, created a new rule, published and installed Policy. There is no sign of Policy installation target change in Audit Logs.

First log entry after Publish is "Install Policy" with wrong gateway and next is correct Policy install, i.e. with matching Policy-gateway pair. No changes of target in between.

This is why I decided to write on Forum because I have never seen anything like this and wonder how it could happen.

Other question (still not answered) is if there is any setting which would cause producing a warning before installing different Policy on a gateway?

0 Kudos
Maik
Advisor

As mdjmcnally already wrote - there is a warning screen once you try to install a policy on a gateway which is different to the currently installed one (policy wise - not content wise). You need to acknowledge this warning before you can even install a different policy on a given gateway. Not sure if there are other options beyond this warning. But you could script something that checks the name of the currently installed policy by running "fw stat" on a regular basis in order to verify the Policy name.

 

Edit:

Maybe this is what you are looking for?

0 Kudos
TomasFy
Explorer

Apparently in this case the message didn't appear 😕

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events