This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LazarusG
Advisor
Advisor
‎2025-11-06 02:42 AM
Jump to solution

does reverting to a policy revision make that version the current policy on the mgmt server?

If someone makes a policy change, then cant push policy.

And you go to policies/installation history and push the last known good policy - and it works!

The policy that exists on the management server is still the bad one right?

How do you revert the one on the management server to the last known good version? Do you need to do a database revision under manage&settings/Sessions/Revisions?

This would blatt all the objects created since that revision right?

In some cases we have customers with hundreds of gateways and multiple admins making concurrent changes all the time - a db revision is not feasible to fix one smb.

I found this SK to revert to the version on the gateway which is interesting - but again - this would make the policy on the mgmt server out of sync right? At least you can see the current revision number with this tool but how to correlate that to the mgmt server? The revision number isnt listed under revisions or installation history (as far as I can see);

sk181437 - Access Control Policy Revert Tool (policy_rev_tool)

[Expert@GW1:0]# policy_rev_tool list

Revision ID Policy Date Policy Name
----------- ----------- -----------
1760977277 Mon Oct 20 17:21:17 BST 2025 all_gateways_policy
1760977421 Mon Oct 20 17:23:41 BST 2025 all_gateways_policy
1760977922 [c] Mon Oct 20 17:32:02 BST 2025 all_gateways_policy

[c] - current policy

 

The manual is 'light' on the implications

 

"To work with the Policy installation history:

  1. In SmartConsole

    , go to Security Policies.

  2. From the Access Tools or the Threat Prevention Tools, select Installation History.

  3. In the Gateways section, select a Security Gateway.

  4. In the Policy Installation History section, select an installation date.

  5. Perform the applicable action:

    • To see the revisions that were installed and who made them:

      Click View installed changes.

    • To see the changes that were installed and who made them :

      Click View.

    • To revert to a specific version of the policy:

      Click Install specific version."

Thanks

 

 

0 Kudos
2 Solutions

Accepted Solutions
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-11-06 04:00 AM
Jump to solution

Access Control Policy Revert Tool (policy_rev_tool) installs only the Access Control policies stored locally on the Gateway. It is not synchronized with the Security Management Server.

This means you will still need to address the issue on the Management side - either by using Revision Control or by manually reverting the changes that caused the problem.

As a useful aid, you can use the Changes Report between revisions to view modifications made by a specific administrator and identify what was changed.

View solution in original post

PhoneBoy
Admin
Admin
‎2025-11-07 09:56 AM
In response to LazarusG
Jump to solution

Correct, installation history only stores a compiled version of the policy.
It does not change the policy on the management, which can only be reverted with a Database Revision.

View solution in original post

(1)
7 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-11-06 04:00 AM
Jump to solution

Access Control Policy Revert Tool (policy_rev_tool) installs only the Access Control policies stored locally on the Gateway. It is not synchronized with the Security Management Server.

This means you will still need to address the issue on the Management side - either by using Revision Control or by manually reverting the changes that caused the problem.

As a useful aid, you can use the Changes Report between revisions to view modifications made by a specific administrator and identify what was changed.

the_rock
MVP Platinum
MVP Platinum
‎2025-11-06 04:17 AM
In response to Tal_Paz-Fridman
Jump to solution

Learnt something new, never even knew that existing...thank you @Tal_Paz-Fridman 

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-11-06 05:24 AM
In response to Tal_Paz-Fridman
Jump to solution

One cool thing I also learnt (though I may had seen this before, long time ago) is if you are in expert mode and hit tab twice, you get below, so shows all the commands possible:

[Expert@CP-GW:0]#
Display all 2344 possibilities? (y or n)

Best,
Andy
0 Kudos
LazarusG
Advisor
Advisor
‎2025-11-07 02:21 AM
In response to the_rock
Jump to solution

cool - you can also do this if helpful(?)

[Expert@R82_mgmt_192.168.197.10:0]# clish -c "show commands" > commands.txt
[Expert@R82_mgmt_192.168.197.10:0]# less commands.txt

or cat or grep commands.txt etc

0 Kudos
LazarusG
Advisor
Advisor
‎2025-11-07 01:24 AM
In response to Tal_Paz-Fridman
Jump to solution

Thanks - in this instance, they had enabled the vpn blade then renewed the cert = then disabled the blade to fix a cosmetic error on many smbs, but one wouldnt then install policy - so really not clear how to manually revert that change in the policy as its not as simple as deleting a rule.  Also advised them to follow sk182616 going forwards (as I was taught on a previous checkmates post). Thanks for the response. 

However my question is still the same - If I use installation history to install last good poicy, but dont do a database revision, the policy on the management server and the one on the gateway will still be out of synch right? (as mentioned its not feasible to do db revision as there are about 50 admins making concurrent changes to 100s of gateways).

0 Kudos
PhoneBoy
Admin
Admin
‎2025-11-07 09:56 AM
In response to LazarusG
Jump to solution

Correct, installation history only stores a compiled version of the policy.
It does not change the policy on the management, which can only be reverted with a Database Revision.

(1)
LazarusG
Advisor
Advisor
‎2025-11-10 02:05 AM
In response to PhoneBoy
Jump to solution

thank you

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events