This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kris_Meldrum
Contributor
‎2018-08-14 09:34 AM
Jump to solution

IPS policy installation timestamp

Hi All,

I'm looking for a way within R80.10 to see a timestamp for when the last Threat Prevention (but more specifically, IPS) policy was installed. I know I can see firewall through fw stat. IPS stat only shows me that it is enabled and the signature update number which doesn't help for my use case. Is there a way to see when IPS or Threat Prevention policy was installed last? Thanks!

1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor
‎2018-08-24 11:18 AM
Jump to solution

There is in an easy way:

# fw stat -b AMW

This is the information from cpview:

So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.

There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!

View solution in original post

15 Replies
Ni_c
Contributor
‎2018-08-14 09:56 AM
Jump to solution

You can check this in installation history under Threat Tools in Threat Prevention policy. 

0 Kudos
Kris_Meldrum
Contributor
‎2018-08-14 09:59 AM
Jump to solution

Thanks for the reply. I should've mentioned I need a way to verify this from the gateway.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-08-18 11:08 PM
In response to Kris_Meldrum
Jump to solution

Why?

The Check Point way is to use the centralized management for that.

MGMT also has this with REST API.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-19 08:20 AM
In response to Tomer_Sole
Jump to solution

Think of it as a troubleshooting/trust but verify step Smiley Happy

Kris_Meldrum
Contributor
‎2018-08-20 08:14 AM
In response to Tomer_Sole
Jump to solution

Exactly! I need a way to verify outside of the management what policy is running on the gateway. 

If it is the Check Point way, then why did Check Point build a command to view the firewall policy name and install time into the gateway?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-17 01:08 PM
Jump to solution

It looks like cpstat will show this.

However, on my gateway (R80.10), the "update time" is N/A...

I also checked with cpstat -f ips blades (which should theoretically also show it) but I get an error on my system.

Maybe it works for you, though? 

0 Kudos
Kris_Meldrum
Contributor
‎2018-08-17 01:25 PM
In response to PhoneBoy
Jump to solution

My gateway shows the same behavior, NA in CPVIEW and cpstat -f ips blades gives me an invalid flavour error. Works if I do cpstat -f fw blades but for some reason doesn't recognize the ips flavour.

0 Kudos
Brian_Deutmeyer
Collaborator
‎2018-08-23 12:38 PM
In response to PhoneBoy
Jump to solution

'ips stat' will also show the IPS version installed on the gateway.

0 Kudos
Kris_Meldrum
Contributor
‎2018-08-23 12:56 PM
In response to Brian_Deutmeyer
Jump to solution

When I run ips stat it only shows me that IPS is enabled and the signature being used. No timestamp of install time

0 Kudos
Brian_Deutmeyer
Collaborator
‎2018-08-23 01:27 PM
In response to Kris_Meldrum
Jump to solution

Correct. Like I mentioned before, it will show the IPS version, which you could match to management. 

0 Kudos
Kris_Meldrum
Contributor
‎2018-08-23 01:50 PM
In response to Brian_Deutmeyer
Jump to solution

So the problem is this shows me the current version of the signature database. I need to see the last time the policy was installed. So for example, if I go make a change within my IPS policy, say setting a signature from detect to prevent, or even changing the complete profile from strict to optimized it still shows me the same IPS signature database version. I need a way to show when the last policy was installed. I know it seems overly picky but I need to be able to show a reference for the IPS policy was last installed.

0 Kudos
Brian_Deutmeyer
Collaborator
‎2018-08-23 02:36 PM
In response to Kris_Meldrum
Jump to solution

I understand what you are trying to do.  While I agree with others that SmartConsole would be best for getting this data or using the API to track this, I get there should be a way from the CLI.  This is in no way an approved or verified method and please use at your own risk.  The following command seems to return the date/time of the last IPS install.

ls -l /var/opt/CPsuite-R80/fw1/state/<gw_or_cluster_name>/AMW/* | grep IPS | awk '{print $6" "$7" "$8}'

0 Kudos
Norbert_Bohusch
Advisor
‎2018-08-24 11:18 AM
Jump to solution

There is in an easy way:

# fw stat -b AMW

This is the information from cpview:

So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.

There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!

Kris_Meldrum
Contributor
‎2018-08-27 08:04 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbert,

Thanks for the reply, that was exactly what I needed! Just tested it out and it shows the Threat Prevention policy install separate from the Firewall policy install.

0 Kudos
Bigll1
Explorer
‎2022-02-11 06:29 AM
In response to Kris_Meldrum
Jump to solution

Hi All.

Please advise do I need read/write account to run such command or I could do it with read-only?

Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events