Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Kris_Meldrum
Contributor
Jump to solution

IPS policy installation timestamp

Hi All,

I'm looking for a way within R80.10 to see a timestamp for when the last Threat Prevention (but more specifically, IPS) policy was installed. I know I can see firewall through fw stat. IPS stat only shows me that it is enabled and the signature update number which doesn't help for my use case. Is there a way to see when IPS or Threat Prevention policy was installed last? Thanks!

1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor

There is in an easy way:

# fw stat -b AMW

This is the information from cpview:

So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.

There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!

View solution in original post

15 Replies
Ni_c
Contributor

You can check this in installation history under Threat Tools in Threat Prevention policy. 

0 Kudos
Kris_Meldrum
Contributor

Thanks for the reply. I should've mentioned I need a way to verify this from the gateway.

0 Kudos
Tomer_Sole
Mentor
Mentor

Why?

The Check Point way is to use the centralized management for that.

MGMT also has this with REST API.

0 Kudos
PhoneBoy
Admin
Admin

Think of it as a troubleshooting/trust but verify step Smiley Happy

Kris_Meldrum
Contributor

Exactly! I need a way to verify outside of the management what policy is running on the gateway. 

If it is the Check Point way, then why did Check Point build a command to view the firewall policy name and install time into the gateway?

0 Kudos
PhoneBoy
Admin
Admin

It looks like cpstat will show this.

However, on my gateway (R80.10), the "update time" is N/A...

I also checked with cpstat -f ips blades (which should theoretically also show it) but I get an error on my system.

Maybe it works for you, though? 

0 Kudos
Kris_Meldrum
Contributor

My gateway shows the same behavior, NA in CPVIEW and cpstat -f ips blades gives me an invalid flavour error. Works if I do cpstat -f fw blades but for some reason doesn't recognize the ips flavour.

0 Kudos
Brian_Deutmeyer
Collaborator

'ips stat' will also show the IPS version installed on the gateway.

0 Kudos
Kris_Meldrum
Contributor

When I run ips stat it only shows me that IPS is enabled and the signature being used. No timestamp of install time

0 Kudos
Brian_Deutmeyer
Collaborator

Correct. Like I mentioned before, it will show the IPS version, which you could match to management. 

0 Kudos
Kris_Meldrum
Contributor

So the problem is this shows me the current version of the signature database. I need to see the last time the policy was installed. So for example, if I go make a change within my IPS policy, say setting a signature from detect to prevent, or even changing the complete profile from strict to optimized it still shows me the same IPS signature database version. I need a way to show when the last policy was installed. I know it seems overly picky but I need to be able to show a reference for the IPS policy was last installed.

0 Kudos
Brian_Deutmeyer
Collaborator

I understand what you are trying to do.  While I agree with others that SmartConsole would be best for getting this data or using the API to track this, I get there should be a way from the CLI.  This is in no way an approved or verified method and please use at your own risk.  The following command seems to return the date/time of the last IPS install.

ls -l /var/opt/CPsuite-R80/fw1/state/<gw_or_cluster_name>/AMW/* | grep IPS | awk '{print $6" "$7" "$8}'

0 Kudos
Norbert_Bohusch
Advisor

There is in an easy way:

# fw stat -b AMW

This is the information from cpview:

So to compare, the fw stat -b AMW shows the "Threat Prevention Policy Install Time", but in cpview you see the Online Updates of the services updating automatically.

There is not something like "IPS Policy" as you call it. IPS Signatures are applied via Threat Prevent Policy, but Core-Protections and Inspection-Setttings are applied via Access Policy. So both are relevant for you!

Kris_Meldrum
Contributor

Hi Norbert,

Thanks for the reply, that was exactly what I needed! Just tested it out and it shows the Threat Prevention policy install separate from the Firewall policy install.

0 Kudos
Bigll1
Explorer

Hi All.

Please advise do I need read/write account to run such command or I could do it with read-only?

Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events