This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2024-07-04 06:23 AM

sam_alert -f

by default sam_alert install in all the firewalls.
How could I exclude same firewall or clusters?
Or how could I include only specific firewalls or clusters? What is the syntax to install it in a list of fw/clusters?

https://support.checkpoint.com/results/sk/sk110873

would something like this work?

sam_alert -f gw1, gw2

sam_alert -f cluster1, cluster2

0 Kudos
11 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-07-04 07:35 AM

From what I know, syntax doesn't support 2 targets. You need to run it multiple times if you want different GWs to have it.

You can also do "dry runs" and look at "SmartView Monitor" to see the policy:

Capture.PNG

Kind regards, Amir Senn
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-07-04 07:46 AM

It works, but only 1 gw is possible in the command.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-04 07:56 AM
In response to the_rock

so If I can't configure multiple targets, could I disable SAM in certain gateways? So when I run the default install in all, it only gets installed in the gateways I want. How?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-07-04 07:57 AM
In response to Luis_Miguel_Mig

You mean disable ability to create sam rule on specific gateway?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-04 07:59 AM
In response to the_rock

yes

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-07-04 08:06 AM
In response to Luis_Miguel_Mig

That Im not sure, sorry. Maybe @Amir_Senn can confirm.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-07-04 08:58 AM
In response to the_rock

I will need to look at documentation and experiment in my lab to provide an answer to that. Will try to get to it when I can.

WA I suggest is using script with desired GWs in a list and instead of using regular commands and let the script go over it.

Kind regards, Amir Senn
0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-05 01:21 AM
In response to Amir_Senn

would something like this at  <global properties - log and alert - alerts - run userdefined script> work?

sam_alert -t 600 -I -src -f cluster1; sam_alert -t 600 -I -src -f cluster2

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-07-05 04:48 AM
In response to Luis_Miguel_Mig

Interesting idea...let me see if I can test it in the lab.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Luis_Miguel_Mig
Advisor
‎2024-07-08 02:30 AM
In response to the_rock

I have tested it and it doesn't work.
Now in terms of the script, I have read recommendation to run the script on path $FWDIR/bin. The problem with that path is that we will need to copy the script the new $FWDIR/bin everytime we do an upgrade, right? Is there any other path that will survive an upgrade?

I also have the impression that sam_alert reads a line of stdin and then goes to the next, so it is not possible to run to sam_alert with the same ip address to block and two different clusters.


$FWDIR/bin


script.sh
#!/bin/bash
sam_alert -t 600 -I -src -f cluster1
sam_alert -t 600 -I -src -f cluster2

chmod 755 script.sh

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-07-08 03:11 AM
In response to Luis_Miguel_Mig

For sure, script would need to be copied, as its not built in.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events