Checkpoint Database and Policy

checkpoint policy deployment and rollback

29 July 2017

The Checkpoint database holds the network objects whereas the policy is how those objects are used.

Publish: Sends all SmartConsole modifications to other administrators to make all the changes made by a user in a private session public
Install the database: Modifies network objects, such as servers, users, services, or IPS profiles, but not the Rule Base. Updates are installed on management and log servers
Install a policy (rulebase): The Security Management Server installs the updated policy and the entire database on Security Gateways, even if the network objects were not modified.

Before a session is published you can't see the changes in the audit log but can discard them. Once published you can see the changes in the audit log but can no longer discard the changes. In my view this is a major shortfall that Checkpoint needs to address. It is also worth noting that the audit logs can be buggy; I have seen many occasions where it shows previous changes by other users already committed.
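The three operations above, plus the discard-before-publish behaviour, map directly onto the R80 Management API (the same API SmartConsole uses). The following is an added example, not code from the original post or from Check Point: a small client whose HTTP transport can be swapped for an offline recorder, so the publish/install-database/install-policy sequence can be exercised without a management server. It assumes an R80.x server exposing /web_api/ with the documented commands (login, publish, discard, install-database, install-policy, logout) and the X-chkp-sid session header; hostname, credentials, package and gateway names are placeholders.

```python
"""Added example (not from the original post): drives publish, install database
and install policy through the Check Point Management API with an injectable
transport so the flow can be run offline against a recording fake.

Assumptions: R80.x management server at https://<host>/web_api/, a read-write
API user, and the documented command names and payload keys. All host, user,
package and gateway names below are constructed placeholders.
"""
import json
import ssl
import urllib.request


class MgmtClient:
    def __init__(self, host, transport=None):
        self.base = f"https://{host}/web_api/"
        self.sid = None                      # session id returned by login
        self.transport = transport or self._https_post

    def _https_post(self, url, headers, body):
        # Real transport: POST JSON and parse the reply. Uses the system CA
        # store; install the management CA there rather than disabling checks.
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                    timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid    # every call after login is session-bound
        return self.transport(self.base + command, headers,
                              json.dumps(payload or {}).encode())

    def login(self, user, password, session_name):
        resp = self.call("login", {"user": user, "password": password,
                                   "session-name": session_name})
        self.sid = resp["sid"]
        return resp

    def publish(self):                # private session changes become visible/auditable
        return self.call("publish")

    def discard(self):                # unpublished changes are dropped, no audit trail
        return self.call("discard")

    def install_database(self, targets):      # objects only, to management/log servers
        return self.call("install-database", {"targets": targets})

    def install_policy(self, package, targets, access=True, threat=False):
        # Pushes the rulebase and the whole database to the listed gateways
        return self.call("install-policy", {"policy-package": package,
                                            "targets": targets,
                                            "access": access,
                                            "threat-prevention": threat})

    def logout(self):
        return self.call("logout")


class RecordingTransport:
    """Offline stand-in for HTTPS: records (command, sid, payload), canned replies."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        command = url.rsplit("/", 1)[1]
        self.calls.append((command, headers.get("X-chkp-sid"), json.loads(body)))
        if command == "login":
            return {"sid": "constructed-session-id"}   # constructed value
        return {"task-id": f"constructed-task-for-{command}"}


def change_window(client, keep_changes, package="Standard", gateways=("gw-placeholder",)):
    """One administrator session: log in, make edits, then either discard
    (nothing reaches the audit log) or publish and install."""
    client.login("api-user-placeholder", "password-placeholder", "rollout-demo")
    # ... object and rule edits (e.g. add-host, set-access-rule) would go here ...
    if not keep_changes:
        client.discard()
    else:
        client.publish()
        client.install_database(["mgmt-placeholder"])   # objects to mgmt/log servers
        client.install_policy(package, list(gateways))  # rulebase + database to gateways
    client.logout()


def run_demo(keep_changes):
    """Runs a session against the recorder and returns the recorded API calls."""
    transport = RecordingTransport()
    change_window(MgmtClient("mgmt.example.invalid", transport), keep_changes)
    return transport.calls


if __name__ == "__main__":
    for command, sid, payload in run_demo(keep_changes=True):
        print(command, sid, payload)
```

Swap `RecordingTransport` for the default HTTPS transport to run it for real; the recorder is only there to show the call order and which calls carry the session id.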

You can view all changes in the audit log or see specific revision changes from within Manage & Settings » Revisions.
Manage & Settings » Sessions shows who is logged in and the number of changes made.

The purge button deletes all revisions up to the one selected; I don’t see any real use for it.

In older code you could restore a complete policy including objects (by restoring from a backup). However in R80 only the policy (rulebase) is rolled back; changes to objects (new nodes or group membership) are not.

Revert policy only on Gateway

Security Policies » Access Tools » Installation History

This will install the selected Rule Base on the gateway, however it doesn’t modify it on the management server.
This is useful if you want to roll back but keep the rules on the manager so you can edit and reinstall. If you don’t make any further changes, the next policy push will once again install the changes on the gateway.

Revert policy on Gateway and Manager

Security Policies » Access Control » Policy » Actions » History

This will revert the Rule Base on both the gateway and manager, however it still doesn’t revert any changes made to nodes or object membership (the database). This can be done for the whole policy or individually for either just the Firewall Policy or the Application Control Policy.

A few useful posts regards rollback:
https://community.checkpoint.com/thread/1262
https://community.checkpoint.com/thread/5098
http://www.tech-wiki.net/index.php?title=Useful_Check_Point_CLI_commands