CheckPoint: Delete Multiple Policies Via CLI

Delete Multiple Policies Via CLI

Deleting policy packages through the dashboard works fine but when you have 136 to delete it can take a long time. This article describes how to automate this via the CLI for a swift solution.

Using putty to access the Smartcenter:

1. Export all the policies to .pol files just in case:

[Expert@firewall] cp_merge export_policy

Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.

2. List all the policies into a file:

[Expert@firewall] cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt

This copies the policy names into a file named policies.txt and gets rid of any preceding or trailing characters.

3. Read in the file line by line and perform a delete_policy on it.

First of all, issue a “cpstop” command to stop the Checkpoint services on the management centre.

[Expert@firewall]# cpstop

[Expert@firewall]# while read line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt

The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.

Details for cp_merge:

[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.

Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]

cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]

cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]

cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>

cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]

cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v

cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>]  [-a export | import_new | import_override | import_append ] [-k security | nat | all ]

Run cp_merge -help for detailed usage

-s <server>            specify database server IP / name
-c <certificate file>  path to certificate file
-u <user>              database administrator user name
-p <password>          user's password
-d <directory>         specify working directory
-help                  print this summary

Objects Merge options:
-t                                      test mode - does not save

Policy Export options:
-n <package name>      policy package to export
-l <policy name>       export policy package which <policy name> belongs to.
-r                     remove the original policy from the repository
-f <file name>         specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)

Policy Import options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing

Policy Restore options:
-f <file name>         specify input file name
-v                     override existing policy if found
-n <policy name>       rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.

Policy Delete options:
-n <policy name>       policy to delete

Delimited Policy Import/Export options:
-a export                 export policy
import_new             import a new policy
import_override        imported policy will replace current
import_append          imported policy's rules will be appended to current
-l <policy name>          policy to export to/from
-f <file name>            file to export to/from
-k security | nat | all   types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.