Delete Multiple Policies Via CLI
Deleting policy packages through the dashboard works fine but when you have 136 to delete it can take a long time. This article describes how to automate this via the CLI for a swift solution.
Using putty to access the Smartcenter:
1. Export all the policies to .pol files just in case:
[Expert@firewall] cp_merge export_policy
Successfully exported policy collection 'policy1'.
Successfully exported policy collection 'policy2'.
Successfully exported policy collection 'policy3'.
2. List all the policies into a file:
[Expert@firewall] cp_merge list_policy -s localhost | cut -d "'" -f 2 > policies.txt
This copies the policy names into a file named policies.txt and gets rid of any preceding or trailing characters.
3. Read in the file line by line and perform a delete_policy on it.
First of all, issue a “cpstop” command to stop the Checkpoint services on the management centre.
[Expert@firewall]# cpstop
[Expert@firewall]# while read line; do cp_merge delete_policy -s localhost -u admin -p password -n "$line"; done < policies.txt
The output will look something like this:
Successfully deleted policy collection 'policy1'.
Successfully deleted policy collection 'policy2'.
Successfully deleted policy collection 'policy3'.
Details for cp_merge:
[Expert@firewall]# cp_merge -help
This is Check Point Database Merge tool NG Build NGX (R65) – Build 423.
Usage:
cp_merge merge_objects [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -d <input directory> [-t]
cp_merge export_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name> | -l <policy name> [-f <output file>]] [-d <output directory>] [-r]
cp_merge import_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> [-v]
cp_merge delete_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] -n <package name>
cp_merge list_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>]
cp_merge restore_policy [-s <db server>] [-u <user> | -c <certificate file>] [-p <password>] [-n <package name>] [-d <input directory>] -f <input file> -v
cp_merge delimited_policy [-s <db server>] [-u <user> | -c <certificate_file>] [-p <password>] [-l <policyname>] [-f <file name>] [-a export | import_new | import_override | import_append ] [-k security | nat | all ]
Run cp_merge -help for detailed usage
-s <server> specify database server IP / name
-c <certificate file> path to certificate file
-u <user> database administrator user name
-p <password> user's password
-d <directory> specify working directory
-help print this summary
Objects Merge options:
-t test mode - does not save
Policy Export options:
-n <package name> policy package to export
-l <policy name> export policy package which <policy name> belongs to.
-r remove the original policy from the repository
-f <file name> specify output file name (default: <policy name>.pol)
(If both '-n' and '-l' are omitted all policies are exported)
Policy Import options:
-f <file name> specify input file name
-v override existing policy if found
-n <policy name> rename policy to <policy name> when importing
Policy Restore options:
-f <file name> specify input file name
-v override existing policy if found
-n <policy name> rename policy to <policy name> when importing
Note: Restore will work only when run locally on managment server.
Policy Delete options:
-n <policy name> policy to delete
Delimited Policy Import/Export options:
-a export export policy
import_new import a new policy
import_override imported policy will replace current
import_append imported policy's rules will be appended to current
-l <policy name> policy to export to/from
-f <file name> file to export to/from
-k security | nat | all types of policy to operate on
Note: security policy file is file_name.sec, NaT policy file is file_name.nat.