[ BUG ] Import-FalconConfig improperly assigns non-existent rule_group_ids when creating FirewallPolicy #393

Open
bk-cs opened this issue Mar 7, 2024 · 1 comment
Labels: bug (Something isn't working), fix available (Self-applied fix available in issue)

bk-cs commented Mar 7, 2024

Describe the bug
Creating a `FirewallPolicy` with `Import-FalconConfig` assigns `rule_group_ids` from the import, instead of removing and/or replacing those identifiers with ones associated with new or existing `FirewallGroup` items.

To Reproduce
Use `Export-FalconConfig` to export `FirewallPolicy`, modify an `id` under `settings.rule_group_ids` and `Import-FalconConfig` to create the policy in a CID. The UI will show no `rule_group_ids` assigned, and any attempt to assign a rule group will generate a `Changes not saved. Please try again.` error. The policy will also be unable to be deleted.

Expected behavior
Creation of the `FirewallPolicy` without assigned `rule_group_ids`, or with values that are updated to match any created `FirewallGroup` items.

Environment (please complete the following information):

  • PSFalcon: 2.2.6
@bk-cs bk-cs added the bug Something isn't working label Mar 7, 2024
@bk-cs bk-cs self-assigned this Mar 7, 2024
bk-cs added a commit that referenced this issue Mar 8, 2024
Fixed error in `Import-FalconConfig` where `settings` was not being properly targeted when checking `rule_group_ids` values under a `FirewallPolicy` during import.

Modified comparison of `rule_group_ids` assigned to `FirewallPolicy` during import to ensure that "unmatched" (rule groups that were not created during the same import in the target environment) values are removed.

bk-cs commented Mar 8, 2024

I've updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to FirewallRuleGroup items that are also created during the FirewallPolicy import, which fixes the issue. If you'd like to resolve it for your local module before release, you can replace public\psf-config.ps1 using the steps outlined below.

```powershell
Import-Module -Name PSFalcon
# Locate the installed PSFalcon module
$ModulePath = (Show-FalconModule).ModulePath
# Overwrite public\psf-config.ps1 with the version from the fix commit
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/c62b661ec2183dcd1cfcfbf831b9ad4f0ef85c37/public/psf-config.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-config.ps1)
```

Once the command has been updated, please ensure that you close and re-open PowerShell, and re-import PSFalcon.

If you have an existing Firewall policy that can't be removed (or otherwise modified) due to assignment of invalid rule_group_ids, it can be removed by removing the assigned groups (and disabling the policy if currently enabled):

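```powershell
# Find the affected policy, including its settings
$Policy = Get-FalconFirewallPolicy -Filter "name:'broken policy'" -Include settings
# Clear the assigned rule groups
Edit-FalconFirewallSetting -RuleGroupId @() -Id $Policy.id
# Disable the policy if it is enabled, then remove it
if ($Policy.enabled -eq $true) { $Policy | Invoke-FalconFirewallPolicyAction -Name disable }
$Policy | Remove-FalconFirewallPolicy
```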

@bk-cs bk-cs added the fix available Self-applied fix available in issue label Mar 8, 2024
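
Added example (not from the issue or the PSFalcon code base): the commit above removes "unmatched" `rule_group_ids` during import, and the same comparison can be run as a check on policy objects before or after an import. The function name `Get-UnmatchedRuleGroupId`, the sample ids and the JSON are constructed for illustration; only the `settings.rule_group_ids` property path comes from the issue.

```powershell
# Hypothetical helper, not part of PSFalcon: reports policies whose
# settings.rule_group_ids reference rule groups that do not exist.
function Get-UnmatchedRuleGroupId {
    [CmdletBinding()]
    param(
        # Policy objects carrying settings.rule_group_ids
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Policy,
        # Ids of the rule groups that actually exist in the target CID
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$ValidGroupId
    )
    begin {
        # Case-insensitive set for fast membership checks
        $Known = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        foreach ($Id in $ValidGroupId) { [void]$Known.Add($Id) }
    }
    process {
        foreach ($Item in $Policy) {
            # Policies without settings or with empty ids yield an empty list
            $Assigned = @($Item.settings.rule_group_ids | Where-Object { $_ })
            $Unmatched = @($Assigned | Where-Object { -not $Known.Contains($_) })
            if ($Unmatched.Count -gt 0) {
                [PSCustomObject]@{
                    id        = $Item.id
                    name      = $Item.name
                    unmatched = $Unmatched
                    matched   = @($Assigned | Where-Object { $Known.Contains($_) })
                }
            }
        }
    }
}

# Constructed sample data (placeholder ids, not real Falcon identifiers)
$Groups = 'aaaa1111', 'bbbb2222'
$Policies = @'
[
  {"id":"p1","name":"ok policy","settings":{"rule_group_ids":["aaaa1111"]}},
  {"id":"p2","name":"broken policy","settings":{"rule_group_ids":["AAAA1111","cccc3333"]}},
  {"id":"p3","name":"no settings"}
]
'@ | ConvertFrom-Json
$Policies | Get-UnmatchedRuleGroupId -ValidGroupId $Groups
```

In a live CID, the policy objects would come from `Get-FalconFirewallPolicy` with `-Include settings`, as used in the comment above, and `-ValidGroupId` from the ids of the rule groups that exist there.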