
[ BUG ] `Import-FalconConfig` improperly assigns non-existent `rule_group_ids` when creating `FirewallPolicy`

Open bk-cs opened this issue 1 year ago • 1 comments

Describe the bug

Creating a FirewallPolicy with Import-FalconConfig assigns rule_group_ids from the import, instead of removing and/or replacing those identifiers with ones associated with new or existing FirewallGroup items.

To Reproduce

Use Export-FalconConfig to export FirewallPolicy, modify an id under settings.rule_group_ids and Import-FalconConfig to create the policy in a CID. The UI will show no rule_group_ids assigned, and any attempt to assign a rule group will generate a "Changes not saved. Please try again." error. The policy will also be unable to be deleted.

Expected behavior

Creation of the FirewallPolicy without assigned rule_group_ids, or with values that are updated to match any created FirewallGroup items.

Environment (please complete the following information):

  • PSFalcon: 2.2.6

bk-cs, Mar 07 '24 20:03

I've updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to FirewallRuleGroup items that are also created during the FirewallPolicy import, which fixes the issue. If you'd like to resolve it for your local module before release, you can replace public\psf-config.ps1 using the steps outlined below.

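```powershell
Import-Module -Name PSFalcon
# Locate the installed module so the file is replaced in the right folder
$ModulePath = (Show-FalconModule).ModulePath
# Download psf-config.ps1 pinned to a specific commit and overwrite the local copy
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/c62b661ec2183dcd1cfcfbf831b9ad4f0ef85c37/public/psf-config.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-config.ps1)
```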

Once the command has been updated, please ensure that you close and re-open PowerShell, and re-import PSFalcon.

If you have an existing Firewall policy that can't be removed (or otherwise modified) due to assignment of invalid rule_group_ids, it can be removed by removing the assigned groups (and disabling the policy if currently enabled):

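```powershell
# Retrieve the broken policy together with its settings
$Policy = Get-FalconFirewallPolicy -Filter "name:'broken policy'" -Include settings
# Clear the assigned rule groups (removes the invalid rule_group_ids)
Edit-FalconFirewallSetting -RuleGroupId @() -Id $Policy.id
# An enabled policy must be disabled before it can be removed
if ($Policy.enabled -eq $true) { $Policy | Invoke-FalconFirewallPolicyAction -Name disable }
$Policy | Remove-FalconFirewallPolicy
```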

bk-cs, Mar 08 '24 19:03
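
An added example, not part of the original thread or of PSFalcon: a check that lists policies whose `settings.rule_group_ids` reference rule groups that do not exist, which is the condition behind the broken policy described above. The function name `Find-DanglingRuleGroupId` and all sample ids are constructed for illustration.

```powershell
# Added example: flag firewall policies whose settings.rule_group_ids point at
# rule groups that do not exist. Function name and sample data are constructed.
function Find-DanglingRuleGroupId {
    [CmdletBinding()]
    param(
        # Policy objects exposing id, name and settings.rule_group_ids
        [Parameter(Mandatory)] [object[]] $Policy,
        # Ids of the rule groups that actually exist in the target CID
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ValidGroupId
    )
    $Known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($Id in $ValidGroupId) { [void]$Known.Add($Id) }
    foreach ($Item in $Policy) {
        # Policies with no settings or no assigned groups yield an empty list
        $Assigned = @($Item.settings.rule_group_ids | Where-Object { $_ })
        $Missing = @($Assigned | Where-Object { -not $Known.Contains([string]$_) })
        if ($Missing.Count -gt 0) {
            [PSCustomObject]@{
                PolicyId         = $Item.id
                PolicyName       = $Item.name
                MissingGroupId   = $Missing
                # What the policy would keep once the invalid ids are dropped
                RemainingGroupId = @($Assigned | Where-Object { $Known.Contains([string]$_) })
            }
        }
    }
}

# Constructed sample shaped like the FirewallPolicy items discussed above
$SamplePolicy = @'
[
  {"id":"policy-a","name":"imported policy","settings":{"rule_group_ids":["group-1","group-stale"]}},
  {"id":"policy-b","name":"clean policy","settings":{"rule_group_ids":["group-1"]}},
  {"id":"policy-c","name":"no groups","settings":{"rule_group_ids":[]}}
]
'@ | ConvertFrom-Json

# Only "imported policy" is reported, with "group-stale" as the missing id
Find-DanglingRuleGroupId -Policy $SamplePolicy -ValidGroupId 'group-1', 'group-2' | Format-List
```

Against a live CID, the policy input would come from `Get-FalconFirewallPolicy -Include settings` as used above, and the valid ids from a listing of existing rule groups (for example `Get-FalconFirewallGroup`, assumed here).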

This fix is included in the 2.2.7 release.

bk-cs, Sep 04 '24 16:09