Closed bk-cs closed 2 months ago
I've updated `Import-FalconConfig` to properly remove `rule_group_ids` that aren't tied to `FirewallRuleGroup` items that are also created during the `FirewallPolicy` import, which fixes the issue. If you'd like to resolve it for your local module before release, you can replace `public\psf-config.ps1` using the steps outlined below.

```powershell
Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/c62b661ec2183dcd1cfcfbf831b9ad4f0ef85c37/public/psf-config.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-config.ps1)
```

Once the command has been updated, please ensure that you close and re-open PowerShell, and re-import PSFalcon.
If you have an existing Firewall policy that can't be removed (or otherwise modified) due to assignment of invalid `rule_group_ids`, it can be removed by removing the assigned groups (and disabling the policy if currently enabled):

```powershell
$Policy = Get-FalconFirewallPolicy -Filter "name:'broken policy'" -Include settings
Edit-FalconFirewallSetting -RuleGroupId @() -Id $Policy.id
if ($Policy.enabled -eq $true) { $Policy | Invoke-FalconFirewallPolicyAction -Name disable }
$Policy | Remove-FalconFirewallPolicy
```

This fix is included in the 2.2.7 release.
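
A pre-import check for the condition this issue describes, as an added example that is not part of the issue thread or of PSFalcon: it lists every id under `settings.rule_group_ids` that does not match a rule group in the same data set. The function name `Find-DanglingRuleGroupId`, the sample JSON and its shape (`id`, `name`, `settings.rule_group_ids`) are assumptions constructed for illustration.

```powershell
# Constructed sample data: two policies and one rule group.
# The object shape is assumed from the property names used in this issue.
$PolicyJson = @'
[
  { "id": "policy-0001", "name": "Workstations",
    "settings": { "rule_group_ids": [ "group-aaaa", "group-zzzz" ] } },
  { "id": "policy-0002", "name": "Servers",
    "settings": { "rule_group_ids": [ "group-aaaa" ] } }
]
'@
$GroupJson = @'
[ { "id": "group-aaaa", "name": "Block inbound SMB" } ]
'@

function Find-DanglingRuleGroupId {
    # Hypothetical helper, not a PSFalcon command.
    # Emits one object per rule_group_ids entry with no matching group id.
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Group
    )
    # Collect the ids of the rule groups that actually exist in the data set.
    $Known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($G in $Group) { [void]$Known.Add([string]$G.id) }

    foreach ($P in $Policy) {
        # A missing or empty settings.rule_group_ids yields no findings.
        foreach ($Id in @($P.settings.rule_group_ids)) {
            if ($Id -and -not $Known.Contains([string]$Id)) {
                [PSCustomObject]@{
                    PolicyId    = $P.id
                    PolicyName  = $P.name
                    RuleGroupId = $Id
                }
            }
        }
    }
}

$Policies = $PolicyJson | ConvertFrom-Json
$Groups   = $GroupJson | ConvertFrom-Json
$Dangling = Find-DanglingRuleGroupId -Policy $Policies -Group $Groups
$Dangling | Format-Table -AutoSize
```

Any row in the output identifies a policy that references a rule group id with no counterpart, which is the state that left imported policies unable to be edited or deleted.
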
Describe the bug

Creating a `FirewallPolicy` with `Import-FalconConfig` assigns `rule_group_ids` from the import, instead of removing and/or replacing those identifiers with ones associated with new or existing `FirewallGroup` items.

To Reproduce

Use `Export-FalconConfig` to export `FirewallPolicy`, modify an `id` under `settings.rule_group_ids` and `Import-FalconConfig` to create the policy in a CID. The UI will show no `rule_group_ids` assigned, and any attempt to assign a rule group will generate a `Changes not saved. Please try again.` error. The policy will also be unable to be deleted.

Expected behavior

Creation of the `FirewallPolicy` without assigned `rule_group_ids`, or with values that are updated to match any created `FirewallGroup` items.

Environment (please complete the following information):