topic Re: list networks behind a firewall in Firewall and Security Management

list networks behind a firewall

CrossCheck — Fri, 25 Sep 2020 16:28:22 GMT

Is there a way with the API to export a list of all the networks behind a firewall?

Re: list networks behind a firewall

Bob_Zimmerman — Fri, 25 Sep 2020 17:27:00 GMT

Probably yes, but it depends on what exactly you mean by "behind". To a lesser degree, it also depends on what management version you are running and what firewall version you are running.

For most useful definitions of "networks behind a firewall", the routing table is the way to go. The GAiA API can dump that for you for non-VSX firewalls. No management involvement needed, but the GAiA API is relatively new. While I use VSX a lot, I have not yet tried using the GAiA API together with VSX, so I don't personally know whether they can work together.

For some definitions of "networks behind a firewall", you will need the antispoofing topology, which you can get via the management API. A few simple API commands ('show gateways-and-servers' to find the firewall you want, then 'show object uuid ____' to get the contents of the object) should give you all the raw data you need, though some quick jq would pare it down to only the topology. These API commands are available from R80 up, but I don't know if they return enough information about the firewall's interfaces to find the antispoofing topology in earlier versions. I know in R80.20 and up, they do.

Re: list networks behind a firewall

CrossCheck — Fri, 25 Sep 2020 18:43:49 GMT

Thanks what I am looking for is an exportable list of what is shown on the Network Management page under the gateway cluster properties in console.

Re: list networks behind a firewall

Timothy_Hall — Fri, 25 Sep 2020 22:57:02 GMT

Check out the address spoofing troubleshooting one-liner, it uses the compiled INSPECT policy to extract this information instead of the API:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/One-liner-for-Address-Spoofing-Troubleshooting/m-p/33204

The policy files are typically accessed directly on the gateway by the script, but compiled policies for all gateways are cached on the SMS and could all just be accessed there.

Re: list networks behind a firewall

Bob_Zimmerman — Sat, 26 Sep 2020 15:04:22 GMT

If you just want to have the information in text form without having to type all of it out yourself, this is a great option.

If you actually need it via the API for some reason (such as you need someone who can't log into the CLI to get it, or you are building some kind of integration), there isn't a single command to get it, but it's simple enough to build.

Re: list networks behind a firewall

CrossCheck — Mon, 28 Sep 2020 12:30:28 GMT

Yes this works but I was hoping to be able to do it from the Console so i didn't need to log into each of the firewalls. Thats why I thought Maybe the API could do that based on a firewalls name and then it could be exported to a file.

Re: list networks behind a firewall

Danny — Mon, 28 Sep 2020 12:56:24 GMT

Then use my SmartConsole Extension.

Re: list networks behind a firewall

Timothy_Hall — Mon, 28 Sep 2020 13:12:15 GMT

You don't need to log into each of the firewalls. From the SMS in expert mode run the anti-spoofing one-liner against the directories where the installed firewall policy is cached for all managed gateways, directory $FWDIR/state/(gateway object name)/FW1/.