topic Re: FW object rule report in API / CLI Discussion

FW object rule report

Bill_Ng — Tue, 30 Jan 2018 19:15:43 GMT

All,

We are on R80.10 management station.

Any one know of a way to get FW object information across our policies in a readable format? The where used function works but it only lists out the rule number. I guess we would like a more detailed version which spits out the groups the object is in and instead of the rule numbers it lists out the actual rule (src, dst, service port), and on which policy the rule is in? I've used '$MDS_FWDIR/scripts/web_api_show_package.sh' to export policies but painstakingly do searches within each policy for the specific objects.

Thanks in advance,

Bill

Re: FW object rule report

Robert_Decker — Tue, 30 Jan 2018 20:50:59 GMT

This kind of information can be obtained by combining several API commands and mining the required information.

First, you should use the "where-used" command to get the policy/rulebase information (uid is enough), and then use the "show-access-rule" command with that preliminary info to retrieve the specific details about the rule.

Robert.

Re: FW object rule report

Kaspars_Zibarts — Wed, 31 Jan 2018 06:12:41 GMT

Tufin is the answer. It's simply awesome for stuff like that

Re: FW object rule report

Robert_Decker — Wed, 31 Jan 2018 08:22:42 GMT

Tufin is a good option with products on the shelf that cost.

We should provide here answers that are for free.

Robert.

Re: FW object rule report

Kaspars_Zibarts — Wed, 31 Jan 2018 08:28:43 GMT

I was just pulling a small joke Robert

Re: FW object rule report

Tomer_Sole — Wed, 31 Jan 2018 09:45:27 GMT

wow, we actually took it seriously.. lol.. Tufin is an excellent product and a great technology partner with Check Point. But if you are willing to customize and automate your Check Point Management workflow yourself using the Check Point Management API's we are here to help.

Re: FW object rule report

Phan_Tuan_Loi — Thu, 01 Feb 2018 00:55:52 GMT

You may search Web Visualization Tool then try it

It can list rules, objects (network and service), ... as the samples below

Re: FW object rule report

Astardzhiev — Thu, 01 Feb 2018 18:49:31 GMT

Hi Phan,

Unfortunately Web Virtualization Tool is not supported for R80 and above:

Important Note: This solution refers for R77.x versions only. For R80 and higher use "Show Package Tool" described in sk120342.

And looking at the question Bill is already on R80.x

Re: FW object rule report

Phan_Tuan_Loi — Fri, 02 Feb 2018 01:10:35 GMT

Thank you Alexander for you comment.

Re: FW object rule report

Bill_Ng — Fri, 02 Feb 2018 12:31:07 GMT

Hi Robert,

Thanks for pointing me in the right direction. We are in process of using powershell from the modules that tkoopman created to extract that info. I found a guy on my team that's really good with Powershell.

Re: FW object rule report

Tomer_Sole — Fri, 02 Feb 2018 15:14:47 GMT

Just to compare, attached below typical output of R8x show-package tool. As you can see, information completely replaces the same functionality of R7x Web Visualization Tool.

This thread however discusses how to get full rule information when searching for usages of objects.

Option 1: run "where used", collect the UID's of the rules, then run "show access-rule" for each rule UID.

Option 2: run "where used" with "details-level full". This will show the full objects that use the given object. However, it will show a lot of other information and may result with a slow response.

Option 3: run "where used", collect the rule positions, then look at the show-package HTML output (see image above) and locate the rule.

Let's demonstrate option 1:

Step 1: where used for host "Marco". We want to see its indirect usages, because Marco belongs to a network group which appears in some rules. From the output we would like to isolate the rule UID and the layer UID because both parameters are required for the next step. So we will use JQ to parse the output and select only the things that we care about.

mgmt_cli where-used name Marco indirect true -s id.txt --format json | jq -r '."used-indirectly"."access-control-rules"[] | (.rule.name // "no rule name", .rule.uid, .layer.name, .layer.uid)'
no rule name
97ed7f41-f56d-4ef5-99e9-9f698ad55902
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
86f56fc4-7652-4518-8d94-3f9ec6ced892
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
1030a2d1-7663-462f-b43b-8825abf39e21
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
c0d19b8f-10d7-4ea2-8684-61968c7e94d7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
69ea551c-ad13-4a5f-8b68-897928119da8
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
5f0d2800-1e9d-44f6-9f39-7953a33b82a2
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
0fb52774-487a-4e3c-afcc-65d1ccbaffb7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535

We got groups of 4 - rule name (which shows "no rule name" in case it has no name), rule UID, layer name, layer UID.

Now we can run show access-rule on each result to see the full rule. For example, for the first result:

mgmt_cli show access-rule uid 69ea551c-ad13-4a5f-8b68-897928119da8 layer 19942103-1419-4e71-b655-e1aad4c82535 -s id.txt

Re: FW object rule report

Robert_Decker — Fri, 02 Feb 2018 15:35:44 GMT

No problem, glad to help.

Robert.