topic Re: API call to see if rule already exists in API / CLI Discussion

API call to see if rule already exists

C_M — Fri, 25 Oct 2019 20:56:05 GMT

Is there an API call to see if a rule already exists? Something better than where-used? Something more along the lines of Packet Mode on the GUI.

Re: API call to see if rule already exists

masher — Fri, 25 Oct 2019 21:23:06 GMT

The "show access-rulebase" command has an option to filter in a similar manner as packet mode in Smartconsole.

Using demo mode in R80.20:

show access-rulebase name "Network" package "Corporate_Policy" filter "200.200.200.200" filter-settings.search-mode packet limit 2

Response (shortened):

uid: "b406b732-2437-4848-9741-6eae1f5bf112" name: "Network" rulebase: - uid: "dedb6e70-fe6c-45be-bcd3-18fab46c02dd" name: "Security Gateways Access" type: "access-section" from: 1 to: 1 rulebase: - uid: "39d0e851-0f12-46c9-bd85-b402d1181fba" name: "Stealth rule" type: "access-rule" domain: uid: "41e821a0-3720-11e3-aa6e-0800200c9fde" name: "SMC User" domain-type: "domain" rule-number: 2 filter-match-details: - column: "source" objects: - "97aeb369-9aea-11d5-bd16-0090272ccb30" ... source: - "97aeb369-9aea-11d5-bd16-0090272ccb30" source-negate: false destination: - "4a773692-84b5-4b81-a8da-320bf64081c0" destination-negate: false service: - "97aeb369-9aea-11d5-bd16-0090272ccb30" service-negate: false .....

More information can be found using the management API documention from the following links.

- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.2%20

Re: API call to see if rule already exists

C_M — Fri, 25 Oct 2019 21:48:02 GMT

Thanks, I'm looking for something human-readable. Is there a way to see the rules over the CLI?

Re: API call to see if rule already exists

PhoneBoy — Sat, 26 Oct 2019 01:33:02 GMT

All the API calls can be made over CLI.
However, the output is like above.
You can have mgmt_cli output in JSON then use jq to parse the output a bit, giving you only the information you want.

Re: API call to see if rule already exists

JozkoMrkvicka — Mon, 23 Dec 2019 20:11:26 GMT

Is there any easy way how to "convert" UIDs to names? In "show access-rulebase" there are all data, but for example source names are listed as uid, instead of names.

I am aware of "show object" command, but in case I have 100 sources...

The only idea I have is to check UID of specific rule and show the content via "show access-rule".

Any better way possible?

Re: API call to see if rule already exists

PhoneBoy — Mon, 23 Dec 2019 20:12:35 GMT

You can try adding a details-level full to the command to see if it gives you the name as well.

Re: API call to see if rule already exists

masher — Mon, 23 Dec 2019 21:01:29 GMT

You can add the use-object-dictionary false option to include the names object names.

[admin@vMgmt01]# mgmt_cli -s session.id show access-rulebase name "gw01 Network" offset 12 limit 1 use-object-dictionary false
uid: "5bfb5361-84d8-4b55-a0b6-a1c309dab52b"
name: "gw01 Network"
rulebase:
- uid: "2ca377fb-003e-4890-99fa-6128112083a8"
name: "Allowed Internet Access"
type: "access-section"
from: 13
to: 13
rulebase:
- uid: "49e3ebbd-9761-4381-8951-ec2972f517a3"
name: "HTTP/HTTPS"
...
source:
- uid: "fb7f60bd-d4df-4f2d-adf8-664251f8954a"
name: "NET-10.22.33.0"
type: "network"
domain:
...
service:
- uid: "97aeb3d4-9aea-11d5-bd16-0090272ccb30"
name: "http"
type: "service-tcp"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
port: "80"
- uid: "97aeb443-9aea-11d5-bd16-0090272ccb30"
name: "https"
type: "service-tcp"
...

Re: API call to see if rule already exists

JozkoMrkvicka — Mon, 23 Dec 2019 22:37:00 GMT

Thanks for the hint, Masher !
Exactly what I was looking for 🙂

Re: API call to see if rule already exists

JozkoMrkvicka — Mon, 23 Dec 2019 22:40:26 GMT

full details-level wont give you the names. I also expected that, but this is not the case.

Hint from Masher is correct way - you need to use "use-object-dictionary false" parameter to give you the name.

Re: API call to see if rule already exists

yogesh_uit08 — Thu, 16 Apr 2020 13:13:32 GMT

I tried to use

use-object-dictionary as false but still object name is not coming only getting uid ,can any one help me .

below the rest api and option i am using

url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
X-chkp-sid: "{{ login.json.sid }}"
body:
offset: 0
limit: 20
name: "Network"
use-object-dictionary: "false"
details-level: full

Appreciate your help in advance

Re: API call to see if rule already exists

FraP — Thu, 16 Apr 2020 14:35:18 GMT

If you are usign this api inside a script, you can levarage on the use-object-dictionray to convert the uid to an object name, or if you prefer you can use the following api call

mgmt_cli show object uid "ef82887c-d08f-49a3-a18f-a376be633848" --format json

to get the name and type for every object you need.

Can you share your api call and response please?

Re: API call to see if rule already exists

yogesh_uit08 — Thu, 23 Apr 2020 18:54:15 GMT

Thanks for your reply .

I used the use-object-dictionary true but for some object i did not get the name.

Re: API call to see if rule already exists

yogesh_uit08 — Thu, 23 Apr 2020 19:18:08 GMT

Hi,

I am making call to rule base api and using filter to grab the matching rule for source destination and port.,however the issue is for some cases i am getting correct output where source destination and port is there but in some cases i am not getting the desired result.

i mean all other rule coming for destination but source is not coming in output.

I have one query for for using filer in packet mode do we required the live traffic on the gateway. can this packet mode filter will work on rulebase database without the live traffic.?

My api call-

- name: Checking rule base for source and destiantion
uri:
url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
x-chkp-sid: "{{ login.json.sid }}"
body:
offset: 0
limit: 500
name: "Network"
details-level: "full"
use-object-dictionary: true
filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"
body_format: json
register: rule_search

- set_fact:
rule_search_result: "{{rule_search | to_json}}"

- debug:

var: rule_search_result

and how to parse the output for specific source destination and port ?

Appreciate your help in advanced . I am totally stuck over here please help me.

Re: API call to see if rule already exists

FraP — Fri, 24 Apr 2020 18:43:32 GMT

What do you mean by live traffic?
The api call does a query for rules currently defined on the manager: your gateway could have a different version of the rulebase, if you edited it and not installed...

For sure, you can achieve the "rule lookup", using packed mode and the filter-setting(take a look to the API guide)...
In case you need to resolve ie the "uid" for the action object, i suggest you to use the api call "show object" with the uid as input

For specifc issue, please share a picture of want you want 🙂

Re: API call to see if rule already exists

yogesh_uit08 — Tue, 12 May 2020 22:51:04 GMT

Thanks Nickel for your reply.

however what I have observed whenever i am using the packet mode and filter the source destination and port not getting the consistent output . that is the main issue.

I am querying the rulebase base API and applying the below mentioned filter

filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"