topic Re: API command to get the disable rule in API / CLI Discussion

API command to get the disable rule

Aathi — Fri, 05 Jun 2020 04:45:29 GMT

Hi Team,

I am trying to get the disabled rules in checkpoint rule base by using API or mgmt_cli commands , the way we are getting the zero hit count rule.

can you share the command to get the disabled rules from rulebases.

Thanks in advance.

Regards

Aathi

Re: API command to get the disable rule

PhoneBoy — Fri, 05 Jun 2020 05:40:01 GMT

There is not a specific API to retrieve disabled rules.
However, you can retrieve the rulebase via mgmt_cli and use jq to filter the results using a select statement.

Re: API command to get the disable rule

Aathi — Tue, 22 Sep 2020 12:03:56 GMT

Hi PhoneBoy,

By using Jq filter i got the UID and also .i need to get the Source ,destination and port as well( need to get the exact rulebase by using UID or something) .is it possible to get those.if yes can you please share the exact syntax for the same.

Thanks in advance.

Re: API command to get the disable rule

PhoneBoy — Tue, 22 Sep 2020 20:48:01 GMT

What CLI do you have so far?

Re: API command to get the disable rule

Sigbjorn — Wed, 23 Sep 2020 06:56:37 GMT

Quick Powershell example code to extract the disabled rules.

As for the actual source/destination/service, these are UID's of the actual object, so you would need to do another query in the foreach loop to resolve them to names if that's what you're looking for.

[string]$BaseUri = "https://10.10.1.1/web_api" [string]$domain = "Domainname" # Only used for MDS servers [string]$user = "username" [string]$pass = "password" $loginData = @{ "user" = $user "password" = $pass "domain" = $domain # Only used for MDS servers } | ConvertTo-Json Write-Output "Invoking Login" $login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" } $headers = @{ "content-type" = "application/json" "x-chkp-sid" = $login.sid } # Get RuleBase Write-Output "Getting rulebase" $body = @{ "name" = "demo-policy Network" } | ConvertTo-Json $rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers foreach ($i in $rules.rulebase.rulebase) { if ($i.enabled -like "False") { Write-Output "Rulename: $($i.name), Source: $($i.source), Destination: $($i.destination), Service: $($i.service), Enabled: $($i.enabled)" } } Write-Output "Disconnect session $($login.uid)" $null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)

Re: API command to get the disable rule

Aathi — Wed, 23 Sep 2020 09:07:35 GMT

Hi Phoneboy.

Its Mgmt_cli.

Re: API command to get the disable rule

Aathi — Mon, 28 Sep 2020 10:25:21 GMT

Hi Sigbjorn,

i tried to get source name and destination name and service using for each loop but getting the error,can you share the exact syntax to get the same.

Thanks in advance.

Re: API command to get the disable rule

Sigbjorn — Mon, 28 Sep 2020 11:55:24 GMT

Hi,

This should do it:

# Get RuleBase Write-Output "Getting rulebase" $body = @{ "name" = $layer } | ConvertTo-Json $rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers foreach ($y in $rules.rulebase.rulebase) { $body = @{ "uid" = $($y.uid) "layer" = $layer } |ConvertTo-Json $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers if ($($rule.enabled) -like "False") { Write-output "Disabled rule, Rulename: $($rule.name), Enabled: $($rule.enabled), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)" } }

Re: API command to get the disable rule

REDW0LF — Tue, 29 Sep 2020 15:14:33 GMT

Here is a mgmt_cli API call you can try. I modified it from a call I use to grab zero hits rules. If you are not running a multi-domain management server you can remove the -d option. This will send the results to a csv file as well. You may be having the problem retrieving source and destination if they have more than one object. the [] specifies those fields are arrays. The one limitation I haven't been able to get around is those fields return UID values rather than their plain text names.

mgmt_cli -d <domain> show access-rulebase offset 0 limit 2000 uid "<rulebase UID>" details-level "standard" use-object-dictionary true --format json -u <username> |jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > <csvfilename>.csv

Ron

Re: API command to get the disable rule

Aathi — Mon, 09 Aug 2021 08:14:08 GMT

Hi REDWOLF,

Thanks for the update.i tried but getting below error can you help on this

[Expert@XXX:0]# mgmt_cli show access-rulebase offset 0 limit 2000 uid "cafc790f-681d-49ea-b44c-b618dc937c66" details-level "standard" use-object-dictionary true --format json -u admin|jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > aathi.csv
Password:

jq: error: Cannot iterate over null

can u help on this

Re: API command to get the disable rule

Aathi — Mon, 09 Aug 2021 12:49:55 GMT

Hi SIG,

Thank you so much for sharing the script.

This script only check the first 50 rules from rulebase ,is there any way to check all the rulebases

Thanks

Re: API command to get the disable rule

PhoneBoy — Mon, 09 Aug 2021 15:17:43 GMT

The API only returns a limited number of results by design.
That is true even if you specify a higher limit in the API call.
You would have to make multiple calls to the same API using the offset parameter iteratively to get all the results.

Re: API command to get the disable rule

Aathi — Mon, 23 Aug 2021 10:39:51 GMT

Hi Sigbjorn,

Thanks for sharing the scripts.Can you help us to get the already expired Rule base list.

Thanks in advance.

Re: API command to get the disable rule

Sigbjorn — Mon, 23 Aug 2021 14:15:03 GMT

Hi Aathi, I'm not entirely sure what you're looking for.

Could you elaborate?

Re: API command to get the disable rule

PhoneBoy — Mon, 23 Aug 2021 21:44:24 GMT

That means there's an error in the jq statement.
You've got .rulebase[] in there twice.
Also it looks like the select doesn't do what you want.
Most of the results return a UID, which I assume you want in some sort of human readable format.
Also, setting the limit to 2000 will not return all results, you will need to make multiple calls using the offset parameter to get the next 50 results (or so).
Not exactly right, but this is a lot closer:

mgmt_cli -s sid.txt show access-rulebase name "LayerName" details-level full --format json | jq -r '.rulebase[] | select (.enabled == false)| .uid' | while read X; do
mgmt_cli -s sid.txt --format json show access-rule uid $X layer "LayerName" |
jq -r '[.uid, .name, .source[].name, .destination[].name, .service[].name, .action.name]|@csv'
done

At a high level, this is:

Getting the UID of the rules that are disabled (note you will need to use limit/offset in this command and call it multiple times to get all the rules.
For each rule UID, get human readable source/destination/service/action and output in something that looks like a CSV file (though each source/destination/service will create a column).

There may be some way to clean up the jq further here so you get a cleaner CSV file.

Re: API command to get the disable rule

Aathi — Wed, 25 Aug 2021 07:40:30 GMT

Hi Sigbjorn,

I want to get the rules which are already expired like we got for disabled rules from checkpoint rulebase.

Please let us know if any scripts for the same.

Regards

Aathi