topic Re: Query 'Any' network- and service-objects by uid in API / CLI Discussion

Query 'Any' network- and service-objects by uid

nildi — Mon, 03 Jul 2023 13:33:33 GMT

Greetings!

I am currently trying to export a rulebase via the web-api via

'show-access-rulebase', {'name': 'my firewall rulebase'}

This results in a json representation of my ruleset. A rule in this result set might look like this (uids manually changed):

{ "uid": "11111111-2222-3333-4444-555555555555", "name": "Test-Rule", "type": "access-rule", "domain": { "uid": "11111111-2222-3333-4444-555555555555", "name": "SMC User", "domain-type": "domain" }, "rule-number": 40, "track": {...} "source": [ "11111111-2222-3333-4444-555555555555" ], "source-negate": false, "destination": [ "11111111-2222-3333-4444-555555555555" ], "destination-negate": false, "service": [ "11111111-2222-3333-4444-555555555555" ], "service-negate": false, "service-resource": "", "vpn": [ "11111111-2222-3333-4444-555555555555" ], "action": "11111111-2222-3333-4444-555555555555", "action-settings": { "enable-identity-captive-portal": false }, "content": [ "11111111-2222-3333-4444-555555555555" ], "content-negate": false, ... }

I can resolve the uids given in the "source", "destination" and "service" fields via commands like

'show-host', {'uid': '11111111-2222-3333-4444-555555555555'}

or similar (show-group, show-network, ...) commands.

Some uids however I can not resolve via these commands. Even the command 'show-object' does not work for these uids. When I check the rules in the Smart Console, the source, destination or service fields contain the 'Any' object.

How can I query these 'Any' objects via the web-api by their uid?

Tank you very much in advance!

Regards,

Nils

Re: Query 'Any' network- and service-objects by uid

abraxxa — Mon, 03 Jul 2023 13:35:20 GMT

We're currently facing the same issue.

The show-objects API does return the CpmiAnyObject when queried for its uid, which seems to be 97aeb369-9aea-11d5-bd16-0090272ccb30 on all our managers. We still don't want to hardcode it for rule generation as it might change.

Re: Query 'Any' network- and service-objects by uid

Bob_Zimmerman — Mon, 03 Jul 2023 14:12:31 GMT

'show object' definitely works for the UUID for Any:

[Expert@DallasSA]# mgmt_cli -f json -r true show object uid 97aeb369-9aea-11d5-bd16-0090272ccb30 { "object" : { "uid" : "97aeb369-9aea-11d5-bd16-0090272ccb30", "name" : "Any", "type" : "CpmiAnyObject", "domain" : { "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef", "name" : "Check Point Data", "domain-type" : "data domain" }, "icon" : "General/globalsAny", "color" : "black" } }

There are a number of special objects like that:

6c488338-8eec-4103-ad21-cd461ac2c476: Policy Targets 85c0f50f-6d8a-4528-88ab-5fb11d8fe16c: Original 97aeb36a-9aea-11d5-bd16-0090272ccb30: None 97aeb36a-9aeb-11d5-bd16-0090272ccb30: All Users 97aeb36a-9aed-11d5-bd16-0090272ccb30: All_GwToGw (all site-to-site VPNs) 97aeb368-9aea-11d5-bd16-0090272ccb30: All 97aeb369-9aea-11d5-bd16-0090272ccb30: Any 213f0a22-49da-4719-94b3-f2d74623f3fb: Policy HTTPS Targets

There are probably some others which I haven't run into yet.

Re: Query 'Any' network- and service-objects by uid

abraxxa — Mon, 03 Jul 2023 14:35:33 GMT

Yes, but the question is how to get its UID without knowing it.

Re: Query 'Any' network- and service-objects by uid

nildi — Mon, 03 Jul 2023 15:03:16 GMT

Thank you for your responses!

First of all: You are correct Bob. The 'show-object' command resolves these objects. Thank you for pointing this out. I was sure to have testet for it.

Nevertheless abraxxa is correct, that there is no way to query the 'Any' object before it is encountered in the policy afaik.

For performance reasons I query all network and service objects before querying the ruleset, so I can resolve all uids I encounter on the fly. Only the 'Any' objects are not queryable beforehand, so I need to dynamically load them while parsing the ruleset.

I just rechecked: The 'show-objects' command does not show the 'Any' objects.

'show-objects', {'filter': 'Any'}

So is there a way to query these 'Any' objects via the web-api before knowing their uid?

Re: Query 'Any' network- and service-objects by uid

Bob_Zimmerman — Mon, 03 Jul 2023 15:04:21 GMT

No it's not. The question as originally stated:

@nildi wrote:

Some uids however I can not resolve via these commands. Even the command 'show-object' does not work for these uids. When I check the rules in the Smart Console, the source, destination or service fields contain the 'Any' object.

How can I query these 'Any' objects via the web-api by their uid?

And the answer is to use 'show object' with the UUID. It definitely works. I've used it for Any back to R80.20, though I don't have any management servers that old anymore to confirm the other UUIDs in my list, but I would expect all of them to work as well.

The objects referenced in rules should also show up in the 'show access-rulebase' call's objects dictionary. The objects I listed above don't show up in 'show objects' and may not show up in rules, but they're still valid destinations for certain object relationships.

Re: Query 'Any' network- and service-objects by uid

Bob_Zimmerman — Mon, 03 Jul 2023 16:05:44 GMT

'show objects' does not include these, yes. It also doesn't include rule actions (Accept, Drop, etc. all have UUIDs), rule track settings (Log, Alert, etc.), tags, or a few other things. The list of UUIDs I provided is what I've found I have to download by hand to ensure I have every valid option for the various fields.

I forget if QoS limits show up in 'show objects', but I do end up with them after recursively downloading everything I can.

I definitely wouldn't mind a 'show special-objects' or similar call which shows all of the weird things like these. I requested something like that a while ago, but never heard if it's on the roadmap. Fortunately, their UUIDs never change since they're built-in, so I just built that manual list to download.

Re: Query 'Any' network- and service-objects by uid

nildi — Tue, 04 Jul 2023 06:45:56 GMT

Thank you very much for the clarification. Seems I will hard-code these objects into my code for now, until there is such a 'show-special-objects' function.