topic Re: Getting rule numbers where Access roles are used in API / CLI Discussion

Getting rule numbers where Access roles are used

Hllrdm — Tue, 19 Sep 2023 07:58:00 GMT

We have a large security policy written that utilizes Access roles. Is there some script or api so we can see the rule numbers where access roles are used so we don't have to manually review 3000+ rules?

Re: Getting rule numbers where Access roles are used

Alex- — Tue, 19 Sep 2023 18:01:52 GMT

Here's a basic script that lists access-roles UID and iterates a where-used on the UID.

You will need to filter the JSON output further and play with offsets for going over 500 items.

#!/bin/bash ar_uid=$(mgmt_cli -r true show-access-roles --format json | jq -r ".objects[] | .uid") declare -a name_array while IFS= read -r line; do name_array+=("$line") done <<< "$ar_uid" for ar_uid in "${name_array[@]}"; do echo "Processing: $ar_uid" ar_uid_where_used=$(mgmt_cli -r true where-used uid "$ar_uid" --format json) echo $ar_uid_where_used done

Re: Getting rule numbers where Access roles are used

Hllrdm — Tue, 19 Sep 2023 09:02:46 GMT

Thanks for the reply, we will try to use it.
We are additionally using MDS and different policy packages, is there any way to make the script download the rule numbers from a specific CMA and from a specific policy package?

Re: Getting rule numbers where Access roles are used

Alex- — Tue, 19 Sep 2023 09:30:44 GMT

I don't have access to an MDS but it looks like you have to log in to the CMA after logging into the System Domain on the MDS so the code would need to be expanded a bit.

Check Point - Management API reference

Otherwise, you can expand the script to remove the clutter like "Proccessing: " and save everything in a file where you can use further tooling to filter and sort. This script in itself is a basic iteration in an environment with few access roles where a visual check is enough.

Re: Getting rule numbers where Access roles are used

Bob_Zimmerman — Tue, 19 Sep 2023 11:55:32 GMT

Are any of the access roles you're interested in defined at the global level, or are they all defined in the CMAs?

Re: Getting rule numbers where Access roles are used

Hllrdm — Fri, 22 Sep 2023 08:43:30 GMT

All objects are defined in the CMA in one policy package

Re: Getting rule numbers where Access roles are used

Bob_Zimmerman — Fri, 22 Sep 2023 18:44:33 GMT

In that case, you just need to add a quick '-d "CMA name"' to each mgmt_cli call above. For example:

mgmt_cli -d "CMA name" -r true where-used uid "$ar_uid" --format json

Replacing the literal string 'CMA name' with the name of the CMA you want to check.