Employee

Create list of IPS protections set for packet capture in a specific profile

Used mgmt_cli to generate a JSON-formatted file (ips.json) of all IPS protections (mgmt_cli show threat-protections details-level full) but cannot figure out how to parse out only the profiles with packet capture enabled.

cat ips.json | jq ".protections [] | [.name, .profiles]"

Admin

This is set at the profile level, yet you're looking at the individual threat protections.
You should look at the profile you're interested in.
Here's what I came up with:

mgmt_cli -r true --format json show threat-profile name "Optimized PhoneBoy" | jq '.overrides[] | {name: .protection, capture: .final["capture-packets"]} | select (.capture == "true")'

When you look at the different protections in a profile, there are three different settings: Original (what the protection is set to by default), Override (what the override says to do), and Final (what policy will ultimately apply).

Also note your dump of IPS protections likely only includes a limited number of protections (50) unless you called it multiple times with limit/offset.
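The filter from the reply above, written in Python as an added example that is not part of the original thread or Check Point's own code. It reads the same fields as the jq expression (`overrides[].protection`, `final["capture-packets"]`) and accepts the flag as either a JSON boolean or the string "true". The sample profile is constructed, and the `fetch_page` callable and the `protections`/`total` page shape used for limit/offset paging are assumptions.

```python
import json

# Constructed sample using the fields the reply's jq filter reads; not real output.
SAMPLE_PROFILE = json.loads("""
{
  "name": "Example Profile",
  "overrides": [
    {"protection": "Example Protection A", "final": {"capture-packets": true}},
    {"protection": "Example Protection B", "final": {"capture-packets": false}},
    {"protection": "Example Protection C", "final": {"capture-packets": "true"}},
    {"protection": "Example Protection D", "final": {}}
  ]
}
""")


def is_on(value):
    """Accept a JSON boolean or the string "true"; a missing key counts as off."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def capture_enabled(profile):
    """Names of protections whose final (effective) setting captures packets."""
    return [
        o["protection"]
        for o in profile.get("overrides", [])
        if is_on(o.get("final", {}).get("capture-packets"))
    ]


def fetch_all(fetch_page, limit=50):
    """Collect every protection by calling fetch_page(limit, offset) until done.

    Assumption: each page is a dict with "protections" and "total" keys.
    fetch_page is a hypothetical callable wrapping the paged API call.
    """
    items, offset = [], 0
    while True:
        page = fetch_page(limit, offset)
        batch = page.get("protections", [])
        items.extend(batch)
        offset += len(batch)
        if not batch or offset >= page.get("total", 0):
            return items


if __name__ == "__main__":
    print(capture_enabled(SAMPLE_PROFILE))
```
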