cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Disable a rule on R80.10 using Python Web API

Jump to solution

Hello,

I have a management server running R80.10, which has almost 20 devices connected and has hundreds of rules defined. I wanted to disable rules that are not in use currently via Web API using Python script. Please guide me if there is way to do the same.

Please help me.

Tags (2)
1 Solution

Accepted Solutions
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

set-access-rule has an option to enable/disable the rule.

0 Kudos
14 Replies
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

There's an example of this already: 

Nüüül
Silver

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Hi

someone already did a script like that here.

https://community.checkpoint.com/docs/DOC-2640?commentID=3239#comment-3239 

If you want to script it by yourself. You could use the SDK from Check Point, which then is handling your session.

GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit 

There are some examples included like "adding host" and so.

Daniel

Highlighted

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

We are working on a comprehensive tool (python) to disable/delete rules based on hitcount.

Tool will run in few modes: plan , apply , apply without publish

You will be able to set global thresholds of "non hit period" for disable / delete rules and you will be able to override them per rule. In addition you will be able to skip specific rules / packages. You will get json output for all deleted/disabled/skipped rules (and the reason they were skipped, for example, rule with GW that its hitcount is off).

You will be able to adjust our script to fit your logic (for example, set rule at the bottom of policy afetr disabling it)

We are planning to release this tool by mid October. 

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Hello,

Is this released Amiad Stern‌ ? If so, where can i find that.

Thanks a lot.

Sam

0 Kudos

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

We have some delays. We are in final stages of approvals. I will add comment to this thread as well upon tool release. 

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Updating that we released it GitHub - CheckPointSW/PolicyCleanUp  

0 Kudos

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Thank you very much for the link provided here. It helped a lot. 

Actually i am writing python code which fetches JSON data using web_api. The issue i am reporting here is:

If i do api call with below code, i usually get details about all the rules inside each rulebase. 

https://{{server}}/show-access-rulebase

{
"offset" : 0,
"limit" : 500,
"name" : "rulebase_name",
"details-level" : "standard",
"use-object-dictionary" : true
}

however looking at each rule inside it, if i want to fetch values from "source, destination,service" etc., i get only encrypted id's but not the actual names. 

"rule-number": 1,                        # contents have been deleted those not related with the issue
"source": [
"697bb7e0-0dfe-4070-a21a-68858fhkdaae98c",
"349fb05c-99b2-4fb2-aea6-7b447dhyt0e661c"
],
"source-negate": true,
"destination": [
"97aeb369-9aea-11d5-bd16-00902fgt72ccb30"
],
"destination-negate": false,
"service": [
"ef245528-9a3d-11d6-9eaa-3e5a6fvgtdd6a6a",
"dff4f7ba-9a3d-11d6-91c1-3e5a6fdd5lpo151",
"24bee257-6b37-49bb-99aa-557d993akol0e48",
"97aeb45c-9aea-11d5-bd16-0090272ciuycb30",
"97aeb471-9aea-11d5-bd16-0090272treccb30"
],
"service-negate": false,
"vpn": [
"97aeb369-9aea-11d5-bd16-0090272ccmkqb30"
],
"action": "6c488338-8eec-4103-ad21-cd4sov61ac2c473",
"action-settings": {},
"content": [
"97aeb369-9aea-11d5-bd16-0090272ftmccb30"
],
"content-negate": false,
"content-direction": "any",
"comments": "My Comment",
"enabled": true,
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd5gyp9eb36ba",
"name": "sam@gmail.com",
"type": "access-rule",
},

But the same is available if I do api call to "show-access-rule" with specific rule

{                                         # contents have been deleted those not related with the issue
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd59ebfgy36ba",
"name": "sam@gmail.com",
"type": "access-rule",
"source": [
{
"uid": "293ef5ba-5235-464e-9247-bda2frt6229a998",
"name": "abcd.example.com",
"type": "host",
"ipv4-address": "192.168.1.40"
},
"destination": [
{
"uid": "b17d4573-ad1a-4126-ae6d-c874efoqa919cda",
"name": "efgh.example.com",
"type": "CpmiClusterMember",
}
],
"service": [
{
"uid": "18ec9eaa-1657-4240-ab97-5f234623336b",
"name": "ssh",
"type": "service-tcp",
"port": "22"
}
],

Question: Is there any way that can show the actual data while doing api call using show-access-rulebase ? 

0 Kudos
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

The result of the API call provides an objects-dictionary.

This can be used to deference all the object UIDs returned as part of the rulebase.

0 Kudos

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Thank you very much. I am able to figure this out now. 

However can you please let me know if there is anything i missed below. My only goal is to list only rules that has not been used after the "to-date" including rule that never used. 

With the below code if I change the "to-date" and run to test if that works, i am getting same rule with different "to-date" value. Which seems not actual. Ran the command with "show-access-rulebase" API call.

# Input with "to-date" : "2018-04-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
   "from-date" : "2000-01-01",
   "to-date" : "2018-04-06"
   }
}
# Output with "to-date" : "2018-04-06"
######################################
"rule-number": 1,
"hits": {
   "percentage": "1%",
   "level": "low",
   "value": 38032181,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1523003466000,
      "iso-8601": "2018-04-06T03:31-0500"
   }
},

# Input with "to-date" : "2017-08-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
   "from-date" : "2000-01-01",
   "to-date" : "2017-08-06"
   }
}
# Output with "to-date" : "2017-08-06"
######################################
"rule-number": 1,
"hits": {
   "percentage": "0%",
   "level": "low",
   "value": 31325295,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1502012563000,
      "iso-8601": "2017-08-06T04:42-0500"
   }
},

However with "show-access-rule" API if i try to fetch data for the rule#1 i get different output as below.

# Input
#########

{
"rule-number": 1,
"layer" : "my Security",
"show-hits" : true
}

# Output
#########

"hits": {
   "percentage": "1%",
   "level": "low",
   "value": 62724501,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1538583391000,
      "iso-8601": "2018-10-03T11:16-0500"
   }
},

0 Kudos
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

That suggests a bug of some sort.

Please open a support ticket and we can have a look. 

0 Kudos
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

I should note Samiron Mallick‌ that there is a new feature in API 1.3 (aligned with R80.20 release) that actually will allow you to output "the actual data" as you refer to it.

It's called "Show as Ranges" and it's a new parameter to the show-access-rulebase API call.

There are some limits to this (only allows output of 20 rules).

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

I am having the last query to this thread.

I found "delete-access-rule" WebAPI command to delete access rule. But unable to find command to DISABLE rules. My requirement is to DISABLE rules via WebAPI.

Ex: https://my-management:port/web_api/delete-access-rule

Tried "disable-access-rule" but no luck as that is not a valid command.

Is it possible to disable access-rule via WebAPI ? if so what is the command.

Thanks,

Sam

0 Kudos
Admin
Admin

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

set-access-rule has an option to enable/disable the rule.

0 Kudos

Re: Disable a rule on R80.10 using Python Web API

Jump to solution

Thank you this worked as expected.