Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bill_Ng
Collaborator
Jump to solution

FW object rule report

All,

We are on R80.10 management station.

Any one know of a way to get FW object information across our policies in a readable format?  The where used function works but it only lists out the rule number.  I guess we would like a more detailed version which spits out the groups the object is in and instead of the rule numbers it lists out the actual rule (src, dst, service port), and on which policy the rule is in?  I've used '$MDS_FWDIR/scripts/web_api_show_package.sh'  to export policies but painstakingly do searches within each policy for the specific objects. 

Thanks in advance,

Bill

0 Kudos
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor

Just to compare, attached below typical output of R8x show-package tool. As you can see, information completely replaces the same functionality of R7x Web Visualization Tool.

This thread however discusses how to get full rule information when searching for usages of objects.

Option 1: run "where used", collect the UID's of the rules, then run "show access-rule" for each rule UID.

Option 2: run "where used" with "details-level full". This will show the full objects that use the given object. However, it will show a lot of other information and may result with a slow response. 

Option 3: run "where used", collect the rule positions, then look at the show-package HTML output (see image above) and locate the rule.

Let's demonstrate option 1:

Step 1: where used for host "Marco". We want to see its indirect usages, because Marco belongs to a network group which appears in some rules. From the output we would like to isolate the rule UID and the layer UID because both parameters are required for the next step. So we will use JQ to parse the output and select only the things that we care about.

mgmt_cli where-used name Marco indirect true -s id.txt --format json | jq -r '."used-indirectly"."access-control-rules"[] | (.rule.name // "no rule name", .rule.uid, .layer.name, .layer.uid)'
no rule name
97ed7f41-f56d-4ef5-99e9-9f698ad55902
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
86f56fc4-7652-4518-8d94-3f9ec6ced892
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
1030a2d1-7663-462f-b43b-8825abf39e21
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
c0d19b8f-10d7-4ea2-8684-61968c7e94d7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
69ea551c-ad13-4a5f-8b68-897928119da8
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
5f0d2800-1e9d-44f6-9f39-7953a33b82a2
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
0fb52774-487a-4e3c-afcc-65d1ccbaffb7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535

We got groups of 4 - rule name (which shows "no rule name" in case it has no name), rule UID, layer name, layer UID.

Now we can run show access-rule on each result to see the full rule. For example, for the first result:

mgmt_cli show access-rule uid 69ea551c-ad13-4a5f-8b68-897928119da8 layer 19942103-1419-4e71-b655-e1aad4c82535 -s id.txt

View solution in original post

11 Replies
Robert_Decker
Advisor

This kind of information can be obtained by combining several API commands and mining the required information.

First, you should use the "where-used" command to get the policy/rulebase information (uid is enough), and then use the "show-access-rule" command with that preliminary info to retrieve the specific details about the rule.

Robert.

0 Kudos
Bill_Ng
Collaborator

Hi Robert,

Thanks for pointing me in the right direction.  We are in process of using powershell from the modules that tkoopman created to extract that info.  I found a guy on my team that's really good with Powershell.

0 Kudos
Robert_Decker
Advisor

No problem, glad to help.

Robert.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Tufin is the answer. It's simply awesome for stuff like that Smiley Happy

0 Kudos
Robert_Decker
Advisor

Tufin is a good option with products on the shelf that cost.

We should provide here answers that are for free.

Robert.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

I was just pulling a small joke Robert Smiley Happy 

0 Kudos
Tomer_Sole
Mentor
Mentor

wow, we actually took it seriously.. lol.. Tufin is an excellent product and a great technology partner with Check Point. But if you are willing to customize and automate your Check Point Management workflow yourself using the Check Point Management API's we are here to help.

0 Kudos
Phan_Tuan_Loi
Explorer

You may search Web Visualization Tool then try it Smiley Happy

It can list rules, objects (network and service), ... as the samples below

Rules

Objects

Astardzhiev
Contributor

Hi Phan,

Unfortunately Web Virtualization Tool is not supported for R80 and above:

Important Note: This solution refers for R77.x versions only. For R80 and higher use "Show Package Tool" described in sk120342.

And looking at the question Bill is already on R80.x

0 Kudos
Phan_Tuan_Loi
Explorer

Thank you Alexander for you comment.

0 Kudos
Tomer_Sole
Mentor
Mentor

Just to compare, attached below typical output of R8x show-package tool. As you can see, information completely replaces the same functionality of R7x Web Visualization Tool.

This thread however discusses how to get full rule information when searching for usages of objects.

Option 1: run "where used", collect the UID's of the rules, then run "show access-rule" for each rule UID.

Option 2: run "where used" with "details-level full". This will show the full objects that use the given object. However, it will show a lot of other information and may result with a slow response. 

Option 3: run "where used", collect the rule positions, then look at the show-package HTML output (see image above) and locate the rule.

Let's demonstrate option 1:

Step 1: where used for host "Marco". We want to see its indirect usages, because Marco belongs to a network group which appears in some rules. From the output we would like to isolate the rule UID and the layer UID because both parameters are required for the next step. So we will use JQ to parse the output and select only the things that we care about.

mgmt_cli where-used name Marco indirect true -s id.txt --format json | jq -r '."used-indirectly"."access-control-rules"[] | (.rule.name // "no rule name", .rule.uid, .layer.name, .layer.uid)'
no rule name
97ed7f41-f56d-4ef5-99e9-9f698ad55902
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
86f56fc4-7652-4518-8d94-3f9ec6ced892
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
1030a2d1-7663-462f-b43b-8825abf39e21
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
c0d19b8f-10d7-4ea2-8684-61968c7e94d7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
69ea551c-ad13-4a5f-8b68-897928119da8
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
5f0d2800-1e9d-44f6-9f39-7953a33b82a2
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
0fb52774-487a-4e3c-afcc-65d1ccbaffb7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535

We got groups of 4 - rule name (which shows "no rule name" in case it has no name), rule UID, layer name, layer UID.

Now we can run show access-rule on each result to see the full rule. For example, for the first result:

mgmt_cli show access-rule uid 69ea551c-ad13-4a5f-8b68-897928119da8 layer 19942103-1419-4e71-b655-e1aad4c82535 -s id.txt

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events