Arthur_Nadaryan
Explorer

Script that collects specific rules and exports them into csv/xml (R80.20)

I'm trying to make a script that collects rules with time objects and outputs them into an xml/csv file. The file must contain: the access policy package name the rules are behind and rules that have a time object. The rules with time objects will be listed if the rules are going to expire in 1 to 7 days (if a temporal rule expires in 8 days then it won't be listed, if it's 7 or less days then it will). What kind of info is shown about the rule when it's being exported? Number, Name, Source, Destination, VPN, Services & Applications, Time and Comments
7 Replies
Adam_Forester
Ambassador

How are your time expiration objects built? Do you name them by their expiration date?
Arthur_Nadaryan
Explorer

Yes, all time objects have a date as a name (numbers) and the format is day-month-year (29.07.2019).

 

Adam_Forester
Ambassador

You can run a filter based on the time object.

mgmt_cli -r true show access-rulebase name "POLICY NAME" details-level "standard" use-object-dictionary true filter "TIME Object Name" --format json

You can then use JQ to export csv once you format the JSON to your needs.
Adam_Forester
Ambassador

Wrote a quick sample bash script. It will search the object database for time objects that are +7 days from the current system date; you can change that easily by changing the +X date. Then it will filter the rulebase for those objects and output them in JSON. It's interactive to play with but you can hardset the variables. Should give you a starting point.

Script is expiring-rules.sh

https://github.com/WadesWeaponShed/Rulebase-Audit

Arthur_Nadaryan
Explorer

Thanks for the help but I have one question. The script outputs a lot of info about a specific rule. I'm having mixed results with jq and I would like to know how to filter the output to only show the following: Policy name, rule number, source, destination, service/applications, action, time and comments. ipv4-addresses included for src and dst. Comments for me appear as null. Trying to get other information will result in an error. Below is a basic sample that finds rules with "01.01.2020" that are behind a specific policy/FW. The output gives one result but there are 2 rules that contain "01.01.2020".

mgmt_cli -r true show access-rulebase name "Policy-Name-Here" details-level "standard" use-object-dictionary true filter "01.01.2020" --format json | jq '{name: .name}' >>TEMPORALS.txt
Adam_Forester
Ambassador

I updated on GitHub, should give you a start. Show access-rulebase uses UID for objects and references the object tree, so I changed it to take the UID of the rule and do show access-rule to get the detail, then spit them out. Should give you a good start. If I get more time this week I'll look at it more to get better detail of what you are asking for, but I hope this is something you can start work with and tweak.

Arthur_Nadaryan
Explorer

So far I've managed to write a script that lists rules that contain a time object along with other minor details (requirements changed).

Currently the "rule will expire in X days" part isn't done.
0 Kudos
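
Added example, not part of the thread or of the linked GitHub script: a POSIX shell filter for the still-open "expires in 1 to 7 days" requirement, assuming time objects are named strictly dd.mm.yyyy as described above. The function names to_days, expiring_soon and sample_names, and the sample object names, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pick time objects named dd.mm.yyyy
# that expire 1 to 7 days after a reference date. Uses only POSIX shell
# arithmetic, so it does not depend on GNU "date -d".

# Print the day number (days since 1970-01-01) for a dd.mm.yyyy name.
# Returns 1 for names that are not valid calendar dates.
to_days() {
    case $1 in
        [0-9][0-9].[0-9][0-9].[12][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    d=${1%%.*}; rest=${1#*.}; m=${rest%%.*}; y=${rest#*.}
    d=${d#0}; m=${m#0}          # "08" would otherwise be parsed as octal
    case $m in
        4|6|9|11) dim=30 ;;
        2) dim=$(( 28 + ((y % 4 == 0 && y % 100 != 0) || y % 400 == 0) )) ;;
        *) dim=31 ;;
    esac
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le "$dim" ] || return 1
    # Days-from-civil: count years from 1 March so the leap day comes last.
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Read one object name per line; print "name,days_left" for names expiring
# 1..7 days after the reference date ($1, default: today's system date).
expiring_soon() {
    ref=${1:-$(date +%d.%m.%Y)}
    today=$(to_days "$ref") || { echo "bad reference date: $ref" >&2; return 2; }
    while IFS= read -r name; do
        exp=$(to_days "$name") || continue    # not a date-named object: skip
        left=$((exp - today))
        if [ "$left" -ge 1 ] && [ "$left" -le 7 ]; then echo "$name,$left"; fi
    done
}

# Constructed sample names, including an impossible date and a non-date name.
sample_names() {
    printf '%s\n' 25.07.2019 29.07.2019 01.08.2019 02.08.2019 01.01.2020 \
                  31.02.2020 Working-Hours
}

# Fixed reference date so the demo output is reproducible.
sample_names | expiring_soon 25.07.2019
```

Each name it prints can be used as the filter value in the show access-rulebase command quoted earlier in the thread.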
