Re: API call to see if rule already exists

C_M · ‎2019-10-25

Is there an API call to see if a rule already exists? Something better than where-used? Something more along the lines of Packet Mode on the GUI.

masher · ‎2019-10-25

The "show access-rulebase" command has an option to filter in a similar manner as packet mode in Smartconsole.

Using demo mode in R80.20:

show access-rulebase name "Network" package "Corporate_Policy" filter "200.200.200.200" filter-settings.search-mode packet limit 2

Response (shortened):

uid: "b406b732-2437-4848-9741-6eae1f5bf112"
name: "Network"
rulebase: 
- uid: "dedb6e70-fe6c-45be-bcd3-18fab46c02dd"
  name: "Security Gateways Access"
  type: "access-section"
  from: 1
  to: 1
  rulebase: 
  - uid: "39d0e851-0f12-46c9-bd85-b402d1181fba"
    name: "Stealth rule"
    type: "access-rule"
    domain: 
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
    rule-number: 2
    filter-match-details: 
    - column: "source"
      objects: 
      - "97aeb369-9aea-11d5-bd16-0090272ccb30"
   ...
    source: 
    - "97aeb369-9aea-11d5-bd16-0090272ccb30"
    source-negate: false
    destination: 
    - "4a773692-84b5-4b81-a8da-320bf64081c0"
    destination-negate: false
    service: 
    - "97aeb369-9aea-11d5-bd16-0090272ccb30"
    service-negate: false

.....

More information can be found using the management API documention from the following links.

- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.2%20

C_M · ‎2019-10-25

Thanks, I'm looking for something human-readable. Is there a way to see the rules over the CLI?

PhoneBoy · ‎2019-10-25

All the API calls can be made over CLI.
However, the output is like above.
You can have mgmt_cli output in JSON then use jq to parse the output a bit, giving you only the information you want.

JozkoMrkvicka · ‎2019-12-23

Is there any easy way how to "convert" UIDs to names? In "show access-rulebase" there are all data, but for example source names are listed as uid, instead of names.

I am aware of "show object" command, but in case I have 100 sources...

The only idea I have is to check UID of specific rule and show the content via "show access-rule".

Any better way possible?

Kind regards,
Jozko Mrkvicka

PhoneBoy · ‎2019-12-23

You can try adding a details-level full to the command to see if it gives you the name as well.

JozkoMrkvicka · ‎2019-12-23

full details-level wont give you the names. I also expected that, but this is not the case.

Hint from Masher is correct way - you need to use "use-object-dictionary false" parameter to give you the name.

Kind regards,
Jozko Mrkvicka

masher · ‎2019-12-23

You can add the use-object-dictionary false option to include the names object names.

[admin@vMgmt01]# mgmt_cli -s session.id show access-rulebase name "gw01 Network" offset 12 limit 1 use-object-dictionary false
uid: "5bfb5361-84d8-4b55-a0b6-a1c309dab52b"
name: "gw01 Network"
rulebase:
- uid: "2ca377fb-003e-4890-99fa-6128112083a8"
name: "Allowed Internet Access"
type: "access-section"
from: 13
to: 13
rulebase:
- uid: "49e3ebbd-9761-4381-8951-ec2972f517a3"
name: "HTTP/HTTPS"
...
source:
- uid: "fb7f60bd-d4df-4f2d-adf8-664251f8954a"
name: "NET-10.22.33.0"
type: "network"
domain:
...
service:
- uid: "97aeb3d4-9aea-11d5-bd16-0090272ccb30"
name: "http"
type: "service-tcp"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
port: "80"
- uid: "97aeb443-9aea-11d5-bd16-0090272ccb30"
name: "https"
type: "service-tcp"
...

JozkoMrkvicka · ‎2019-12-23

Thanks for the hint, Masher !
Exactly what I was looking for 🙂

Kind regards,
Jozko Mrkvicka

yogesh_uit08 · ‎2020-04-16

Hi

I tried to use

use-object-dictionary as false but still object name is not coming only getting uid ,can any one help me .

below the rest api and option i am using

url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
X-chkp-sid: "{{ login.json.sid }}"
body:
offset: 0
limit: 20
name: "Network"
use-object-dictionary: "false"
details-level: full

Appreciate your help in advance

FraP · ‎2020-04-16

If you are usign this api inside a script, you can levarage on the use-object-dictionray to convert the uid to an object name, or if you prefer you can use the following api call

mgmt_cli show object uid "ef82887c-d08f-49a3-a18f-a376be633848" --format json

to get the name and type for every object you need.

Can you share your api call and response please?

yogesh_uit08 · ‎2020-04-23

Thanks for your reply .

I used the use-object-dictionary true but for some object i did not get the name.

yogesh_uit08 · ‎2020-04-23

Hi,

I am making call to rule base api and using filter to grab the matching rule for source destination and port.,however the issue is for some cases i am getting correct output where source destination and port is there but in some cases i am not getting the desired result.

i mean all other rule coming for destination but source is not coming in output.

I have one query for for using filer in packet mode do we required the live traffic on the gateway. can this packet mode filter will work on rulebase database without the live traffic.?

My api call-

- name: Checking rule base for source and destiantion
uri:
url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
x-chkp-sid: "{{ login.json.sid }}"
body:
offset: 0
limit: 500
name: "Network"
details-level: "full"
use-object-dictionary: true
filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"
body_format: json
register: rule_search

- set_fact:
rule_search_result: "{{rule_search | to_json}}"

- debug:

var: rule_search_result

and how to parse the output for specific source destination and port ?

Appreciate your help in advanced . I am totally stuck over here please help me.

FraP · ‎2020-04-24

What do you mean by live traffic?
The api call does a query for rules currently defined on the manager: your gateway could have a different version of the rulebase, if you edited it and not installed...

For sure, you can achieve the "rule lookup", using packed mode and the filter-setting(take a look to the API guide)...
In case you need to resolve ie the "uid" for the action object, i suggest you to use the api call "show object" with the uid as input

For specifc issue, please share a picture of want you want 🙂

yogesh_uit08 · ‎2020-05-12

Thanks Nickel for your reply.

however what I have observed whenever i am using the packet mode and filter the source destination and port not getting the consistent output . that is the main issue.

I am querying the rulebase base API and applying the below mentioned filter

-

filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"

Are you a member of CheckMates?

API call to see if rule already exists