Is there an API call to see if a rule already exists? Something better than where-used? Something more along the lines of Packet Mode on the GUI.
The "show access-rulebase" command has an option to filter in a similar manner as packet mode in SmartConsole.
Using demo mode in R80.20:
```
show access-rulebase name "Network" package "Corporate_Policy" filter "200.200.200.200" filter-settings.search-mode packet limit 2
```
Response (shortened):
```
uid: "b406b732-2437-4848-9741-6eae1f5bf112"
name: "Network"
rulebase:
- uid: "dedb6e70-fe6c-45be-bcd3-18fab46c02dd"
  name: "Security Gateways Access"
  type: "access-section"
  from: 1
  to: 1
  rulebase:
  - uid: "39d0e851-0f12-46c9-bd85-b402d1181fba"
    name: "Stealth rule"
    type: "access-rule"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
    rule-number: 2
    filter-match-details:
    - column: "source"
      objects:
      - "97aeb369-9aea-11d5-bd16-0090272ccb30"
    ...
    source:
    - "97aeb369-9aea-11d5-bd16-0090272ccb30"
    source-negate: false
    destination:
    - "4a773692-84b5-4b81-a8da-320bf64081c0"
    destination-negate: false
    service:
    - "97aeb369-9aea-11d5-bd16-0090272ccb30"
    service-negate: false
.....
```
More information can be found in the management API documentation at the following link.
- https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.2%20
Thanks, I'm looking for something human-readable. Is there a way to see the rules over the CLI?
Is there an easy way to "convert" UIDs to names? "show access-rulebase" has all the data, but, for example, sources are listed as UIDs instead of names.
I am aware of "show object" command, but in case I have 100 sources...
The only idea I have is to check UID of specific rule and show the content via "show access-rule".
Any better way possible?
You can add the use-object-dictionary false option to include the object names.
```
[admin@vMgmt01]# mgmt_cli -s session.id show access-rulebase name "gw01 Network" offset 12 limit 1 use-object-dictionary false
uid: "5bfb5361-84d8-4b55-a0b6-a1c309dab52b"
name: "gw01 Network"
rulebase:
- uid: "2ca377fb-003e-4890-99fa-6128112083a8"
  name: "Allowed Internet Access"
  type: "access-section"
  from: 13
  to: 13
  rulebase:
  - uid: "49e3ebbd-9761-4381-8951-ec2972f517a3"
    name: "HTTP/HTTPS"
    ...
    source:
    - uid: "fb7f60bd-d4df-4f2d-adf8-664251f8954a"
      name: "NET-10.22.33.0"
      type: "network"
      domain:
      ...
    service:
    - uid: "97aeb3d4-9aea-11d5-bd16-0090272ccb30"
      name: "http"
      type: "service-tcp"
      domain:
        uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
        name: "Check Point Data"
        domain-type: "data domain"
      port: "80"
    - uid: "97aeb443-9aea-11d5-bd16-0090272ccb30"
      name: "https"
      type: "service-tcp"
      ...
```
Hi,
I tried to use use-object-dictionary as false, but the object name is still not coming, I am only getting the uid. Can anyone help me?
Below are the REST API call and the options I am using:
```yaml
url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
  X-chkp-sid: "{{ login.json.sid }}"
body:
  offset: 0
  limit: 20
  name: "Network"
  use-object-dictionary: "false"
  details-level: full
```
Appreciate your help in advance
If you are using this API inside a script, you can leverage the use-object-dictionary option to convert the uid to an object name, or, if you prefer, you can use the following API call
```
mgmt_cli show object uid "ef82887c-d08f-49a3-a18f-a376be633848" --format json
```
to get the name and type for every object you need.
Can you share your api call and response please?
Thanks for your reply.
I used use-object-dictionary true, but for some objects I did not get the name.
Hi,
I am making a call to the rulebase API and using a filter to grab the matching rule for source, destination and port. However, the issue is that in some cases I get the correct output, where source, destination and port are there, but in some cases I do not get the desired result.
I mean all the other rules come up for the destination, but the source is not in the output.
I have one question about using the filter in packet mode: do we require live traffic on the gateway? Will the packet mode filter work on the rulebase database without live traffic?
My API call:
```yaml
- name: Checking rule base for source and destiantion
  uri:
    url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
    validate_certs: False
    method: POST
    headers:
      x-chkp-sid: "{{ login.json.sid }}"
    body:
      offset: 0
      limit: 500
      name: "Network"
      details-level: "full"
      use-object-dictionary: true
      filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"
    body_format: json
  register: rule_search
- set_fact:
    rule_search_result: "{{rule_search | to_json}}"
- debug:
    var: rule_search_result
```
And how do I parse the output for a specific source, destination and port?
I appreciate your help in advance. I am totally stuck here, please help me.
What do you mean by live traffic?
The API call does a query for rules currently defined on the manager: your gateway could have a different version of the rulebase, if you edited it and did not install it...
For sure, you can achieve the "rule lookup" using packet mode and the filter-settings (take a look at the API guide)...
In case you need to resolve, e.g., the "uid" for the action object, I suggest you use the API call "show object" with the uid as input.
For a specific issue, please share a picture of what you want 🙂
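An added example, not part of any post in this thread and not Check Point code: one way to turn a parsed `show-access-rulebase` JSON reply into readable rules by resolving UIDs through its `objects-dictionary` list and descending into sections. The sample reply is constructed, and the function names `iter_rules` and `readable_rules` are hypothetical.

```python
# Constructed sample shaped like a show-access-rulebase reply
# (use-object-dictionary true); all UIDs and names are made up.
SAMPLE = {
    "objects-dictionary": [
        {"uid": "u-net", "name": "NET-10.22.33.0", "type": "network"},
        {"uid": "u-any", "name": "Any", "type": "CpmiAnyObject"},
        {"uid": "u-http", "name": "http", "type": "service-tcp"},
        {"uid": "u-accept", "name": "Accept", "type": "RulebaseAction"},
    ],
    "rulebase": [
        {"type": "access-section", "name": "Allowed Internet Access", "rulebase": [
            {"type": "access-rule", "rule-number": 13, "name": "HTTP/HTTPS",
             "source": ["u-net"], "destination": ["u-any"],
             "service": ["u-http", "u-missing"], "action": "u-accept"},
        ]},
        {"type": "access-rule", "rule-number": 14, "name": "Cleanup",
         "source": [{"uid": "u-any", "name": "Any"}], "destination": ["u-any"],
         "service": ["u-any"], "action": "u-drop"},
    ],
}

def iter_rules(entries):
    """Yield access rules, descending into access-section entries."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        else:
            yield entry

def readable_rules(reply):
    """Return one dict per rule with UIDs replaced by names where known."""
    names = {o["uid"]: o["name"] for o in reply.get("objects-dictionary", [])}
    def label(ref):
        # Inline objects (use-object-dictionary false) already carry a name.
        if isinstance(ref, dict):
            return ref.get("name", ref.get("uid"))
        return names.get(ref, ref)  # unresolved UIDs stay visible
    out = []
    for rule in iter_rules(reply.get("rulebase", [])):
        row = {"number": rule.get("rule-number"), "name": rule.get("name")}
        for col in ("source", "destination", "service"):
            row[col] = [label(r) for r in rule.get(col, [])]
        row["action"] = label(rule.get("action"))
        out.append(row)
    return out

if __name__ == "__main__":
    for row in readable_rules(SAMPLE):
        print(row)
```

Any UID that is left unresolved in the output can be looked up individually with `show object`, as suggested in the thread.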
Thanks, Nickel, for your reply.
However, what I have observed is that whenever I use packet mode and filter on source, destination and port, I do not get consistent output. That is the main issue.
I am querying the rulebase API and applying the filter below:
filter: "src:10.70.101.188 AND dst:10.9.17.65 AND svc:30000 AND action:6c488338-8eec-4103-ad21-cd461ac2c472"