Hi Team,
I am trying to get the disabled rules in the Check Point rule base by using the API or mgmt_cli commands, the way we are getting the zero-hit-count rules.
Can you share the command to get the disabled rules from the rulebases?
Thanks in advance.
Regards
Aathi
Quick PowerShell example code to extract the disabled rules.
As for the actual source/destination/service, these are UIDs of the actual objects, so you would need to do another query in the foreach loop to resolve them to names if that's what you're looking for.
[string]$BaseUri = "https://10.10.1.1/web_api"
[string]$domain = "Domainname" # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"

$loginData = @{
    "user"     = $user
    "password" = $pass
    "domain"   = $domain # Only used for MDS servers
} | ConvertTo-Json

Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }
$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid"   = $login.sid
}

# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = "demo-policy Network"
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($i in $rules.rulebase.rulebase) {
    if ($i.enabled -like "False") {
        Write-Output "Rulename: $($i.name), Source: $($i.source), Destination: $($i.destination), Service: $($i.service), Enabled: $($i.enabled)"
    }
}

Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)
Hi PhoneBoy,
By using a jq filter I got the UID, and I also need to get the source, destination and port as well (need to get the exact rulebase by using the UID or something). Is it possible to get those? If yes, can you please share the exact syntax for the same.
Thanks in advance.
What CLI do you have so far?
Hi Phoneboy.
It's mgmt_cli.
Hi Sigbjorn,
I tried to get the source name, destination name and service using a foreach loop but am getting an error; can you share the exact syntax to get the same?
Thanks in advance.
Hi,
This should do it:
# Continues from the login script above: $BaseUri and $headers (with the
# x-chkp-sid session header) must already be set.
[string]$layer = "demo-policy Network"

# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($y in $rules.rulebase.rulebase) {
    # show-access-rule returns the referenced objects with their names,
    # so the UIDs from show-access-rulebase can be resolved per rule.
    $body = @{
        "uid"   = $($y.uid)
        "layer" = $layer
    } | ConvertTo-Json
    $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
    if ($($rule.enabled) -like "False") {
        Write-Output "Disabled rule, Rulename: $($rule.name), Enabled: $($rule.enabled), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
}
Hi Sigbjorn,
Thanks for sharing the scripts. Can you help us get the list of already expired rules from the rule base?
Thanks in advance.
Hi Aathi, I'm not entirely sure what you're looking for.
Could you elaborate?
Hi Sigbjorn,
I want to get the rules which have already expired, like we got for the disabled rules from the Check Point rulebase.
Please let us know if there are any scripts for the same.
Regards
Aathi
Here is a mgmt_cli API call you can try. I modified it from a call I use to grab zero-hit rules. If you are not running a multi-domain management server you can remove the -d option. This will send the results to a CSV file as well. You may be having the problem retrieving source and destination if they have more than one object; the [] specifies those fields are arrays. The one limitation I haven't been able to get around is that those fields return UID values rather than their plain-text names.
mgmt_cli -d <domain> show access-rulebase offset 0 limit 2000 uid "<rulebase UID>" details-level "standard" use-object-dictionary true --format json -u <username> |jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > <csvfilename>.csv
Ron
Hi REDWOLF,
Thanks for the update. I tried but am getting the below error; can you help on this?
[Expert@XXX:0]# mgmt_cli show access-rulebase offset 0 limit 2000 uid "cafc790f-681d-49ea-b44c-b618dc937c66" details-level "standard" use-object-dictionary true --format json -u admin|jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > aathi.csv
Password:
jq: error: Cannot iterate over null
Can you help on this?
That means there's an error in the jq statement.
You've got .rulebase[] in there twice.
Also it looks like the select doesn't do what you want.
Most of the results return a UID, which I assume you want in some sort of human readable format.
Also, setting the limit to 2000 will not return all results, you will need to make multiple calls using the offset parameter to get the next 50 results (or so).
Not exactly right, but this is a lot closer:
mgmt_cli -s sid.txt show access-rulebase name "LayerName" details-level full --format json | jq -r '.rulebase[] | select (.enabled == false)| .uid' | while read X; do
    mgmt_cli -s sid.txt --format json show access-rule uid $X layer "LayerName" |
        jq -r '[.uid, .name, .source[].name, .destination[].name, .service[].name, .action.name]|@csv'
done
At a high level, this is:
There may be some way to clean up the jq further here so you get a cleaner CSV file.
Hi SIG,
Thank you so much for sharing the script.
This script only checks the first 50 rules from the rulebase; is there any way to check all the rulebases?
Thanks
The API only returns a limited number of results by design.
That is true even if you specify a higher limit in the API call.
You would have to make multiple calls to the same API using the offset parameter iteratively to get all the results.
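The two recurring problems in this thread, the UIDs that come back instead of object names and the page size cap that hides everything past the first 50 rules, are handled together in the following added example. It is not code from any poster or from Check Point: it walks an access layer with offset/limit until "to" reaches "total", flattens access-section containers, keeps only rules whose enabled is false, and resolves UIDs through the objects-dictionary that show-access-rulebase returns when use-object-dictionary is true. The page data is constructed so the script runs offline; api_show_page is the assumed shape of the real call (a POST to show-access-rulebase with the X-chkp-sid session header) and is not exercised here.

```python
"""Added example for this thread (not code from any poster): paginate
show-access-rulebase, flatten sections, keep disabled rules, and map UIDs
to names via objects-dictionary.  Transport is mocked with constructed data."""
import copy
import csv
import io
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

PageFetcher = Callable[[int, int], dict]   # (offset, limit) -> one API page

# ---- constructed sample: two pages of limit 2, total 3 rules -------------
_DICT = [  # shape of the "objects-dictionary" array (uid -> name)
    {"uid": "u-any", "name": "Any"}, {"uid": "u-h1", "name": "web-srv-1"},
    {"uid": "u-n1", "name": "dmz-net"}, {"uid": "u-http", "name": "http"},
    {"uid": "u-drop", "name": "Drop"}, {"uid": "u-accept", "name": "Accept"},
]

def _rule(uid, name, enabled, src, dst, svc, action):
    return {"type": "access-rule", "uid": uid, "name": name, "enabled": enabled,
            "source": src, "destination": dst, "service": svc, "action": action}

_PAGES = {  # keyed by offset; the "DMZ" section straddles both pages
    0: {"from": 1, "to": 2, "total": 3, "objects-dictionary": _DICT, "rulebase": [
        _rule("r-1", "allow-web", True, ["u-any"], ["u-h1"], ["u-http"], "u-accept"),
        {"type": "access-section", "name": "DMZ", "rulebase": [
            _rule("r-2", "old-dmz-drop", False, ["u-n1"], ["u-any"], ["u-http"], "u-drop")]}]},
    2: {"from": 3, "to": 3, "total": 3, "objects-dictionary": _DICT, "rulebase": [
        {"type": "access-section", "name": "DMZ", "rulebase": [
            _rule("r-3", "legacy-allow", False, ["u-h1", "u-n1"], ["u-any"], ["u-http"], "u-accept")]}]},
}

def mock_show_page(offset: int, limit: int) -> dict:
    """Stands in for 'show access-rulebase offset N limit M' (constructed data)."""
    return copy.deepcopy(_PAGES.get(offset, {"from": 0, "to": 0, "total": 3, "rulebase": []}))

def api_show_page(base_uri: str, sid: str, layer: str) -> PageFetcher:
    """Real transport (assumed request shape; not run in this example)."""
    def fetch(offset: int, limit: int) -> dict:
        body = json.dumps({"name": layer, "offset": offset, "limit": limit,
                           "details-level": "standard", "use-object-dictionary": True}).encode()
        req = urllib.request.Request(f"{base_uri}/show-access-rulebase", data=body,
                                     headers={"Content-Type": "application/json", "X-chkp-sid": sid})
        # Default context verifies the server certificate; trust the management
        # server's CA instead of turning verification off.
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.load(resp)
    return fetch

def iter_rules(items: List[dict]):
    """Yield access-rule entries, descending into access-section containers."""
    for item in items:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item

def fetch_all_rules(show_page: PageFetcher, limit: int = 50):
    """Advance offset by the page size until 'to' reaches 'total'."""
    rules, names, offset = [], {}, 0
    while True:
        page = show_page(offset, limit)
        got = list(iter_rules(page.get("rulebase", [])))
        rules.extend(got)
        names.update({o["uid"]: o["name"] for o in page.get("objects-dictionary", [])})
        if not got or page.get("to", 0) >= page.get("total", 0):
            return rules, names
        offset += limit   # offset counts rules, which is why sections can split

def _names(value, names: Dict[str, str]) -> List[str]:
    uids = value if isinstance(value, list) else [value]
    return [names.get(u, u) for u in uids]   # unresolved UIDs are kept as-is

def disabled_rules(show_page: PageFetcher, limit: int = 50) -> List[dict]:
    rules, names = fetch_all_rules(show_page, limit)
    return [{"uid": r["uid"], "name": r["name"],
             "source": _names(r["source"], names), "destination": _names(r["destination"], names),
             "service": _names(r["service"], names), "action": _names(r["action"], names)[0]}
            for r in rules if r.get("enabled") is False]

def to_csv(rows: List[dict]) -> str:
    """One row per disabled rule; multi-object fields are joined with ';'."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["uid", "name", "source", "destination", "service", "action"])
    for r in rows:
        w.writerow([r["uid"], r["name"], ";".join(r["source"]), ";".join(r["destination"]),
                    ";".join(r["service"]), r["action"]])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(disabled_rules(mock_show_page, limit=2)))
```

To run it against a live management server, log in first (as in the PowerShell script above) and pass `api_show_page(base_uri, sid, "LayerName")` in place of `mock_show_page`, keeping the default limit of 50. Merging every page's objects-dictionary matters because an object referenced on page three may only be listed in that page's dictionary.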