Aathi
Contributor

API command to get the disable rule


Hi Team,

 

I am trying to get the disabled rules in the Check Point rule base by using API or mgmt_cli commands, the way we are getting the zero hit count rule.

Can you share the command to get the disabled rules from rulebases?

Thanks in advance.

 

Regards

Aathi

 

0 Kudos
15 Replies
PhoneBoy
Admin
Admin
There is not a specific API to retrieve disabled rules.
However, you can retrieve the rulebase via mgmt_cli and use jq to filter the results using a select statement.
0 Kudos
Aathi
Contributor

Hi PhoneBoy,

By using the jq filter I got the UID, and I also need to get the source, destination and port as well (need to get the exact rulebase by using UID or something). Is it possible to get those? If yes, can you please share the exact syntax for the same?

Thanks in advance.

 

0 Kudos
PhoneBoy
Admin
Admin

What CLI do you have so far?

0 Kudos
Aathi
Contributor

Hi Phoneboy.

It's mgmt_cli.

 

0 Kudos
Sigbjorn
Advisor

Quick PowerShell example code to extract the disabled rules.

As for the actual source/destination/service, these are UIDs of the actual objects, so you would need to do another query in the foreach loop to resolve them to names if that's what you're looking for.

 

[string]$BaseUri = "https://10.10.1.1/web_api"
[string]$domain = "Domainname"  # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"

$loginData = @{
    "user" = $user
    "password" = $pass
    "domain" = $domain # Only used for MDS servers
} | ConvertTo-Json

Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }

$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid" = $login.sid
}



# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = "demo-policy Network"
    } | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($i in $rules.rulebase.rulebase) {  
    if ($i.enabled -like "False") {
        Write-Output "Rulename: $($i.name), Source: $($i.source), Destination: $($i.destination), Service: $($i.service), Enabled: $($i.enabled)"
        }
}


Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)
Aathi
Contributor

Hi Sigbjorn,

I tried to get the source name, destination name and service using a foreach loop but am getting an error. Can you share the exact syntax to get the same?

Thanks in advance.

 

 

 

0 Kudos
Sigbjorn
Advisor

Hi,

This should do it:

# Assumes $BaseUri and $headers from the login in the earlier script
$layer = "demo-policy Network"  # layer name used in the earlier script

# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($y in $rules.rulebase.rulebase) {
    # Fetch the full rule so source/destination/service come back as objects with names
    $body = @{
        "uid" = $($y.uid)
        "layer" = $layer
    } | ConvertTo-Json
    $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
    if ($($rule.enabled) -like "False") {
        Write-Output "Disabled rule, Rulename: $($rule.name), Enabled: $($rule.enabled), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
}
0 Kudos
Aathi
Contributor

Hi Sigbjorn,

Thanks for sharing the scripts. Can you help us to get the already expired rule base list?

Thanks in advance.

 

0 Kudos
Sigbjorn
Advisor

Hi Aathi, I'm not entirely sure what you're looking for.

Could you elaborate?

0 Kudos
Aathi
Contributor

Hi Sigbjorn,

 

I want to get the rules which are already expired, like we got for disabled rules from the Check Point rulebase.

Please let us know if any scripts for the same.

Regards

Aathi

 

 

0 Kudos
REDW0LF
Explorer

Here is a mgmt_cli API call you can try. I modified it from a call I use to grab zero hits rules. If you are not running a multi-domain management server you can remove the -d option. This will send the results to a CSV file as well. You may be having the problem retrieving source and destination if they have more than one object. The [] specifies that those fields are arrays. The one limitation I haven't been able to get around is that those fields return UID values rather than their plain text names.

mgmt_cli -d <domain> show access-rulebase offset 0 limit 2000 uid "<rulebase UID>" details-level "standard" use-object-dictionary true --format json -u <username> |jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > <csvfilename>.csv

 

Ron

0 Kudos
Aathi
Contributor

Hi REDWOLF,

Thanks for the update. I tried but am getting the below error. Can you help on this?

[Expert@XXX:0]# mgmt_cli show access-rulebase offset 0 limit 2000 uid "cafc790f-681d-49ea-b44c-b618dc937c66" details-level "standard" use-object-dictionary true --format json -u admin|jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > aathi.csv
Password:

jq: error: Cannot iterate over null

Can you help on this?

0 Kudos
PhoneBoy
Admin
Admin

That means there's an error in the jq statement.
You've got .rulebase[] in there twice.
Also it looks like the select doesn't do what you want.
Most of the results return a UID, which I assume you want in some sort of human readable format.
Also, setting the limit to 2000 will not return all results, you will need to make multiple calls using the offset parameter to get the next 50 results (or so).
Not exactly right, but this is a lot closer:

mgmt_cli -s sid.txt show access-rulebase name "LayerName" details-level full --format json | jq -r '.rulebase[] | select (.enabled == false)| .uid' | while read X; do
  mgmt_cli -s sid.txt --format json show access-rule uid $X layer "LayerName" |
    jq -r '[.uid, .name, .source[].name, .destination[].name, .service[].name, .action.name]|@csv'
done

At a high level, this is:

  • Getting the UID of the rules that are disabled (note you will need to use limit/offset in this command and call it multiple times to get all the rules).
  • For each rule UID, get human readable source/destination/service/action and output in something that looks like a CSV file (though each source/destination/service will create a column).

There may be some way to clean up the jq further here so you get a cleaner CSV file.

0 Kudos
Aathi
Contributor

Hi SIG,

Thank you so much for sharing the script.

This script only checks the first 50 rules from the rulebase. Is there any way to check all the rulebases?

Thanks 

0 Kudos
PhoneBoy
Admin
Admin

The API only returns a limited number of results by design.
That is true even if you specify a higher limit in the API call.
You would have to make multiple calls to the same API using the offset parameter iteratively to get all the results.

0 Kudos
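
The offset paging described above, combined with the object dictionary so names are resolved without a second call per rule. This is an added example, not code from any post in the thread. It assumes `$BaseUri` and `$headers` come from a login like the one in the PowerShell script earlier in the thread; the function names `Select-DisabledRule` and `Get-DisabledRule` are hypothetical and the sample JSON is constructed.

```powershell
# Added example, not from the thread. Assumes $BaseUri and $headers (with x-chkp-sid)
# were set by a login like the one earlier in the thread; the layer name is supplied by the caller.
function Select-DisabledRule {
    # Recurse through one page of entries (rules and sections), keep disabled rules,
    # and map source/destination/service UIDs to names via the objects dictionary.
    param($Entries, [hashtable]$Names)
    foreach ($e in $Entries) {
        if ($e.type -eq 'access-section') {
            Select-DisabledRule -Entries $e.rulebase -Names $Names
        } elseif ($e.enabled -eq $false) {
            [pscustomobject]@{
                Name        = $e.name
                Uid         = $e.uid
                Source      = ($e.source      | ForEach-Object { $Names[$_] }) -join ';'
                Destination = ($e.destination | ForEach-Object { $Names[$_] }) -join ';'
                Service     = ($e.service     | ForEach-Object { $Names[$_] }) -join ';'
            }
        }
    }
}
function Get-DisabledRule {
    # Page through show-access-rulebase until 'to' reaches 'total'.
    param([string]$Layer, [int]$Limit = 50)
    $offset = 0
    do {
        $body = @{
            'name' = $Layer; 'offset' = $offset; 'limit' = $Limit
            'details-level' = 'standard'; 'use-object-dictionary' = $true
        } | ConvertTo-Json
        $page = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers
        $names = @{}
        foreach ($o in $page.'objects-dictionary') { $names[$o.uid] = $o.name }
        Select-DisabledRule -Entries $page.rulebase -Names $names
        $offset = $page.to   # next page starts after the last rule returned
    } while ($page.to -lt $page.total)
}

# Constructed sample page (not real API output) to exercise the filter offline.
$sample = @'
{"rulebase":[{"type":"access-section","name":"DMZ","rulebase":[
  {"type":"access-rule","uid":"r1","name":"old-ftp","enabled":false,
   "source":["o1"],"destination":["o2","o3"],"service":["o4"]},
  {"type":"access-rule","uid":"r2","name":"web","enabled":true,
   "source":["o1"],"destination":["o2"],"service":["o4"]}]}],
 "objects-dictionary":[{"uid":"o1","name":"Any"},{"uid":"o2","name":"dmz-net"},
  {"uid":"o3","name":"ftp-srv"},{"uid":"o4","name":"ftp"}]}
'@ | ConvertFrom-Json
$names = @{}
foreach ($o in $sample.'objects-dictionary') { $names[$o.uid] = $o.name }
Select-DisabledRule -Entries $sample.rulebase -Names $names
```

Against a live server, `Get-DisabledRule -Layer "demo-policy Network" | Export-Csv disabled.csv -NoTypeInformation` writes one row per disabled rule, with multiple sources, destinations or services joined by `;` in a single column.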