Hi Team,
I am trying to get the disabled rules in the Check Point rule base by using API or mgmt_cli commands, the way we are getting the zero hit count rule.
Can you share the command to get the disabled rules from rulebases?
Thanks in advance.
Regards
Aathi
Quick PowerShell example code to extract the disabled rules.
As for the actual source/destination/service, these are UIDs of the actual object, so you would need to do another query in the foreach loop to resolve them to names if that's what you're looking for.
[string]$BaseUri = "https://10.10.1.1/web_api"
[string]$domain = "Domainname" # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"

$loginData = @{
    "user" = $user
    "password" = $pass
    "domain" = $domain # Only used for MDS servers
} | ConvertTo-Json

Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }

$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid" = $login.sid
}

# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = "demo-policy Network"
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($i in $rules.rulebase.rulebase) {
    if ($i.enabled -like "False") {
        Write-Output "Rulename: $($i.name), Source: $($i.source), Destination: $($i.destination), Service: $($i.service), Enabled: $($i.enabled)"
    }
}

Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)
Hi PhoneBoy,
By using a jq filter I got the UID, and I also need to get the source, destination and port as well (need to get the exact rulebase by using UID or something). Is it possible to get those? If yes, can you please share the exact syntax for the same?
Thanks in advance.
What CLI do you have so far?
Hi Phoneboy.
It's mgmt_cli.
Hi Sigbjorn,
I tried to get the source name, destination name and service using a foreach loop but am getting an error. Can you share the exact syntax to get the same?
Thanks in advance.
Hi,
This should do it:
# Layer to query (the layer name from the earlier script); login and $headers as before
$layer = "demo-policy Network"

# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($y in $rules.rulebase.rulebase) {
    # Fetch each rule on its own so source/destination/service come back as objects with names
    $body = @{
        "uid" = $($y.uid)
        "layer" = $layer
    } | ConvertTo-Json
    $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
    if ($($rule.enabled) -like "False") {
        Write-Output "Disabled rule, Rulename: $($rule.name), Enabled: $($rule.enabled), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
}
Hi Sigbjorn,
Thanks for sharing the scripts. Can you help us to get the already expired rule base list?
Thanks in advance.
Hi Aathi, I'm not entirely sure what you're looking for.
Could you elaborate?
Hi Sigbjorn,
I want to get the rules which are already expired, like we got for disabled rules from the Check Point rulebase.
Please let us know if there are any scripts for the same.
Regards
Aathi
Here is a mgmt_cli API call you can try. I modified it from a call I use to grab zero hits rules. If you are not running a multi-domain management server you can remove the -d option. This will send the results to a CSV file as well. You may be having the problem retrieving source and destination if they have more than one object. The [] specifies those fields are arrays. The one limitation I haven't been able to get around is those fields return UID values rather than their plain text names.
mgmt_cli -d <domain> show access-rulebase offset 0 limit 2000 uid "<rulebase UID>" details-level "standard" use-object-dictionary true --format json -u <username> |jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > <csvfilename>.csv
Ron
Hi REDWOLF,
Thanks for the update. I tried but am getting the below error. Can you help on this?
[Expert@XXX:0]# mgmt_cli show access-rulebase offset 0 limit 2000 uid "cafc790f-681d-49ea-b44c-b618dc937c66" details-level "standard" use-object-dictionary true --format json -u admin|jq -r '.rulebase[].rulebase[]|select(.enabled = "False")| [."uid", ."name", ."comments", ."enabled", .source[], .destination[], .service[]]|@csv' > aathi.csv
Password:
jq: error: Cannot iterate over null
Can you help on this?
That means there's an error in the jq statement.
You've got .rulebase[] in there twice.
Also it looks like the select doesn't do what you want.
Most of the results return a UID, which I assume you want in some sort of human readable format.
Also, setting the limit to 2000 will not return all results; you will need to make multiple calls using the offset parameter to get the next 50 results (or so).
Not exactly right, but this is a lot closer:
mgmt_cli -s sid.txt show access-rulebase name "LayerName" details-level full --format json | jq -r '.rulebase[] | select (.enabled == false)| .uid' | while read -r X; do
    # Look up each disabled rule by UID so the fields come back with names
    mgmt_cli -s sid.txt --format json show access-rule uid "$X" layer "LayerName" |
        jq -r '[.uid, .name, .source[].name, .destination[].name, .service[].name, .action.name]|@csv'
done
At a high level, this is:
There may be some way to clean up the jq further here so you get a cleaner CSV file.
Hi SIG,
Thank you so much for sharing the script.
This script only checks the first 50 rules from the rulebase. Is there any way to check all the rulebases?
Thanks
The API only returns a limited number of results by design.
That is true even if you specify a higher limit in the API call.
You would have to make multiple calls to the same API using the offset parameter iteratively to get all the results.
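The paging loop described in this thread, written out as an added example in Python (not code from any poster or from Check Point): it walks every page of `show-access-rulebase` output, descends into sections, keeps rules with `enabled` set to false, and resolves UIDs through the `objects-dictionary` returned when `use-object-dictionary` is true. `fetch_page` is a hypothetical callable standing in for the authenticated API call with `offset` and `limit`; the sample rules, names and UIDs are constructed.

```python
# Added example. fetch_page and all sample data are hypothetical/constructed.
def iter_rules(entries):
    """Yield access rules, descending into access sections."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        else:
            yield entry

def collect_disabled_rules(fetch_page, limit=50):
    """fetch_page(offset, limit) -> parsed show-access-rulebase reply (dict)."""
    names, disabled, offset = {}, [], 0
    while True:
        page = fetch_page(offset, limit)
        # Each page carries a dictionary for the UIDs it references.
        for obj in page.get("objects-dictionary", []):
            names[obj["uid"]] = obj["name"]
        for rule in iter_rules(page.get("rulebase", [])):
            if rule.get("enabled") is False:
                row = {"uid": rule["uid"], "name": rule.get("name", "")}
                for field in ("source", "destination", "service"):
                    # A UID missing from the dictionary is kept as-is.
                    row[field] = [names.get(u, u) for u in rule.get(field, [])]
                disabled.append(row)
        # Stop on the last page, or on an empty page so the loop cannot spin.
        if page.get("to", 0) >= page.get("total", 0) or not page.get("rulebase"):
            return disabled
        offset = page["to"]  # 'to' is the index of the last entry returned

# Constructed sample: three top-level entries, one of them a section.
SAMPLE_DICT = [{"uid": "u-any", "name": "Any"}, {"uid": "u-web", "name": "WebSrv"},
               {"uid": "u-https", "name": "https"}]

def make_rule(uid, name, enabled, src="u-any"):
    return {"type": "access-rule", "uid": uid, "name": name, "enabled": enabled,
            "source": [src], "destination": ["u-web"], "service": ["u-https"]}

SAMPLE_ENTRIES = [
    make_rule("r1", "Allow web", True),
    {"type": "access-section", "name": "Legacy",
     "rulebase": [make_rule("r2", "Old FTP", False)]},
    make_rule("r3", "Temp access", False, src="u-missing"),
]

def sample_fetch(offset, limit):
    """Stand-in for the API: returns one page of the constructed rulebase."""
    chunk = SAMPLE_ENTRIES[offset:offset + limit]
    return {"rulebase": chunk, "objects-dictionary": SAMPLE_DICT,
            "from": offset + 1, "to": offset + len(chunk), "total": len(SAMPLE_ENTRIES)}

if __name__ == "__main__":
    for r in collect_disabled_rules(sample_fetch, limit=2):
        print(r)
```

Taking the next offset from the reply's `to` value, rather than adding the requested limit, keeps the loop correct when the server returns fewer entries than asked for.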