Hi Team,
Is there any API or CLI command to get the "Any" access, either on source, destination or port, in a Check Point policy?
I also need the UID of that rulebase.
It's possible you can use show-access-rulebase with the filter option, but I find it easier to just loop through the rulebase.
Here's a sample PowerShell script to list rules with "Any" src/dst/svc:
```powershell
# Management API endpoint, credentials and the access layer to inspect
[string]$BaseUri = "https://10.10.2.1/web_api"
[string]$domain = "domainname" # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"
[string]$layer = "demo-policy Network"

# Login and keep the session id for the following calls
$loginData = @{
    "user" = $user
    "password" = $pass
    "domain" = $domain # Only used for MDS servers
} | ConvertTo-Json
Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }
$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid" = $login.sid
}

# Get RuleBase (rules are expected inside sections, hence rulebase.rulebase)
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

# Fetch each rule by UID and report the ones using "Any"
foreach ($y in $rules.rulebase.rulebase) {
    $body = @{
        "uid" = $($y.uid)
        "layer" = $layer
    } | ConvertTo-Json
    $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
    if ($($rule.source.name) -like "Any") {
        Write-Output "Any Source, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
    elseif ($($rule.destination.name) -like "Any") {
        Write-Output "Any Destination, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
    elseif ($($rule.service.name) -like "Any") {
        Write-Output "Any Service, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    }
}

# Close the API session
Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)
```
Thank you so much Sigbjorn. Do you have any bash script to run it from a Linux machine (I need to run it from a Linux machine)?
I don't have this example for bash, but if you just follow the same logic, you can do the same stuff with curl, or even a bit easier (imo) with Python and the requests and json libraries.
If you search this forum, I think you'll find a (near) complete Python SDK, so it's easier to get started.
Directly with mgmt_cli/API? I don't believe so.
By processing the output of the API (e.g. mgmt_cli piped through jq), yes.
I would loop through the rules as @Sigbjorn suggests and only print rules where "any" is used.
Thanks Sigbjorn and phoneboy. The script is working. Is there any way to get the details of the admin who installed the Any rule?
Just add $($rule.'meta-info'.creator) or $($rule.'meta-info'.'last-modifier') to get the username of who created the rule, and who last modified it.
If you run this in PowerShell ISE, you can just type $rule in the console after it ran to see all the details included for the last rule in the loop. This can give you an idea about what other details you can pull out.
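Following the replies above that suggest doing this in Python and pulling the meta-info fields, here is an added example (not code from this thread or from Check Point) that applies the same "Any" check to a constructed show-access-rulebase reply, descends into sections so rules outside them are not missed, skips a negated "Any" (which matches nothing), and reports creator and last-modifier. The login and HTTP calls are left out so it runs offline; the UIDs and usernames in the sample are made up.

```python
import json

# Constructed sample in the shape of a show-access-rulebase reply (rules can
# sit inside access-section entries) plus the meta-info show-access-rule adds.
SAMPLE_RULEBASE = json.loads("""
{"name": "demo-policy Network", "rulebase": [
 {"type": "access-section", "name": "Admin access", "rulebase": [
  {"type": "access-rule", "uid": "aaaa0001", "name": "mgmt to fw",
   "source": [{"name": "mgmt-net"}], "destination": [{"name": "fw-cluster"}],
   "service": [{"name": "ssh"}], "action": {"name": "Accept"},
   "meta-info": {"creator": "alice", "last-modifier": "alice"}},
  {"type": "access-rule", "uid": "aaaa0002", "name": "temp allow",
   "source": [{"name": "Any"}], "destination": [{"name": "dmz-web"}],
   "service": [{"name": "https"}], "action": {"name": "Accept"},
   "meta-info": {"creator": "bob", "last-modifier": "carol"}}]},
 {"type": "access-rule", "uid": "aaaa0003", "name": "cleanup",
  "source": [{"name": "Any"}], "destination": [{"name": "Any"}],
  "service": [{"name": "Any"}], "action": {"name": "Drop"},
  "meta-info": {"creator": "alice", "last-modifier": "alice"}}]}
""")

def iter_rules(entries):
    # Walk the rulebase, descending into sections so no rule is skipped.
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry

def any_fields(rule):
    # Fields holding "Any"; a negated "Any" matches nothing, so it is ignored.
    hits = []
    for field in ("source", "destination", "service"):
        names = [obj.get("name") for obj in rule.get(field, [])]
        if "Any" in names and not rule.get(f"{field}-negate", False):
            hits.append(field)
    return hits

def find_any_rules(rulebase):
    # One summary record per open rule, including who created/last modified it.
    report = []
    for rule in iter_rules(rulebase.get("rulebase", [])):
        hits = any_fields(rule)
        if hits:
            meta = rule.get("meta-info", {})
            report.append({"uid": rule["uid"], "name": rule.get("name"),
                           "any": hits, "action": rule["action"]["name"],
                           "creator": meta.get("creator"),
                           "last-modifier": meta.get("last-modifier")})
    return report
```

To use it against a live server, feed `find_any_rules` the parsed JSON of show-access-rulebase with details-level "full" (or the per-rule show-access-rule replies) obtained through the same login/x-chkp-sid flow as the PowerShell script above.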