Aathi
Contributor

Any CLI/API command to filter the "Any" access on a Check Point rule base?

Hi Team,

 

Is there any API or CLI command to get the "Any" access, either on source, destination or port, in a Check Point policy?

And I also need the UID of that rulebase.

0 Kudos
6 Replies
Sigbjorn
Advisor

It's possible you can use show-access-rulebase with the filter option, but I find it easier to just loop through the rulebase.

Here's a sample PowerShell script to list rules with "Any" src/dst/svc.

[string]$BaseUri = "https://10.10.2.1/web_api"
[string]$domain = "domainname"  # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"
[string]$layer = "demo-policy Network"

$loginData = @{
    "user" = $user
    "password" = $pass
    "domain" = $domain # Only used for MDS servers
} | ConvertTo-Json

# The management server uses a self-signed certificate by default; on PowerShell 6+ add
# -SkipCertificateCheck to the Invoke-RestMethod calls unless a trusted certificate is installed
Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }

$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid" = $login.sid
}

# Get RuleBase (the API returns 50 entries by default; 500 is the maximum per call, use "offset" beyond that)
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
    "limit" = 500
} | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

# The rulebase contains sections (each with its own "rulebase" array) as well as rules that are
# not inside any section; flatten both so no rule is skipped
$ruleItems = foreach ($item in $rules.rulebase) {
    if ($null -ne $item.rulebase) { $item.rulebase } else { $item }
}

foreach ($y in $ruleItems) {
    $body = @{
        "uid" = $($y.uid)
        "layer" = $layer
    } | ConvertTo-Json
    $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
    $details = "Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
    # source/destination/service are arrays of objects; -contains checks whether "Any" is among their names
    if ($rule.source.name -contains "Any") {
        Write-Output "Any Source, $details"
    }
    elseif ($rule.destination.name -contains "Any") {
        Write-Output "Any Destination, $details"
    }
    elseif ($rule.service.name -contains "Any") {
        Write-Output "Any Service, $details"
    }
}

Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)

Aathi
Contributor

Thank you so much, Sigbjorn. Do you have any bash script to run this from a Linux machine? (I need to run it from a Linux machine.)

0 Kudos
Sigbjorn
Advisor

I don't have this example for bash, but if you just follow the same logic, you can do the same stuff with curl, or even a bit easier (IMO) with Python and the requests and json libraries.

If you search this forum, I think you'll find a (near) complete Python SDK, so it's easier to get started.

0 Kudos
PhoneBoy
Admin

Directly with mgmt_cli/API? Don't believe so.
By processing the output of the API (e.g. mgmt_cli piped through jq), yes.
I would loop through the rules as @Sigbjorn suggests and only print rules where "any" is used.

0 Kudos
Aathi
Contributor

Thanks Sigbjorn and PhoneBoy. The script is working. Is there any way to get the admin details of who installed the Any rule?

0 Kudos
Sigbjorn
Advisor

Just add $($rule.'meta-info'.creator) or $($rule.'meta-info'.'last-modifier') to get the username for who created the rule, and who last modified it.

If you run this in PowerShell ISE, you can just type $rule in the console after it ran to see all the details included for the last rule in the loop. This can give you an idea about what other details you can pull out.

0 Kudos
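The Python route Sigbjorn suggests, PhoneBoy's "loop through the rules and only print the Any ones", and the meta-info fields from the last reply, as one added example that is not code from the thread: it uses only the standard library instead of requests, asks show-access-rulebase for details-level "full" so each rule already carries object names and meta-info (no show-access-rule call per rule), and flattens sections so rules outside any section are not skipped. The management URL, credentials and layer name are the caller's; SAMPLE_RULEBASE is a constructed stand-in for real API output.

```python
import json
import ssl
import urllib.request
# Constructed sample (not real output) shaped like show-access-rulebase with details-level "full":
# sections carry their own "rulebase"; rule source/destination/service are lists of named objects.
SAMPLE_RULEBASE = {"rulebase": [
    {"type": "access-section", "name": "Web", "rulebase": [
        {"type": "access-rule", "uid": "uid-0001", "name": "Web in", "source": [{"name": "Any"}],
         "destination": [{"name": "web-srv"}], "service": [{"name": "https"}],
         "meta-info": {"creator": "alice", "last-modifier": "bob"}}]},
    {"type": "access-rule", "uid": "uid-0002", "name": "DNS", "source": [{"name": "lan"}],
     "destination": [{"name": "dns-srv"}], "service": [{"name": "domain-udp"}],
     "meta-info": {"creator": "carol", "last-modifier": "carol"}},
    {"type": "access-rule", "uid": "uid-0003", "name": "Cleanup", "source": [{"name": "Any"}],
     "destination": [{"name": "Any"}], "service": [{"name": "Any"}],
     "meta-info": {"creator": "alice", "last-modifier": "alice"}}]}

def flatten_rules(rulebase):
    """Yield every access-rule, descending into sections (which nest their own 'rulebase')."""
    for item in rulebase.get("rulebase", []):
        if "rulebase" in item:
            yield from flatten_rules(item)
        else:
            yield item
def find_any_rules(rulebase):
    """One record per rule with 'Any' in source, destination or service, plus who touched it."""
    hits = []
    for rule in flatten_rules(rulebase):
        any_in = [f for f in ("source", "destination", "service")
                  if any(o.get("name") == "Any" for o in rule.get(f, []))]
        if any_in:
            meta = rule.get("meta-info", {})
            hits.append({"uid": rule["uid"], "name": rule.get("name"), "any_in": any_in,
                         "creator": meta.get("creator"), "last_modifier": meta.get("last-modifier")})
    return hits
def fetch_rulebase(base_uri, user, password, layer, verify_tls=True):
    """Log in, fetch the layer with full details (rule fields then carry object names), log out."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # management servers ship a self-signed certificate by default
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    def call(cmd, body, sid=None):
        hdrs = {"content-type": "application/json", **({"x-chkp-sid": sid} if sid else {})}
        req = urllib.request.Request(f"{base_uri}/{cmd}", json.dumps(body).encode(), hdrs, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    sid = call("login", {"user": user, "password": password})["sid"]
    try:  # "limit" maxes out at 500; page with "offset" for larger layers
        return call("show-access-rulebase", {"name": layer, "details-level": "full", "limit": 500}, sid)
    finally:
        call("logout", {}, sid)
```

Against a live server, `find_any_rules(fetch_rulebase("https://MGMT/web_api", "user", "pass", "demo-policy Network"))` returns the same records the PowerShell script prints, each with the rule UID, creator and last-modifier.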