Any cli/api command to filter the Any access on ch...

Aathi · ‎2020-09-23

Hi Team,

Is there any api or cli command to get the "Any" access either on source or destination or port on checkpoint policy.

and also need UID of that rulebase.

Sigbjorn · ‎2020-09-23

Its possible you can use a show-access-rulebase with the filter option, but I find it easier to just loop through the rulebase.

Here's a sample powershell script to list rules with "Any" src/dst/svc

[string]$BaseUri = "https://10.10.2.1/web_api"
[string]$domain = "domainname"  # Only used for MDS servers
[string]$user = "username"
[string]$pass = "password"
[string]$layer= "demo-policy Network"

$loginData = @{
    "user" = $user
    "password" = $pass
    "domain" = $domain # Only used for MDS servers
} | ConvertTo-Json

Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers @{ "content-type" = "application/json" }

$headers = @{
    "content-type" = "application/json"
    "x-chkp-sid" = $login.sid
}



# Get RuleBase
Write-Output "Getting rulebase"
$body = @{
    "name" = $layer
    } | ConvertTo-Json
$rules = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rulebase" -Body $body -Headers $headers

foreach ($y in $rules.rulebase.rulebase) {  
        $body = @{
        "uid" = $($y.uid)
        "layer" = $layer
        } |ConvertTo-Json
        $rule = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-access-rule" -Body $body -Headers $headers
        if ($($rule.source.name) -like "Any") {
            Write-output "Any Source, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
        }
        elseif ($($rule.destination.name) -like "Any") {
            Write-output "Any Destination, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
        }
        elseif ($($rule.service.name) -like "Any") {
            Write-output "Any Service, Rulename: $($rule.name), Rule UID: $($rule.uid), Source: $($rule.source.Name), Destination: $($rule.destination.Name), Service: $($rule.service.Name), Action: $($rule.action.Name)"
        }
}


Write-Output "Disconnect session $($login.uid)"
$null = Invoke-RestMethod -Method Post -Uri "$BaseUri/disconnect" -Headers $headers -Body (@{ "uid" = $login.uid } | ConvertTo-Json)

Aathi · ‎2020-09-24

Thank you so much Sigbjorn.Are you having any bash script that to run it from linux machine(need to run or run from Linux machine)

Sigbjorn · ‎2020-09-24

I don't have this example for bash, but if you just follow the same logic, you can do the same stuff with curl, or even abit easier (imo) with python and the request and json libraries.

If you search this forum, i think you'll find a (near) complete python sdk so its easier to get started.

PhoneBoy · ‎2020-09-24

Directly with mgmt_cli/API? Don't believe so.
By processing the output of the API (e.g. mgmt_cli piped through jq), yes.
I would loop through the rules as @Sigbjorn suggests and only print rules where "any" is used.

Aathi · ‎2020-09-24

Thanks Sigbjorn and phoneboy. The script is working .Is there any way to get the admin details who installed the Any rule.

Sigbjorn · ‎2020-09-24

Just add $($rule.'meta-info'.creator) or $($rule.'meta-info'.'last-modifier') to get the username for who created the rule, and who last modified it.

If you run this in PowerShell ISE, you can just type $rule in the console after it ran to see all the details included for the last rule in the loop. This can give you an idea about what other details you can pull out.

Any cli/api command to filter the Any access on checkpoint rule base.