Solved: Disable a rule on R80.10 using Python Web API

Samiron_Mallick · ‎2018-09-18

Hello,

I have a management server running R80.10, which has almost 20 devices connected and has hundreds of rules defined. I wanted to disable rules that are not in use currently via Web API using Python script. Please guide me if there is way to do the same.

Please help me.

PhoneBoy · ‎2018-11-08

set-access-rule has an option to enable/disable the rule.

View solution in original post

PhoneBoy · ‎2018-09-18

There's an example of this already: ‌

Nüüül · ‎2018-09-18

Hi

someone already did a script like that here.

https://community.checkpoint.com/docs/DOC-2640?commentID=3239#comment-3239

If you want to script it by yourself. You could use the SDK from Check Point, which then is handling your session.

GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit

There are some examples included like "adding host" and so.

Daniel

Amiad_Stern · ‎2018-09-20

We are working on a comprehensive tool (python) to disable/delete rules based on hitcount.

Tool will run in few modes: plan , apply , apply without publish

You will be able to set global thresholds of "non hit period" for disable / delete rules and you will be able to override them per rule. In addition you will be able to skip specific rules / packages. You will get json output for all deleted/disabled/skipped rules (and the reason they were skipped, for example, rule with GW that its hitcount is off).

You will be able to adjust our script to fit your logic (for example, set rule at the bottom of policy afetr disabling it)

We are planning to release this tool by mid October.

Samiron_Mallick · ‎2018-11-08

Hello,

Is this released Amiad Stern‌ ? If so, where can i find that.

Thanks a lot.

Sam

Amiad_Stern · ‎2018-11-08

We have some delays. We are in final stages of approvals. I will add comment to this thread as well upon tool release.

Amiad_Stern · ‎2019-02-03

Updating that we released it GitHub - CheckPointSW/PolicyCleanUp

Samiron_Mallick · ‎2018-09-27

Thank you very much for the link provided here. It helped a lot.

Actually i am writing python code which fetches JSON data using web_api. The issue i am reporting here is:

If i do api call with below code, i usually get details about all the rules inside each rulebase.

https://{{server}}/show-access-rulebase
{
"offset" : 0,
"limit" : 500,
"name" : "rulebase_name",
"details-level" : "standard",
"use-object-dictionary" : true
}

however looking at each rule inside it, if i want to fetch values from "source, destination,service" etc., i get only encrypted id's but not the actual names.

"rule-number": 1, # contents have been deleted those not related with the issue
"source": [
"697bb7e0-0dfe-4070-a21a-68858fhkdaae98c",
"349fb05c-99b2-4fb2-aea6-7b447dhyt0e661c"
],
"source-negate": true,
"destination": [
"97aeb369-9aea-11d5-bd16-00902fgt72ccb30"
],
"destination-negate": false,
"service": [
"ef245528-9a3d-11d6-9eaa-3e5a6fvgtdd6a6a",
"dff4f7ba-9a3d-11d6-91c1-3e5a6fdd5lpo151",
"24bee257-6b37-49bb-99aa-557d993akol0e48",
"97aeb45c-9aea-11d5-bd16-0090272ciuycb30",
"97aeb471-9aea-11d5-bd16-0090272treccb30"
],
"service-negate": false,
"vpn": [
"97aeb369-9aea-11d5-bd16-0090272ccmkqb30"
],
"action": "6c488338-8eec-4103-ad21-cd4sov61ac2c473",
"action-settings": {},
"content": [
"97aeb369-9aea-11d5-bd16-0090272ftmccb30"
],
"content-negate": false,
"content-direction": "any",
"comments": "My Comment",
"enabled": true,
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd5gyp9eb36ba",
"name": "sam@gmail.com",
"type": "access-rule",
},

But the same is available if I do api call to "show-access-rule" with specific rule

{ # contents have been deleted those not related with the issue
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd59ebfgy36ba",
"name": "sam@gmail.com",
"type": "access-rule",
"source": [
{
"uid": "293ef5ba-5235-464e-9247-bda2frt6229a998",
"name": "abcd.example.com",
"type": "host",
"ipv4-address": "192.168.1.40"
},
"destination": [
{
"uid": "b17d4573-ad1a-4126-ae6d-c874efoqa919cda",
"name": "efgh.example.com",
"type": "CpmiClusterMember",
}
],
"service": [
{
"uid": "18ec9eaa-1657-4240-ab97-5f234623336b",
"name": "ssh",
"type": "service-tcp",
"port": "22"
}
],

Question: Is there any way that can show the actual data while doing api call using show-access-rulebase ?

PhoneBoy · ‎2018-09-27

The result of the API call provides an objects-dictionary.

This can be used to deference all the object UIDs returned as part of the rulebase.

Samiron_Mallick · ‎2018-10-03

Thank you very much. I am able to figure this out now.

However can you please let me know if there is anything i missed below. My only goal is to list only rules that has not been used after the "to-date" including rule that never used.

With the below code if I change the "to-date" and run to test if that works, i am getting same rule with different "to-date" value. Which seems not actual. Ran the command with "show-access-rulebase" API call.

# Input with "to-date" : "2018-04-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
   "from-date" : "2000-01-01",
   "to-date" : "2018-04-06"
   }
}
# Output with "to-date" : "2018-04-06"
######################################
"rule-number": 1,
"hits": {
   "percentage": "1%",
   "level": "low",
   "value": 38032181,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1523003466000,
      "iso-8601": "2018-04-06T03:31-0500"
   }
},
# Input with "to-date" : "2017-08-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
   "from-date" : "2000-01-01",
   "to-date" : "2017-08-06"
   }
}
# Output with "to-date" : "2017-08-06"
######################################
"rule-number": 1,
"hits": {
   "percentage": "0%",
   "level": "low",
   "value": 31325295,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1502012563000,
      "iso-8601": "2017-08-06T04:42-0500"
   }
},

However with "show-access-rule" API if i try to fetch data for the rule#1 i get different output as below.

# Input
#########
{
"rule-number": 1,
"layer" : "my Security",
"show-hits" : true
}
# Output
#########
"hits": {
   "percentage": "1%",
   "level": "low",
   "value": 62724501,
   "first-date": {
      "posix": 1473045718000,
      "iso-8601": "2016-09-04T22:21-0500"
   },
   "last-date": {
      "posix": 1538583391000,
      "iso-8601": "2018-10-03T11:16-0500"
   }
},

PhoneBoy · ‎2018-10-03

That suggests a bug of some sort.

Please open a support ticket and we can have a look.

PhoneBoy · ‎2018-10-03

I should note Samiron Mallick‌ that there is a new feature in API 1.3 (aligned with R80.20 release) that actually will allow you to output "the actual data" as you refer to it.

It's called "Show as Ranges" and it's a new parameter to the show-access-rulebase API call.

There are some limits to this (only allows output of 20 rules).

Samiron_Mallick · ‎2018-11-08

I am having the last query to this thread.

I found "delete-access-rule" WebAPI command to delete access rule. But unable to find command to DISABLE rules. My requirement is to DISABLE rules via WebAPI.

Ex: https://my-management:port/web_api/delete-access-rule

Tried "disable-access-rule" but no luck as that is not a valid command.

Is it possible to disable access-rule via WebAPI ? if so what is the command.

Thanks,

Sam

PhoneBoy · ‎2018-11-08

set-access-rule has an option to enable/disable the rule.

Samiron_Mallick · ‎2018-11-08

Thank you this worked as expected.

Are you a member of CheckMates?

Disable a rule on R80.10 using Python Web API