Disable a rule on R80.10 using Python Web API
Hello,
I have a management server running R80.10, which has almost 20 devices connected and has hundreds of rules defined. I wanted to disable rules that are not currently in use via the Web API using a Python script. Please guide me if there is a way to do the same.
Please help me.
Labels: Access Policy, General, Object Management
Tags: python, r80 web apis
Accepted Solutions
set-access-rule has an option to enable/disable the rule.
Hi,
Someone already did a script like that here:
https://community.checkpoint.com/docs/DOC-2640?commentID=3239#comment-3239
If you want to script it by yourself, you could use the SDK from Check Point, which then handles your session.
GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit
There are some examples included, like "adding host" and so on.
Daniel
We are working on a comprehensive tool (Python) to disable/delete rules based on hitcount.
The tool will run in a few modes: plan, apply, apply without publish.
You will be able to set global thresholds of "non hit period" for disable / delete rules and you will be able to override them per rule. In addition you will be able to skip specific rules / packages. You will get JSON output for all deleted/disabled/skipped rules (and the reason they were skipped, for example, a rule with a GW whose hitcount is off).
You will be able to adjust our script to fit your logic (for example, set a rule at the bottom of the policy after disabling it).
We are planning to release this tool by mid October.
We have some delays. We are in final stages of approvals. I will add comment to this thread as well upon tool release.
Updating that we released it: GitHub - CheckPointSW/PolicyCleanUp
Thank you very much for the link provided here. It helped a lot.
Actually I am writing Python code which fetches JSON data using web_api. The issue I am reporting here is:
If I do an API call with the below code, I usually get details about all the rules inside each rulebase.
https://{{server}}/show-access-rulebase
{
"offset" : 0,
"limit" : 500,
"name" : "rulebase_name",
"details-level" : "standard",
"use-object-dictionary" : true
}
However, looking at each rule inside it, if I want to fetch values from "source", "destination", "service" etc., I get only encrypted IDs but not the actual names.
"rule-number": 1, # contents have been deleted those not related with the issue
"source": [
"697bb7e0-0dfe-4070-a21a-68858fhkdaae98c",
"349fb05c-99b2-4fb2-aea6-7b447dhyt0e661c"
],
"source-negate": true,
"destination": [
"97aeb369-9aea-11d5-bd16-00902fgt72ccb30"
],
"destination-negate": false,
"service": [
"ef245528-9a3d-11d6-9eaa-3e5a6fvgtdd6a6a",
"dff4f7ba-9a3d-11d6-91c1-3e5a6fdd5lpo151",
"24bee257-6b37-49bb-99aa-557d993akol0e48",
"97aeb45c-9aea-11d5-bd16-0090272ciuycb30",
"97aeb471-9aea-11d5-bd16-0090272treccb30"
],
"service-negate": false,
"vpn": [
"97aeb369-9aea-11d5-bd16-0090272ccmkqb30"
],
"action": "6c488338-8eec-4103-ad21-cd4sov61ac2c473",
"action-settings": {},
"content": [
"97aeb369-9aea-11d5-bd16-0090272ftmccb30"
],
"content-negate": false,
"content-direction": "any",
"comments": "My Comment",
"enabled": true,
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd5gyp9eb36ba",
"name": "sam@gmail.com",
"type": "access-rule"
},
But the same is available if I do an API call to "show-access-rule" with a specific rule:
{ # contents have been deleted those not related with the issue
"uid": "fcc5a2c8-3a78-4cc5-9fd3-e7bd59ebfgy36ba",
"name": "sam@gmail.com",
"type": "access-rule",
"source": [
{
"uid": "293ef5ba-5235-464e-9247-bda2frt6229a998",
"name": "abcd.example.com",
"type": "host",
"ipv4-address": "192.168.1.40"
}
],
"destination": [
{
"uid": "b17d4573-ad1a-4126-ae6d-c874efoqa919cda",
"name": "efgh.example.com",
"type": "CpmiClusterMember"
}
],
"service": [
{
"uid": "18ec9eaa-1657-4240-ab97-5f234623336b",
"name": "ssh",
"type": "service-tcp",
"port": "22"
}
],
Question: Is there any way to show the actual data while doing an API call using show-access-rulebase?
The result of the API call provides an objects-dictionary.
This can be used to dereference all the object UIDs returned as part of the rulebase.
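An added example (not from the thread or from Check Point's SDK) of the dereferencing described above: it indexes `objects-dictionary` by UID and swaps the UIDs in each rule for object names. The sample response is constructed, and the handling of nested `access-section` entries is an assumption about the response layout.

```python
# Constructed sample shaped like a show-access-rulebase reply (not real data).
SAMPLE = {
    "objects-dictionary": [
        {"uid": "u-any", "name": "Any", "type": "CpmiAnyObject"},
        {"uid": "u-host", "name": "abcd.example.com", "type": "host"},
        {"uid": "u-ssh", "name": "ssh", "type": "service-tcp"},
        {"uid": "u-accept", "name": "Accept", "type": "RulebaseAction"},
    ],
    "rulebase": [
        {"type": "access-section", "name": "Admin access", "rulebase": [
            {"type": "access-rule", "uid": "r-1", "rule-number": 1,
             "source": ["u-host"], "destination": ["u-any"],
             "service": ["u-ssh"], "action": "u-accept", "enabled": True},
        ]},
        {"type": "access-rule", "uid": "r-2", "rule-number": 2,
         "source": ["u-any"], "destination": ["u-missing"],
         "service": ["u-any"], "action": "u-accept", "enabled": False},
    ],
}

REF_FIELDS = ("source", "destination", "service", "vpn", "content", "action")

def iter_rules(items):
    """Yield access rules, descending into sections (assumed layout)."""
    for item in items:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item

def resolve(ref, objects):
    """Map one reference to a name; inline objects already carry their name."""
    if isinstance(ref, dict):
        return ref.get("name", ref.get("uid"))
    obj = objects.get(ref)
    return obj["name"] if obj else f"<unresolved {ref}>"

def resolve_rulebase(response):
    """Return the rules with every UID field replaced by object names."""
    objects = {o["uid"]: o for o in response.get("objects-dictionary", [])}
    resolved = []
    for rule in iter_rules(response.get("rulebase", [])):
        out = {k: rule.get(k) for k in ("rule-number", "uid", "enabled")}
        for field in REF_FIELDS:
            value = rule.get(field)
            if isinstance(value, list):
                out[field] = [resolve(v, objects) for v in value]
            elif value is not None:
                out[field] = resolve(value, objects)
        resolved.append(out)
    return resolved
```

A UID that is missing from the dictionary is reported as unresolved rather than dropped, so a rule is never shown with a narrower scope than it really has.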
Thank you very much. I am able to figure this out now.
However, can you please let me know if there is anything I missed below? My only goal is to list only rules that have not been used after the "to-date", including rules that were never used.
With the below code, if I change the "to-date" and run it to test if that works, I am getting the same rule with a different "to-date" value, which seems not actual. I ran the command with the "show-access-rulebase" API call.
# Input with "to-date" : "2018-04-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
"from-date" : "2000-01-01",
"to-date" : "2018-04-06"
}
}
# Output with "to-date" : "2018-04-06"
######################################
"rule-number": 1,
"hits": {
"percentage": "1%",
"level": "low",
"value": 38032181,
"first-date": {
"posix": 1473045718000,
"iso-8601": "2016-09-04T22:21-0500"
},
"last-date": {
"posix": 1523003466000,
"iso-8601": "2018-04-06T03:31-0500"
}
},
# Input with "to-date" : "2017-08-06"
#####################################
{
"offset" : 0,
"limit" : 500,
"name" : "my Security",
"details-level" : "standard",
"show-hits" : true,
"use-object-dictionary" : false,
"hits-settings" : {
"from-date" : "2000-01-01",
"to-date" : "2017-08-06"
}
}
# Output with "to-date" : "2017-08-06"
######################################
"rule-number": 1,
"hits": {
"percentage": "0%",
"level": "low",
"value": 31325295,
"first-date": {
"posix": 1473045718000,
"iso-8601": "2016-09-04T22:21-0500"
},
"last-date": {
"posix": 1502012563000,
"iso-8601": "2017-08-06T04:42-0500"
}
},
However, with the "show-access-rule" API, if I try to fetch data for rule #1 I get different output, as below.
# Input
#########
{
"rule-number": 1,
"layer" : "my Security",
"show-hits" : true
}
# Output
#########
"hits": {
"percentage": "1%",
"level": "low",
"value": 62724501,
"first-date": {
"posix": 1473045718000,
"iso-8601": "2016-09-04T22:21-0500"
},
"last-date": {
"posix": 1538583391000,
"iso-8601": "2018-10-03T11:16-0500"
}
},
That suggests a bug of some sort.
Please open a support ticket and we can have a look.
I should note Samiron Mallick that there is a new feature in API 1.3 (aligned with R80.20 release) that actually will allow you to output "the actual data" as you refer to it.
It's called "Show as Ranges" and it's a new parameter to the show-access-rulebase API call.
There are some limits to this (only allows output of 20 rules).
I have one last query for this thread.
I found the "delete-access-rule" WebAPI command to delete an access rule, but I am unable to find a command to DISABLE rules. My requirement is to DISABLE rules via WebAPI.
Ex: https://my-management:port/web_api/delete-access-rule
I tried "disable-access-rule" but had no luck, as that is not a valid command.
Is it possible to disable an access rule via WebAPI? If so, what is the command?
Thanks,
Sam
set-access-rule has an option to enable/disable the rule.
Thank you, this worked as expected.
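An added example (not the PolicyCleanUp tool's code) of the plan step discussed in this thread: from rules returned with `show-hits`, it picks enabled rules with no hit since a cutoff and builds the `set-access-rule` request bodies with `"enabled": false`, recording why every other rule was kept or skipped. The rule data, layer name and cutoff are constructed; treating a zero `value` or a missing `last-date` as "never hit" is an assumption.

```python
from datetime import datetime, timezone

# Constructed rules shaped like show-access-rulebase output with "show-hits": true.
RULES = [
    {"uid": "r-1", "rule-number": 1, "enabled": True,
     "hits": {"value": 62724501, "last-date": {"posix": 1538583391000}}},
    {"uid": "r-2", "rule-number": 2, "enabled": True,
     "hits": {"value": 120, "last-date": {"posix": 1473045718000}}},
    {"uid": "r-3", "rule-number": 3, "enabled": True, "hits": {"value": 0}},
    {"uid": "r-4", "rule-number": 4, "enabled": False, "hits": {"value": 0}},
    {"uid": "r-5", "rule-number": 5, "enabled": True},  # no hit data returned
]
CUTOFF = datetime(2018, 1, 1, tzinfo=timezone.utc)  # constructed threshold

def classify(rule, cutoff_ms):
    """Decide what to do with one rule; posix values are in milliseconds."""
    if not rule.get("enabled", True):
        return "skip: already disabled"
    hits = rule.get("hits")
    if hits is None:
        # Without hit data (e.g. hit count off on the gateway) do not guess.
        return "skip: no hit data"
    last = hits.get("last-date", {}).get("posix")
    if hits.get("value", 0) == 0 or last is None:
        return "disable: never hit"  # assumption, see lead-in
    if last < cutoff_ms:
        return "disable: last hit before cutoff"
    return "keep"

def plan_disable(rules, layer, cutoff):
    """Return (set-access-rule bodies, per-rule verdicts) without changing anything."""
    cutoff_ms = int(cutoff.timestamp() * 1000)
    plan, report = [], {}
    for rule in rules:
        verdict = classify(rule, cutoff_ms)
        report[rule["uid"]] = verdict
        if verdict.startswith("disable"):
            plan.append({"uid": rule["uid"], "layer": layer, "enabled": False})
    return plan, report
```

Each body in the plan is what gets posted to `/web_api/set-access-rule` in a logged-in session; the change is only saved to the policy after `publish`, which leaves room to review the report first.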
