This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bill_Ng
Collaborator
‎2018-01-30 11:15 AM
Jump to solution

FW object rule report

All,

We are on R80.10 management station.

Any one know of a way to get FW object information across our policies in a readable format?  The where used function works but it only lists out the rule number.  I guess we would like a more detailed version which spits out the groups the object is in and instead of the rule numbers it lists out the actual rule (src, dst, service port), and on which policy the rule is in?  I've used '$MDS_FWDIR/scripts/web_api_show_package.sh'  to export policies but painstakingly do searches within each policy for the specific objects. 

Thanks in advance,

Bill

0 Kudos
1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2018-02-02 07:14 AM
In response to Astardzhiev
Jump to solution

Just to compare, attached below typical output of R8x show-package tool. As you can see, information completely replaces the same functionality of R7x Web Visualization Tool.

This thread however discusses how to get full rule information when searching for usages of objects.

Option 1: run "where used", collect the UID's of the rules, then run "show access-rule" for each rule UID.

Option 2: run "where used" with "details-level full". This will show the full objects that use the given object. However, it will show a lot of other information and may result with a slow response. 

Option 3: run "where used", collect the rule positions, then look at the show-package HTML output (see image above) and locate the rule.

Let's demonstrate option 1:

Step 1: where used for host "Marco". We want to see its indirect usages, because Marco belongs to a network group which appears in some rules. From the output we would like to isolate the rule UID and the layer UID because both parameters are required for the next step. So we will use JQ to parse the output and select only the things that we care about.

mgmt_cli where-used name Marco indirect true -s id.txt --format json | jq -r '."used-indirectly"."access-control-rules"[] | (.rule.name // "no rule name", .rule.uid, .layer.name, .layer.uid)'
no rule name
97ed7f41-f56d-4ef5-99e9-9f698ad55902
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
86f56fc4-7652-4518-8d94-3f9ec6ced892
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
1030a2d1-7663-462f-b43b-8825abf39e21
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
c0d19b8f-10d7-4ea2-8684-61968c7e94d7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
69ea551c-ad13-4a5f-8b68-897928119da8
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
5f0d2800-1e9d-44f6-9f39-7953a33b82a2
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
0fb52774-487a-4e3c-afcc-65d1ccbaffb7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535

We got groups of 4 - rule name (which shows "no rule name" in case it has no name), rule UID, layer name, layer UID.

Now we can run show access-rule on each result to see the full rule. For example, for the first result:

mgmt_cli show access-rule uid 69ea551c-ad13-4a5f-8b68-897928119da8 layer 19942103-1419-4e71-b655-e1aad4c82535 -s id.txt

View solution in original post

11 Replies
Robert_Decker
Advisor
‎2018-01-30 12:50 PM
Jump to solution

This kind of information can be obtained by combining several API commands and mining the required information.

First, you should use the "where-used" command to get the policy/rulebase information (uid is enough), and then use the "show-access-rule" command with that preliminary info to retrieve the specific details about the rule.

Robert.

0 Kudos
Bill_Ng
Collaborator
‎2018-02-02 04:31 AM
In response to Robert_Decker
Jump to solution

Hi Robert,

Thanks for pointing me in the right direction.  We are in process of using powershell from the modules that tkoopman created to extract that info.  I found a guy on my team that's really good with Powershell.

0 Kudos
Robert_Decker
Advisor
‎2018-02-02 07:35 AM
In response to Bill_Ng
Jump to solution

No problem, glad to help.

Robert.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-01-30 10:12 PM
Jump to solution

Tufin is the answer. It's simply awesome for stuff like that Smiley Happy

0 Kudos
Robert_Decker
Advisor
‎2018-01-31 12:22 AM
In response to Kaspars_Zibarts
Jump to solution

Tufin is a good option with products on the shelf that cost.

We should provide here answers that are for free.

Robert.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-01-31 12:28 AM
In response to Robert_Decker
Jump to solution

I was just pulling a small joke Robert Smiley Happy 

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-01-31 01:45 AM
In response to Kaspars_Zibarts
Jump to solution

wow, we actually took it seriously.. lol.. Tufin is an excellent product and a great technology partner with Check Point. But if you are willing to customize and automate your Check Point Management workflow yourself using the Check Point Management API's we are here to help.

0 Kudos
Phan_Tuan_Loi
Explorer
‎2018-01-31 04:55 PM
Jump to solution

You may search Web Visualization Tool then try it Smiley Happy

It can list rules, objects (network and service), ... as the samples below

Rules

Objects

Astardzhiev
Contributor
‎2018-02-01 10:49 AM
In response to Phan_Tuan_Loi
Jump to solution

Hi Phan,

Unfortunately Web Virtualization Tool is not supported for R80 and above:

Important Note: This solution refers for R77.x versions only. For R80 and higher use "Show Package Tool" described in sk120342.

And looking at the question Bill is already on R80.x

0 Kudos
Phan_Tuan_Loi
Explorer
‎2018-02-01 05:10 PM
In response to Astardzhiev
Jump to solution

Thank you Alexander for you comment.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-02-02 07:14 AM
In response to Astardzhiev
Jump to solution

Just to compare, attached below typical output of R8x show-package tool. As you can see, information completely replaces the same functionality of R7x Web Visualization Tool.

This thread however discusses how to get full rule information when searching for usages of objects.

Option 1: run "where used", collect the UID's of the rules, then run "show access-rule" for each rule UID.

Option 2: run "where used" with "details-level full". This will show the full objects that use the given object. However, it will show a lot of other information and may result with a slow response. 

Option 3: run "where used", collect the rule positions, then look at the show-package HTML output (see image above) and locate the rule.

Let's demonstrate option 1:

Step 1: where used for host "Marco". We want to see its indirect usages, because Marco belongs to a network group which appears in some rules. From the output we would like to isolate the rule UID and the layer UID because both parameters are required for the next step. So we will use JQ to parse the output and select only the things that we care about.

mgmt_cli where-used name Marco indirect true -s id.txt --format json | jq -r '."used-indirectly"."access-control-rules"[] | (.rule.name // "no rule name", .rule.uid, .layer.name, .layer.uid)'
no rule name
97ed7f41-f56d-4ef5-99e9-9f698ad55902
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
86f56fc4-7652-4518-8d94-3f9ec6ced892
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
1030a2d1-7663-462f-b43b-8825abf39e21
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
c0d19b8f-10d7-4ea2-8684-61968c7e94d7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
69ea551c-ad13-4a5f-8b68-897928119da8
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
5f0d2800-1e9d-44f6-9f39-7953a33b82a2
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535
no rule name
0fb52774-487a-4e3c-afcc-65d1ccbaffb7
FinanceSolutions Network
19942103-1419-4e71-b655-e1aad4c82535

We got groups of 4 - rule name (which shows "no rule name" in case it has no name), rule UID, layer name, layer UID.

Now we can run show access-rule on each result to see the full rule. For example, for the first result:

mgmt_cli show access-rule uid 69ea551c-ad13-4a5f-8b68-897928119da8 layer 19942103-1419-4e71-b655-e1aad4c82535 -s id.txt

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top