Get all inline access rules via API
Hello,
I wrote a python script to get all inline access rules from all firewall policies.
I've used show-access-rulebase, in for loops, first to find the rules at the access-section layer. Then using show-access-rulebase again, in for loops, to get all inline-layer access rules. Then, I have to use show-object, again in for loops, to convert source/destination/service uid objects into human readable texts. Since source/destination/port for a specific inline rule can be a long list, my script is taking a while.
Is there a better way than what I described? Seems that the slowest part is using the show-object API calls. Is there another API or option in the show-access-rulebase to get the inline rules with human readable source/destination/port, directly without having to use the show-object for conversion?
Much thanks in advance!
Use the following API command which translates Source / Destination / Service to values:
https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/show-access-rulebase~v1.9.1%20
show-access-rulebase with rules displayed as ranges
For example:
mgmt_cli show access-rulebase offset 0 limit 20 name "Network" show-as-ranges "true" --format json
Thanks Tal_Paz-Fridman. I tried that before, but it didn't display the source/destination/service as what is shown in SmartConsole (i.e., source/destination = abc.company.com, 1.1.1.1, service = tcp_1000).
If I recall correctly, ranges were shown instead, not the actual values shown in SmartConsole.
Maybe I am missing something or misspeaking? Can you provide an example API?
You're right - it only shows ranges, but if the start and end are the same it's a single value.
I created an Order layer or Inline where the second rule is:
The IP of host_for_server10 is 10.10.10.10
I ran the command:
mgmt_cli show access-rulebase name "Layer name" show-as-ranges "true" --format json
This is the command output (I highlighted the relevant values):
}, {
"uid" : "4960587a-7376-450c-b8b6-00b766eda078",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"enabled" : true,
"comments" : "",
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1725646212468,
"iso-8601" : "2024-09-06T21:10+0300"
},
"last-modifier" : "cc",
"creation-time" : {
"posix" : 1725646212468,
"iso-8601" : "2024-09-06T21:10+0300"
},
"creator" : "cc"
},
"available-actions" : {
"clone" : "not_supported"
},
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ],
"tags" : [ ],
"source-ranges" : {
"ipv4" : [ {
"start" : "10.10.10.10",
"end" : "10.10.10.10"
} ],
"ipv6" : [ ],
"others" : [ ],
"excluded-others" : [ ]
},
"destination-ranges" : {
"ipv4" : [ {
"start" : "0.0.0.0",
"end" : "255.255.255.255"
} ],
"ipv6" : [ {
"start" : "0:0:0:0:0:0:0:0",
"end" : "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
} ],
"others" : [ ],
"excluded-others" : [ ]
},
"service-ranges" : {
"tcp" : [ {
"start" : "80",
"end" : "80"
} ],
"udp" : [ ],
"others" : [ ],
"excluded-others" : [ ]
},
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"action-settings" : {
"enable-identity-captive-portal" : false
},
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"rule-number" : 2,
"track" : {
"type" : "29e53e3d-23bf-48fe-b6b1-d59bd88036f9",
"per-session" : false,
"per-connection" : false,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
}
}, {
Add use-object-dictionary true to the call and it should include a translation for the various objects as part of the JSON output.
@PhoneBoy I thought I tried that flag before as well, but didn't see what I was looking for. I can try again.
I set both "show-as-ranges" and "use-object-dictionary" to true and tried. I got a mix of results: some are good (clear text like in SmartConsole, but in ranges), some are object IDs (which requires me to use show-access-rulebase again).
So, it seems there is no better solution than what I described initially.
{"uid": "obj-id-xxx",
"limit": 500,
"offset": 0,
"details-level": "standard",
"show-as-ranges": true,
"use-object-dictionary": true
}
},
"source-ranges": {
"ipv4": [
{
"start": "1.1.1.1",
"end": "1.1.1.1"
}
],
"ipv6": [
],
"others": [
],
"excluded-others": [
]
},
"destination-ranges": {
"ipv4": [
],
"ipv6": [
],
"others": [
"obj-id-xxx"
],
"excluded-others": [
]
},
"service-ranges": {
"tcp": [
{
"start": "1000",
"end": "1000"
}
],
"source-ranges": {
"ipv4": [
{
"start": "0.0.0.0",
"end": "255.255.255.255"
}
],
"ipv6": [
{
"start": "0:0:0:0:0:0:0:0",
"end": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
}
],
"others": [
],
"excluded-others": [
]
},
"destination-ranges": {
"ipv4": [
{
"start": "0.0.0.0",
"end": "255.255.255.255"
}
],
"ipv6": [
{
"start": "0:0:0:0:0:0:0:0",
"end": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
}
"use-object-dictionary" defaults to true. By default, you will get output like this:
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 8a994dd3-993e-4c0c-92a1-a8630b153f4c limit 1 | jq .
{
"uid": "8a994dd3-993e-4c0c-92a1-a8630b153f4c",
"name": "Network",
"rulebase": [
{
"uid": "9d820cd3-fb7b-44ef-b3e0-399fca6a44a4",
"name": "Sectionless",
"type": "access-rule",
"domain": {...},
"rule-number": 1,
"track": {...},
"source": [
"97aeb369-9aea-11d5-bd16-0090272ccb30"
],
"source-negate": false,
"destination": [
"97aeb369-9aea-11d5-bd16-0090272ccb30"
],
"destination-negate": false,
"service": [
"97aeb40a-9aea-11d5-bd16-0090272ccb30"
],
"service-negate": false,
"service-resource": "",
"vpn": [
"97aeb369-9aea-11d5-bd16-0090272ccb30"
],
"action": "6c488338-8eec-4103-ad21-cd461ac2c472",
"action-settings": {
"enable-identity-captive-portal": false
},
"content": [
"97aeb369-9aea-11d5-bd16-0090272ccb30"
],
"content-negate": false,
"content-direction": "any",
"time": [
"97aeb369-9aea-11d5-bd16-0090272ccb30"
],
"custom-fields": {
"field-1": "",
"field-2": "",
"field-3": ""
},
"meta-info": {...},
"comments": "",
"enabled": true,
"install-on": [
"6c488338-8eec-4103-ad21-cd461ac2c476"
],
"tags": []
}
],
"objects-dictionary": [
{
"uid": "6c488338-8eec-4103-ad21-cd461ac2c472",
"name": "Accept",
"type": "RulebaseAction",
"domain": {...},
"icon": "Actions/actionsAccept",
"color": "none"
},
{
"uid": "97aeb369-9aea-11d5-bd16-0090272ccb30",
"name": "Any",
"type": "CpmiAnyObject",
"domain": {...},
"icon": "General/globalsAny",
"color": "black"
},
{
"uid": "97aeb40a-9aea-11d5-bd16-0090272ccb30",
"name": "echo-request",
"type": "service-icmp",
"domain": {...},
"icon": "Services/ICMPService",
"color": "orchid"
},
{
"uid": "29e53e3d-23bf-48fe-b6b1-d59bd88036f9",
"name": "None",
"type": "Track",
"domain": {...},
"icon": "General/globalsNone",
"color": "none"
},
{
"uid": "6c488338-8eec-4103-ad21-cd461ac2c476",
"name": "Policy Targets",
"type": "Global",
"domain": {...},
"icon": "General/globalsAny",
"color": "none"
}
],
"from": 1,
"to": 1,
"total": 29
}
The "objects-dictionary" key contains a list of all of the objects referenced in the rules covered by the API call. The "details-level" key in the call controls the level of detail of the rule and of these objects. This does have a significant limitation, though: group members are not included. You can resolve group members one at a time, but like you said, that's really slow.
If you can afford to spend the RAM, it's a lot faster to start by calling "/show-objects" over and over to ingest all objects into a local cache. You then pull the rules, ignore the "objects-dictionary" key, and ingest the rule using the objects from your local cache.
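Putting the two halves of the thread together: the nested walk over sections and inline layers from the original question, and the cache-first approach from the last reply (ingest every show-objects page once, then resolve uids locally, including group members that the objects-dictionary omits). This is an added example, not code from the thread or from Check Point; the API responses are constructed stand-ins with made-up uids, and fetch() stands in for a show-access-rulebase call per layer.

```python
# Constructed stand-ins for Management API responses (not the thread's own data): two pages
# from show-objects and the per-layer results of show-access-rulebase, cut down to the keys used.
SHOW_OBJECTS_PAGES = [
    {"objects": [
        {"uid": "u-any", "name": "Any", "type": "CpmiAnyObject"},
        {"uid": "u-h1", "name": "host_for_server10", "type": "host", "ipv4-address": "10.10.10.10"},
        {"uid": "u-h2", "name": "abc.company.com", "type": "host", "ipv4-address": "1.1.1.1"}]},
    {"objects": [
        {"uid": "u-grp", "name": "servers", "type": "group", "members": ["u-h1", "u-h2"]},
        {"uid": "u-svc", "name": "tcp_1000", "type": "service-tcp", "port": "1000"},
        {"uid": "u-accept", "name": "Accept", "type": "RulebaseAction"},
        {"uid": "u-inline", "name": "Inline1", "type": "access-layer"}]},
]
RULEBASES = {
    "Network": [{"type": "access-section", "name": "Web", "rulebase": [
        {"type": "access-rule", "rule-number": 1, "source": ["u-grp"], "destination": ["u-any"],
         "service": ["u-svc"], "action": "u-accept", "inline-layer": "u-inline"}]}],
    "Inline1": [{"type": "access-rule", "rule-number": 1, "source": ["u-h2"],
                 "destination": ["u-h1"], "service": ["u-svc"], "action": "u-accept"}],
}

def build_cache(pages):
    """Ingest every show-objects page once into a uid -> object dict; no per-uid show-object calls."""
    return {o["uid"]: o for page in pages for o in page["objects"]}

def names(uids, cache, seen=()):
    """Resolve uids to SmartConsole-style names, expanding groups; 'seen' guards against cycles."""
    out = []
    for uid in uids:
        obj = cache.get(uid, {"name": f"<unresolved {uid}>", "type": "unknown"})
        if obj["type"] == "group" and uid not in seen:
            out += names(obj["members"], cache, seen + (uid,))
        else:
            out.append(obj["name"])
    return out

def flatten(items, cache, fetch, prefix=""):
    """Walk sections and descend into inline layers (fetch(name) stands in for show-access-rulebase)."""
    rows = []
    for item in items:
        if item["type"] == "access-section":          # sections only wrap rules
            rows += flatten(item["rulebase"], cache, fetch, prefix)
            continue
        label = f"{prefix}{item['rule-number']}"
        rows.append({"rule": label, "action": cache[item["action"]]["name"],
                     **{k: names(item[k], cache) for k in ("source", "destination", "service")}})
        if "inline-layer" in item:                     # same walk, one level down
            rows += flatten(fetch(cache[item["inline-layer"]]["name"]), cache, fetch, label + ".")
    return rows
```

Calling flatten(RULEBASES["Network"], build_cache(SHOW_OBJECTS_PAGES), RULEBASES.__getitem__) yields one readable row per rule, with the inline rule numbered 1.1 under its parent; against a real management server the two constructed structures are replaced by the paginated show-objects and show-access-rulebase responses.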
