pdn
Contributor

Get all inline access rules via API

Hello,

I wrote a Python script to get all inline access rules from all firewall policies.

I've used show-access-rulebase, in for loops, first to find the rules at the access-section layer. Then, using show-access-rulebase again, in for loops, to get all inline-layer access rules. Then I have to use show-object, again in for loops, to convert source/destination/service UID objects into human-readable text. Since source/destination/port for a specific inline rule can be a long list, my script is taking a while.

Is there a better way than what I described? It seems that the slowest part is the show-object API calls. Is there another API, or an option in show-access-rulebase, to get the inline rules with human-readable source/destination/port directly, without having to use show-object for the conversion?

Much thanks in advance!

7 Replies
Tal_Paz-Fridman
Employee

Use the following API command which translates Source / Destination / Service to values:

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/show-access-rulebase~v1.9.1%20

show-access-rulebase with rules displayed as ranges

For example:

mgmt_cli show access-rulebase offset 0 limit 20 name "Network" show-as-ranges "true"  --format json
pdn
Contributor

Thanks Tal_Paz-Fridman. I tried that before, but it didn't display the source/destination/service as what is shown in SmartConsole (i.e., source/destination = abc.company.com, 1.1.1.1; service = tcp_1000).

If I recall correctly, ranges were shown instead, not the actual values shown in SmartConsole.

Maybe I am missing something or misspeaking? Can you provide an example API call?

Tal_Paz-Fridman
Employee

You're right - it only shows ranges, but if the start and end are the same it's a single value.

I created an Ordered layer or Inline layer where the second rule is:

[screenshot: Rule 2.png]

The IP of host_for_server10 is 10.10.10.10.

I ran the command:

mgmt_cli show access-rulebase name "Layer name" show-as-ranges "true" --format json

This is the command output (I highlighted the relevant values):

}, {
"uid" : "4960587a-7376-450c-b8b6-00b766eda078",
"type" : "access-rule",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"enabled" : true,
"comments" : "",
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1725646212468,
"iso-8601" : "2024-09-06T21:10+0300"
},
"last-modifier" : "cc",
"creation-time" : {
"posix" : 1725646212468,
"iso-8601" : "2024-09-06T21:10+0300"
},
"creator" : "cc"
},
"available-actions" : {
"clone" : "not_supported"
},
"install-on" : [ "6c488338-8eec-4103-ad21-cd461ac2c476" ],
"tags" : [ ],
"source-ranges" : {
"ipv4" : [ {
"start" : "10.10.10.10",
"end" : "10.10.10.10"
} ],
"ipv6" : [ ],
"others" : [ ],
"excluded-others" : [ ]
},
"destination-ranges" : {
"ipv4" : [ {
"start" : "0.0.0.0",
"end" : "255.255.255.255"
} ],
"ipv6" : [ {
"start" : "0:0:0:0:0:0:0:0",
"end" : "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
} ],
"others" : [ ],
"excluded-others" : [ ]
},
"service-ranges" : {
"tcp" : [ {
"start" : "80",
"end" : "80"
} ],
"udp" : [ ],
"others" : [ ],
"excluded-others" : [ ]
},
"vpn" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"action" : "6c488338-8eec-4103-ad21-cd461ac2c472",
"action-settings" : {
"enable-identity-captive-portal" : false
},
"content" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"content-negate" : false,
"content-direction" : "any",
"time" : [ "97aeb369-9aea-11d5-bd16-0090272ccb30" ],
"custom-fields" : {
"field-1" : "",
"field-2" : "",
"field-3" : ""
},
"rule-number" : 2,
"track" : {
"type" : "29e53e3d-23bf-48fe-b6b1-d59bd88036f9",
"per-session" : false,
"per-connection" : false,
"accounting" : false,
"enable-firewall-session" : false,
"alert" : "none"
}
}, {

PhoneBoy
Admin

Add use-object-dictionary true to the call and it should include a translation for the various objects as part of the JSON output.

pdn
Contributor

@PhoneBoy I thought I tried that flag before as well, but didn't see what I was looking for. I can try again.

pdn
Contributor

I set both "show-as-ranges" and "use-object-dictionary" to true and tried. I got a mix of results: some are good (clear text like in SmartConsole, but in ranges), some are object IDs (which require me to use show-access-rulebase again).

So, it seems there is no better solution than what I described initially.

{"uid": "obj-id-xxx",
"limit": 500,
"offset": 0,
"details-level": "standard",
"show-as-ranges": true,
"use-object-dictionary": true
}


},
"source-ranges": {
"ipv4": [
{
"start": "1.1.1.1",
"end": "1.1.1.1"
}
],
"ipv6": [
],
"others": [
],
"excluded-others": [
]
},
"destination-ranges": {
"ipv4": [
],
"ipv6": [
],
"others": [
"obj-id-xxx"
],
"excluded-others": [
]
},
"service-ranges": {
"tcp": [
{
"start": "1000",
"end": "1000"
}
],

"source-ranges": {
"ipv4": [
{
"start": "0.0.0.0",
"end": "255.255.255.255"
}
],
"ipv6": [
{
"start": "0:0:0:0:0:0:0:0",
"end": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
}
],
"others": [
],
"excluded-others": [
]
},
"destination-ranges": {
"ipv4": [
{
"start": "0.0.0.0",
"end": "255.255.255.255"
}
],
"ipv6": [
{
"start": "0:0:0:0:0:0:0:0",
"end": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
}

Bob_Zimmerman
Authority
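The two outputs above (rule 2 rendered with show-as-ranges, and the mixed result where a destination came back as a UID under "others") share one shape that a script can flatten without any show-object calls for the parts the API did express as ranges. The following is an added example, not code from this thread or from Check Point: it collapses start==end entries to a single value, labels the whole IPv4-plus-IPv6 space as Any (a heuristic, since an explicit 0.0.0.0/0 object would look the same here), and returns the UIDs left in others/excluded-others so that only those need a follow-up lookup. Both sample rules are constructed from the values posted above.

```python
import ipaddress

# Constructed sample, trimmed from the ranges output posted above (rule 2 of "Layer name").
RULE_WITH_RANGES = {
    "rule-number": 2,
    "source-ranges": {"ipv4": [{"start": "10.10.10.10", "end": "10.10.10.10"}],
                      "ipv6": [], "others": [], "excluded-others": []},
    "destination-ranges": {"ipv4": [{"start": "0.0.0.0", "end": "255.255.255.255"}],
                           "ipv6": [{"start": "0:0:0:0:0:0:0:0",
                                     "end": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"}],
                           "others": [], "excluded-others": []},
    "service-ranges": {"tcp": [{"start": "80", "end": "80"}], "udp": [],
                       "others": [], "excluded-others": []},
}

# Constructed sample modelled on the mixed result: a destination the API could not express
# as an IP range, so it was left as an object UID under "others".
RULE_WITH_UID = {
    "rule-number": 3,
    "source-ranges": {"ipv4": [{"start": "1.1.1.1", "end": "1.1.1.1"}],
                      "ipv6": [], "others": [], "excluded-others": []},
    "destination-ranges": {"ipv4": [], "ipv6": [], "others": ["obj-id-xxx"],
                           "excluded-others": []},
    "service-ranges": {"tcp": [{"start": "1000", "end": "1000"}], "udp": [],
                       "others": [], "excluded-others": []},
}

FULL_V4 = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))
FULL_V6 = (ipaddress.ip_address("::"),
           ipaddress.ip_address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))


def _span(r):
    """'10.10.10.10' for a single value, '10.0.0.0-10.255.255.255' for a real range."""
    return r["start"] if r["start"] == r["end"] else f'{r["start"]}-{r["end"]}'


def _covers_everything(v4, v6):
    """True when both the IPv4 and the IPv6 lists contain the whole address space."""
    def full(ranges, bounds):
        return any((ipaddress.ip_address(r["start"]), ipaddress.ip_address(r["end"])) == bounds
                   for r in ranges)
    return full(v4, FULL_V4) and full(v6, FULL_V6)


def render_addresses(block):
    """Turn a source-ranges / destination-ranges block into display strings plus leftover UIDs."""
    v4, v6 = block.get("ipv4", []), block.get("ipv6", [])
    unresolved = list(block.get("others", [])) + list(block.get("excluded-others", []))
    # Heuristic: the whole v4 and v6 space with nothing else is how Any renders. An explicit
    # 0.0.0.0/0 network object would look identical, so treat this label as best-effort.
    if _covers_everything(v4, v6) and not unresolved:
        return ["Any"], []
    return [_span(r) for r in v4 + v6], unresolved


def render_services(block):
    """tcp/udp port ranges become 'tcp/80' or 'udp/1024-2048'; non-port services stay as UIDs."""
    values = [f"{proto}/{_span(r)}" for proto in ("tcp", "udp") for r in block.get(proto, [])]
    unresolved = list(block.get("others", [])) + list(block.get("excluded-others", []))
    return values, unresolved


def render_rule_ranges(rule):
    """Render one show-as-ranges rule; 'unresolved' lists the UIDs that still need show-object."""
    src, src_left = render_addresses(rule.get("source-ranges", {}))
    dst, dst_left = render_addresses(rule.get("destination-ranges", {}))
    svc, svc_left = render_services(rule.get("service-ranges", {}))
    return {"rule-number": rule.get("rule-number"), "source": src, "destination": dst,
            "service": svc, "unresolved": src_left + dst_left + svc_left}


if __name__ == "__main__":
    for rule in (RULE_WITH_RANGES, RULE_WITH_UID):
        print(render_rule_ranges(rule))
```

The point of the `unresolved` list is to shrink the number of show-object round trips to exactly the objects the API refused to flatten (groups, domain objects and the like), rather than looking up every column of every rule.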

"use-object-dictionary" defaults to true. By default, you will get output like this:

[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 8a994dd3-993e-4c0c-92a1-a8630b153f4c limit 1 | jq .
{
  "uid": "8a994dd3-993e-4c0c-92a1-a8630b153f4c",
  "name": "Network",
  "rulebase": [
    {
      "uid": "9d820cd3-fb7b-44ef-b3e0-399fca6a44a4",
      "name": "Sectionless",
      "type": "access-rule",
      "domain": {...},
      "rule-number": 1,
      "track": {...},
      "source": [
        "97aeb369-9aea-11d5-bd16-0090272ccb30"
      ],
      "source-negate": false,
      "destination": [
        "97aeb369-9aea-11d5-bd16-0090272ccb30"
      ],
      "destination-negate": false,
      "service": [
        "97aeb40a-9aea-11d5-bd16-0090272ccb30"
      ],
      "service-negate": false,
      "service-resource": "",
      "vpn": [
        "97aeb369-9aea-11d5-bd16-0090272ccb30"
      ],
      "action": "6c488338-8eec-4103-ad21-cd461ac2c472",
      "action-settings": {
        "enable-identity-captive-portal": false
      },
      "content": [
        "97aeb369-9aea-11d5-bd16-0090272ccb30"
      ],
      "content-negate": false,
      "content-direction": "any",
      "time": [
        "97aeb369-9aea-11d5-bd16-0090272ccb30"
      ],
      "custom-fields": {
        "field-1": "",
        "field-2": "",
        "field-3": ""
      },
      "meta-info": {...},
      "comments": "",
      "enabled": true,
      "install-on": [
        "6c488338-8eec-4103-ad21-cd461ac2c476"
      ],
      "tags": []
    }
  ],
  "objects-dictionary": [
    {
      "uid": "6c488338-8eec-4103-ad21-cd461ac2c472",
      "name": "Accept",
      "type": "RulebaseAction",
      "domain": {...},
      "icon": "Actions/actionsAccept",
      "color": "none"
    },
    {
      "uid": "97aeb369-9aea-11d5-bd16-0090272ccb30",
      "name": "Any",
      "type": "CpmiAnyObject",
      "domain": {...},
      "icon": "General/globalsAny",
      "color": "black"
    },
    {
      "uid": "97aeb40a-9aea-11d5-bd16-0090272ccb30",
      "name": "echo-request",
      "type": "service-icmp",
      "domain": {...},
      "icon": "Services/ICMPService",
      "color": "orchid"
    },
    {
      "uid": "29e53e3d-23bf-48fe-b6b1-d59bd88036f9",
      "name": "None",
      "type": "Track",
      "domain": {...},
      "icon": "General/globalsNone",
      "color": "none"
    },
    {
      "uid": "6c488338-8eec-4103-ad21-cd461ac2c476",
      "name": "Policy Targets",
      "type": "Global",
      "domain": {...},
      "icon": "General/globalsAny",
      "color": "none"
    }
  ],
  "from": 1,
  "to": 1,
  "total": 29
}

The "objects-dictionary" key contains a list of all of the objects referenced in the rules covered by the API call. The "details-level" key in the call controls the level of detail of the rule and of these objects. This does have a significant limitation, though: group members are not included. You can resolve group members one at a time, but like you said, that's really slow.

If you can afford to spend the RAM, it's a lot faster to start by calling "/show-objects" over and over to ingest all objects into a local cache. You then pull the rules, ignore the "objects-dictionary" key, and ingest the rule using the objects from your local cache.

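The cache-first approach described above, as an added example that is not part of this thread or of Check Point's own tooling: page through show-objects once into a local dictionary keyed by UID, then resolve each rule's source/destination/service lists from that cache, recursing into groups (the part the objects-dictionary cannot do). It departs from the advice in one detail, keeping the response's objects-dictionary as a fallback instead of ignoring it, so a UID the cache missed (an object created after the cache was built) still gets a name. The show-objects client here is a constructed in-memory stand-in that only mimics the response shape (objects, from, to, total); it assumes the cache was built at details-level "full" so that group members are returned, and every object name, UID and member list below is made up.

```python
from typing import Callable, Dict, List

# Constructed object store. A real client would POST /web_api/show-objects with offset/limit
# and (assumption) details-level "full" so groups come back with their members.
CONSTRUCTED_OBJECTS = [
    {"uid": "97aeb369-9aea-11d5-bd16-0090272ccb30", "name": "Any", "type": "CpmiAnyObject"},
    {"uid": "h-1", "name": "host_for_server10", "type": "host", "ipv4-address": "10.10.10.10"},
    {"uid": "n-1", "name": "Net_10", "type": "network", "subnet4": "10.0.0.0", "mask-length4": 8},
    # Members as object summaries (one form the API uses) ...
    {"uid": "g-1", "name": "Servers", "type": "group",
     "members": [{"uid": "h-1", "name": "host_for_server10", "type": "host"}]},
    # ... and as bare UID strings; the resolver accepts both. h-1 appears twice on purpose.
    {"uid": "g-2", "name": "All_Servers", "type": "group", "members": ["g-1", "n-1", "h-1"]},
    {"uid": "s-1", "name": "tcp_1000", "type": "service-tcp", "port": "1000"},
    {"uid": "s-2", "name": "echo-request", "type": "service-icmp"},
]


def fake_show_objects(offset: int, limit: int) -> dict:
    """Serve CONSTRUCTED_OBJECTS with the API's paging keys: objects, from, to, total."""
    chunk = CONSTRUCTED_OBJECTS[offset:offset + limit]
    return {"objects": chunk, "from": offset + 1, "to": offset + len(chunk),
            "total": len(CONSTRUCTED_OBJECTS)}


def fetch_all_objects(show_objects: Callable[[int, int], dict], limit: int = 500) -> Dict[str, dict]:
    """Page through show-objects once and index every object by UID (the local cache)."""
    cache: Dict[str, dict] = {}
    offset = 0
    while True:
        page = show_objects(offset, limit)
        objects = page.get("objects", [])
        for obj in objects:
            cache[obj["uid"]] = obj
        # 'to' is the 1-based index of the last object returned, so it is also the next offset.
        if not objects or page.get("to", 0) >= page.get("total", 0):
            return cache
        offset = page["to"]


def build_dictionary(rulebase_response: dict) -> Dict[str, dict]:
    """Index the objects-dictionary that show-access-rulebase returns next to the rules."""
    return {o["uid"]: o for o in rulebase_response.get("objects-dictionary", [])}


def describe(obj: dict) -> str:
    """SmartConsole-style label: name plus the address or port where the object carries one."""
    name, kind = obj.get("name", obj["uid"]), obj.get("type", "")
    if kind == "host" and obj.get("ipv4-address"):
        return f'{name} ({obj["ipv4-address"]})'
    if kind == "network" and "subnet4" in obj:
        return f'{name} ({obj["subnet4"]}/{obj["mask-length4"]})'
    if kind in ("service-tcp", "service-udp") and "port" in obj:
        return f'{name} ({kind[len("service-"):]}/{obj["port"]})'
    return name


def resolve(uid: str, cache: Dict[str, dict], dictionary: Dict[str, dict], seen=None) -> List[str]:
    """Expand a UID to leaf labels, recursing into groups. 'seen' drops repeated members and
    guarantees termination even if a group ever referenced itself."""
    seen = set() if seen is None else seen
    if uid in seen:
        return []
    seen.add(uid)
    obj = cache.get(uid) or dictionary.get(uid)   # cache first, objects-dictionary as fallback
    if obj is None:
        return [f"<unresolved {uid}>"]             # only these still need a show-object call
    if obj.get("type") in ("group", "service-group"):
        leaves: List[str] = []
        for member in obj.get("members", []):
            member_uid = member["uid"] if isinstance(member, dict) else member
            leaves.extend(resolve(member_uid, cache, dictionary, seen))
        return leaves
    return [describe(obj)]


def resolve_rule(rule: dict, cache: Dict[str, dict], dictionary: Dict[str, dict]) -> dict:
    """Replace the UID lists of one access-rule with readable labels, keeping the negate flags."""
    out = {"rule-number": rule.get("rule-number")}
    for column in ("source", "destination", "service"):
        labels: List[str] = []
        for uid in rule.get(column, []):
            labels.extend(resolve(uid, cache, dictionary))
        out[column] = labels
        out[f"{column}-negate"] = bool(rule.get(f"{column}-negate"))
    return out


# Constructed rulebase response in the shape shown above: one rule plus its objects-dictionary
# (which, as noted, carries the group but not its members).
CONSTRUCTED_RESPONSE = {
    "rulebase": [{"rule-number": 1, "type": "access-rule",
                  "source": ["g-2"], "source-negate": False,
                  "destination": ["97aeb369-9aea-11d5-bd16-0090272ccb30"], "destination-negate": False,
                  "service": ["s-1", "s-2", "missing-uid"], "service-negate": False}],
    "objects-dictionary": [{"uid": "g-2", "name": "All_Servers", "type": "group"}],
}


def resolve_constructed() -> dict:
    cache = fetch_all_objects(fake_show_objects, limit=3)   # small limit to exercise paging
    return resolve_rule(CONSTRUCTED_RESPONSE["rulebase"][0], cache,
                        build_dictionary(CONSTRUCTED_RESPONSE))


if __name__ == "__main__":
    print(resolve_constructed())
```

Memory is the trade-off: the whole object database is held in RAM for the duration of the run, but every rule after that resolves with dictionary lookups only, and nested groups expand without a single extra API call.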
