This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hllrdm
Contributor
‎2023-09-19 12:58 AM

Getting rule numbers where Access roles are used

We have a large security policy written that utilizes Access roles. Is there some script or api so we can see the rule numbers where access roles are used so we don't have to manually review 3000+ rules?

0 Kudos
6 Replies
Alex-
MVP Silver
MVP Silver
‎2023-09-19 01:57 AM

Here's a basic script that lists access-roles UID and iterates a where-used on the UID.

You will need to filter the JSON output further and play with offsets for going over 500 items.

 

 

 

 

#!/bin/bash

ar_uid=$(mgmt_cli -r true show-access-roles --format json | jq -r ".objects[] | .uid")

declare -a name_array
while IFS= read -r line; do
    name_array+=("$line")
done <<< "$ar_uid"

for ar_uid in "${name_array[@]}"; do
    echo "Processing: $ar_uid"
    ar_uid_where_used=$(mgmt_cli -r true where-used uid "$ar_uid" --format json)
    echo $ar_uid_where_used
done

 

 

 

 

0 Kudos
Hllrdm
Contributor
‎2023-09-19 02:02 AM
In response to Alex-

Thanks for the reply, we will try to use it.
We are additionally using MDS and different policy packages, is there any way to make the script download the rule numbers from a specific CMA and from a specific policy package?

0 Kudos
Alex-
MVP Silver
MVP Silver
‎2023-09-19 02:29 AM
In response to Hllrdm

I don't have access to an MDS but it looks like you have to log in to the CMA after logging into the System Domain on the MDS so the code would need to be expanded a bit.

Check Point - Management API reference

Otherwise, you can expand the script to remove the clutter like "Proccessing: " and save everything in a file where you can use further tooling to filter and sort. This script in itself is a basic iteration in an environment with few access roles where a visual check is enough.

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-09-19 04:55 AM
In response to Hllrdm

Are any of the access roles you're interested in defined at the global level, or are they all defined in the CMAs?

0 Kudos
Hllrdm
Contributor
‎2023-09-22 01:43 AM
In response to Bob_Zimmerman

All objects are defined in the CMA in one policy package

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-09-22 11:44 AM
In response to Hllrdm

In that case, you just need to add a quick '-d "CMA name"' to each mgmt_cli call above. For example:

mgmt_cli -d "CMA name" -r true where-used uid "$ar_uid" --format json

Replacing the literal string 'CMA name' with the name of the CMA you want to check.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events