This section describes how to export the firewall policy and NAT rule policy to CSV through the command line, or enter the policy in JSON format through the command.
I would start with "mgmt_cli show packages"
From there you can get/parse all policy names and run the following for every policy you like. If you have a unified policy package, the layer name is probably "network".
mgmt_cli show access-rulebase name Network package <policy_name>
mgmt_cli show nat-rulebase package <policy_name>
That would show it, but is there a flag to export it?
Hope you are staying safe!
Andy
I usually echo the response into a file and then it's easier for me. I haven't tried the tool from the SK @Zolocofxp mentioned; if it works well it will be more presentable and worth a shot.
Trying to stay safe, thank you very much for your concern.
True, that tool is good, agree! I pray for peace man no matter who it is or what nation. I lived in war myself (Hell, probably better word to use), so I know exactly how it is...sadly, ALWAYS innocent people pay the price.
Andy
Hello, Amir_Senn, using mgmt_cli export has bar code restrictions, the policy can only display 20 items at a time, can you specify the main information such as source address, destination address, and port in a table?
Sorry, I don't understand which 20 items you're talking about, can you elaborate?
BTW, I made a one-liner that goes over the DB, takes all the policy packages, exports the access control RB + NAT RB for each and saves them as text files in JSON format. Still needs work but maybe you can use it. Not suitable for MDS at the moment.
mgmt_cli show packages -r true | grep "name" > Senn_temp.txt ; cat Senn_temp.txt | cut -d':' -f2- > Senn_temp0.txt ; Lines=$(cat Senn_temp0.txt | wc -l) ; for (( N=0; $N<$Lines; N=(($N+2)))); { current=$(head -1 Senn_temp$N.txt); current=${current::-2}; current=${current:2}; echo $current >> policies0.txt; cat Senn_temp0.txt | tail -$(($Lines-$N-2)) > Senn_temp$(($N+2)).txt; } ; rm Senn_temp* ; Lines=$(cat policies0.txt | wc -l) ; for (( N=0; $N<$Lines; N=(($N+1)))); { current_policy=$(head -1 policies$N.txt); current_layer=$(mgmt_cli show package -r true name $current_policy | grep -A2 access-layers: | grep name* | cut -c8-); current_layer=${current_layer::-2}; current_layer=${current_layer:2}; current_name="${current_layer// /_}"; mgmt_cli show access-rulebase name "$current_layer" limit 500 -r true --format json > $current_name.txt; mgmt_cli show nat-rulebase package "$current_policy" limit 500 -r true --format json > NAT_$current_name.txt; cat policies$N.txt | tail -$(($Lines-$N-1)) > policies$(($N+1)).txt; } ; rm policies* ;
Hey Amir,
Just tested this in my lab and got below. PLEASE keep staying safe.
Andy
[Expert@CP-management:0]# mgmt_cli show packages -r true | grep "LAB-POLICY" > Senn_temp.txt ; cat Senn_temp.txt | cut -d':' -f2- > Senn_temp0.txt ; Lines=$(cat Senn_temp0.txt | wc -l) ; for (( N=0; $N<$Lines; N=(($N+2)))); { current=$(head -1 Senn_temp$N.txt); current=${current::-2}; current=${current:2}; echo $current >> policies0.txt; cat Senn_temp0.txt | tail -$(($Lines-$N-2)) > Senn_temp$(($N+2)).txt; } ; rm Senn_temp* ; Lines=$(cat policies0.txt | wc -l) ; for (( N=0; $N<$Lines; N=(($N+1)))); { current_policy=$(head -1 policies$N.txt); current_layer=$(mgmt_cli show package -r true name $current_policy | grep -A2 access-layers: | grep name* | cut -c8-); current_layer=${current_layer::-2}; current_layer=${current_layer:2}; current_name="${current_layer// /_}"; mgmt_cli show access-rulebase name "$current_layer" limit 500 -r true --format json > $current_name.txt; mgmt_cli show nat-rulebase package "$current_policy" limit 500 -r true --format json > NAT_$current_name.txt; cat policies$N.txt | tail -$(($Lines-$N-1)) > policies$(($N+1)).txt; } ; rm policies* ;
tail: unrecognized option '--1'
Try 'tail --help' for more information.
Nm, disregard my last command, layer 8 issue lol
Just ran same command without changing anything and it did produce 2 files, one for network, one for nat...looks good!
Kind regards,
Andy
I think web_api_show_package.sh under sk120342 is what you are looking for. Give it a shot, it has been really helpful in my case.
https://support.checkpoint.com/results/sk/sk120342
That is true, BUT, I don't think it exports it into CSV format, at least not that I can recall.
Andy
Hi @Zolocofxp, I have seen this SK. Is it necessary to export the policy file through Python? I performed the configuration according to the requirements of the SK, but the log content was empty and the path of the exported file was not found.
In general, you'd use the output of a series of mgmt_cli commands piped through jq, which can output in CSV.
Note that NAT rules will not include "automatic NAT" rules that are created as these are configured in the relevant object.
Hi PhoneBoy, mgmt_cli export policy: the bar code has a maximum of 500 lines. What are the exported commands? What additional parameters do I need to add? I saw a Python export policy on GitHub, is this reliable? And can you export it in any format you want? For example, only the source IP address, destination IP address, VPN, port, action, and log parameters are exported. Other UIDs do not need to be displayed.
To be clear, there is no single command that will dump a large rulebase and/or object database.
The API limits the number of results returned by design to keep the service performant.
This means you will have to make multiple API calls with the offset parameter (offset 500, offset 1000, etc) to get the next set of results.
You can pipe the output of mgmt_cli to jq in order to get exactly the fields you want in the exact format you want.
This tool, although not formally supported, is produced by Check Point R&D: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...
Another tool, produced by one of our SEs, exports to/imports from CSV: https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d...
Having said all of that, SmartConsole can export the current rulebase in CSV from here:
The NAT rulebase can be exported similarly.
Note that you can not import rules directly from CSV.
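The offset paging and field selection described in the reply above, as an added example that is not part of the original thread or any Check Point tool. The function names are hypothetical, the sample pages are constructed, and the response fields used (`rulebase`, `objects-dictionary`, `to`, `total`, nested `access-section` entries, UID references) are assumed to match the standard `show access-rulebase` JSON output.

```python
import csv, io, json, subprocess

LIST_COLS = ["source", "destination", "vpn", "service"]  # fields holding lists of UIDs

def mgmt_cli_page(layer, offset, limit=500):
    """One API page via mgmt_cli (only works on a management server)."""
    cmd = ["mgmt_cli", "show", "access-rulebase", "name", layer, "limit", str(limit),
           "offset", str(offset), "-r", "true", "--format", "json"]
    return json.loads(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

def export_rulebase(fetch, limit=500):
    """Walk the rulebase page by page and return the selected fields as CSV text."""
    names, rules, offset = {}, [], 0
    while True:
        page = fetch(offset, limit)
        # Rules reference objects by UID; each page carries a UID -> name dictionary.
        names.update((o["uid"], o["name"]) for o in page.get("objects-dictionary", []))
        for item in page.get("rulebase", []):
            # Section titles wrap their rules in a nested "rulebase" list.
            rules += item["rulebase"] if item.get("type") == "access-section" else [item]
        if page.get("to", 0) >= page.get("total", 0):
            break  # last page reached
        offset += limit
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["no", "name", *LIST_COLS, "action", "track"])
    for r in rules:
        cells = [";".join(names.get(u, u) for u in r.get(c, [])) for c in LIST_COLS]
        track = r.get("track", {}).get("type", "")
        writer.writerow([r.get("rule-number"), r.get("name", ""), *cells,
                         names.get(r.get("action"), r.get("action")), names.get(track, track)])
    return out.getvalue()

# Constructed sample data: a three-rule layer served two rules per page.
_OBJS = [{"uid": u, "name": n} for u, n in [("u1", "Any"), ("u2", "web-srv"),
         ("u3", "https"), ("u4", "Accept"), ("u5", "Drop"), ("u6", "Log")]]

def _rule(no, name, dst, svc, action):
    return {"type": "access-rule", "rule-number": no, "name": name, "source": ["u1"],
            "destination": [dst], "vpn": ["u1"], "service": [svc], "action": action,
            "track": {"type": "u6"}}
_ALL = [_rule(1, "web in", "u2", "u3", "u4"), _rule(2, "mgmt", "u2", "u1", "u4"),
        _rule(3, "cleanup", "u1", "u1", "u5")]

def sample_fetch(offset, limit):
    chunk = _ALL[offset:offset + limit]
    body = [{"type": "access-section", "name": "DMZ", "rulebase": chunk}] if offset == 0 else chunk
    return {"rulebase": body, "objects-dictionary": _OBJS,
            "from": offset + 1, "to": offset + len(chunk), "total": len(_ALL)}
```

On a management server, `export_rulebase(lambda off, lim: mgmt_cli_page("Network", off, lim))` runs the same loop against the live API; `export_rulebase(sample_fetch, limit=2)` exercises it offline with the constructed pages.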