Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
With R80.10, an audit log for a deleted Access Control rule contains the name of the rule, and the list of policies and layers that contain it.
If you wish to get all the rule's information: source, destination, everything, you can leverage the
This can happen either on the MGMT machine itself, or via outside script.
In this example, I did it on the MGMT machine itself because every MGMT machine also has a tool called “JQ” which is preinstalled and allows to filter the results of the command. “show-changes” will show all changes that happened in the given session UID, and I’m sending the results to JQ which then filters them only to deleted access rules.
Step 1: get the session ID from the audit log card.
Step 2: On the security management machine, login and save the login details to a text file. We will use this text file to identify for the next command.
mgmt_cli login user [username] password [password] domain [domain, optional] > sid.txt
Step 3: Use the show-changes API with filter on deleted access rules and based on the session UID that we copied from step 1.
mgmt_cli show-changes -s sid.txt to-session 2af63713-ad4e-4e9e-869b-361262810258 details-level full --format json | jq -r '.tasks[]["task-details"][].changes[].operations["deleted-objects"][]|select(.type=="access-rule")'
result is attached to this thread (big json with all the data that the rule has) (2 rules were deleted in this session)
Step 4: logout
mgmt_cli logout -s sid.txt
Feedback is welcome.
