This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tomer_Sole
Employee Alumnus
Employee Alumnus
‎2018-02-12 01:59 AM

How to get all the information about a deleted rule

With R80.10, an audit log for a deleted Access Control rule contains the name of the rule, and the list of policies and layers that contain it.

If you wish to get all the rule's information: source, destination, everything, you can leverage the 

show-changes REST API.

This can happen either on the MGMT machine itself, or via outside script.

In this example, I did it on the MGMT machine itself because every MGMT machine also has a tool called “JQ” which is preinstalled and allows to filter the results of the command. “show-changes” will show all changes that happened in the given session UID, and I’m sending the results to JQ which then filters them only to deleted access rules.

Step 1: get the session ID from the audit log card.

Step 2: On the security management machine, login and save the login details to a text file. We will use this text file to identify for the next command.

mgmt_cli login user [username] password [password] domain [domain, optional] > sid.txt

 

Step 3: Use the show-changes API with filter on deleted access rules and based on the session UID that we copied from step 1.

mgmt_cli show-changes -s sid.txt to-session 2af63713-ad4e-4e9e-869b-361262810258 details-level full --format json | jq -r '.tasks[]["task-details"][].changes[].operations["deleted-objects"][]|select(.type=="access-rule")'

result is attached to this thread (big json with all the data that the rule has) (2 rules were deleted in this session)

 

 

Step 4: logout

 

mgmt_cli logout -s sid.txt

 

Feedback is welcome.

deleted rule data.txt.zip
6 Replies
PhoneBoy
Admin
Admin
‎2018-02-12 01:01 PM

That's actually a neat trick Smiley Happy

0 Kudos
Danny
Champion
Champion
‎2018-02-15 12:00 AM

I like that!

0 Kudos
PhongNN
Contributor
‎2022-05-19 12:44 AM

Thank you so much. It 's very useful

0 Kudos
Tomer_Noy
Employee
Employee
‎2022-05-19 02:00 AM
In response to PhongNN

This is a very old post, but glad to see that it's still useful 😁

There are actually easier ways to do this in today's latest versions. If you see an audit log for a deleted rule, you can look at the session name, find it in the Revisions view (under "Manage and Settings"), right click and select "Compare with previous".

That will open a visual change report with the session's changes, including the details of the deleted rule.

0 Kudos
PhongNN
Contributor
‎2022-05-19 02:03 AM
In response to Tomer_Noy

Excuse me

Is this feature available on version R80.30?

0 Kudos
Tomer_Noy
Employee
Employee
‎2022-05-19 03:07 AM
In response to PhongNN

The "Change Report" feature was added in R81

0 Kudos