This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tomer_Sole
Mentor
Mentor
‎2018-02-12 01:59 AM

How to get all the information about a deleted rule

With R80.10, an audit log for a deleted Access Control rule contains the name of the rule, and the list of policies and layers that contain it.

If you wish to get all the rule's information: source, destination, everything, you can leverage the 

show-changes REST API.

This can happen either on the MGMT machine itself, or via outside script.

In this example, I did it on the MGMT machine itself because every MGMT machine also has a tool called “JQ” which is preinstalled and allows to filter the results of the command. “show-changes” will show all changes that happened in the given session UID, and I’m sending the results to JQ which then filters them only to deleted access rules.

Step 1: get the session ID from the audit log card.

Step 2: On the security management machine, login and save the login details to a text file. We will use this text file to identify for the next command.

mgmt_cli login user [username] password [password] domain [domain, optional] > sid.txt

 

Step 3: Use the show-changes API with filter on deleted access rules and based on the session UID that we copied from step 1.

mgmt_cli show-changes -s sid.txt to-session 2af63713-ad4e-4e9e-869b-361262810258 details-level full --format json | jq -r '.tasks[]["task-details"][].changes[].operations["deleted-objects"][]|select(.type=="access-rule")'

result is attached to this thread (big json with all the data that the rule has) (2 rules were deleted in this session)

 

 

Step 4: logout

 

mgmt_cli logout -s sid.txt

 

Feedback is welcome.

deleted rule data.txt.zip
6 Replies
PhoneBoy
Admin
Admin
‎2018-02-12 01:01 PM

That's actually a neat trick Smiley Happy

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-02-15 12:00 AM

I like that!

0 Kudos
PhongNN
Contributor
‎2022-05-19 12:44 AM

Thank you so much. It 's very useful

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-05-19 02:00 AM
In response to PhongNN

This is a very old post, but glad to see that it's still useful 😁

There are actually easier ways to do this in today's latest versions. If you see an audit log for a deleted rule, you can look at the session name, find it in the Revisions view (under "Manage and Settings"), right click and select "Compare with previous".

That will open a visual change report with the session's changes, including the details of the deleted rule.

0 Kudos
PhongNN
Contributor
‎2022-05-19 02:03 AM
In response to Tomer_Noy

Excuse me

Is this feature available on version R80.30?

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-05-19 03:07 AM
In response to PhongNN

The "Change Report" feature was added in R81

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events