Do rule sections have a concept of being locked? When I look at one via the API, I only get this:
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase name "Policy 2, Layer 2" details-level full limit 1
{
  "uid" : "2578c425-63b7-485a-a022-05fff5ca88b9",
  "name" : "Policy 2, Layer 2",
  "rulebase" : [ {
    "uid" : "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e",
    "name" : "P2L2 Section 1",
    "type" : "access-section",
    "from" : 1,
    "to" : 1,
    "rulebase" : [ ... ]
  } ],
  "objects-dictionary" : [ ... ],
  "from" : 1,
  "to" : 1,
  "total" : 2500
}
NAT sections are similar. They don't return a meta-info block at all, so I can't tell when one was created or last modified, who last worked on it, or much of anything else.
What do you get if you check the section object itself using the "show object" API?
mgmt_cli -f json -r true show object uid "2578c425-63b7-485a-a022-05fff5ca88b9" details-level full
Sure enough. I should have thought to try that.
[Expert@DallasSA]# mgmt_cli -f json -r true show object uid 6b647376-6f7a-4755-b3ca-adf3cc7d0b4e details-level full
{
  "object" : {
    "uid" : "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e",
    "name" : "P2L2 Section 1",
    "type" : "access-section",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "tags" : [ ],
    "meta-info" : {
      "lock" : "unlocked",
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1637433950042,
        "iso-8601" : "2021-11-20T18:45+0000"
      },
      "last-modifier" : "WEB_API",
      "creation-time" : {
        "posix" : 1637433949870,
        "iso-8601" : "2021-11-20T18:45+0000"
      },
      "creator" : "WEB_API"
    },
    "read-only" : false
  }
}
Also interesting: access sections have an associated domain and can have tags. Extremely inconvenient to have to make a separate request per section just to see all that, though.
And it's a little weird that the 'show object' output doesn't include the rules in that section, or even any indication whether it has rules at all. Passing the access section's UUID to 'show access-rulebase' returns a generic error with no contents, which is interesting:
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 6b647376-6f7a-4755-b3ca-adf3cc7d0b4e
{
  "code" : "generic_error",
  "message" : ""
}
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 97aeb369-9aea-11d5-bd16-0090272ccb30 # This is the UUID for the object "Any"
{
  "code" : "generic_error",
  "message" : "Runtime error: com.checkpoint.objects.classes.dummy.CpmiAnyObject incompatible with com.checkpoint.objects.rulebase.RulebaseEntity"
}
I just noticed that there are already API calls "show access-section" and "show nat-section" available. Have you tried using them?
Yep. That gives me the same stuff 'show object' does, just in a less convenient way (you have to specify the layer as well as the section, while 'show object' works with just the section). Meta-info block and tags are included, rules are not.
Looks like I have to make a 'show access-rulebase' call to learn about the sections which exist and their rule contents, then a separate 'show object' call for every single section to get its tags and meta-info.
I think I tested this for NAT sections earlier, but I can confirm it does not work on R81.10 jumbo 82:
[Expert@DallasSA]# mgmt_cli -r true -f json show nat-rulebase package Standard | jq '.rulebase[1]'
{
  "uid": "4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9",
  "name": "Automatic Generated Rules : Machine Hide NAT",
  "type": "nat-section",
  "rulebase": []
}
[Expert@DallasSA]# mgmt_cli -r true -f json show object uid 4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9
{
  "code" : "generic_error",
  "message" : "Null Pointer exception: null"
}
[Expert@DallasSA]# mgmt_cli -r true -f json show nat-section uid 4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9 package Standard
{
  "uid" : "4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9",
  "name" : "Automatic Generated Rules : Machine Hide NAT",
  "type" : "nat-section",
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User",
    "domain-type" : "domain"
  },
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1625139158832,
      "iso-8601" : "2021-07-01T11:32+0000"
    },
    "last-modifier" : "System",
    "creation-time" : {
      "posix" : 1625139158783,
      "iso-8601" : "2021-07-01T11:32+0000"
    },
    "creator" : "System"
  },
  "read-only" : true
}
Inconvenient.
Did some more testing. I'm able to use 'show object' to get the details for access layers, sections, and rules, HTTPS Inspection layers, sections, and rules, policy packages, and NAT rules. Only NAT sections are broken like above. I'll file a ticket with support.
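An added Python example (not from the thread and not Check Point's own tooling) of the two-step workflow the posts above describe: one 'show access-rulebase' call to list sections and their rule counts, then one call per section for the tags and meta-info the listing omits, with NAT sections routed through 'show nat-section' because 'show object' fails on them. The embedded sample response (the rule UIDs in it are made up), the fetch_object/fetch_nat_section callables and the mgmt_cli wrapper are assumptions; the wrapper only mirrors the command lines shown in the thread.

```python
import json
import subprocess

# Constructed sample of a 'show access-rulebase' response, cut down from the thread's
# output: layer and section UIDs are the ones posted, the two rules are made up.
SAMPLE_RULEBASE = json.loads("""{
  "uid": "2578c425-63b7-485a-a022-05fff5ca88b9", "name": "Policy 2, Layer 2",
  "rulebase": [{"uid": "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e", "name": "P2L2 Section 1",
                "type": "access-section", "from": 1, "to": 2,
                "rulebase": [{"uid": "rule-1", "type": "access-rule"},
                             {"uid": "rule-2", "type": "access-rule"}]}]}""")
SECTION_TYPES = {"access-section", "nat-section"}


def mgmt_cli(*args):
    """Run mgmt_cli as the thread does (-r true: root login on the management server)."""
    return json.loads(subprocess.check_output(["mgmt_cli", "-f", "json", "-r", "true", *args]))


def list_sections(rulebase_response):
    """Flatten one rulebase response into its sections, each with a rule count."""
    return [{"uid": e["uid"], "name": e["name"], "type": e["type"],
             "rule_count": len(e.get("rulebase", []))}
            for e in rulebase_response.get("rulebase", []) if e.get("type") in SECTION_TYPES]


def enrich_sections(rulebase_response, fetch_object, fetch_nat_section=None):
    """One extra call per section to pick up the tags and meta-info the listing omits.

    fetch_object(uid) wraps 'show object uid <uid> details-level full'.  NAT sections go
    to fetch_nat_section(uid) (wrapping 'show nat-section uid <uid> package <pkg>')
    because 'show object' on them returns the Null Pointer exception seen above.
    """
    result = []
    for sec in list_sections(rulebase_response):
        use_nat = sec["type"] == "nat-section" and fetch_nat_section is not None
        resp = fetch_nat_section(sec["uid"]) if use_nat else fetch_object(sec["uid"])
        obj = resp.get("object", resp)  # 'show object' wraps its payload; errors are not wrapped
        if "code" in obj:               # error payload such as {"code": "generic_error", ...}
            sec["error"] = obj.get("message") or obj["code"]
        else:
            meta = obj.get("meta-info", {})
            sec.update(tags=[t["name"] if isinstance(t, dict) else t for t in obj.get("tags", [])],
                       lock=meta.get("lock"), last_modifier=meta.get("last-modifier"),
                       last_modified=meta.get("last-modify-time", {}).get("iso-8601"),
                       read_only=obj.get("read-only"))
        result.append(sec)
    return result
```

On a management server, pass `lambda u: mgmt_cli("show", "object", "uid", u, "details-level", "full")` as fetch_object and the output of `mgmt_cli("show", "access-rulebase", "name", "<layer>", "details-level", "full")` as the rulebase response; a single 'show access-rulebase' call is paged by limit/offset, so run it per page.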