Greetings!
I am currently trying to export a rulebase via the web-api via
'show-access-rulebase', {'name': 'my firewall rulebase'}
This results in a json representation of my ruleset. A rule in this result set might look like this (uids manually changed):
```json
{
  "uid": "11111111-2222-3333-4444-555555555555",
  "name": "Test-Rule",
  "type": "access-rule",
  "domain": {
    "uid": "11111111-2222-3333-4444-555555555555",
    "name": "SMC User",
    "domain-type": "domain"
  },
  "rule-number": 40,
  "track": {...},
  "source": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "source-negate": false,
  "destination": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "destination-negate": false,
  "service": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "service-negate": false,
  "service-resource": "",
  "vpn": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "action": "11111111-2222-3333-4444-555555555555",
  "action-settings": {
    "enable-identity-captive-portal": false
  },
  "content": [
    "11111111-2222-3333-4444-555555555555"
  ],
  "content-negate": false,
  ...
}
```
I can resolve the uids given in the "source", "destination" and "service" fields via commands like
'show-host', {'uid': '11111111-2222-3333-4444-555555555555'}
or similar (show-group, show-network, ...) commands.
Some uids however I can not resolve via these commands. Even the command 'show-object' does not work for these uids. When I check the rules in the Smart Console, the source, destination or service fields contain the 'Any' object.
How can I query these 'Any' objects via the web-api by their uid?
Thank you very much in advance!
Regards,
Nils
We're currently facing the same issue.
The show-objects API does return the CpmiAnyObject when queried for its uid, which seems to be 97aeb369-9aea-11d5-bd16-0090272ccb30 on all our managers. We still don't want to hardcode it for rule generation as it might change.
'show object' definitely works for the UUID for Any:
```
[Expert@DallasSA]# mgmt_cli -f json -r true show object uid 97aeb369-9aea-11d5-bd16-0090272ccb30
{
  "object" : {
    "uid" : "97aeb369-9aea-11d5-bd16-0090272ccb30",
    "name" : "Any",
    "type" : "CpmiAnyObject",
    "domain" : {
      "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
      "name" : "Check Point Data",
      "domain-type" : "data domain"
    },
    "icon" : "General/globalsAny",
    "color" : "black"
  }
}
```
There are a number of special objects like that:
- 6c488338-8eec-4103-ad21-cd461ac2c476: Policy Targets
- 85c0f50f-6d8a-4528-88ab-5fb11d8fe16c: Original
- 97aeb36a-9aea-11d5-bd16-0090272ccb30: None
- 97aeb36a-9aeb-11d5-bd16-0090272ccb30: All Users
- 97aeb36a-9aed-11d5-bd16-0090272ccb30: All_GwToGw (all site-to-site VPNs)
- 97aeb368-9aea-11d5-bd16-0090272ccb30: All
- 97aeb369-9aea-11d5-bd16-0090272ccb30: Any
- 213f0a22-49da-4719-94b3-f2d74623f3fb: Policy HTTPS Targets
There are probably some others which I haven't run into yet.
Yes, but the question is how to get its UID without knowing it.
Thank you for your responses!
First of all: You are correct, Bob. The 'show-object' command resolves these objects. Thank you for pointing this out. I was sure to have tested for it.
Nevertheless abraxxa is correct, that there is no way to query the 'Any' object before it is encountered in the policy afaik.
For performance reasons I query all network and service objects before querying the ruleset, so I can resolve all uids I encounter on the fly. Only the 'Any' objects are not queryable beforehand, so I need to dynamically load them while parsing the ruleset.
I just rechecked: The 'show-objects' command does not show the 'Any' objects.
'show-objects', {'filter': 'Any'}
So is there a way to query these 'Any' objects via the web-api before knowing their uid?
'show objects' does not include these, yes. It also doesn't include rule actions (Accept, Drop, etc. all have UUIDs), rule track settings (Log, Alert, etc.), tags, or a few other things. The list of UUIDs I provided is what I've found I have to download by hand to ensure I have every valid option for the various fields.
I forget if QoS limits show up in 'show objects', but I do end up with them after recursively downloading everything I can.
I definitely wouldn't mind a 'show special-objects' or similar call which shows all of the weird things like these. I requested something like that a while ago, but never heard if it's on the roadmap. Fortunately, their UUIDs never change since they're built-in, so I just built that manual list to download.
No it's not. The question as originally stated:
@nildi wrote:
> Some uids however I can not resolve via these commands. Even the command 'show-object' does not work for these uids. When I check the rules in the Smart Console, the source, destination or service fields contain the 'Any' object.
>
> How can I query these 'Any' objects via the web-api by their uid?
And the answer is to use 'show object' with the UUID. It definitely works. I've used it for Any back to R80.20, though I don't have any management servers that old anymore to confirm the other UUIDs in my list, but I would expect all of them to work as well.
The objects referenced in rules should also show up in the 'show access-rulebase' call's objects dictionary. The objects I listed above don't show up in 'show objects' and may not show up in rules, but they're still valid destinations for certain object relationships.
Thank you very much for the clarification. Seems I will hard-code these objects into my code for now, until there is such a 'show-special-objects' function.
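The approach discussed in this thread, as an added example that is not part of any post and is not Check Point code: prefetch what 'show-objects' returns, merge the rulebase reply's objects dictionary, fall back to 'show-object' for any uid still unknown, and recognise 'Any' by its `CpmiAnyObject` type instead of a hard-coded UUID. Assumptions: `api_call` is a hypothetical callable wrapping your API session, the reply key is `objects-dictionary`, the rulebase is flat (no sections), and all sample data is constructed.

```python
ANY_UID = "97aeb369-9aea-11d5-bd16-0090272ccb30"   # value quoted in the thread

class UidResolver:
    """Cache of uid -> object; unknown uids are fetched once via 'show-object'."""
    def __init__(self, api_call, prefetched=()):
        self._api_call = api_call          # hypothetical callable(command, payload) -> dict
        self._cache = {o["uid"]: o for o in prefetched}
        self.lookups = 0                   # number of on-demand 'show-object' calls

    def add_dictionary(self, rulebase_reply):
        # Objects referenced by rules arrive with the rulebase reply itself.
        for obj in rulebase_reply.get("objects-dictionary", []):
            self._cache.setdefault(obj["uid"], obj)

    def resolve(self, uid):
        if uid not in self._cache:
            self.lookups += 1
            reply = self._api_call("show-object", {"uid": uid})
            if "object" not in reply:      # fail closed: never guess what a uid means
                raise LookupError(f"unresolved uid {uid}")
            self._cache[uid] = reply["object"]
        return self._cache[uid]

def rules_using_any(rulebase_reply, resolver, fields=("source", "destination", "service")):
    """Return {rule name: [fields containing an object of type CpmiAnyObject]}."""
    resolver.add_dictionary(rulebase_reply)
    hits = {}
    for rule in rulebase_reply["rulebase"]:
        if rule.get("type") != "access-rule":
            continue
        wide = [f for f in fields
                if any(resolver.resolve(u)["type"] == "CpmiAnyObject" for u in rule.get(f, []))]
        if wide:
            hits[rule["name"]] = wide
    return hits

# Constructed sample data (not real API output)
HOST = {"uid": "00000000-0000-0000-0000-00000000000a", "name": "web1", "type": "host"}
SVC = {"uid": "00000000-0000-0000-0000-00000000000b", "name": "https", "type": "service-tcp"}
SAMPLE = {"rulebase": [
    {"type": "access-rule", "name": "Test-Rule", "source": [ANY_UID], "destination": [HOST["uid"]], "service": [SVC["uid"]]},
    {"type": "access-rule", "name": "Wide", "source": [ANY_UID], "destination": [ANY_UID], "service": [SVC["uid"]]},
], "objects-dictionary": [SVC]}

def fake_api_call(command, payload):       # stand-in for a real management API session
    known = {ANY_UID: {"uid": ANY_UID, "name": "Any", "type": "CpmiAnyObject"}}
    obj = known.get(payload["uid"]) if command == "show-object" else None
    return {"object": obj} if obj else {"message": "constructed error reply"}
```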