This gets complicated if you potentially have multiple access layers in a policy package. I guess you could check each access layer one by one to see if at least one has such a rule.
It would likely be in the first 500, so you can probably get away with only fetching the one page.
It also gets complicated if you use a different form of stealth rule: an inner layer. Say the outer layer has "Any source to firewall object, send to firewall management layer". As long as the firewall management layer ends in drop or reject, that functions as a stealth rule, though it doesn't obviously look like one at first glance. The advantage of this pattern is you can manage all administrative access to all of your firewalls in the firewall management layer, regardless of which policy package they run. Add a new SNMP client? You just need to stick it into a rule in one place.
I would probably do something like this:
- Get a list of all domains. If this is a SmartCenter rather than an MDS (no domain), treat it like an MDS with only the one domain to scrub.
- For each domain, get a list of all policy packages. For each policy package:
- Record the policy package's installation targets.
- For each access layer in the policy package, get a list of the first 500 rules (.rulebase[]|if has("rulebase") then .rulebase[] else . end| ... can help here).
- For each installation target, select all the rules with a source of "97aeb369-9aea-11d5-bd16-0090272ccb30" (UUID for Any), a destination of that target, and an action of "Drop", "Reject", or "Inner Layer".
- If the action is "Inner Layer", dump the access layer in the rule's "inline-layer" key and check to be sure either the last rule's action is Drop or Reject, or the layer's "implicit-cleanup-action" is "drop".
As long as at least one layer in the policy package has at least one matching rule for every installation target, you're good.
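As an added example (not code from the original post), the per-target check described above in Python, run over a constructed and simplified stand-in for the API's rulebase JSON (source/destination as UID lists, action as a plain string); the `layers` dict of uid to already-fetched layer is an assumption standing in for the per-layer API calls.

```python
# Added example (not from the original post). Audits one policy package for a
# stealth rule per installation target. JSON shape is a constructed, simplified
# stand-in for show-access-rulebase output with source/destination as UID lists.
ANY_UID = "97aeb369-9aea-11d5-bd16-0090272ccb30"  # UUID for "Any", from the post
DROPPING = {"Drop", "Reject"}

def flatten(rulebase):
    """Yield rules, descending into sections (the jq `if has("rulebase")` step)."""
    for entry in rulebase:
        if "rulebase" in entry:
            yield from flatten(entry["rulebase"])
        else:
            yield entry

def layer_ends_in_drop(layer):
    """An inline layer only works as a stealth target if nothing falls through."""
    rules = list(flatten(layer.get("rulebase", [])))
    if rules and rules[-1]["action"] in DROPPING:
        return True
    return layer.get("implicit-cleanup-action") == "drop"

def is_stealth_rule(rule, target_uid, layers):
    """layers: dict uid -> fetched access layer (assumed already retrieved)."""
    if ANY_UID not in rule["source"] or target_uid not in rule["destination"]:
        return False
    if rule["action"] in DROPPING:
        return True
    if rule["action"] == "Inner Layer":
        inner = layers.get(rule.get("inline-layer"))
        return inner is not None and layer_ends_in_drop(inner)
    return False

def missing_stealth(package, layers):
    """Return installation targets that no layer in the package protects."""
    return [t for t in package["installation-targets"]
            if not any(is_stealth_rule(r, t, layers)
                       for uid in package["access-layers"]
                       for r in flatten(layers[uid]["rulebase"]))]

# Constructed sample: fw-a is covered via an inner layer, fw-b is not.
LAYERS = {
    "net-layer": {"rulebase": [
        {"name": "Section", "rulebase": [
            {"source": [ANY_UID], "destination": ["fw-a"],
             "action": "Inner Layer", "inline-layer": "mgmt-layer"}]},
        {"source": [ANY_UID], "destination": ["fw-b"], "action": "Accept"}]},
    "mgmt-layer": {"implicit-cleanup-action": "drop", "rulebase": [
        {"source": ["admins"], "destination": ["fw-a"], "action": "Accept"}]},
}
PACKAGE = {"installation-targets": ["fw-a", "fw-b"], "access-layers": ["net-layer"]}
```

Calling missing_stealth(PACKAGE, LAYERS) on the sample reports fw-b, since its only Any-to-firewall rule accepts rather than drops.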