Hi Team,
I need to check and extract all the rule bases which are going to expire in the next 15 days (time object). Is there any script in Ansible/shell/Python and mgmt_cli API call that satisfies the above condition? Below are my needs as well.
1) To get full file bases which are disabled using a script.
2) How to alert on rules that are going to expire, through email.
3) How to get the details of expired rule bases.
Also, please let me know how to start with the mgmt_cli API call.
Regards,
Ram
Just to be clear, rules never really "expire."
That said, you can add a time element to a rule and specify an "end" date so the rule will no longer apply after that date. 
Regardless, I've never seen anyone post a script that looks for these rules.
If I were to write such a script, I'd probably do something like:
Hi Phone Boy,
Thank you for your reply. Since I'm new to the mgmt_cli API and scripting, I'm stuck with how to proceed. I tried but couldn't get the syntax correct; could you please help me get started?
My requirement is: we have rule bases which are time-bounded and we want to alert our team 10 days before the rules expire. How can I check the time object of all the rule bases by iterating and extracting the same? Since I'm new to mgmt_cli, I'm not sure of the syntax and how to proceed. Could you please help me?
Regards,
Ram
If you're new to the API and scripting in general, I recommend going through our Automation and Orchestration lab on CheckMates Labs: https://community.checkpoint.com/t5/CheckMates-Labs/ct-p/checkmates-labs 
Here's a couple of starters for the points I mentioned above (will need more work to fully automate):
Expanding a little, looks like you need to filter for time objects where "end-never" is set to false. Something like this should do:
```bash
# Print the UID of every time object whose end date is less than 10 days away.
# bash (not sh) runs the test because [[ ... < ... ]] is a bash construct.
mgmt_cli -r true --format json show times details-level full limit 500 offset 0 \
| jq -c '.objects[]|.' \
| grep '"end-never":false' \
| jq -c '.uid,.end."iso-8601"' \
| xargs -L 2 bash -c 'if [[ "$1" < "$(date -d "+10 days" -Iseconds)" ]];then echo "$0";fi'
```

That should output the UUIDs of time objects with end dates before ten days in the future, one per line. You can assign them to a shell variable for iteration, or pipe them through xargs. Whichever way you do it, you will need to find where the time objects with those UUIDs are used.
The pipeline above will only show the first 500 time objects you have. If you have more than 500 time objects, you will need to run it several times increasing the offset 500 each time.
Thanks, Bob, but what if I want to export the whole rule bases to a CSV? Also, will this one script check all the rule bases across all the policies in the management server?
This is one of the reasons I suggested looking at the time objects directly and using where-used against them: it will show all the rules in all policy layers where these objects are used.
If you start with a given policy layer and try and work out what rules will expire soon, it will likely be a whole lot more work, especially if the policy layer has hundreds of rules.
In general, in case of time objects, we need to take into consideration following conditions:
1. Time objects can be used in already disabled rules
2. Time objects can be used in more rules
3. Some rules can have more than 1 time object (one of them already expired, second one still valid)
4. Not all created time objects must be used in rule
5. Time objects can be created as Global Objects used in different Domains (in case of MDS)
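Conditions 1 to 4 above, applied to time objects and rules that have already been fetched, as an added example that is not part of the original thread. The `uid`, `name`, `end-never` and `end.posix` fields follow the `show times` output used elsewhere on this page; the rule record shape, the sample data, and the choice that a rule stays in force until its latest time object ends are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def end_of(t):
    """End of a time object as an aware datetime, or None if it never ends."""
    if t.get("end-never", True):
        return None
    return datetime.fromtimestamp(t["end"]["posix"] / 1000, tz=timezone.utc)

def classify(times, rules, now, days):
    """Split enabled rules into expired/expiring; list unreferenced time objects."""
    ends = {t["uid"]: end_of(t) for t in times}
    horizon = now + timedelta(days=days)
    report = {"expired": [], "expiring": [], "unused": []}
    used = set()
    for r in rules:                       # condition 2: one object, many rules
        used.update(r["time"])            # a disabled rule still references the object
        if not r["enabled"]:
            continue                      # condition 1: no alert for disabled rules
        rule_ends = [ends[u] for u in r["time"] if u in ends]
        if not rule_ends or None in rule_ends:
            continue                      # no end date applies to this rule
        last = max(rule_ends)             # condition 3: latest end date wins (assumption)
        key = (r["layer"], r["rule-number"])
        if last < now:
            report["expired"].append(key)
        elif last <= horizon:
            report["expiring"].append(key)
    # condition 4: time objects that no rule references
    report["unused"] = sorted(t["name"] for t in times if t["uid"] not in used)
    return report

def ms(y, m, d):  # epoch milliseconds, the unit the script on this page compares
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp() * 1000)

def tobj(uid, name, end=None):  # hypothetical helper building a time object record
    return {"uid": uid, "name": name, "end-never": end is None, "end": {"posix": end}}

def rule(layer, num, enabled, *time_uids):  # hypothetical, simplified rule record
    return {"layer": layer, "rule-number": num, "enabled": enabled, "time": list(time_uids)}

# Constructed sample data (not from a real management server).
TIMES = [tobj("t1", "proj-a", ms(2025, 1, 5)), tobj("t2", "proj-b", ms(2025, 1, 20)),
         tobj("t3", "proj-c", ms(2025, 6, 1)), tobj("t4", "old-unused", ms(2024, 1, 1)),
         tobj("t5", "always")]
RULES = [rule("Corp Security", 3, True, "t1"), rule("Corp Security", 4, True, "t2"),
         rule("Corp Security", 5, True, "t1", "t3"), rule("Corp Security", 6, False, "t2"),
         rule("DMZ Security", 1, True, "t2"), rule("DMZ Security", 2, True, "t5", "t1")]
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify(TIMES, RULES, NOW, days=15))
```

Condition 5 (global objects shared across domains on an MDS) is not covered here; it would mean running the fetch once per domain and merging the results before calling `classify`.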
Sure, but the code above should get you to the time objects you need to care about within the current domain. Everything you're talking about (except item 5) is something you do after you have the time objects you need to care about.
On the other hand, why should we care about scripting such a thing at all?
In R77.30 there was a nice feature where you typed "expired" in the rulebase search bar and you would get all rules which are expired.
Why do we need to script such a basic function which was there in R77.30, but is still missing in R8x versions?
By the way, isn't it already baked into the R8x Compliance blade? Isn't the Compliance blade checking all disabled/expired rules?
Hello Jozko
Indeed we had a default BP “FW-145” that was part of R77.30, showing access rules that have zero hit counts on the last 6 months. Hit Count search was broken from R80.
We have introduced a new option to fix the hit count on custom Best Practices for the previous 3 months as well, so customers can create their own BPs according to their needs. The fix will be merged into R81.10, unless there is an urgency from the customer’s side.
TX
Corinne
Hi Corinne,
Thanks for great info.
What about expired/rules with time objects? Can we expect this to be included in R81.10 BP as well?
For example, I would like to know how many + which rules are already expired (based on time objects), or will expire in the next XY days/months.
Hi Jozko, just to add that indeed it's a different feature.
Today Compliance cannot check on the time stamp, but if you create a FW User Best Practice and define the search on all rules with a Time object= Expire, Compliance will search and show all rules with Time=Expire. (see attached). By double clicking on the rules found, you can drill down up to the rule base, from the Compliance DB.
I hope it helps !
Corinne
The architecture of R77.x and R80.x is very different on the management side.
When you load up a rulebase in SmartDashboard, pretty much everything you saw was loaded into memory. 
This was one of the reasons concurrent admins weren’t supported.
However, it did allow SmartDashboard to perform queries on the data very easily.
I didn’t even realize that SmartDashboard had an option to show expired rules.
In R8x, most everything you see in SmartConsole is the result of API calls and little is cached client-side.
This means we pretty much had to re-implement every feature that SmartDashboard had or, in the few cases where CPMI is still used, reuse those components.
In any case, this was clearly not a feature we have (yet) re-implemented in R8x.
My guess is we could implement this as a SmartConsole Extension similar to what was done for the Change Report.
However, it’d officially be an RFE.
If it’s something you need, I recommend engaging with your local Check Point office.
Thanks Bob, one more query: can I loop it here itself or do I need to run another script? How can I loop to check all the time objects that I have? Or is there a way in which I can delete unused time objects?
What we're providing you is fragments of a potential script.
This could be done as a single script, but would need more work to develop.
I'd read the API documentation and the jq documentation. Yes, it is a bit tricky for a beginner like me but it gets easier with use.
This should get you started with what you need...
```bash
#!/bin/bash
# Report access rules whose time object ends within the next $DAYS days.
DAYS=20
DOMAIN="MGMT"
TMPDIR="/var/log/expiring"
LOGFILE="$TMPDIR/expiring.log"
mkdir -p "$TMPDIR"

# Minimal logger; f_log and LOGFILE were used but not defined in the posted fragment.
f_log() { echo "$(date -Iseconds) $1" >> "$2"; }

# Search window as epoch milliseconds (13 digits), compared against .end.posix.
STARTH=$(date +%m/%d/%Y)
echo "Starting now: $STARTH"
START=$(date -d "$STARTH" +%s%N | cut -b1-13)
ENDH=$(date +%m/%d/%Y -d "+$DAYS days")
echo "Ending $ENDH"
END=$(date -d "$ENDH" +%s%N | cut -b1-13)

TOFILE=$TMPDIR/time-object-name.txt
REFILE=$TMPDIR/rules_expiring.txt
ORFILE=$TMPDIR/old_rules.txt
PFILE=$TMPDIR/policies.tmp
: > "$REFILE"   # start each run with an empty report

printf "\nSearching for Rules that are within %s days of expiring in %s.\n" "$DAYS" "$DOMAIN"

# Names of time objects whose end falls inside the window.
mgmt_cli -r true -d "$DOMAIN" show times details-level full limit 500 --format json | jq --arg START "${START}" --arg END "${END}" --raw-output '.objects[] | select( (.end.posix|tonumber) >= ($START|tonumber) and (.end.posix|tonumber) <= ($END|tonumber) ) | .name ' > "$TOFILE"

# Access layers to search (names containing " Security").
mgmt_cli -r true -d "$DOMAIN" show access-layers limit 500 --format json | jq --raw-output '."access-layers"[] | (.name)' | grep "\ Security" > "$PFILE"

OFS=$IFS
IFS=$'\n'   # split on newlines only: layer and time object names may contain spaces
for POL_NAME in $(cat "$PFILE"); do
  echo "Search policies for the expiring time objects.."
  : > "$ORFILE"   # rule numbers for this layer; appended to, so every time object counts
  for line in $(cat "$TOFILE"); do
    echo "Searching for time object $line in the $POL_NAME"
    f_log "Searching for time object $line in the $POL_NAME" "$LOGFILE"
    mgmt_cli -r true -d "$DOMAIN" show access-rulebase limit 500 name "$POL_NAME" details-level "standard" use-object-dictionary true filter "$line" --format json | jq --raw-output '.rulebase[] .rulebase[] | ."rule-number"' >> "$ORFILE"
  done
  # One CSV line per rule: layer, rule number, source, destination, service, action, time, comments.
  for rule_num in $(sort -u "$ORFILE"); do
    echo "Expiring Rules on $DOMAIN $POL_NAME:"
    mgmt_cli -r true -d "$DOMAIN" show access-rule layer "$POL_NAME" rule-number "$rule_num" --format json | jq --raw-output --arg PN "$POL_NAME" --arg RN "$rule_num" '($PN + "," + $RN + "," + .source[].name + "," + .destination[].name + "," + .service[].name + "," + .action.name + "," + .time[].name + "," + .comments)' >> "$REFILE"
  done
done
IFS=$OFS
cat "$REFILE"
```
 
					
				
				
			
		