Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tony_Young
Participant
Jump to solution

show-access-rulebase web API call not returning UID for last rule in a section.

BACKSTORY:

So I'm trying to do some cleanup on some firewall policies that are getting out of hand. I've already created a script to mass delete unused objects, and now I'm going after disabled rules. I want to filter out all disabled rules in each policy and store the UID into a CSV for a later script to go in and delete everything. I want to wait a month and then check again and mass delete any rules that are still disabled.

PROBLEM:

I'm using Web API version 1.2 and I'm running into an issue with the API call not returning the UID for the last rule in each section. I see the UID for all other rules except for the last one in each section. When I query the rule directly I get it, but when I curl /show-access-rulebase it is not there. I want to use UID rather than rule number or name because I think it would be more accurate after a months worth of firewall changes.

QUESTIONS:

Is there some reasoning for this?

We are upgrading to R80.20 GA soon. Is this issue is fixed in API 1.3?

Does UID ever change on a rule?

Thanks,

Tony

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

I don't see this behavior in R80.20 GA (which is API level 1.3).

I also queried at API levels 1.2 and 1.1 on R80.20 GA and saw the same, expected behavior where the UID is returned.

The rule UID should not change.

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

As far as I’m know that is not expected behavior.

Will check in later releases.

Meanwhile I recommend opening a TAC case.

0 Kudos
PhoneBoy
Admin
Admin

I don't see this behavior in R80.20 GA (which is API level 1.3).

I also queried at API levels 1.2 and 1.1 on R80.20 GA and saw the same, expected behavior where the UID is returned.

The rule UID should not change.

0 Kudos
Tony_Young
Participant

So this was a human error on my side. I was reading the json output incorrectly. Apologies for crying wolf Smiley Sad

On the plus side I was able to create a script that produces the desired output.

DISCLAIMER: My bash skills are mediocre at best. Your miles may vary:

#!/bin/bash

host="<OMITTED>"
baseurl="https://$host/web_api"

SID=`curl -k --silent --header "Content-Type: application/json" --request POST \
--data '{
"user":"<OMITTED>" ,
"password":"<OMITTED>"
}' \
$baseurl/login | grep sid | awk '{print $3}' | sed 's/"//g' | sed 's/,//g'`

curl -k --silent --header "Content-Type: application/json" --header "X-chkp-sid: $SID" --request POST \
--data '{
"offset" : 0,
"limit" : 500,
"name" : "<OMITTED>"
}' \
$baseurl/show-access-rulebase | egrep "^ \"uid\"|rule-number|enabled" | grep -B2 enabled |
awk '/rule-number/||NR==1{printf $0; next}{printf "\n"$0}' | awk '/enabled/||NR==1{printf $0; next}{printf "\n"$0}' | awk '{print $3,$6,$9}' | sed 's\"\\g; s\ \\g'

The output is a CSV file that looks like this:

uid,rule#,true/false

This first two fields are self explanatory and the third field is whether or not the rule is enabled. I can then grep that file for "false" and read the UID into another script that deletes the disabled rules. Thanks for the help!

0 Kudos
PhoneBoy
Admin
Admin

A better way to parse the output from the API is to use jq as it natively understands JSON. 

My "one liner" that gets the SID from the login event (and puts it into the environment variable SID):

SID=`curl --silent --insecure -XPOST "https://host/web_api/v1.3/login" --data-binary "{\"user\": \"aa\", \"password\": \"aaaa\" }" -H "Content-Type: application/json" | jq -r .sid`

Likewise, you can easily get the data from the API in the format you want as follows:

curl --silent --insecure -XPOST https://host/web_api/v1.3/show-access-rulebase --data-binary "{ \"name\": \"Rulebase Name\" }" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: $SID" | jq -r '.rulebase[] | .uid + "," + (."rule-number"|tostring) + "," + (.enabled|tostring)'

Personally, I'm still getting the hang of jq, but it's very powerful.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events