Solved: show-access-rulebase web API call not returning UI...

Tony_Young · ‎2019-01-11

BACKSTORY:

So I'm trying to do some cleanup on some firewall policies that are getting out of hand. I've already created a script to mass delete unused objects, and now I'm going after disabled rules. I want to filter out all disabled rules in each policy and store the UID into a CSV for a later script to go in and delete everything. I want to wait a month and then check again and mass delete any rules that are still disabled.

PROBLEM:

I'm using Web API version 1.2 and I'm running into an issue with the API call not returning the UID for the last rule in each section. I see the UID for all other rules except for the last one in each section. When I query the rule directly I get it, but when I curl /show-access-rulebase it is not there. I want to use UID rather than rule number or name because I think it would be more accurate after a months worth of firewall changes.

QUESTIONS:

Is there some reasoning for this?

We are upgrading to R80.20 GA soon. Is this issue is fixed in API 1.3?

Does UID ever change on a rule?

Thanks,

Tony

PhoneBoy · ‎2019-01-12

I don't see this behavior in R80.20 GA (which is API level 1.3).

I also queried at API levels 1.2 and 1.1 on R80.20 GA and saw the same, expected behavior where the UID is returned.

The rule UID should not change.

View solution in original post

PhoneBoy · ‎2019-01-11

As far as I’m know that is not expected behavior.

Will check in later releases.

Meanwhile I recommend opening a TAC case.

PhoneBoy · ‎2019-01-12

I don't see this behavior in R80.20 GA (which is API level 1.3).

I also queried at API levels 1.2 and 1.1 on R80.20 GA and saw the same, expected behavior where the UID is returned.

The rule UID should not change.

Tony_Young · ‎2019-01-14

So this was a human error on my side. I was reading the json output incorrectly. Apologies for crying wolf

On the plus side I was able to create a script that produces the desired output.

DISCLAIMER: My bash skills are mediocre at best. Your miles may vary:

#!/bin/bash

host="<OMITTED>"
baseurl="https://$host/web_api"

SID=`curl -k --silent --header "Content-Type: application/json" --request POST \
--data '{
"user":"<OMITTED>" ,
"password":"<OMITTED>"
}' \
$baseurl/login | grep sid | awk '{print $3}' | sed 's/"//g' | sed 's/,//g'`

curl -k --silent --header "Content-Type: application/json" --header "X-chkp-sid: $SID" --request POST \
--data '{
"offset" : 0,
"limit" : 500,
"name" : "<OMITTED>"
}' \
$baseurl/show-access-rulebase | egrep "^ \"uid\"|rule-number|enabled" | grep -B2 enabled |
awk '/rule-number/||NR==1{printf $0; next}{printf "\n"$0}' | awk '/enabled/||NR==1{printf $0; next}{printf "\n"$0}' | awk '{print $3,$6,$9}' | sed 's\"\\g; s\ \\g'

The output is a CSV file that looks like this:

uid,rule#,true/false

This first two fields are self explanatory and the third field is whether or not the rule is enabled. I can then grep that file for "false" and read the UID into another script that deletes the disabled rules. Thanks for the help!

PhoneBoy · ‎2019-01-14

A better way to parse the output from the API is to use jq as it natively understands JSON.

My "one liner" that gets the SID from the login event (and puts it into the environment variable SID):

SID=`curl --silent --insecure -XPOST "https://host/web_api/v1.3/login" --data-binary "{\"user\": \"aa\", \"password\": \"aaaa\" }" -H "Content-Type: application/json" | jq -r .sid`

Likewise, you can easily get the data from the API in the format you want as follows:

curl --silent --insecure -XPOST https://host/web_api/v1.3/show-access-rulebase --data-binary "{ \"name\": \"Rulebase Name\" }" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: $SID" | jq -r '.rulebase[] | .uid + "," + (."rule-number"|tostring) + "," + (.enabled|tostring)'

Personally, I'm still getting the hang of jq, but it's very powerful.

Are you a member of CheckMates?

show-access-rulebase web API call not returning UID for last rule in a section.