Filter option in R80.10 show-access-rulebase API

Hi,

I am trying to use the filter option of the "show-access-rulebase" API available in R80.10.

My code is in PHP.

$rule_match_data = array(
    "offset" => 0,
    "limit" => 50,
    "name" => "Network",
    "filter-settings" => array("search-mode" => "packet"),
    "filter" => "mode:{Packet} src:{122.34.22.56}  dst:{192.168.12.21} svc:{80} action:{Accept}"
);

The above data is not giving me the proper result. Is this the correct way to use the filter, or do I need to change my text? The document says the provided text should be exactly the same as it would be given in SmartConsole.

I tried :

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 action:Accept"

AND

"filter" => "src:{10.10.10.10}  dst:{20.20.20.20}  svc:{80} action:{Accept}"

0 Kudos
1 Solution

Accepted Solutions

Re: Filter option in R80.10 show-access-rulebase API

Hi,

I solved it by trying out different ways. Posting it here; it may help others.

Need to pass action as "Action"

Replacing :

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 action:Accept"

with:

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 Action:Accept"

solved the issue.

It seems that using the exact string as in SmartConsole gives an error.

20 Replies

Re: Filter option in R80.10 show-access-rulebase API

I thought the API wasn't case sensitive in that way, but good catch!

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hello,

I'm having a similar issue; not sure if the search syntax is wrong.

The rules return but the clean up rule (any any drop) also returns.

I'm using Postman for testing:

{
  "offset" : 0,
  "limit" : 20,
  "name" : "Network",
  "details-level" : "standard",
  "use-object-dictionary" : true,
  "filter" : "src:10.0.0.6 AND dst:192.168.0.6 action: Accept",
  "filter-settings" : {
    "search-mode" : "packet"
  }
}

I've tried all these filters:

src:10.0.0.6 AND dst:192.168.0.6 action: Accept

src:10.0.0.6 AND dst:192.168.0.6 action:Accept

src:10.0.0.6 AND dst:192.168.0.6 Action: Accept

src:10.0.0.6 AND dst:192.168.0.6 Action:Accept

src:10.0.0.6 AND dst:192.168.0.6 action: *UID*

src:10.0.0.6 AND dst:192.168.0.6 action:*UID*

src:10.0.0.6 AND dst:192.168.0.6 Action: *UID*

src:10.0.0.6 AND dst:192.168.0.6 Action:*UID*

When I do the same search in SmartConsole: "src:10.0.0.6 AND dst:192.168.0.6 action:Accept mode:Packet" - the results come back fine.

Any thoughts?

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi,

As I mentioned above in the thread, this may be a bug in the API.

"Action:Accept" will return both drop as well as accept packets.

"action:Accept" will return empty result every time.

You should use UID of Accept to filter data.

Please use :

src:10.0.0.6 AND dst:192.168.0.6 AND action:6c488338-8eec-4103-ad21-cd461ac2c472

"6c488338-8eec-4103-ad21-cd461ac2c472" is UID of Accept

Re: Filter option in R80.10 show-access-rulebase API

Hello

How do you specify whether the service is TCP/UDP here in the syntax?

I tried the syntax below, but it still results in inappropriate rule statements. Can you suggest if there are any errors in the one below?

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"

thanks

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi,

The syntax of "svc" filter can work with either:

- existing service objects by name or their UID

- port number (will match TCP and UDP appropriate services with this port, as well as port range objects)

We are planning to enhance the syntax for port+protocol in our next releases.

Hope this helps

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi Tomer Sole,

How to search for port range?

I tried "svc:553-598" but it's not returning proper result.

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi, the search will work for either:

- a single port number

- an existing port range object by its name or UID

hope it helps

Re: Filter option in R80.10 show-access-rulebase API

Hello Tomer

Can we expect this filter option to work similarly to the Cisco ASA policy tracer?

Do we have any detailed documents/examples on this topic apart from the Management API reference page?

We are trying to develop a script using Python.

 > Suppose we have thousands of rules already existing in our firewall table.

 > But, as per a new firewall rule requirement (usually in spreadsheet format), rules should only be created if they do not already exist in our firewall rule base. Creating firewall rules as per the request won't be a big challenge.

So we thought of using this filter option to check whether the required pattern of firewall rules already exists, rather than creating the rules as per the requirement, which leads to duplication of rules if they already exist.

If it's not possible with this filter, do we have any other options to get it done?

thanks

Kishori

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi, generally this is the intent and it should be possible with this API.

The biggest documentation set is the R80.10 Security Management Admin Guide (pages 19-20), available here: Check Point R80.10

I suggest that we continue to use this thread in case you have questions about specific incidents in which the filters did not work as you expected them to.

Note that Cisco requires you to stream GW traffic, while Check Point performs static analysis on the policies, which saves you from reading logs to identify matching rules. Check Point has a pinj command-line tool (packet injector) which you can use for the case of streaming traffic and checking matches.

I would also like to point out that similar functionality will be available with Rule Assistant, however the search open API is already available and you can apply it for this need without waiting for Rule Assistant to come out.

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hello

We have only one firewall policy, as below:

rule # 1 - source 10.0.0.0/8 destination 20.0.0.0/8 service port - 443 accept - allow

We run the packet-mode commands below to find out whether the requested rule pattern exists in the firewall configuration:

mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80 Action:Accept" -u username -p password

mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password

mgmt_cli show access-rule name "Network" filter "src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password

It should show that no rule matches in the firewall policy configuration, as we have not opened port 80,

but it still shows rule number 1 as matching, which is not expected.

Are we missing something in the above command syntax? Kindly advise.

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi,

Try this:

mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "src:10.10.10.10  AND dst:20.20.20.20  AND svc:80  AND Action:Accept" -u username -p password

 

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi,

I have noticed a few weird things about "action" while using the filter. Not sure if it's a bug or I am calling it the wrong way.

If I use this in packet mode:

filter: "Action: Accept" (this will return all the results without filtering, including drop)

filter: "action: Accept" (this will always return 0; it will always be empty)

filter: "action: UID of Accept" (this will give me the proper result)

Same with drop as well.

Is this supposed to work only with the UID of Accept/Drop etc.?

0 Kudos
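
Added example, not part of any post in this thread: Python that builds the packet-mode request body with AND-joined terms and the action given by UID, then re-checks the action on the client side so a rule that slips past the filter (such as the cleanup rule) is not counted as a match. The function names are hypothetical, DROP_UID is a constructed placeholder, and the response layout (nested "rulebase" lists with "access-section" and "access-rule" items) is an assumption to confirm against your own server's output.

```python
# Added example: request body plus a client-side re-check of the action.
# ACCEPT_UID is the value quoted in this thread; confirm it on your own server.
ACCEPT_UID = "6c488338-8eec-4103-ad21-cd461ac2c472"
DROP_UID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def build_payload(layer, src, dst, port, action_uid=ACCEPT_UID, limit=50):
    """Body for show-access-rulebase in packet mode, terms joined with AND."""
    terms = [f"src:{src}", f"dst:{dst}", f"svc:{port}", f"action:{action_uid}"]
    return {
        "name": layer,
        "offset": 0,
        "limit": limit,
        "use-object-dictionary": True,
        "filter": " AND ".join(terms),
        "filter-settings": {"search-mode": "packet"},
    }


def iter_rules(rulebase):
    """Yield access rules, descending into access-section containers."""
    for item in rulebase:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item


def matching_rules(response, action_uid=ACCEPT_UID):
    """Keep only rules whose action UID matches, whatever the filter let through."""
    def uid(value):  # action is a UID string or an object carrying "uid"
        return value.get("uid") if isinstance(value, dict) else value
    return [r for r in iter_rules(response.get("rulebase", []))
            if uid(r.get("action")) == action_uid]


# Constructed sample response (not real server output): one matching rule and
# the cleanup rule that the thread reports leaking through "Action:Accept".
SAMPLE_RESPONSE = {"rulebase": [{"type": "access-section", "name": "Web", "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "web-in", "action": ACCEPT_UID},
    {"type": "access-rule", "rule-number": 2, "name": "Cleanup rule",
     "action": {"uid": DROP_UID, "name": "Drop"}},
]}]}

if __name__ == "__main__":
    print(build_payload("Network", "10.0.0.6", "192.168.0.6", 80)["filter"])
    print([r["rule-number"] for r in matching_rules(SAMPLE_RESPONSE)])
```

For the duplicate-rule check discussed in this thread, a non-empty result from matching_rules means an equivalent rule is already present and no new rule needs to be created.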

Re: Filter option in R80.10 show-access-rulebase API

Hello Ekta

Yes, it's working as expected after adding the AND syntax between src and dst.

Thanks for your great help

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hello 

But it works for host objects and group objects, not for range objects.

For example, say we have the policy configuration below:

source - R_10.10.10.10-10.10.10.13

Destination - R_20.20.20.20-20.20.20.23

Port - 80

The results show NIL after running the syntax below:

mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "src:10.10.10.10  AND dst:20.20.20.20  AND svc:80  AND Action:Accept" -u username -p password

Note: it works for Host object & Group Object rules.

Thanks

Kishori

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi,

I have checked range objects with the R80.10 API, and it's working for me.

You can use Postman to test different combinations, like filtering just the src field instead of all fields.

Re: Filter option in R80.10 show-access-rulebase API

This should work according to the specifications. If this does not work and you have a reproduction, you can also open a task so that Check Point Support can investigate the root cause.

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hello Tomer

Thanks for your Prompt update!!!!

Much Appreciated

Regards

Kishori

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hi Kishore lal,

I have not tried the REST API through mgmt_cli, but as Tomer Sole mentioned, svc will work without specifying whether the service is UDP or TCP.

I suggest you try:

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 Action:Accept"

in place of :

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"

For me, this worked.

0 Kudos

Re: Filter option in R80.10 show-access-rulebase API

Hello Ekta

Thanks for your valuable update

Regards

Kishori

0 Kudos