tawsif
Participant

How to View Deleted Rules/Objects on the Firewall?

Is there a way to check for the deleted rules/objects on the firewall once it is published and has been installed? I've tried to open the revision session, but I'm still unable to check for the deleted rules/objects on the firewall. We're running on R80.40. Thanks.

0 Kudos
5 Replies
Chris_Atkinson
Employee

The "Audit Logs" pane should detail the changes. Is no information available there in your environment?

Also, depending on the version, you will have a "Changes" option under "Actions" to compare the policy revisions.

CCSM R77/R80/ELITE
Alex-
Leader

Here's a crude one-liner to run in Expert mode that will create a CSV with all deleted objects since the last publish. For hosts and networks, it will give IP and subnet mask. For groups, the name. All the rest, name and UID. Output will be saved in deleted_items.csv.

 

mgmt_cli -r true show changes -f json | jq '."tasks"[] |."task-details"[] | ."changes"[] | .operations | ."deleted-objects"[] | select(.type == "host") |  [.name, .type, ."ipv4-address"] |@csv' >> deleted_items.csv; mgmt_cli -r true show changes -f json | jq '."tasks"[] |."task-details"[] | ."changes"[] | .operations | ."deleted-objects"[] | select(.type == "network") |  [.name, .type, .subnet4, ."subnet-mask"] |@csv' >> deleted_items.csv; mgmt_cli -r true show changes -f json | jq '."tasks"[] |."task-details"[] | ."changes"[] | .operations | ."deleted-objects"[] | select(.type == "group") |  [.name, .type] |@csv' >> deleted_items.csv; mgmt_cli -r true show changes -f json | jq '."tasks"[] |."task-details"[] | ."changes"[] | .operations | ."deleted-objects"[] | select(.type != "host" and .type != "network" and .type != "group") | [.name, .type, .uid] |@csv' >> deleted_items.csv

 

 

Example output from a lab environment where I deleted a bunch of things.

 

cat deleted_items.csv
"\"Host_5\",\"host\",\"10.10.10.5\""
"\"Host_3\",\"host\",\"10.10.10.3\""
"\"Host_1\",\"host\",\"10.10.10.1\""
"\"Host_2\",\"host\",\"10.10.10.2\""
"\"Host_4\",\"host\",\"10.10.10.4\""
"\"myNet_1\",\"network\",\"10.10.100.0\",\"255.255.255.0\""
"\"myNet_2\",\"network\",\"10.10.200.0\",\"255.255.255.0\""
"\"myGroup\",\"group\""
",\"access-rule\",\"b2766e39-480c-4090-ad2f-4252ca6b6f12\""

 

HeikoAnkenbrand
Champion

Nice one-liner

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Danny
Champion

0 Kudos
Swordfish
Contributor

You should see the changes in Smart Dashboard > Security Policies > Access Tools > Installation History. You can click in the history on "View installed changes" and can expand the audit logs, which gives you a more detailed view.

0 Kudos
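
The one-liner in Alex-'s reply calls mgmt_cli four times, and because jq runs without -r each CSV line is written as a JSON string (the escaped quotes in the sample output). The following is an added example, not part of the thread or Check Point's code: a Python script that reads one `show changes -f json` result and writes plain CSV with the same columns, tolerating changes that have no deleted-objects key. The sample JSON is constructed; its key path is taken from the one-liner's jq filter.

```python
import csv
import io
import json
import sys

# Constructed sample, shaped like the path the one-liner walks with jq:
# tasks[] -> task-details[] -> changes[] -> operations -> deleted-objects[]
SAMPLE = json.dumps({"tasks": [{"task-details": [{"changes": [
    {"operations": {"deleted-objects": [
        {"name": "Host_1", "type": "host", "ipv4-address": "10.10.10.1", "uid": "uid-1"},
        {"name": "myNet_1", "type": "network", "subnet4": "10.10.100.0",
         "subnet-mask": "255.255.255.0", "uid": "uid-2"},
        {"name": "myGroup", "type": "group", "uid": "uid-3"},
        {"name": None, "type": "access-rule", "uid": "uid-4"},  # unnamed rule
    ]}},
    {"operations": {"added-objects": []}},  # a change with nothing deleted
]}]}]})

# Columns per object type, as in the one-liner; all other types get name + uid.
FIELDS = {
    "host": ("name", "type", "ipv4-address"),
    "network": ("name", "type", "subnet4", "subnet-mask"),
    "group": ("name", "type"),
}
DEFAULT_FIELDS = ("name", "type", "uid")


def deleted_rows(show_changes_json):
    """Yield one row (list of strings) per deleted object in the JSON text."""
    doc = json.loads(show_changes_json)
    for task in doc.get("tasks") or []:
        for detail in task.get("task-details") or []:
            for change in detail.get("changes") or []:
                ops = change.get("operations") or {}
                for obj in ops.get("deleted-objects") or []:
                    cols = FIELDS.get(obj.get("type"), DEFAULT_FIELDS)
                    # A null or missing value becomes an empty field.
                    yield [str(obj.get(c) or "") for c in cols]


def to_csv(show_changes_json):
    """Return the deleted objects as CSV text, quoted once."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(deleted_rows(show_changes_json))
    return buf.getvalue()


if __name__ == "__main__":
    # Pipe the output of `mgmt_cli -r true show changes -f json` into this
    # script; with no piped input it falls back to the constructed sample.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(to_csv(data.strip() or SAMPLE))
```

Redirect the script's output to a file to get the equivalent of deleted_items.csv from a single mgmt_cli call.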
