Blason_R
MVP Gold

Identify ports on a rule having Any Service Access

Hi Team,

I am curious whether there exists a pre-made script or extension that can display the ports utilized for rules that have ANY as a service. I am currently developing a Python script; however, the challenge arises when someone adds a rule either above or below, as this alters the rule number, making it difficult to identify the correct results later. Therefore, I am inquiring if such results are achievable. I attempted to use SmartView, but it is taking a considerable amount of time. Does the community have any readily available solutions for this?

Thanks and Regards,

Blason R
CCSA,CCSE,CCCS
Lesley
MVP Gold

Maybe give this one a try? Not sure if you can find 'any' services:

https://community.checkpoint.com/t5/SmartConsole-Extensions/Policy-Audit-Extension/m-p/272730#M605

Alternative:

compliance blade can also do this. 

Or Policy auditor / insights

https://community.checkpoint.com/t5/Firewall-and-Security-Management/This-Month-s-Spotlight-Features....


-------
Please press "Accept as Solution" if my post solved it 🙂
simonemantovani
MVP Silver

I agree with @Lesley.

Alternatively, you could export the logs in text format and create a script to extract the information based on the rule UID (this ID doesn't change if you add rules above), or, if you have time, use Log Exporter to export logs for the specific rule to a syslog server and eventually create a script on this syslog server that imports the logs into a SQL database to simplify queries (in the past I've done something similar, by creating a script that reads logs, filters out specific information like source, destination, protocol and port, and imports this information into a MySQL DB).

Blason_R
MVP Gold

This approach does not appear to be appropriate, as exporting the logs may lead to inconsistencies if someone has added or deleted a rule. Consequently, the numbers will not align, and the results will, of course, differ.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Bob_Zimmerman
MVP Gold

The rule numbers change, sure, but the rule UUID doesn't. Just use that in the filter.

emmap
MVP Gold CHKP

If the rule is logged you can filter logs for that rule in the log viewer and then look at 'Top Services'. It won't be accurate for too far back (as it won't load all the logs) but if your goal is to limit the services matching you can add another rule over your 'any' rule with the same sources and destinations, and put your identified services that are doing most of the matching and that you want to allow in there, to take them out of the 'any' rule. Keep doing that until you have all the services you need and you'll have it cleaned up eventually.

Else the new Policy Insights service can be of service here to basically figure all that out for you.

Blason_R
MVP Gold

Yes, I am aware of that; however, it would be challenging once more, as we have five firewall administrators, making it consistently difficult to maintain the rule numbers. Additionally, since this is a manual task and we have over 400 rules, with approximately 60 of those identified as Any Service, it is causing me an issue.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
simonemantovani
MVP Silver

I understand; in this case you should evaluate adopting a tool like Policy Auditor or some other 3rd-party product like Tufin. One of these solutions will give you the information and visibility you need in a faster way with little effort.

PhoneBoy
Admin

The best way to refer to a specific rule is by uid, not by rule number.
This way, you don't have to worry about its precise position in the rulebase.

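An added example (not code from the thread or from Check Point) of the log-export script simonemantovani describes, keyed by rule UID as Bob_Zimmerman and PhoneBoy recommend rather than by rule number. It assumes a JSON-lines export and the field names `rule`, `rule_uid`, `proto` and `service`; the sample lines and the UIDs in `ANY_SERVICE_RULE_UIDS` are constructed placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export (JSON lines). Field names (rule, rule_uid, proto, service)
# are assumptions; map them to what your Log Exporter output actually contains.
# Rule uid-any-0001 is logged as rule 12 and later as rule 13 (a rule was inserted
# above it in between), but its UID is unchanged, so the aggregation is unaffected.
SAMPLE_LOGS = """
{"rule": "12", "rule_uid": "uid-any-0001", "dst": "10.2.2.10", "proto": "tcp", "service": "443"}
{"rule": "12", "rule_uid": "uid-any-0001", "dst": "10.2.2.10", "proto": "tcp", "service": "443"}
{"rule": "13", "rule_uid": "uid-any-0001", "dst": "10.2.2.11", "proto": "udp", "service": "53"}
{"rule": "20", "rule_uid": "uid-any-0002", "dst": "10.4.4.4", "proto": "tcp", "service": "22"}
{"rule": "5", "rule_uid": "uid-specific-0009", "dst": "10.2.2.10", "proto": "tcp", "service": "80"}
not a json line
"""

# Placeholder UIDs of the rules whose Service column is Any; take the real ones
# from SmartConsole or the Management API.
ANY_SERVICE_RULE_UIDS = {"uid-any-0001", "uid-any-0002"}


def parse_jsonl(text):
    """Yield one dict per valid JSON line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue


def ports_by_rule_uid(records, any_uids):
    """Map rule UID -> Counter of (proto, port) hits, restricted to the Any-service rules."""
    hits = defaultdict(Counter)
    for rec in records:
        uid = rec.get("rule_uid")
        if uid in any_uids and rec.get("service") is not None:
            hits[uid][(str(rec.get("proto", "?")).lower(), str(rec["service"]))] += 1
    return hits


def candidate_services(hits, uid, top_n=None):
    """Most-hit 'proto/port' entries for one rule: what to move into a narrower rule above it."""
    ranked = hits.get(uid, Counter()).most_common(top_n)
    return [f"{proto}/{port}" for (proto, port), _ in ranked]


if __name__ == "__main__":
    result = ports_by_rule_uid(parse_jsonl(SAMPLE_LOGS), ANY_SERVICE_RULE_UIDS)
    for uid in sorted(result):
        print(uid, candidate_services(result, uid))
```

Because the key is the UID, the same script can be re-run against a fresh export after other administrators have inserted or deleted rules, and the per-rule port lists still line up.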
