Hi All,
I was trying to search for a rule based on the UUID of the rule; I am doing some analysis based on that. But I could not find any place to search for the rule based on UUID. I tried SmartView Tracker also. Could someone please let me know if there is any way to do that?
Vijay
In the SmartLog you can use this syntax:
layer_uuid_rule_uuid:(*_<the crazy UUID number>)
or simply the <the crazy UUID number>
or API command: show access-rule layer "Policy-name Layer" uid <the crazy UUID number>
Actually, when I copy the UUID and just paste it in SmartLog, I am not getting anything. But for a few UUIDs I do get results. Should I have live traffic to get the UUID reference?
Vijay
Did you try the other syntax I suggested?
layer_uuid_rule_uuid:(*_<the crazy UUID number>)
Hi,
I tried both syntaxes and neither is working. Please let me know if I am doing something wrong.
layer_uuid_rule_uuid:(77070954-EFA6-414D-8E9E-92FD523BB599)
Cannot search the 'layer_uuid_rule_uuid' field. Try omitting the field name.
layer_uuid_rule_uuid:(*_<77070954-EFA6-414D-8E9E-92FD523BB599>)
'*' or '?' not allowed as first character:
layer_uuid_rule_uuid:(*_<77070954-efa6-414d-8e9e-92fd523bb599>)
......................^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
this one too..
layer_uuid_rule_uuid:(*_77070954-EFA6-414D-8E9E-92FD523BB599)
On R77.30 version UUID looks like - {B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A}
On R80.10 version UUID looks like - 8da7e5ed-36f4-43d1-a29a-ff38c3a33805
So, which version are we talking about?
You should definitely have some traffic matched by this rule to see logs for it. Or it will say "No matches found for your search", without errors if the query is correct.
In R77.30 you can find a rule in SmartLog by these queries:
rule:{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A} (Expecting <Rule Number>/<Policy Name> or <Rule UID>)
{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A}
These expressions are not allowed and give the same errors as you have:
layer_uuid_rule_uuid:(*_{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A})
layer_uuid_rule_uuid:({B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A})
In R80.10 Cloud Demo mode you can find traffic in logs for a rule with the following queries:
8da7e5ed-36f4-43d1-a29a-ff38c3a33805
layer_uuid_rule_uuid:(*_8da7e5ed-36f4-43d1-a29a-ff38c3a33805)
In SmartView Tracker you can try to find this rule in the list of changes made to the policy. Open the Management tab there and add a filter for the Changes column: Field - Contains, Text - {UID}.
Also in addition to Kaspars' comment, you can use rule:{UID} in SmartLog. Might be a bit more understandable for a quick look when working with a long filter.
You can jump directly to the rule based on UID. When the policy is open go to Actions > Go to Rule and enter the UID in that box and it will take you directly to it. Just note it will only go to rules in the current policy so you do at least need to have the correct policy open first.
Don't know how helpful this is, but here's a quick procedure to get at UUID in the log: