This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vijay_Nagaraj
Contributor
‎2018-01-29 09:41 AM

Regarding UUID

Hi All,

I was trying to search the rule based on the UUID of the rule, am doing some analysis based on that. But i could not find any place to search the rule based on UUID, i tried smart tracker also. Could someone please let me now if there is any way to do that.

Vijay

0 Kudos
10 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2018-01-29 10:16 AM

In the SmartLog you can use this syntax:

layer_uuid_rule_uuid:(*_<the crazy UUID number>

or simply the <the crazy UUID number>

 

or API command: show access-rule layer "Policy-name Layer" uid <the crazy UUID number>

Vijay_Nagaraj
Contributor
‎2018-02-16 07:15 AM
In response to Kaspars_Zibarts

Actually , when i copy the UUID and just paste in smartlog , am not getting anything. But for few UUID am getting , should i have the live traffic to get the UUID reference? 

Vijay

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-02-16 11:05 AM
In response to Vijay_Nagaraj

Did you try the other syntax I suggested?

layer_uuid_rule_uuid:(*_<the crazy UUID number>

0 Kudos
Vijay_Nagaraj
Contributor
‎2018-02-16 08:51 PM
In response to Kaspars_Zibarts

Hi,

I tried both syntax both not working, please let me know , if am doing something wrong.

layer_uuid_rule_uuid:(77070954-EFA6-414D-8E9E-92FD523BB599) 

Cannot search the 'layer_uuid_rule_uuid' field. Try omitting the field name.

layer_uuid_rule_uuid:(*_<77070954-EFA6-414D-8E9E-92FD523BB599>) 

'*' or '?' not allowed as first character:

layer_uuid_rule_uuid:(*_<77070954-efa6-414d-8e9e-92fd523bb599>)
......................^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

0 Kudos
Vijay_Nagaraj
Contributor
‎2018-02-16 08:54 PM
In response to Vijay_Nagaraj

this one too..

layer_uuid_rule_uuid:(*_77070954-EFA6-414D-8E9E-92FD523BB599) 

0 Kudos
AlekseiShelepov
Advisor
‎2018-02-17 12:25 AM
In response to Vijay_Nagaraj

On R77.30 version UUID looks like - {B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A}

On R80.10 version UUID looks like - 8da7e5ed-36f4-43d1-a29a-ff38c3a33805

So, which version we are talking about?

You should definitely have some traffic matched by this rule to see logs for it. Or it will say "No matches found for your search", without errors if the query is correct.

In R77.30 you can find a rule in SmartLog by these qeuries:

rule:{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A} (Expecting <Rule Number>/<Policy Name> or <Rule UID>)

{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A}

Not allowed expression and give the same errors as you have:

layer_uuid_rule_uuid:(*_{B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A})

layer_uuid_rule_uuid:({B6A5A8F0-9BFC-4440-9FDF-3E8EEC3EC70A})

In R80.10 Cloud Demo mode you can find traffic in logs for a rule with the following queries:

8da7e5ed-36f4-43d1-a29a-ff38c3a33805

layer_uuid_rule_uuid:(*_8da7e5ed-36f4-43d1-a29a-ff38c3a33805)

AlekseiShelepov
Advisor
‎2018-01-29 10:49 AM

In SmartView Tracker you can try to find this rule in the list of changes made to the policy. Open there a Management tab, add filter for Changes column, Field - Contains, Text - {UID}.

Also in addition to Kaspars' comment, you can use rule:{UID} in SmartLog. Might be a bit more understandable for a quick look when working with a long filter.

0 Kudos
Tim_Koopman
Contributor
‎2018-01-29 01:36 PM

You can jump directly to the rule based on UID. When the policy is open go to Actions > Go to Rule and enter the UID in that box and it will take you directly to it. Just note it will only go to rules in the current policy so you do at least need to have the correct policy open first.

cezar_varlan1
Collaborator
‎2021-12-08 01:41 AM
In response to Tim_Koopman

Both options imply that SmartLog can find a matching entry with the rule uuid and that there was traffic matching this or that you have a single Policy Package and know which it is to use Go To Action. 

 

This is a good piece of Impecable UI/UX from Check Point. This is why some people do Security and some people do UI. You won;t find both 

0 Kudos
Michael_Lawrenc
Contributor
‎2018-01-29 01:45 PM

Don't know how helpful this is, but here's a quick procedure to get at UUID in the log:

Get the UUID from the Log
Current Time 0:00
Duration 0:00
Loaded: 0%
Stream Type LIVE
Remaining Time 0:00
 
1x
    • Chapters
    • descriptions off, selected
    • captions off, selected
      (view in My Videos)

      Leaderboard

      Epsum factorial non deposit quid pro quo hic escorol.

      View All ≫
      Upcoming Events

        Sort by:
        CheckMates Events
        Top