Ekta_Siwani1
Contributor

Filter option in R80.10 show-access-rulebase API

Hi,

I am trying to use the filter option available in the "show-access-rulebase" API in R80.10.

My code is in PHP.

$rule_match_data = array(
    "offset" => 0,
    "limit" => 50,
    "name" => "Network",
    "filter-settings" => array("search-mode" => "packet"),
    "filter" => "mode:{Packet} src:{122.34.22.56}  dst:{192.168.12.21} svc:{80} action:{Accept}"
);

The above data is not giving me a proper result. Is this the correct way to use the filter, or do I need to change my text? The document says: "The provided text should be exactly the same as it would be given in SmartConsole."

I tried:

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 action:Accept"

AND

"filter" => "src:{10.10.10.10}  dst:{20.20.20.20}  svc:{80} action:{Accept}"

0 Kudos
1 Solution

Accepted Solutions
Ekta_Siwani1
Contributor

Hi,

I solved it by trying out different ways. Posting it here; it may help others.

Need to pass action as "Action".

Replacing:

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 action:Accept"

with:

"filter" => "src:10.10.10.10  dst:20.20.20.20  svc:80 Action:Accept"

solved the issue.

Seems using the exact string as in SmartConsole gives an error.

21 Replies
PhoneBoy
Admin

I thought the API wasn't case sensitive in that way, but good catch!

0 Kudos
Alex_Menendez
Explorer

Hello,

I'm having a similar issue; not sure if the search syntax is wrong.

The rules return, but the cleanup rule (any any drop) also returns.

I'm using Postman for testing:

{
  "offset" : 0,
  "limit" : 20,
  "name" : "Network",
  "details-level" : "standard",
  "use-object-dictionary" : true,
  "filter" : "src:10.0.0.6 AND dst:192.168.0.6 action: Accept",
  "filter-settings" : {
    "search-mode" : "packet"
  }
}

I've tried all these filters:

src:10.0.0.6 AND dst:192.168.0.6 action: Accept

src:10.0.0.6 AND dst:192.168.0.6 action:Accept

src:10.0.0.6 AND dst:192.168.0.6 Action: Accept

src:10.0.0.6 AND dst:192.168.0.6 Action:Accept

src:10.0.0.6 AND dst:192.168.0.6 action: *UID*

src:10.0.0.6 AND dst:192.168.0.6 action:*UID*

src:10.0.0.6 AND dst:192.168.0.6 Action: *UID*

src:10.0.0.6 AND dst:192.168.0.6 Action:*UID*

When I do the same search in SmartConsole: "src:10.0.0.6 AND dst:192.168.0.6 action:Accept mode:Packet" - the results come back fine.

Any thoughts?

0 Kudos
Ekta_Siwani1
Contributor

Hi,

As I mentioned above in the thread, this may be a bug in the API.

"Action:Accept" will return both drop and accept packets.

"action:Accept" will return an empty result every time.

You should use the UID of Accept to filter data.

Please use:

src:10.0.0.6 AND dst:192.168.0.6 AND action:6c488338-8eec-4103-ad21-cd461ac2c472

"6c488338-8eec-4103-ad21-cd461ac2c472" is the UID of Accept.

kishore_lal
Explorer

Hello

How do you specify the service, whether it's TCP or UDP, here in the syntax?

I tried the below syntax, but it still results in inappropriate rule statements; can you point out any errors in the one below?

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"

Thanks

0 Kudos
Tomer_Sole
Mentor

Hi,

The syntax of the "svc" filter can work with either:

- existing service objects by name or their UID

- port number (will match TCP and UDP appropriate services with this port, as well as port range objects)

We are planning to enhance the syntax for port+protocol in our next releases.

Hope this helps.

0 Kudos
Ekta_Siwani1
Contributor

Hi Tomer Sole,

How to search for port range?

I tried "svc:553-598" but it's not returning proper result.

0 Kudos
Tomer_Sole
Mentor

Hi, the search will work for either:

- a single port number

- an existing port range object by its name or UID

Hope it helps.

kishore_lal
Explorer

Hello Tomer

Can we expect this filter option to work similarly to the Cisco ASA policy tracer?

Do we have some detailed documents/examples on this topic apart from the Management API reference page?

Since here we are trying to develop a script using Python:

 > Suppose the assumption is that thousands of rules already exist in our firewall table.

 > But, as per the new firewall rule requirement (usually in spreadsheet format), rules should only be created if they do not already exist in our firewall rule base. Creating firewall rules as per the request won't be a big challenge.

So we thought of using this filter option to check if the required pattern of firewall rules already exists, rather than creating the rules as per the requirement; this leads to duplication of rules if they already exist.

If this is not possible with the filter, do we have any other options to get it done?

Thanks

Kishori

0 Kudos
Tomer_Sole
Mentor

Hi, generally this is the intent and it should be possible with this API.

The biggest documentation set is available in the R80.10 Security Management Admin Guide (pages 19-20), available here: Check Point R80.10

I suggest that we continue to use this thread in case you have questions about specific incidents in which the filters did not work as you expected them to.

Note that Cisco requires you to stream GW traffic, while Check Point performs static analysis on the policies, which saves you from reading logs to identify matching rules. Check Point has a pinj command-line tool (packet injector) which you can use for the case of streaming traffic and checking matches.

I would also like to point out that similar functionality will be available with Rule Assistant; however, the search open API is already available and you can apply it for this need without waiting for Rule Assistant to come out.

0 Kudos
kishore_lal
Explorer

Hello

We have only one firewall policy, as below:

rule # 1 - source 10.0.0.0/8 destination 20.0.0.0/8 service port - 443 accept - allow

While we run the below packet-mode command syntaxes to find if the requested pattern of rule exists in the firewall configuration:

mgmt_cli show access-rulebase name "Network" filter-settings.search-mode "packet" filter "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80 Action:Accept" -u username -p password

mgmt_cli show access-rulebase name "Network" filter-settings.search-mode "packet" filter "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password

mgmt_cli show access-rulebase name "Network" filter "src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password

It should show that no rule matches in the firewall policy configuration, as we have not opened port 80,

but it is still showing the result of matching rule number 1, which is not supposed to happen.

Are we missing something in the above command syntax? Kindly advise.

0 Kudos
Ekta_Siwani1
Contributor

Hi,

Try this:

mgmt_cli show access-rulebase name "Network" filter-settings.search-mode "packet" filter "src:10.10.10.10 AND dst:20.20.20.20 AND svc:80 AND Action:Accept" -u username -p password

0 Kudos
Ekta_Siwani1
Contributor

Hi,

I have noticed a few weird things about "action" while using the filter. Not sure if it's a bug or I am calling it the wrong way.

If I use this in packet mode:

filter: "Action: Accept" (this will return all the results without filtering, including drop)

filter: "action: Accept" (this will always return 0; it will always be empty)

filter: "action: UID of Accept" (this will give me the proper result)

Same with drop as well.

Is this supposed to work only with the UID of Accept/Drop etc.?

0 Kudos
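As an added example (not code from the thread or from Check Point), here is a Python helper for the duplicate-rule check Kishore describes: it builds the packet-mode filter with AND between every term and the action given by UID, as Ekta found necessary, and scans the returned rulebase for a rule carrying that action so the Cleanup rule's Drop is not mistaken for a match. The response layout (rule entries with "rule-number" and "action", sections nesting their own "rulebase") and the drop UID in the sample are assumptions.

```python
# UID of the built-in "Accept" action object, as quoted earlier in the thread.
ACCEPT_UID = "6c488338-8eec-4103-ad21-cd461ac2c472"

# Constructed sample response: rule 1 accepts, rule 2 is a Cleanup-style drop.
# The drop UID is a placeholder, not a real Check Point UID.
SAMPLE_RESPONSE = {
    "name": "Network",
    "rulebase": [
        {"type": "access-rule", "rule-number": 1, "action": ACCEPT_UID},
        {"type": "access-rule", "rule-number": 2, "action": "DROP-UID-PLACEHOLDER"},
    ],
    "total": 2,
}

def build_filter(src, dst, svc, action_uid=ACCEPT_UID):
    """Join the packet-mode terms with AND (the thread found that necessary)
    and name the action by UID, since 'action:Accept' returns nothing and
    'Action:Accept' does not filter at all."""
    return " AND ".join([f"src:{src}", f"dst:{dst}", f"svc:{svc}",
                         f"action:{action_uid}"])

def build_request(layer, src, dst, svc, action_uid=ACCEPT_UID, limit=50):
    """Body for POST /web_api/show-access-rulebase (same keys as the Postman
    body in the thread); send it with the x-chkp-sid session header."""
    return {
        "offset": 0,
        "limit": limit,
        "name": layer,
        "details-level": "standard",
        "use-object-dictionary": True,
        "filter-settings": {"search-mode": "packet"},
        "filter": build_filter(src, dst, svc, action_uid),
    }

def matching_rules(response, action_uid=ACCEPT_UID):
    """Rule numbers whose action is the wanted UID.  Assumed layout: 'rulebase'
    holds access-rule entries (action is a UID string with use-object-dictionary,
    otherwise an object carrying 'uid') and access-section entries that nest
    their own 'rulebase'.  An empty result means the access does not exist yet."""
    found = []
    for entry in response.get("rulebase", []):
        if entry.get("type") == "access-section":
            found.extend(matching_rules(entry, action_uid))  # recurse into section
            continue
        action = entry.get("action")
        if isinstance(action, dict):  # form returned without the object dictionary
            action = action.get("uid")
        if action == action_uid:
            found.append(entry["rule-number"])
    return found
```

If matching_rules returns an empty list for the request built by build_request, the requested access is not yet present and the rule can be created without duplicating an existing one.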
kishore_lal
Explorer

Hello Ekta

Yes, it's working as expected after adding the AND syntax between src and dst.

Thanks for your great help

0 Kudos
kishore_lal
Explorer

Hello 

But it works for host objects and group objects, not for range objects.

Say, for example, we have the below policy configuration:

source - R_10.10.10.10-10.10.10.13

Destination - R_20.20.20.20-20.20.20.23

Port - 80

Results show NIL after running the below syntax:

mgmt_cli show access-rulebase name "Network" filter-settings.search-mode "packet" filter "src:10.10.10.10 AND dst:20.20.20.20 AND svc:80 AND Action:Accept" -u username -p password

Note: it works for Host object & Group object rules.

Thanks

Kishori

0 Kudos
Ekta_Siwani1
Contributor

Hi,

I have checked for a range object with the R80.10 API; it's working for me.

You can use Postman to test different combinations, like just filtering the src field instead of filtering all fields.

Tomer_Sole
Mentor

This should work according to the specifications. If this does not work and you have a reproduction you can also open a task so that the Check Point Support can investigate the root cause.

0 Kudos
kishore_lal
Explorer

Hello Tomer

Thanks for your Prompt update!!!!

Much Appreciated

Regards

Kishori

0 Kudos
Ekta_Siwani1
Contributor

Hi Kishore lal,

I have not tried the REST API through mgmt_cli, but as Tomer Sole mentioned, svc will work without specifying whether the service is UDP or TCP.

I can suggest you try:

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 Action:Accept"

in place of:

mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"

For me, this worked.

0 Kudos
yogesh_uit08
Explorer

Hi Ekta,

I am trying to find out the rule from the below filter; however, I am not getting any rule details, using the same filter as you mentioned. Could you please help?

I am always getting the below output where no rule details are available. I already checked with SmartConsole; there is a rule present for the mentioned source and destination.

"json": {
"name": "Network",
"rulebase": [],
"total": 0,
"uid": "uid number"
},
"msg": "OK (unknown bytes)",
"redirected": false,
"server": "CPWS",
"status": 200,
"strict_transport_security": "max-age=31536000; includeSubDomains",
"transfer_encoding": "chunked",
"url": "https://x.x.x.x/web_api/show-access-rulebase",
"x_forwarded_host_port": "443",
"x_frame_options": "SAMEORIGIN",
"x_ua_compatible": "IE=EmulateIE8"

url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
  x-chkp-sid: "{{ login.json.sid }}"
body:
  offset: 0
  limit: 20
  name: "network"
  details-level: "full"
  use-object-dictionary: true
  filter-settings:
    search-mode: "packet"
  filter: "src:10.10.10.10 AND dst:10.10.20.20 AND svc:30000 action:6c488338-8eec-4103-ad21-cd461ac2c472"
body_format: json
register: rule_search

Please help me, I am stuck with this. My main objective is to search for a rule for a given source, destination and port.

Thanks in advance,
0 Kudos
kishore_lal
Explorer

Hello Ekta

Thanks for your valuable update

Regards

Kishori

0 Kudos