Hi,
I am trying to use the filter option available in the "show-access-rulebase" API in R80.10.
My code is in PHP.
$rule_match_data = array(
    "offset" => 0,
    "limit" => 50,
    "name" => "Network",
    "filter-settings" => array("search-mode" => "packet"),
    "filter" => "mode:{Packet} src:{122.34.22.56} dst:{192.168.12.21} svc:{80} action:{Accept}"
);
The above data is not giving me a proper result. Is this the correct way to use the filter, or do I need to change my text? The document says: "The provided text should be exactly the same as it would be given in SmartConsole."
I tried:
"filter" => "src:10.10.10.10 dst:20.20.20.20 svc:80 action:Accept"
AND
"filter" => "src:{10.10.10.10} dst:{20.20.20.20} svc:{80} action:{Accept}"
Hi,
I solved it by trying out different ways. Posting it here, it may help others.
Need to pass action as "Action".
Replacing:
"filter" => "src:10.10.10.10 dst:20.20.20.20 svc:80 action:Accept"
with:
"filter" => "src:10.10.10.10 dst:20.20.20.20 svc:80 Action:Accept"
solved the issue.
Seems using the exact string as SmartConsole gives an error.
I thought the API wasn't case sensitive in that way, but good catch!
Hello,
I'm having a similar issue, not sure if the search syntax is wrong.
The rules return, but the clean-up rule (any any drop) also returns.
I'm using Postman for testing:
{
    "offset" : 0,
    "limit" : 20,
    "name" : "Network",
    "details-level" : "standard",
    "use-object-dictionary" : true,
    "filter" : "src:10.0.0.6 AND dst:192.168.0.6 action: Accept",
    "filter-settings" : {
        "search-mode" : "packet"
    }
}
I've tried all these filters:
src:10.0.0.6 AND dst:192.168.0.6 action: Accept
src:10.0.0.6 AND dst:192.168.0.6 action:Accept
src:10.0.0.6 AND dst:192.168.0.6 Action: Accept
src:10.0.0.6 AND dst:192.168.0.6 Action:Accept
src:10.0.0.6 AND dst:192.168.0.6 action: *UID*
src:10.0.0.6 AND dst:192.168.0.6 action:*UID*
src:10.0.0.6 AND dst:192.168.0.6 Action: *UID*
src:10.0.0.6 AND dst:192.168.0.6 Action:*UID*
When I do the same search in SmartConsole: "src:10.0.0.6 AND dst:192.168.0.6 action:Accept mode:Packet" - the results come back fine.
Any thoughts?
Hi,
As I mentioned above in the thread, this may be a bug in the API.
"Action:Accept" will return both drop as well as accept packets.
"action:Accept" will return an empty result every time.
You should use the UID of Accept to filter data.
Please use:
src:10.0.0.6 AND dst:192.168.0.6 AND action:6c488338-8eec-4103-ad21-cd461ac2c472
"6c488338-8eec-4103-ad21-cd461ac2c472" is the UID of Accept.
Hello
How do you specify the service, whether it's TCP/UDP, in the syntax here?
I tried the below syntax, but it still results in inappropriate rule statements. Can you suggest if there are any errors in this one?
mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"
thanks
Hi,
The syntax of the "svc" filter can work with either:
- existing service objects by name or their UID
- port number (will match TCP and UDP appropriate services with this port, as well as port range objects)
We are planning to enhance the syntax for port+protocol in our next releases.
Hope this helps
Hi Tomer Sole,
How to search for port range?
I tried "svc:553-598" but it's not returning a proper result.
Hi, the search will work for either:
- a single port number
- an existing port range object by its name or UID
Hope it helps
Hello Tomer
Can we expect this filter option to work similar to the Cisco ASA policy tracer?
Do we have some detailed documents/examples on this topic apart from the Management API reference page?
Since here we are trying to develop some script using Python.
> Suppose the assumption is that we have thousands of rules already existing in our firewall table.
> But, as per a new firewall rule requirement (usually in spreadsheet format), rules should only be created if they do not already exist in our firewall rule base. Creating firewall rules as per request won't be a big challenge.
So we thought of using this filter option to check if the required pattern of firewall rules already exists, rather than creating the rules as per requirement, as this leads to duplication of rules if they already exist.
If it's not possible with this filter, do we have any other options to get it done?
thanks
Kishori
Hi, generally this is the intent and it should be possible with this API.
The biggest documentation set is available at the R80.10 Security Management Admin guide (pages 19-20) available here: Check Point R80.10
I suggest that we continue to use this thread in case you have questions about specific incidents in which the filters did not work as you expected them to.
Note that Cisco requires streaming GW traffic, while Check Point performs static analysis on the policies, which saves you from reading logs to identify matching rules. Check Point has a pinj command-line tool (packet injector) which you can use for the case of streaming traffic and checking matches.
I would also like to point out that similar functionality will be available with Rule Assistant, however the search open API is already available and you can apply it for this need without waiting for Rule Assistant to come out.
Hello
We have only one firewall policy rule, as below:
rule # 1 - source 10.0.0.0/8 destination 20.0.0.0/8 service port - 443 accept - allow
While we run the below packet-mode command syntaxes to find if the requested pattern of rule exists in the firewall configuration:
mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80 Action:Accept" -u username -p password
mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "mode:packet src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password
mgmt_cli show access-rule name "Network" filter "src:10.10.10.10 dst:20.20.20.20 svc:80" -u username -p password
It should show that no rule matches in the firewall policy configuration, as we have not opened port 80,
but it is still showing the result of matching rule number 1, which is not supposed to happen.
Are we missing something in the above command syntax? Kindly advise.
Hi,
Try this:
mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "src:10.10.10.10 AND dst:20.20.20.20 AND svc:80 AND Action:Accept" -u username -p password
Hi,
I have noticed a few weird things about "action" while using Filter. Not sure if it's a bug or I am calling it the wrong way.
If I use this in packet mode:
filter: "Action: Accept" (this will return me all the result without filtering including drop)
filter: "action: Accept" (This will always return 0. always will be empty)
filter: "action: UID of Accept" (This will give me proper result)
Same with the drop as well.
Is this supposed to work only with the UID of Accept/Drop etc.?
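As an added example (not code from this thread or from Check Point), here is a Python helper that builds the packet-mode filter the way the posts above found it works (terms joined with AND, the action given by its UID), reads the reply to decide whether a matching rule already exists before a provisioning script creates a duplicate, and shows the POST to the management server. The server name, session id, layer name and SAMPLE_REPLY are assumed or constructed values.

```python
import json
import urllib.request

# UID of the "Accept" action object, as quoted in the thread above.
ACTION_UIDS = {"accept": "6c488338-8eec-4103-ad21-cd461ac2c472"}


def build_packet_filter(src, dst, svc, action=None):
    """Join terms with AND and give the action by UID: posts above report that
    space-separated terms also matched the clean-up rule, 'action:Accept'
    matched nothing and 'Action:Accept' ignored the action entirely."""
    terms = [f"src:{src}", f"dst:{dst}", f"svc:{svc}"]
    if action is not None:
        terms.append(f"action:{ACTION_UIDS[action.lower()]}")
    return " AND ".join(terms)


def build_request_body(layer, src, dst, svc, action=None, limit=50):
    """Body for POST /web_api/show-access-rulebase in packet search mode."""
    return {"offset": 0, "limit": limit, "name": layer,
            "details-level": "standard", "use-object-dictionary": True,
            "filter-settings": {"search-mode": "packet"},
            "filter": build_packet_filter(src, dst, svc, action)}


def matching_rule_uids(reply):
    """Yield access-rule UIDs from a reply, descending into sections; an empty
    result means no existing rule matches and the requested one may be added."""
    for item in reply.get("rulebase", []):
        if item.get("type") == "access-section":
            yield from matching_rule_uids(item)
        elif item.get("type") == "access-rule":
            yield item["uid"]


def query_rulebase(server, sid, body):
    """POST body to the (assumed) server; sid comes from /web_api/login."""
    req = urllib.request.Request(
        f"https://{server}/web_api/show-access-rulebase", method="POST",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid})
    with urllib.request.urlopen(req) as resp:  # default context verifies TLS
        return json.load(resp)


# Constructed sample reply (not captured from a real server): one section
# holding one matching rule, in the shape show-access-rulebase returns.
SAMPLE_REPLY = {"name": "Network", "total": 1, "rulebase": [
    {"type": "access-section", "name": "Web", "rulebase": [
        {"type": "access-rule", "uid": "11111111-2222-3333-4444-555555555555"}]}]}
```

A script would call `query_rulebase` with a real session id and create the rule only when `matching_rule_uids` yields nothing.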
Hello Ekta
Yes, it's working as expected after adding AND syntax between src and dst.
Thanks for your great help
Hello
But it works for host objects and group objects, not for range objects.
Say for example we have the below policy configuration:
source - R_10.10.10.10-10.10.10.13
Destination - R_20.20.20.20-20.20.20.23
Port - 80
Results show NIL after running the below syntax:
mgmt_cli show access-rule name "Network" filter-settings.search-mode "packet" "src:10.10.10.10 AND dst:20.20.20.20 AND svc:80 AND Action:Accept" -u username -p password
Note: it works for Host object & Group object rules.
Thanks
Kishori
Hi,
I have checked for a range object with the R80.10 API and it's working for me.
You can use Postman to test different combinations, like just filtering the src field instead of filtering all fields.
This should work according to the specifications. If this does not work and you have a reproduction you can also open a task so that the Check Point Support can investigate the root cause.
Hello Tomer
Thanks for your prompt update!!!!
Much Appreciated
Regards
Kishori
Hi Kishore lal,
I have not tried the REST API through mgmt_cli, but as Tomer Sole mentioned, svc will work without specifying whether the service is UDP or TCP.
I can suggest you try:
mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 Action:Accept"
in place of:
mgmt_cli show access-rulebase name "Network" filter "src:20.10.10.10/32 dst:10.10.10.1/32 svc:80 action:Accept"
For me, this worked.
Hi Ekta,
I am trying to find out the rule from the below filter; however, I am not getting any rule details, using the same filter as you mentioned. Could you please help?
I am always getting the below output where no rule details are available. I already checked with SmartConsole; there is a rule present for the mentioned source and destination.
"json": {
    "name": "Network",
    "rulebase": [],
    "total": 0,
    "uid": "uid number"
},
"msg": "OK (unknown bytes)",
"redirected": false,
"server": "CPWS",
"status": 200,
"strict_transport_security": "max-age=31536000; includeSubDomains",
"transfer_encoding": "chunked",
"url": "https://x.x.x.x/web_api/show-access-rulebase",
"x_forwarded_host_port": "443",
"x_frame_options": "SAMEORIGIN",
"x_ua_compatible": "IE=EmulateIE8"
url: "https://{{mserver_hostname}}/web_api/show-access-rulebase"
validate_certs: False
method: POST
headers:
  x-chkp-sid: "{{ login.json.sid }}"
body:
  offset: 0
  limit: 20
  name: "network"
  details-level: "full"
  use-object-dictionary: true
  filter-settings:
    search-mode: "packet"
  filter: "src:10.10.10.10 AND dst:10.10.20.20 AND svc:30000 action:6c488338-8eec-4103-ad21-cd461ac2c472"
body_format: json
register: rule_search
Please help me, I am stuck with this. My main objective is to search for a rule on a given source, destination and port.
Thanks in advance,
Hello Ekta
Thanks for your valuable update
Regards
Kishori