Kumar_Gollapudi
Participant

How to check the access list in Check Point via CLI

How to check the access list in Check Point through the CLI, like Cisco's `show access-list`?

Any help is much appreciated.

1 Solution

Accepted Solutions
deniskr
Employee

To print the rulebase in nice format, run command on the CP gateway via expert mode (R80.30+):

db_tool -p $FWDIR/state/local/FW1 get_rules

0 Kudos
21 Replies

Hi Kumar,

I don't understand the question 100%. I think you want to display the policy.

Use mgmt_cli to show the firewall policy on CLI.

Check Point - Management API reference 

Regards

Heiko

Kumar_Gollapudi
Participant

How to grep the rules for the source and destination, as we do on Cisco (show access-list | in 192.168.1.1)?

0 Kudos
Robert_Decker
Employee Alumnus

If you are running R80.X environment, please refer to my answer below using new R80 REST API commands.

If you have R77.x and below, you'll need old CLI commands.

Robert.

0 Kudos
PhoneBoy
Admin

The output of either mgmt_cli or dbedit is pretty verbose; a simple grep won't show you the rules you're looking for.

0 Kudos
Robert_Decker
Employee Alumnus

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.1%20

For Example:

mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json

Robert.

0 Kudos
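The JSON output of `show access-rulebase` references objects by UID rather than by name or address, which is why a plain grep for an IP does not work. The following is an added example (not code from the thread or from Check Point) that shows how the original poster's "show access-list | in 192.168.1.1" question can be answered offline from that JSON: it resolves the UIDs through the objects dictionary, tests hosts by exact address and networks by subnet, and reports which rules cover the address in source or destination. The JSON layout (`rulebase`, `access-section`, `objects-dictionary`, `ipv4-address`, `subnet4`/`mask-length4`, `CpmiAnyObject`) is an assumption about the API's shape, and the embedded rulebase is a constructed sample standing in for a real `-f json` capture.

```python
import ipaddress
import json

# Constructed sample (not captured from a real management server) modelled on
# the assumed JSON shape of `mgmt_cli show access-rulebase ... -f json`:
# rules reference objects by UID, and each referenced object appears once in
# "objects-dictionary" with its name, type and addressing fields.
SAMPLE_RULEBASE_JSON = """
{
  "name": "my_policy Network",
  "rulebase": [
    {"uid": "r1", "rule-number": 1, "name": "Admin to DMZ", "type": "access-rule",
     "source": ["h-admin"], "destination": ["n-dmz"], "action": "a-accept"},
    {"uid": "s1", "name": "Inbound", "type": "access-section", "rulebase": [
      {"uid": "r2", "rule-number": 2, "name": "DMZ to LAN", "type": "access-rule",
       "source": ["n-dmz"], "destination": ["n-lan"], "action": "a-drop"}
    ]},
    {"uid": "r3", "rule-number": 3, "name": "Cleanup", "type": "access-rule",
     "source": ["any"], "destination": ["any"], "action": "a-drop"}
  ],
  "objects-dictionary": [
    {"uid": "h-admin", "name": "admin-pc", "type": "host", "ipv4-address": "192.168.1.1"},
    {"uid": "n-dmz", "name": "DMZ-net", "type": "network", "subnet4": "10.10.0.0", "mask-length4": 24},
    {"uid": "n-lan", "name": "LAN-net", "type": "network", "subnet4": "192.168.1.0", "mask-length4": 24},
    {"uid": "any", "name": "Any", "type": "CpmiAnyObject"},
    {"uid": "a-accept", "name": "Accept", "type": "RulebaseAction"},
    {"uid": "a-drop", "name": "Drop", "type": "RulebaseAction"}
  ]
}
"""


def iter_access_rules(items):
    """Yield access rules in policy order, descending into access-sections."""
    for item in items:
        if item.get("type") == "access-rule":
            yield item
        elif item.get("type") == "access-section":
            yield from iter_access_rules(item.get("rulebase", []))


def object_covers(obj, ip):
    """True if the object covers ip: hosts by exact address, networks by subnet, Any always."""
    if obj.get("type") == "CpmiAnyObject":
        return True
    if "ipv4-address" in obj:
        return ipaddress.ip_address(obj["ipv4-address"]) == ip
    if "subnet4" in obj and "mask-length4" in obj:
        return ip in ipaddress.ip_network(f"{obj['subnet4']}/{obj['mask-length4']}")
    return False


def rules_matching(rulebase_json, address, include_any=False):
    """Return the rules whose source or destination covers address, in policy order.

    Each hit carries the rule number and name, the resolved object names and
    action, and which columns ("source"/"destination") matched. Rules that
    match only through an "Any" column are skipped unless include_any is set,
    so the cleanup rule does not drown out the rules you are actually after.
    """
    data = json.loads(rulebase_json)
    ip = ipaddress.ip_address(address)
    objects = {o["uid"]: o for o in data.get("objects-dictionary", [])}

    def names(uids):
        # Fall back to the raw UID if the dictionary does not know the object.
        return [objects.get(u, {}).get("name", u) for u in uids]

    hits = []
    for rule in iter_access_rules(data.get("rulebase", [])):
        matched = []
        for column in ("source", "destination"):
            for uid in rule.get(column, []):
                obj = objects.get(uid, {})
                if not object_covers(obj, ip):
                    continue
                if obj.get("type") == "CpmiAnyObject" and not include_any:
                    continue
                matched.append(column)
                break
        if matched:
            hits.append({
                "rule-number": rule.get("rule-number"),
                "name": rule.get("name", ""),
                "source": names(rule.get("source", [])),
                "destination": names(rule.get("destination", [])),
                "action": objects.get(rule.get("action"), {}).get("name", ""),
                "matched": matched,
            })
    return hits


def format_hits(hits):
    """One line per rule, in the spirit of `show access-list | in <ip>`."""
    return [
        f"{h['rule-number']:>3}  {h['action']:<7} {','.join(h['source'])} -> "
        f"{','.join(h['destination'])}  [{h['name']}; matched {','.join(h['matched'])}]"
        for h in hits
    ]


if __name__ == "__main__":
    # Real use would read the file written by
    #   mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json > rb.json
    # here the constructed sample stands in for it.
    for line in format_hits(rules_matching(SAMPLE_RULEBASE_JSON, "192.168.1.1")):
        print(line)
```

Run against a real export, the script has to be pointed at the management server's output, since (as noted later in the thread) the gateway does not hold the policy in this form; the matching is done on resolved addresses, so a host hidden inside a network or group object is found even though its IP never appears literally in the rule.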
XBensemhoun
Employee

What version are you using https://community.checkpoint.com/people/anant20d3161d-e0b2-4a74-a8ae-f942d673f5b7 ?

Information Security enthusiast, CISSP, CCSP
0 Kudos
Kumar_Gollapudi
Participant

Most of the versions, like 77.30 & 77.20, 75.40.

0 Kudos
PhoneBoy
Admin

If you're using R80 management, then you can use the mgmt_cli commands referred to above.

If you're using R77.30 or earlier management, then you do something like the following from the management:

[Expert@mgmt:0]# dbedit -local

Please enter a command, -h for help or -q to quit:

dbedit> print fw_policies ##YourPolicy

Note that in no case will you be able to easily obtain this information from the gateway itself, only on the management.

Yuri_Slobodyany
Collaborator

Just for completeness' sake, I will say it is possible (I did it on a few occasions), but I will agree it gets ugly: parsing the <Policy name>.pf file from the gateway.

0 Kudos

Yuri, I don't think the .pf is pushed to the gateway.

You can sort of read the policy in $FWDIR/state/local/FW1/local.rule, but it is... not pretty.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Yuri_Slobodyany
Collaborator

Yep, my bad, .pf is kept on the management as well.

0 Kudos

How often are you doing this operation?

Also, this is not the right way to get all the rules that match a source address, for example a larger subnet / address group on the rule.

On R80.10, search here for a packet-based search in the SmartConsole.

On R77.30... it won't be easy at all. If it is a day-to-day operation, I would suggest checking for 3rd party software like Tufin / AlgoSec / Skybox.

If you are not afraid of open source and this is not an operation you are doing on a day-to-day basis, check the Palo Alto migration tool: you can load in the config from the management and export CLI commands which you can filter on Linux / Notepad++.

If you know some scripting / XML / HTML, you can use the Web Visualization Tool to get the policy and objects in those formats and run a query on those files.

Hope this helped.

deniskr
Employee

To print the rulebase in nice format, run command on the CP gateway via expert mode (R80.30+):

db_tool -p $FWDIR/state/local/FW1 get_rules

0 Kudos
_Val_
Admin

@deniskr you are answering a VERY old thread, just in case you did not realize it 🙂

0 Kudos
deniskr
Employee

now this thread has a proper solution, just in case someone's looking 😉

_Val_
Admin

It sure does.

0 Kudos
Henrik_Noerr1
Collaborator

Hey @deniskr 

I truly appreciate an answer for the above, however old it is.
It is a question that has always shown a weak point regarding Check Point management.

The suggested solution is a command impossible to remember, and it also requires expert mode access, which is a shame.

Just a small shoutout from me to improve access list visibility locally on the gateways, in a world where automated tools make a centralized SmartCenter/MDS less and less relevant.

regards,

Henrik

0 Kudos

As it is, all policy-related automation targets the centralized Management today.

fw up_execute is an additional gateway-side CLI tool that may assist a bit in this regard; refer to:

 https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/FWG...

0 Kudos
_Val_
Admin

I respectfully disagree. This question is common for newbies who come from the Cisco world and do not yet know anything about Check Point architecture.

0 Kudos
Henrik_Noerr1
Collaborator

Not sure how I deserved the newbie title with more than 20 years of in-depth VSX/MDS experience. You could ask yourself if you understand customer needs instead.

Sure, we have the API and it is very useful. No one is questioning that.

@deniskr I know of the fw_up command, it has helped in some corner cases. Thank you

0 Kudos
_Val_
Admin

@Henrik_Noerr1 , I was referring to the topic starter, obviously. No need to take it personally. 

In my experience, this is the first question that students ask on the CCSA course if they have taken switching and routing Cisco classes before that. I would even define it as one of the FAQs.

I can only base my judgment on my own experience, but with 20+ years in the field, with all those CP PS and Support Partner years, I have never had a need to see the policy in text format during connectivity troubleshooting or otherwise. So yes, I may not fully understand that need, and I do apologize for that fact.

That said, db_tool is out there for some time now, and I specifically marked @deniskr's comment as the solution, to help out those who may look for it. 

Finally, if there is a strong need for a user-friendly tool to print out policies and a good argument towards it, I suggest you open an RFE with your local Check Point representative. 

Once again, no offense meant, and thanks for your understanding.