How to check the access list in checkpoint through CLI like (Cisco: show access-list)
Any help is much appreciated.
To print the rulebase in nice format, run command on the CP gateway via expert mode (R80.30+):
db_tool -p $FWDIR/state/local/FW1 get_rules
Hi Kumar,
I don't understand the question 100%. I think you want to display the policy.
Use mgmt_cli to show the firewall policy on CLI.
Check Point - Management API reference
Regards
Heiko
How do we grep the rules for the source and destination, as we do on Cisco (show access-list | in 192.168.1.1)?
If you are running R80.X environment, please refer to my answer below using new R80 REST API commands.
If you have R77.x and below, you'll need old CLI commands.
Robert.
The output of either mgmt_cli or dbedit is pretty verbose; a simple grep won't show you the rules you're looking for.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.1
For Example:
mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json
Robert.
What version are you using https://community.checkpoint.com/people/anant20d3161d-e0b2-4a74-a8ae-f942d673f5b7 ?
Most of the versions like 77.30 & 77.20, 75.40
If you're using R80 management, then you can use the mgmt_cli commands referred to above.
If you're using R77.30 or earlier management, then you do something like the following from the management:
[Expert@mgmt:0]# dbedit -local
Please enter a command, -h for help or -q to quit:
dbedit> print fw_policies ##YourPolicy
Note that in no case will you be able to easily obtain this information from the gateway itself, only on the management.
Just for completeness' sake, I will say it is possible (I did it on a few occasions), but I will agree it gets ugly: parsing the <Policy name>.pf file from the gateway.
Yuri, I don't think the .pf is pushed to the gateway.
You can sort of read the policy in $FWDIR/state/local/FW1/local.rule but it is .... not pretty.
Yep, my bad .pf is kept on management as well.
How often are you doing this operation?
Also, this is not the right way to get all the rules that match a source address, for example a larger subnet / address group on the rule.
On R80.10, search here for a packet-based search in SmartConsole.
On R77.30... it won't be easy at all. If it is a day-to-day operation, I would suggest checking for 3rd-party software like Tufin / AlgoSec / Skybox.
If you are not afraid of open source and this is not an operation you are doing on a day-to-day basis, check the Palo Alto migration tool: you can load in the config from the management and export CLI commands which you can filter on Linux / Notepad++.
If you know some scripting / XML / HTML, you can use the Web Visualization Tool to get the policy and objects in those formats and run a query on those files.
Hope this helped.
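Robert's suggestion above is to dump the rulebase as JSON with mgmt_cli and filter it, and the reply above adds that a plain text search misses rules whose source or destination is a larger subnet or an address group. The script below is an added example, not code from this thread or from Check Point: it reads the JSON that `mgmt_cli show access-rulebase ... -f json` produces, resolves the source/destination object UIDs through the objects-dictionary, and reports every rule whose column covers a given IP, descending into nested groups and testing subnets with the ipaddress module. The JSON shape it expects (rulebase, objects-dictionary, the host/network/group type names and the subnet4, mask-length4 and ipv4-address fields) is assumed from the documented API output; the embedded sample data and the script name find_rules.py are constructed for this example.

```python
"""Filter a Check Point Management API rulebase export by IP address.

Added example, not from the CheckMates thread or from Check Point.
Post-processes the JSON emitted by `mgmt_cli show access-rulebase ... -f json`,
resolving source/destination UIDs through "objects-dictionary" so a query
address is matched against hosts, networks (subnets) and nested groups,
which a plain grep cannot do. The field names follow the documented API
output (assumption); the sample data below is constructed.
"""
import ipaddress
import json
import sys

# Constructed sample in the shape of `mgmt_cli show access-rulebase -f json`
SAMPLE_JSON = """
{
  "name": "Network",
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Admin to DMZ",
     "source": ["uid-admin-net"], "destination": ["uid-dmz-group"],
     "action": "uid-accept", "enabled": true},
    {"type": "access-section", "name": "Internal",
     "rulebase": [
       {"type": "access-rule", "rule-number": 2, "name": "Web server",
        "source": ["uid-any"], "destination": ["uid-web-host"],
        "action": "uid-accept", "enabled": true}
     ]},
    {"type": "access-rule", "rule-number": 3, "name": "Cleanup",
     "source": ["uid-any"], "destination": ["uid-any"],
     "action": "uid-drop", "enabled": true}
  ],
  "objects-dictionary": [
    {"uid": "uid-any", "name": "Any", "type": "CpmiAnyObject"},
    {"uid": "uid-admin-net", "name": "Admin_Net", "type": "network",
     "subnet4": "192.168.1.0", "mask-length4": 24},
    {"uid": "uid-web-host", "name": "Web_Srv", "type": "host",
     "ipv4-address": "10.0.0.10"},
    {"uid": "uid-db-host", "name": "DB_Srv", "type": "host",
     "ipv4-address": "10.0.0.20"},
    {"uid": "uid-dmz-group", "name": "DMZ_Servers", "type": "group",
     "members": ["uid-web-host", "uid-db-host"]},
    {"uid": "uid-accept", "name": "Accept", "type": "RulebaseAction"},
    {"uid": "uid-drop", "name": "Drop", "type": "RulebaseAction"}
  ]
}
"""


def object_matches(obj, addr, objects, seen=None):
    """Return True if `addr` falls inside `obj` (host, network, group or Any)."""
    seen = seen if seen is not None else set()
    uid = obj.get("uid")
    if uid in seen:          # guard against a group that (indirectly) contains itself
        return False
    seen.add(uid)
    kind = obj.get("type")
    if kind == "CpmiAnyObject":
        return True
    if kind == "host":
        return ipaddress.ip_address(obj["ipv4-address"]) == addr
    if kind == "network":
        net = ipaddress.ip_network(f'{obj["subnet4"]}/{obj["mask-length4"]}')
        return addr in net
    if kind == "group":
        return any(object_matches(objects[m], addr, objects, seen)
                   for m in obj.get("members", []) if m in objects)
    return False             # services, actions and other types never match an address


def iter_rules(rulebase):
    """Yield access-rule entries, descending into access-sections."""
    for entry in rulebase:
        if entry.get("type") == "access-rule":
            yield entry
        elif entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))


def find_rules(rulebase_json, ip, column="source"):
    """Return (rule-number, name, action) for every rule whose `column` covers `ip`."""
    data = json.loads(rulebase_json)
    objects = {o["uid"]: o for o in data.get("objects-dictionary", [])}
    addr = ipaddress.ip_address(ip)
    hits = []
    for rule in iter_rules(data.get("rulebase", [])):
        refs = [objects[u] for u in rule.get(column, []) if u in objects]
        if any(object_matches(o, addr, objects) for o in refs):
            action = objects.get(rule.get("action"), {}).get("name", rule.get("action"))
            hits.append((rule.get("rule-number"), rule.get("name"), action))
    return hits


if __name__ == "__main__":
    # usage: mgmt_cli show access-rulebase name "Network" package "my_policy" -f json \
    #        | python3 find_rules.py 10.0.0.10 destination
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.10"
    column = sys.argv[2] if len(sys.argv) > 2 else "destination"
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if not text.strip():     # nothing piped in: run against the constructed sample
        text = SAMPLE_JSON
    for num, name, action in find_rules(text, ip, column):
        print(f"rule {num}: {name} [{action}]")
```

Run it on the real export by piping the mgmt_cli output into it (details-level standard is enough, since the objects-dictionary carries the addresses); with no input it runs against the constructed sample. The group walk is what distinguishes this from grep: a host that is only reachable through DMZ_Servers still surfaces as a hit, and a rule on Admin_Net matches any address inside 192.168.1.0/24.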
@deniskr you are answering a VERY old thread, just in case you did not realize it 🙂
now this thread has a proper solution, just in case someone's looking 😉
It sure does.
Hey @deniskr
I truly appreciate an answer for the above however old it is.
It is a question that has always shown a weak point regarding Check Point management.
The suggested solution is a command that is impossible to remember, and it also requires expert mode access, which is a shame.
Just a small shoutout from me to improve access list visibility locally on the gateways, in a world where automated tools make a centralized SmartCenter/MDS less and less relevant.
regards,
Henrik
As is, all policy-related automation targets the centralized Management today.
fw up_execute is an additional gateway-side CLI tool that may assist a bit in this regard, refer:
I respectfully disagree. This question is common for newbies who come from the Cisco world and do not know yet anything about Check Point architecture.
Not sure how I deserved the newbie title with more than 20 years of in-depth VSX/MDS experience. You could ask yourself if you understand customer needs instead.
Sure, we have the API and it is very useful. No one is questioning that.
@deniskr I know of the fw_up command, it has helped in some corner cases. Thank you
@Henrik_Noerr1 , I was referring to the topic starter, obviously. No need to take it personally.
In my experience, this is the first question that students ask on the CCSA course if they have taken switching and routing Cisco classes before that. I would even define it as one of the FAQs.
I can only base my judgment on my own experience, but with 20+ years in the field, with all those CP PS and Support Partner years, I have never had a need to see the policy in text format during connectivity troubleshooting or otherwise. So yes, I may not fully understand that need, and I do apologize for that fact.
That said, db_tool has been out there for some time now, and I specifically marked @deniskr's comment as the solution, to help out those who may look for it.
Finally, if there is a strong need for a user-friendly tool to print out policies and a good argument towards it, I suggest you open an RFE with your local Check Point representative.
Once again, no offense meant, and thanks for your understanding.
Hi,
This is no longer supported by R81.20. But a great command.
Cheers
BR
db_tool is in R81.20 (just checked).
It's an expert-mode command.
Hi @PhoneBoy
Yes, indeed, but Check Point support just replied to me stating it is no longer supported.
"After consulting with my team lead, I have been informed that the db_tool utility is currently not supported in R81.20. As a result, attempting to use this tool in this version may lead to errors, such as the one you encountered."
The error:
db_tool -p $FWDIR/state/local/FW1 get_rules
OUTPUT:
RULES === ===========================================================
db_tool: symbol lookup error: db_tool: undefined symbol: _ZN12CUpDBDataSet3refEv
Cheers
BR
There's no SK or any documentation that suggests db_tool isn't supported.
However, I do see a few TAC cases mentioning that R81 was the last version this was supported in.