Kumar_Gollapudi
Participant

How to check the access list in Check Point via CLI

How do I check the access list in Check Point through the CLI, like Cisco's `show access-list`?

Any help is much appreciated.

12 Replies
HeikoAnkenbrand
Champion

Hi Kumar,

I don't understand the question 100%. I think you want to display the policy.

Use mgmt_cli to show the firewall policy on the CLI.

Check Point - Management API reference 

Regards

Heiko

Kumar_Gollapudi
Participant

How do I grep the rules for the source and destination, as we do on Cisco (show access-list | in 192.168.1.1)?

Robert_Decker
Employee Alumnus

If you are running an R80.x environment, please refer to my answer below using the new R80 REST API commands.

If you have R77.x or below, you'll need the old CLI commands.

Robert.

PhoneBoy
Admin

The output of either mgmt_cli or dbedit is pretty verbose; a simple grep won't show you the rules you're looking for.

Robert_Decker
Employee Alumnus

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.1

For example:

mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json

Robert.

XBensemhoun
Employee

What version are you using https://community.checkpoint.com/people/anant20d3161d-e0b2-4a74-a8ae-f942d673f5b7 ?

Information Security enthusiast, CISSP, CCSP
Kumar_Gollapudi
Participant

Mostly versions like R77.30 and R77.20, and R75.40.

PhoneBoy
Admin

If you're using R80 management, then you can use the mgmt_cli commands referred to above.

If you're using R77.30 or earlier management, then you do something like the following from the management server:

[Expert@mgmt:0]# dbedit -local

Please enter a command, -h for help or -q to quit:

dbedit> print fw_policies ##YourPolicy

Note that in no case will you be able to easily obtain this information from the gateway itself, only on the management.

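A worked example of the approach Robert and PhoneBoy describe above, added here and not code from the thread or from Check Point: take the JSON that `mgmt_cli show access-rulebase ... -f json` returns, resolve the object UIDs each rule references through the `objects-dictionary` that ships in the same response, and report the rules whose Source or Destination covers a given IPv4 address, which is what a bare grep over that output cannot tell you. The layer and package names, object names and UIDs in the embedded sample are constructed; the sample only mirrors the response shape (rules nested under sections, UID references, `source-negate`/`destination-negate` flags). It assumes that group members appear in the dictionary only at `details-level full`, so a group listed without members is reported as unresolved rather than silently treated as a non-match; the script name `find_rule.py` is hypothetical.

```python
"""Find the Check Point access rules whose Source/Destination covers an IPv4.

Added example, not Check Point tooling. Typical use, as root on the R80.x
management server (so `-r true` logs in without credentials):
    mgmt_cli -r true show access-rulebase name "Network" package "Standard" \
        -f json | python3 find_rule.py 192.168.1.1
When stdin is a terminal the constructed sample below is used instead.
"""
import ipaddress
import json
import sys

# Constructed sample in the shape of `show access-rulebase -f json`: rules sit
# under sections, reference objects by UID, and the objects-dictionary resolves
# them. Names/UIDs are hypothetical. The group has no "members" key, which is
# what the default details-level gives you, so it cannot be resolved offline.
SAMPLE_RULEBASE = {
    "name": "Network",
    "rulebase": [
        {"type": "access-section", "name": "DMZ", "rulebase": [
            {"type": "access-rule", "rule-number": 1, "name": "corp-to-web",
             "source": ["u-net10"], "source-negate": False,
             "destination": ["u-host1", "u-grp"], "destination-negate": False,
             "action": "u-accept"},
            {"type": "access-rule", "rule-number": 2, "name": "drop-outside",
             "source": ["u-net10"], "source-negate": True,
             "destination": ["u-net192"], "destination-negate": False,
             "action": "u-drop"}]},
        {"type": "access-rule", "rule-number": 3, "name": "cleanup",
         "source": ["u-any"], "source-negate": False,
         "destination": ["u-any"], "destination-negate": False,
         "action": "u-drop"},
    ],
    "objects-dictionary": [
        {"uid": "u-any", "name": "Any", "type": "CpmiAnyObject"},
        {"uid": "u-host1", "name": "web-srv", "type": "host",
         "ipv4-address": "192.168.1.1"},
        {"uid": "u-net10", "name": "corp-net", "type": "network",
         "subnet4": "10.0.0.0", "mask-length4": 8},
        {"uid": "u-net192", "name": "dmz-net", "type": "network",
         "subnet4": "192.168.1.0", "mask-length4": 24},
        {"uid": "u-grp", "name": "dmz-servers", "type": "group"},
        {"uid": "u-accept", "name": "Accept", "type": "RulebaseAction"},
        {"uid": "u-drop", "name": "Drop", "type": "RulebaseAction"},
    ],
}


def object_covers(obj, ip):
    """True/False when the object's address scope is known; None when it is
    not decidable from the dictionary (group listed without members, dynamic
    object, a type not modelled here), so the caller can flag it."""
    kind = obj.get("type")
    if kind == "CpmiAnyObject":
        return True
    if kind == "host" and "ipv4-address" in obj:
        return ipaddress.ip_address(obj["ipv4-address"]) == ip
    if kind == "network" and "subnet4" in obj:
        net = ipaddress.ip_network(f'{obj["subnet4"]}/{obj["mask-length4"]}',
                                   strict=False)
        return ip in net
    if kind == "address-range" and "ipv4-address-first" in obj:
        return (ipaddress.ip_address(obj["ipv4-address-first"]) <= ip
                <= ipaddress.ip_address(obj["ipv4-address-last"]))
    if kind == "group" and isinstance(obj.get("members"), list):
        # Assumption: members are only expanded at details-level full.
        verdicts = [object_covers(m, ip) for m in obj["members"]]
        return True if any(verdicts) else (None if None in verdicts else False)
    return None


def iter_rules(rulebase):
    """Yield access-rule entries in policy order, descending into sections."""
    for entry in rulebase:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry


def cell_matches(uids, negated, objects, ip):
    """One rule column: matches if any listed object covers ip; a negated cell
    matches when none does. Returns (matched, names we could not resolve)."""
    covered, unresolved = False, []
    for uid in uids:
        obj = objects.get(uid, {})
        verdict = object_covers(obj, ip)
        if verdict is None:
            unresolved.append(obj.get("name", uid))
        elif verdict:
            covered = True
    return (not covered if negated else covered), unresolved


def find_matching_rules(data, ip_text):
    """Rules whose Source or Destination covers ip_text, in policy order, plus
    rules that reference objects the dictionary does not let us resolve."""
    ip = ipaddress.IPv4Address(ip_text)   # IPv4 only in this example
    objects = {o["uid"]: o for o in data.get("objects-dictionary", [])}
    hits = []
    for rule in iter_rules(data.get("rulebase", [])):
        columns, unresolved = [], []
        for col in ("source", "destination"):
            matched, unres = cell_matches(rule.get(col, []),
                                          rule.get(f"{col}-negate", False),
                                          objects, ip)
            if matched:
                columns.append(col)
            unresolved += unres
        if not columns and not unresolved:
            continue
        action = rule.get("action")
        hits.append({"rule-number": rule.get("rule-number"),
                     "name": rule.get("name"),
                     "verdict": "match" if columns else "unresolved",
                     "columns": columns,
                     "action": objects.get(action, {}).get("name", action),
                     "unresolved": unresolved})
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mgmt_cli ... show access-rulebase ... -f json | "
                 "find_rule.py <ipv4>")
    data = SAMPLE_RULEBASE if sys.stdin.isatty() else json.load(sys.stdin)
    for hit in find_matching_rules(data, sys.argv[1]):
        print(f'rule {hit["rule-number"]} ({hit["name"]}): {hit["verdict"]} on '
              f'{",".join(hit["columns"]) or "-"}, action {hit["action"]}'
              + (f', unresolved: {hit["unresolved"]}' if hit["unresolved"] else ""))
```

Two caveats when running it against a real management server: the response is paged (it carries from/to/total), so pass `limit` and walk `offset` for a large layer, and run it once per layer, since each access layer of a package is a separate rulebase. Rules that come back as "unresolved" (a group whose members the dictionary did not expand, or an object type the script does not model) are the ones to check by hand or re-query at `details-level full`.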
Yuri_Slobodyany
Collaborator

Just for completeness' sake, I will say it is possible (I did it on a few occasions), but I will agree it gets ugly: parsing the <Policy name>.pf file from the gateway.

Hugo_vd_Kooij
Advisor

Yuri, I don't think the .pf is pushed to the gateway.

You can sort of read the policy in $FWDIR/state/local/FW1/local.rule, but it is ... not pretty.

Yuri_Slobodyany
Collaborator

Yep, my bad: the .pf is kept on the management as well.

Dor_Marcovitch
Advisor

How often are you doing this operation?

Also, this is not the right way to get all the rules that match a source address, for example a larger subnet / address group on the rule.

On R80.10, search here for a packet-based search in SmartConsole.

On R77.30... it won't be easy at all. If it is a day-to-day operation, I would suggest checking 3rd-party software like Tufin / AlgoSec / Skybox.

If you are not afraid of open source and this is not an operation you are doing on a day-to-day basis, check the Palo Alto migration tool: you can load the config from the management and export CLI commands which you can filter on Linux / Notepad++.

If you know some scripting / XML / HTML, you can use the Web Visualization Tool to get the policy and objects in those formats and run a query on those files.

Hope this helped.