Mathieu_d
Explorer

How to filter the automatically generated NAT rules when using "show NAT rulebase" on the Check Point API

I am working in an environment with a lot of automatically generated rules, and they are present on all the policies. I am writing a rule cleanup script taking into account the NAT rules.

When I fetch the NAT rulebase using "show nat rulebase", the automatic rules appear each time, resulting in a lot of useless queries in my script, and then I face an issue with the API rate limit.

Is there a way to filter the automatically generated NAT rules when using the checkpoint management API?

Another way to do this would be to just put the rules on top or bottom of my rulebase and skipping them using the offset parameter, but I can't find a way to get the number of automatic rules.

Regards.

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority

Automatic rules have the key "auto-generated" set to true. Try this:

mgmt_cli -f json -r true show nat-rulebase package <UUID> details-level full limit 500 offset 0 | jq '.rulebase[]|if has("rulebase") then .rulebase[] else . end|select(."auto-generated" != true)|.'

Note that this flattens the NAT rulebase so sections no longer appear in the output. It's fine for demonstrating how jq's select statement can filter this, though.

[Expert@DallasSC]# cat testNat.json
{
  "uid": "fcd91efa-fd33-47ce-9985-aa8afb838fc0",
  "rulebase": [
    {
      "uid": "01234567-89ab-cdef-1111-111111111111",
      "auto-generated": true
    },
    {
      "uid": "01234567-89ab-cdef-1111-222222222222",
      "auto-generated": false
    },
    {
      "uid": "f364febb-bf96-4979-b8df-5033952173a2",
      "name": "Automatic Generated Rules : Address Range Hide NAT",
      "type": "nat-section",
      "rulebase": []
    },
    {
      "uid": "b63740e8-e228-4ac3-a9ae-43f484415515",
      "name": "Automatic Generated Rules : Network Hide NAT",
      "type": "nat-section",
      "from": 1,
      "to": 2,
      "rulebase": [
        {
          "uid": "01234567-89ab-cdef-2222-111111111111",
          "auto-generated": true
        },
        {
          "uid": "01234567-89ab-cdef-2222-222222222222",
          "auto-generated": false
        },
        {
          "uid": "01234567-89ab-cdef-2222-333333333333",
          "auto-generated": true
        }
      ]
    }
  ]
}

[Expert@DallasSC]# <testNat.json jq '.rulebase[]|if has("rulebase") then .rulebase[] else . end|select(."auto-generated" != true)|.uid'
"01234567-89ab-cdef-1111-222222222222"
"01234567-89ab-cdef-2222-222222222222"

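The jq one-liner above flattens the rulebase, and the original question also asks for the number of automatic rules so they can be skipped with the offset parameter. The following added example (not part of the thread, and not Check Point code) shows the same "auto-generated" test applied in Python while keeping the section structure intact, plus a counter that tells a cleanup script how many rules are skippable before it spends any API calls on them. The sample document is constructed to match the shape of the testNat.json shown in the answer (bare rules and "nat-section" entries with a nested "rulebase"); the short UIDs are placeholders, and the "drop_empty_sections" switch is this example's own option, not an API parameter.

```python
import json

# Constructed sample modelled on the testNat.json structure in the answer:
# a top-level "rulebase" mixing bare rules and "nat-section" objects whose
# own "rulebase" holds nested rules. UIDs are placeholders, not real values.
SAMPLE_NAT_RULEBASE = json.loads("""
{
  "uid": "00000000-0000-0000-0000-000000000000",
  "rulebase": [
    {"uid": "rule-1", "auto-generated": true},
    {"uid": "rule-2", "auto-generated": false},
    {"uid": "sec-1", "name": "Automatic Generated Rules : Address Range Hide NAT",
     "type": "nat-section", "rulebase": []},
    {"uid": "sec-2", "name": "Automatic Generated Rules : Network Hide NAT",
     "type": "nat-section", "from": 1, "to": 2,
     "rulebase": [
        {"uid": "rule-3", "auto-generated": true},
        {"uid": "rule-4", "auto-generated": false},
        {"uid": "rule-5", "auto-generated": true}
     ]}
  ]
}
""")


def is_auto_generated(rule):
    # Same predicate as the jq select: only an explicit true counts, so a
    # rule that lacks the key is treated as manual, exactly like `!= true`.
    return rule.get("auto-generated") is True


def filter_nat_rulebase(response, drop_empty_sections=False):
    """Return a copy of a show nat-rulebase response with auto-generated rules
    removed. Sections and their order are preserved (the jq one-liner in the
    answer flattens them). The input document is not modified."""
    def walk(entries):
        kept = []
        for entry in entries:
            if "rulebase" in entry:            # a section: recurse (jq's has("rulebase"))
                section = dict(entry)          # shallow copy, then replace its rule list
                section["rulebase"] = walk(entry["rulebase"])
                if drop_empty_sections and not section["rulebase"]:
                    continue                   # hypothetical option: hide sections left empty
                kept.append(section)
            elif not is_auto_generated(entry):
                kept.append(entry)
        return kept

    result = dict(response)
    result["rulebase"] = walk(response.get("rulebase", []))
    return result


def count_rules(response):
    """Return (auto_generated, manual) counts across all sections, so a
    cleanup script knows how many entries it can skip before querying them."""
    auto = manual = 0

    def walk(entries):
        nonlocal auto, manual
        for entry in entries:
            if "rulebase" in entry:
                walk(entry["rulebase"])
            elif is_auto_generated(entry):
                auto += 1
            else:
                manual += 1

    walk(response.get("rulebase", []))
    return auto, manual


def manual_rule_uids(response):
    """Flattened list of the UIDs the jq one-liner would print (.uid output)."""
    uids = []

    def walk(entries):
        for entry in entries:
            if "rulebase" in entry:
                walk(entry["rulebase"])
            else:
                uids.append(entry["uid"])

    walk(filter_nat_rulebase(response)["rulebase"])
    return uids


if __name__ == "__main__":
    print(json.dumps(filter_nat_rulebase(SAMPLE_NAT_RULEBASE,
                                         drop_empty_sections=True), indent=2))
    print("auto-generated, manual:", count_rules(SAMPLE_NAT_RULEBASE))
    print("manual rule UIDs:", manual_rule_uids(SAMPLE_NAT_RULEBASE))
```

In a real script the response dict would come from the management API's show nat-rulebase call (with limit and offset as in the mgmt_cli command above) instead of the constructed sample; because the filter runs locally on an already fetched page, it removes the per-rule follow-up queries the question describes without adding any calls of its own.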

2 Replies
Amir_Senn
Employee

Have you tried using sections and using "show NAT section"?

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-nat-section~v2

Kind regards, Amir Senn
0 Kudos
