Wolfgang
Leader

export or show policy with IPs

Hello Checkmates,

we would like to export a policy but with IP addresses of the objects and not their names.

Has anyone an idea? Or is it possible to have such a view in SmartConsole?

Wolfgang

0 Kudos
2 Replies
Bob_Zimmerman
Advisor

Chunks of my ipsToRules script could be adapted to do this:

https://community.checkpoint.com/t5/Scripts/IPs-to-Rules-as-JSON-or-CSV/m-p/116524

Instead of IPs -> where-used -> rules, you would use something like "show access-rulebase | jq '.rulebase[]|.'", which spits out the rules. Then modify the object dereferencer to replace object UUIDs with the IP address of the object (or with the member UUIDs for groups).

The object dereferencer works in multiple passes, finding all the remaining object UUIDs in the data, getting the definition of that object, and adding a sed script to replace the UUID with the definition. Once it's done getting all the UUIDs it knows about, it runs the collection of sed scripts, then looks for any remaining object UUIDs. It only ends when it has resolved all of the UUIDs to object definitions. Depending on exactly how you want to handle groups, you may need to return the group as an object with the members in a list (to retain group names), or you may need to return them bare (to dump all the contents directly into the rule field).

The other complication I can think of is rule sections. I'm not sure how I would handle them.

0 Kudos
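
The multi-pass dereferencing described in the reply above, as an added Python example; it is not part of the post and not the ipsToRules script, which works with sed. `OBJECTS` and `RULES` are constructed sample data with field names assumed to match the Management API's host, network and group output, `lookup` stands in for fetching one object definition by UID, and all function names are hypothetical; `keep_groups` switches between the two group treatments the reply mentions.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
u = "00000000-0000-4000-8000-00000000000{}".format  # builds constructed sample UIDs
OBJECTS = {  # constructed sample definitions, keyed by UID
    u(1): {"type": "host", "name": "web01", "ipv4-address": "10.1.1.10"},
    u(2): {"type": "network", "name": "dmz", "subnet4": "10.2.0.0", "mask-length4": 24},
    u(3): {"type": "group", "name": "servers", "members": [u(1), u(4)]},
    u(4): {"type": "group", "name": "inner", "members": [u(2)]},
    u(5): {"type": "CpmiAnyObject", "name": "Any"},
}
RULES = [{"uid": u(9), "name": "web in", "source": [u(5)], "destination": [u(3), u(7)]}]

def uids_in(node):  # yield UIDs that are still unresolved list items under node
    items = node if isinstance(node, list) else node.values() if isinstance(node, dict) else ()
    for item in items:
        if isinstance(node, list) and isinstance(item, str) and UUID_RE.match(item):
            yield item
        yield from uids_in(item)

def define(obj, keep_groups):  # what replaces one UID in the rule
    if "members" in obj:  # group: its member UIDs are resolved by a later pass
        members = list(obj["members"])
        return {"group": obj["name"], "members": members} if keep_groups else members
    if "ipv4-address" in obj:
        return obj["ipv4-address"]
    if "subnet4" in obj:
        return f'{obj["subnet4"]}/{obj["mask-length4"]}'
    return obj["name"]  # e.g. "Any", or the unresolved marker set below

def substitute(node, table):  # replace UIDs in lists; a list value is spliced in
    if not isinstance(node, list):
        return {k: substitute(v, table) for k, v in node.items()} if isinstance(node, dict) else node
    out = []
    for item in node:
        new = table.get(item, item) if isinstance(item, str) else substitute(item, table)
        out.extend(new if isinstance(new, list) else [new])
    return out

def dereference(rules, lookup, keep_groups=False, max_passes=32):
    cache = {}  # uid -> replacement, so each object is fetched only once
    for _ in range(max_passes):
        todo = set(uids_in(rules))
        if not todo:
            return rules
        for uid in todo.difference(cache):  # lookup returns None for an unknown UID
            cache[uid] = define(lookup(uid) or {"name": "unresolved:" + uid}, keep_groups)
        rules = substitute(rules, cache)
    raise RuntimeError("UIDs remain after max_passes: cyclic or very deep groups")
```

Calling `dereference(RULES, OBJECTS.get)` dumps group contents directly into the rule field, while `keep_groups=True` returns each group as an object with its name and a member list.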
Ryan_Darst
Employee

Take a look at the option to use the show-as-ranges as part of the API call show-access-rulebase.  This will provide you with ranges of IP addresses instead of the object names.  This option was first added in R80.20.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.7%20

Also please note that this call is limited to 20 rules per api call when using the option, so you will need to iterate over the rules in smaller chunks than normal to get a full rulebase.  This is documented as part of the API call in the guide.

0 Kudos