export or show policy with IPs
Hello Checkmates,
we would like to export a policy but with IP addresses of the objects and not their names.
Has anyone an idea? Or is it possible to have such a view in SmartConsole?
Wolfgang
Chunks of my ipsToRules script could be adapted to do this:
https://community.checkpoint.com/t5/Scripts/IPs-to-Rules-as-JSON-or-CSV/m-p/116524
Instead of IPs -> where-used -> rules, you would use something like "show access-rulebase | jq '.rulebase[]|.'", which spits out the rules. Then modify the object dereferencer to replace object UUIDs with the IP address of the object (or with the member UUIDs for groups).
The object dereferencer works in multiple passes, finding all the remaining object UUIDs in the data, getting the definition of that object, and adding a sed script to replace the UUID with the definition. Once it's done getting all the UUIDs it knows about, it runs the collection of sed scripts, then looks for any remaining object UUIDs. It only ends when it has resolved all of the UUIDs to object definitions. Depending on exactly how you want to handle groups, you may need to return the group as an object with the members in a list (to retain group names), or you may need to return them bare (to dump all the contents directly into the rule field).
The other complication I can think of is rule sections. I'm not sure how I would handle them.
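The multi-pass dereferencing described in the post above, as an added Python example that is not part of the thread and not the ipsToRules script. The object store and rule are constructed, the function names are hypothetical, and the field names (`ipv4-address`, `subnet4`, `mask-length4`, `members`) are assumed to match the Management API's object JSON; `keep_groups` switches between the two group treatments the post mentions.

```python
import re
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
U = "aaaaaaaa-0000-4000-8000-00000000000"  # prefix of the constructed sample UUIDs
# Constructed objects (stand-in for one API lookup per UUID) and rule; U + "9" is absent.
OBJECTS = {
    U + "1": {"type": "host", "name": "web1", "ipv4-address": "10.1.1.10"},
    U + "2": {"type": "network", "name": "dmz", "subnet4": "10.2.0.0", "mask-length4": 16},
    U + "3": {"type": "group", "name": "db-servers", "members": [U + "4"]},
    U + "4": {"type": "host", "name": "db1", "ipv4-address": "10.3.3.5"},
    U + "5": {"type": "group", "name": "app-tier", "members": [U + "1", U + "3"]},
}
RULES = [{"uid": U + "0", "name": "app to dmz", "source": [U + "5"], "destination": [U + "2", U + "9"]}]

def render(uid, obj, keep_groups):
    """Replacement for one UUID: a string, a group dict, or a bare list of member UUIDs."""
    if obj is None:
        return "unresolved:" + uid  # no longer matches UUID_RE, so the loop still ends
    if obj["type"] == "group":      # members stay UUIDs here; the next pass resolves them
        members = list(obj["members"])
        return {"group": obj["name"], "members": members} if keep_groups else members
    if obj["type"] == "network":
        return f'{obj["subnet4"]}/{obj["mask-length4"]}'
    return obj.get("ipv4-address", obj["name"])

def one_pass(node, lookup, keep_groups):
    """Dereference UUIDs that are list items; return (new_node, number_replaced)."""
    if isinstance(node, dict):
        pairs = {k: one_pass(v, lookup, keep_groups) for k, v in node.items()}
        return {k: p[0] for k, p in pairs.items()}, sum(p[1] for p in pairs.values())
    if not isinstance(node, list):
        return node, 0  # scalars, including the rule's own uid, are left alone
    out, count = [], 0
    for item in node:
        if isinstance(item, str) and UUID_RE.fullmatch(item):
            rep, count = render(item, lookup(item), keep_groups), count + 1
            out.extend(rep) if isinstance(rep, list) else out.append(rep)
        else:
            new, n = one_pass(item, lookup, keep_groups)
            out.append(new)
            count += n
    return out, count

def resolve(rules, lookup=OBJECTS.get, keep_groups=False, max_passes=20):
    """Repeat passes until one replaces nothing; a group cycle hits max_passes."""
    for _ in range(max_passes):
        rules, replaced = one_pass(rules, lookup, keep_groups)
        if replaced == 0:
            return rules
    raise RuntimeError("UUIDs remain after max_passes (group membership cycle?)")
```

An exported policy that contains `unresolved:` entries is incomplete and should not be used as the basis for a rule review until those objects are accounted for.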
Take a look at the option to use the show-as-ranges as part of the API call show-access-rulebase. This will provide you with ranges of IP addresses instead of the object names. This option was first added in R80.20.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.7%20
Also please note that this call is limited to 20 rules per API call when using the option, so you will need to iterate over the rules in smaller chunks than normal to get a full rulebase. This is documented as part of the API call in the guide.
