Maik
Advisor

Export implied rules from policy

Hello guys,

Short question... I got asked by a customer whether it is possible to export the implied rules from a given policy. I know that this question may sound weird, as these rules can't be modified at all (just the logging option and where the rules should be matched ~ First rules | Before last rules | Last rules). But this is required for some kind of management report.

The file $FWDIR/lib/implied_rules.def seems to include the implied rules in an absolutely not readable format (which makes sense as this file should not be opened or modified manually). But are there other ways to achieve the described goal in any way? The Mgmt API is not able to read these rules either (can't find any parameter for implied rules). I also tried to achieve something via the generic object API but my guess is that the implied rules don't even have a UID to work with... so yeah. Kinda complicated (and maybe a weird question).

Hope someone can help me.

Regards,

Maik

1 Solution

Accepted Solutions
PhoneBoy
Admin
The implied rules are a combination of the .def files and Global Properties settings.
Global Properties settings can be accessed via API using the generic-object API.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/How-to-Query-Global-Properties-vi...


4 Replies
Tal_Paz-Fridman
Employee

If a visual output is good for the report in question, go to Security Policies > Access Control > Actions (from Policy menu) > Implied Rules.

[Screenshot: Implied Rules.jpg]

PhoneBoy
Admin
The API does not list the implied rules.
Short of the listing in SmartConsole, I'm afraid you're in RFE territory.
Maik
Advisor

Thanks for your replies. Unfortunately the SmartConsole View is not enough - that was my first suggestion when I got asked. 🙂

But yeah, thought about being in RFE territory. As this request is really, I mean really, special I don't think it makes sense to request something like that. I'll see what is possible... maybe I can write it down in a readable manner + take some kind of hash of the implied rules config in order to verify whether anything has changed.

Regards,

Maik
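
The hash-and-compare idea from the post above, combined with the accepted answer's point that implied rules come from the .def files plus Global Properties, as an added example that is not part of the original thread and not Check Point tooling. It assumes you have a copy of `implied_rules.def` and a Global Properties export saved as a JSON file; the file names, the JSON export format and the command-line layout are assumptions.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(path: Path) -> str:
    """SHA-256 of one input file.

    JSON exports are re-serialised with sorted keys first, so a different
    key order or whitespace in a later export does not count as a change.
    Everything else (e.g. the .def file) is hashed byte for byte.
    """
    data = path.read_bytes()
    if path.suffix == ".json":
        data = json.dumps(json.loads(data), sort_keys=True,
                          separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_manifest(paths) -> dict:
    """Map each path to its fingerprint; store this as the baseline."""
    return {str(p): fingerprint(Path(p)) for p in paths}


def compare(baseline: dict, current: dict) -> dict:
    """Report inputs that changed, disappeared or are new since the baseline."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    import sys
    # Assumed usage: script.py BASELINE FILE...
    # FILE... = copy of implied_rules.def and the saved Global Properties JSON.
    baseline_file, inputs = Path(sys.argv[1]), sys.argv[2:]
    current = build_manifest(p for p in inputs if Path(p).is_file())
    if not baseline_file.exists():
        # First run: record the baseline and stop.
        baseline_file.write_text(json.dumps(current, indent=2))
        sys.exit(0)
    diff = compare(json.loads(baseline_file.read_text()), current)
    print(json.dumps(diff, indent=2))
    sys.exit(1 if any(diff.values()) else 0)  # non-zero exit = drift detected
```

The non-zero exit code lets a scheduled job flag drift for the management report; keep the baseline file somewhere the firewall administrators cannot silently overwrite.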
