Maik
Silver

Export implied rules from policy


Hello guys,

Short question... I got asked by a customer whether it is possible to export the implied rules from a given policy. I know that this question may sound weird, as these rules can't be modified at all (just the logging option and where the rules should be matched ~ First rules | Before last rules | Last rules). But this is required for some kind of management report.

The file $FWDIR/lib/implied_rules.def seems to include the implied rules in an absolutely not readable format (which makes sense as this file should not be opened or modified manually). But are there other ways to achieve the described goal in any way? The Mgmt API is not able to read these rules as well (can't find any parameter for implied rules). I also tried to achieve something via the generic object API but my guess is that the implied rules don't even have a UID to work with... so yeah. Kinda complicated (and maybe a weird question).

Hope someone can help me.

Regards,

Maik

1 Solution

Accepted Solutions
Admin

Re: Export implied rules from policy

The implied rules are a combination of the .def files and Global Properties settings.
Global Properties settings can be accessed via API using the generic-object API.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/How-to-Query-Global-Properties-vi...


4 Replies
Employee++

Re: Export implied rules from policy


If a visual output is good for the report in question, go to Security Policies > Access Control > Actions (from Policy menu) > Implied Rules

[Attached screenshot: Implied Rules.jpg]

Admin

Re: Export implied rules from policy

The API does not list the implied rules.
Short of the listing in SmartConsole, I'm afraid you're in RFE territory.
Maik
Silver

Re: Export implied rules from policy


Thanks for your replies. Unfortunately the SmartConsole View is not enough - that was my first suggestion when I got asked. 🙂

But yeah, thought about being in RFE territory. As this request is really, I mean really, special, I don't think it makes sense to request something like that. I'll see what is possible... maybe I can write it down in a readable manner + take some kind of hash of the implied rules config in order to verify whether anything has changed.

Regards,

Maik
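The hash-based change check proposed in the post above, extended to the two sources the accepted solution names (the .def file and the Global Properties settings), as an added example that is not code from the thread or from Check Point. It assumes the Global Properties have already been exported to a JSON file via the generic-object API; the baseline file, the export file name and the `exported_at` ignore key used in testing are hypothetical, and only the `implied_rules.def` file named in the thread is covered.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

def sha256_file(path):
    """Hash the raw bytes of a file such as $FWDIR/lib/implied_rules.def."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def strip_keys(node, ignore):
    """Recursively drop keys (e.g. export timestamps) that differ on every export."""
    if isinstance(node, dict):
        return {k: strip_keys(v, ignore) for k, v in node.items() if k not in ignore}
    if isinstance(node, list):
        return [strip_keys(v, ignore) for v in node]
    return node

def sha256_json(path, ignore=()):
    """Hash a JSON export in canonical form so key order and whitespace do not matter."""
    with open(path, encoding="utf-8") as handle:
        data = strip_keys(json.load(handle), set(ignore))
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def fingerprint(def_file, props_json, ignore=()):
    """One digest per source, so a report can say which part changed."""
    return {"implied_rules.def": sha256_file(def_file),
            "global_properties": sha256_json(props_json, ignore)}

def check(def_file, props_json, baseline_path, ignore=()):
    """Return None on first run (baseline written), else the sorted list of changed parts."""
    current = fingerprint(def_file, props_json, ignore)
    baseline_path = Path(baseline_path)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(current, indent=2))
        return None
    baseline = json.loads(baseline_path.read_text())
    return sorted(k for k in current if baseline.get(k) != current[k])

if __name__ == "__main__":
    # Assumed invocation: script.py <global_properties_export.json> <baseline.json>
    if len(sys.argv) != 3:
        sys.exit("usage: script.py <global_properties_export.json> <baseline.json>")
    def_path = os.path.join(os.environ.get("FWDIR", "."), "lib", "implied_rules.def")
    print(check(def_path, sys.argv[1], sys.argv[2]))
```

An empty list means nothing changed since the baseline; keep the baseline file somewhere the management server's administrators cannot silently overwrite it.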
