
How to check the access list in Check Point via CLI

How to check the access list in Check Point through the CLI, like (Cisco: show access-list)?

Any help is much appreciated.

12 Replies

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

Hi Kumar,

I don't understand the question 100%. I think you want to display the policy.

Use mgmt_cli to show the firewall policy on CLI.

Check Point - Management API reference 

Regards

Heiko

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

How to grep the rules for the source and destination, like we do on Cisco (show access-list | in 192.168.1.1)?

0 Kudos
Employee++

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

If you are running an R80.X environment, please refer to my answer below using the new R80 REST API commands.

If you have R77.x and below, you'll need old CLI commands.

Robert.

0 Kudos
Admin

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

The output of either mgmt_cli or dbedit is pretty verbose--a simple grep won't show you the rules you're looking for.

0 Kudos
Employee++

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-access-rulebase~v1.1%20

For Example:

mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json

Robert.

0 Kudos

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

0 Kudos

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

Most of the versions like 77.30 & 77.20, 75.40

0 Kudos
Admin

Re: How to check the access list in checkpoint through CLI like (Cisco: show access-list) any help is much appreciated.

If you're using R80 management, then you can use the mgmt_cli commands referred to above.

If you're using R77.30 or earlier management, then you do something like the following from the management:

[Expert@mgmt:0]# dbedit -local

Please enter a command, -h for help or -q to quit:

dbedit> print fw_policies ##YourPolicy

Note that in no case will you be able to easily obtain this information from the gateway itself, only on the management.

Re: How to check the access list in Check Point via CLI

Just for completeness' sake I will say it is possible (I did it on a few occasions), but I will agree it gets ugly - parsing the <Policy name>.pf file from the gateway.

0 Kudos

Re: How to check the access list in Check Point via CLI

Yuri, I don't think the .pf is pushed to the gateway.

You can sort of read the policy in $FWDIR/state/local/FW1/local.rule but it is .... not pretty.

Re: How to check the access list in Check Point via CLI

Yep, my bad, .pf is kept on management as well.

0 Kudos

Re: How to check the access list in Check Point via CLI

How often are you doing this operation?

Also, this is not the right way to get all the rules that match a source address, for example a larger subnet / address group on the rule.

On R80.10, search here for a packet-based search in the SmartConsole.

On R77.30... it won't be easy at all. If it is a day-to-day operation, I would suggest checking for 3rd party software like Tufin / AlgoSec / Skybox.

If you are not afraid of open source and this is not an operation you are doing on a day-to-day basis, check the Palo Alto migration tool: you can load in the config from the management and export CLI commands which you can filter on Linux / Notepad++.

If you are familiar with some scripting / XML / HTML, you can use the web virtualization tool to get the policy and objects in those formats and run a query on those files.

Hope this helped.
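
An added example, not code from any poster in this thread: a Python filter over the JSON that `mgmt_cli show access-rulebase ... -f json` returns, listing the rules whose source or destination contains a given address, including enclosing networks and Any, which a plain grep for the address misses. The sample JSON is constructed, and the field names (`objects-dictionary`, `ipv4-address`, `subnet4`, `mask-length4`, `source-negate`) are assumptions based on the Management API response format that should be checked against your own output; groups and address ranges are not expanded.

```python
import ipaddress
import json

# Constructed sample, trimmed to the fields used below; real output is far more verbose.
SAMPLE = json.loads("""
{"rulebase": [
  {"type": "access-section", "name": "Servers", "rulebase": [
    {"type": "access-rule", "rule-number": 1, "source": ["u-dmz"], "destination": ["u-web"]},
    {"type": "access-rule", "rule-number": 2, "source": ["u-lan"], "destination": ["u-any"]}]},
  {"type": "access-rule", "rule-number": 3, "source": ["u-admin"], "destination": ["u-web"]},
  {"type": "access-rule", "rule-number": 4, "source": ["u-lan"], "source-negate": true,
   "destination": ["u-web"]}],
 "objects-dictionary": [
  {"uid": "u-any", "type": "CpmiAnyObject", "name": "Any"},
  {"uid": "u-web", "type": "host", "name": "web1", "ipv4-address": "10.0.0.10"},
  {"uid": "u-dmz", "type": "network", "name": "dmz", "subnet4": "172.16.0.0", "mask-length4": 24},
  {"uid": "u-lan", "type": "network", "name": "lan", "subnet4": "192.168.1.0", "mask-length4": 24},
  {"uid": "u-admin", "type": "host", "name": "admin-pc", "ipv4-address": "192.168.1.1"}]}
""")

def covers(obj, ip):
    """True if the dictionary object (Any, host or network) contains the address."""
    if obj.get("type") == "CpmiAnyObject":
        return True
    if "ipv4-address" in obj:
        return ipaddress.ip_address(obj["ipv4-address"]) == ip
    if "subnet4" in obj:
        return ip in ipaddress.ip_network(f'{obj["subnet4"]}/{obj["mask-length4"]}')
    return False  # groups, ranges and other types are not expanded here

def iter_rules(entries):
    """Yield access rules, descending into sections."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from iter_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry

def rules_matching(doc, address, column="source"):
    """Rule numbers whose source/destination column matches the address."""
    ip = ipaddress.ip_address(address)
    objs = {o["uid"]: o for o in doc.get("objects-dictionary", [])}
    hits = []
    for rule in iter_rules(doc.get("rulebase", [])):
        hit = any(covers(objs.get(uid, {}), ip) for uid in rule.get(column, []))
        if hit != bool(rule.get(f"{column}-negate", False)):  # a negated column inverts the match
            hits.append(rule["rule-number"])
    return hits

if __name__ == "__main__":
    print(rules_matching(SAMPLE, "192.168.1.1"))
```

To run it against real output, redirect the mgmt_cli JSON to a file and pass `json.load(open(path))` in place of `SAMPLE`.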