h2k
Contributor

Security Zones

Hi Checkmates, 

Is there a way to view the security zones and their associated interfaces using the CLI? I can see it in the SmartConsole from the gateway properties. However, it is time consuming for my work. I'm in the process of consolidating the security zone information, the associated interfaces and the routing information. I have close to 100 network interfaces configured in multiple security gateways in the VSX cluster, and going into every single gateway property to get this information is time consuming and prone to human errors. I say it's prone to human error because I have to copy that information into an Excel sheet.

Please let me know if there is a way to fetch this information via the CLI, or any other effective method, for both VSX and Check Point appliances.

🙏

Thanks,

Hari

0 Kudos
16 Replies
the_rock
Legend

Hi Hari,

Not sure if the below might be helpful, but I will also check in the lab and see what I get.

Andy

https://sc1.checkpoint.com/documents/latest/APIs/?#cli/show-security-zone~v1.9%20

0 Kudos
the_rock
Legend

Does the below help?

By the way, the password is the SmartConsole password, not the SSH one.


[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli show security-zones
Username: admin
Password:
objects:
- uid: "8c4041ea-ff14-4e4b-a9d9-4183d18c790a"
  name: "DMZZone"
  type: "security-zone"
  domain:
    uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
    name: "Check Point Data"
    domain-type: "data domain"
  icon: "NetworkObjects/zone"
  color: "black"
- uid: "237a4cbc-7fb6-4d50-872a-4904468271c4"
  name: "ExternalZone"
  type: "security-zone"
  domain:
    uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
    name: "Check Point Data"
    domain-type: "data domain"
  icon: "NetworkObjects/zone"
  color: "black"
- uid: "e8131db2-8388-42a5-924a-82de32db20f7"
  name: "InternalZone"
  type: "security-zone"
  domain:
    uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
    name: "Check Point Data"
    domain-type: "data domain"
  icon: "NetworkObjects/zone"
  color: "black"
- uid: "57de3848-3675-48ed-b045-41378f4babb3"
  name: "WirelessZone"
  type: "security-zone"
  domain:
    uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
    name: "Check Point Data"
    domain-type: "data domain"
  icon: "NetworkObjects/zone"
  color: "black"
from: 1
to: 4
total: 4

[Expert@QUANTUM-MANAGEMENT:0]#

0 Kudos
h2k
Contributor

Thanks for the reply. I have tried this already. We don't get the associated interface name from this output. 

0 Kudos
the_rock
Legend

Would you mind sending the output? Blur out any sensitive info, please.

0 Kudos
h2k
Contributor

Hi Andy,


When I run the 'show security-zones' command in the SmartConsole CLI, I get exactly the same output format as you, except for different values. I would like to see the association between the security zone and the interface. I'm not sure, but I guess the management API commands cannot help us here. I'm pretty sure that there would be a Check Point database with this information, and I would like to get it from there.

0 Kudos
the_rock
Legend

K, I see what you mean. Let me look into it and see if I can get it. So you need the correct interfaces to show as associated with the zones displayed... got it. Will update you on how far I get.

Andy

h2k
Contributor

Thanks 🙂 

0 Kudos
Bob_Zimmerman
Authority

The management API should be able to help for the non-VSX boxes. Log in to a CMA, 'show security-zones' to get the zone objects, then 'show simple-gateways' and 'show simple-clusters'. Each firewall object in the result should have an array of interfaces, which should each have a security-zone boolean and optionally a security-zone-settings object (if security-zone is true). Inside the security-zone-settings, there's auto-calculated and specific-zone.

I'm not sure about VSs, as I haven't explored that area of the API yet.

PhoneBoy
Admin

There are no official APIs for anything VS related (management or gateway).
I know we plan to address this in the future.

Having said that, you might be able to do some scripting work to extract the various details.
This will involve use of the generic-object API and running db_tool from the gateway to get the UUID of the relevant objects as I'm not aware of a way to get them otherwise.
Since I don't have VSX set up anywhere, I hope someone can give this a try and let me know if it works or not.
Even without that, I'm sure it'll be useful for regular Security Gateway 🙂

First, use something like the following to list all the objects involved in the policy from the gateway.
Note the paths will need to be modified for your version and to the specific "state" directory for the given VS.

db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

What you're looking for is the UUID of the VS object, which will only show if the VS is directly used in the policy.
Once you have all the UUIDs of all the VS objects, you can get the interface names and zone information with something like this from the management server (note this is for a specific UUID):

mgmt_cli -r true --format json show generic-object uid 8414a95f-8f3d-5442-9944-9877f964d08e | jq -r '.interfaces[] | [.officialname, .securityZone ] | @csv'

This returns the information nicely in CSV format, with one small exception (the zone is listed as a UUID):

"eth0","237a4cbc-7fb6-4d50-872a-4904468271c4"
"eth1","e8131db2-8388-42a5-924a-82de32db20f7"

Fortunately, it's easy to get the UUIDs for the Security Zones like so:

mgmt_cli -r true --format json show security-zones | jq -r '.objects[] | [.name, .uid] | @csv'

Which translates (in my case) to:

"DMZZone","8c4041ea-ff14-4e4b-a9d9-4183d18c790a"
"ExternalZone","237a4cbc-7fb6-4d50-872a-4904468271c4"
"InternalZone","e8131db2-8388-42a5-924a-82de32db20f7"
"WirelessZone","57de3848-3675-48ed-b045-41378f4babb3"

Which means we can conclude that:

  • eth0 is a member of External Zone
  • eth1 is a member of Internal Zone

Again, whether any of this will work with VSX objects is a separate question.

0 Kudos
Bob_Zimmerman
Authority

You can get the VSs' UUIDs easily enough using 'show gateways-and-servers'. There are a few relevant object types:

  • CpmiVsxClusterMember - VSX cluster member

  • CpmiVsxClusterNetobj - VSX cluster

  • CpmiVsClusterNetobj - VS cluster (a VS on a VSX cluster is technically a cluster of VSs, but the members are automatically managed)

I don't know the types for a non-clustered VSX gateway or a non-clustered VS. I've never actually seen a non-clustered VSX deployment outside a lab.

PhoneBoy
Admin

If that API returns information about VSX objects (including VSes), then this particular command from the management might be easier to work with:

mgmt_cli -r true --format json show gateways-and-servers | jq -r '.objects[] | [.name, .type, .uid] | @csv'

Again, results are returned in CSV format.
You'll have to filter the results to VS objects as this will return all gateway/server objects.

h2k
Contributor

Thanks a lot! I believe this should work. I will try this today and will let you know. 🙂 

0 Kudos
Bob_Zimmerman
Authority

I would start with this:

mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full \
| jq -c '.objects[]|{type:.type,name:.name,uuid:.uid}' \
| grep -v cluster-member \
| grep -v CpmiVsxClusterNetobj \
| grep -v CpmiVsxClusterMember \
| grep -v "checkpoint-host"

Tweak the 'grep -v' lines (e.g., by adding more) if the list contains objects which aren't firewalls or VSs. Once the list is down to what you want, pipe it into 'jq ".uuid"' and you'll get UUIDs one per line. That's suitable to pipe into something like this:

mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full \
| jq -c '.objects[]|{type:.type,name:.name,uuid:.uid}' \
| grep -v cluster-member \
| grep -v CpmiVsxClusterNetobj \
| grep -v CpmiVsxClusterMember \
| grep -v "checkpoint-host" \
| jq '.uuid' \
| xargs -L 1 -I % sh -c '
mgmt_cli -f json -r true show generic-object uid % \
| jq -c "{name:.name,interface:.interfaces[]|{interfaceName:.officialname,zone:.securityZone}}"'

I find security zones a fantastic way to shoot myself in the foot, so I don't use them at all. As such, I can't be sure if that last field on the last line will return the zone information you want.

0 Kudos
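As an added example (not code from the thread or from Check Point), this Python script does offline what PhoneBoy's two jq one-liners and Bob's xargs loop above do by hand: it joins each gateway's interface list from 'show generic-object' against the UID-to-name map from 'show security-zones' and emits one consolidated CSV of gateway, interface and zone, which is the spreadsheet Hari is building. The JSON inputs are constructed samples shaped like the thread's outputs (hypothetical gateway names gw-a and gw-b); in practice you would feed it the saved mgmt_cli output instead.

```python
import csv
import io
import json

# Constructed sample standing in for `mgmt_cli -r true --format json show security-zones`,
# trimmed to the fields used here (names and UIDs as in the thread's output).
ZONES_JSON = json.dumps({"objects": [
    {"name": "DMZZone", "uid": "8c4041ea-ff14-4e4b-a9d9-4183d18c790a"},
    {"name": "ExternalZone", "uid": "237a4cbc-7fb6-4d50-872a-4904468271c4"},
    {"name": "InternalZone", "uid": "e8131db2-8388-42a5-924a-82de32db20f7"},
    {"name": "WirelessZone", "uid": "57de3848-3675-48ed-b045-41378f4babb3"},
]})

# Constructed samples standing in for one `show generic-object uid <uid>` result per
# gateway (hypothetical gateway names); only .name and .interfaces[] are read.
GATEWAYS_JSON = [
    json.dumps({"name": "gw-a", "interfaces": [
        {"officialname": "eth0", "securityZone": "237a4cbc-7fb6-4d50-872a-4904468271c4"},
        {"officialname": "eth1", "securityZone": "e8131db2-8388-42a5-924a-82de32db20f7"},
    ]}),
    json.dumps({"name": "gw-b", "interfaces": [
        {"officialname": "eth2"},  # no zone set on this interface
        {"officialname": "eth3", "securityZone": "00000000-0000-0000-0000-000000000000"},  # unknown UID
    ]}),
]

def zone_names(zones_json):
    # Map zone UID -> zone name from the show security-zones result.
    return {o["uid"]: o["name"] for o in json.loads(zones_json)["objects"]}

def interface_rows(gateway_json, zones):
    """Return (gateway, interface, zone) tuples. No zone -> '(none)'; a zone UID
    missing from the zone list is flagged rather than dropped from the sheet."""
    gw = json.loads(gateway_json)
    rows = []
    for iface in gw.get("interfaces", []):
        uid = iface.get("securityZone")
        zone = "(none)" if not uid else zones.get(uid, f"UNRESOLVED:{uid}")
        rows.append((gw["name"], iface["officialname"], zone))
    return rows

def build_csv(zones_json, gateways_json):
    """Join every gateway against the zone list and render one CSV."""
    zones = zone_names(zones_json)
    rows = [r for g in gateways_json for r in interface_rows(g, zones)]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["gateway", "interface", "zone"])
    writer.writerows(rows)
    return out.getvalue()
```

Because unresolved UIDs are flagged rather than dropped, a stale zone reference on an interface shows up in the sheet as a row to investigate instead of disappearing.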
h2k
Contributor

Thanks! The management API commands have a different effect on the VSs. For example, 'show simple-gateways' and 'show simple-clusters' didn't give me any output when I ran them in the VSX cluster. I could be wrong, but I'm just saying that there could be a difference in the way we need to execute the commands for VSs.

0 Kudos
Bob_Zimmerman
Authority

I knew 'show simple-gateways' and 'show simple-clusters' don't return anything VSX, but they include the zone information for interfaces on objects which they do return. Meanwhile, 'show gateways-and-servers' includes VSX objects, and some interface information like IP address, but doesn't include the zone information in the interfaces. The API results when dealing with firewalls are super inconsistent between calls.

'show generic-object' provides the most complete information, but it also only works on one object at a time. It's also not officially stable, so result format might change between versions. Great for one-off stuff like getting this today. Not so great if you want to dump this every week for the foreseeable future.

0 Kudos
PhoneBoy
Admin

Right, generic-object isn't formally supported, or even documented in the Management API guide.
Where possible, use a documented API endpoint; you can get proper support if it doesn't work, etc.

Having said that, I've never actually seen an instance where generic-object returns different results in different versions.
Certainly this is the case for object types that still don't have API support.

0 Kudos