CrossCheck
Explorer

list networks behind a firewall

Is there a way with the API to export a list of all the networks behind a firewall?

0 Kudos
7 Replies
Bob_Zimmerman
Authority

Probably yes, but it depends on what exactly you mean by "behind". To a lesser degree, it also depends on what management version you are running and what firewall version you are running.

For most useful definitions of "networks behind a firewall", the routing table is the way to go. The GAiA API can dump that for you for non-VSX firewalls. No management involvement needed, but the GAiA API is relatively new. While I use VSX a lot, I have not yet tried using the GAiA API together with VSX, so I don't personally know whether they can work together.

For some definitions of "networks behind a firewall", you will need the antispoofing topology, which you can get via the management API. A few simple API commands ('show gateways-and-servers' to find the firewall you want, then 'show object uuid ____' to get the contents of the object) should give you all the raw data you need, though some quick jq would pare it down to only the topology. These API commands are available from R80 up, but I don't know if they return enough information about the firewall's interfaces to find the antispoofing topology in earlier versions. I know in R80.20 and up, they do.

0 Kudos
CrossCheck
Explorer

Thanks, what I am looking for is an exportable list of what is shown on the Network Management page under the gateway cluster properties in the console.

0 Kudos
Timothy_Hall
Champion

Check out the address spoofing troubleshooting one-liner; it uses the compiled INSPECT policy to extract this information instead of the API:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/One-liner-for-Address-Spoofing-Tr...

The policy files are typically accessed directly on the gateway by the script, but compiled policies for all gateways are cached on the SMS and could all just be accessed there.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Bob_Zimmerman
Authority

If you just want to have the information in text form without having to type all of it out yourself, this is a great option.

If you actually need it via the API for some reason (such as you need someone who can't log into the CLI to get it, or you are building some kind of integration), there isn't a single command to get it, but it's simple enough to build.

0 Kudos
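What "simple enough to build" can look like once the gateway object has been fetched, as an added example that is not from any poster in this thread: it pares a gateway object down to one exportable row per interface. The JSON is a constructed sample, and the field names (`interfaces`, `topology`, `topology-settings`, `ip-address-behind-this-interface`, `specific-network`, `anti-spoofing`) are assumptions about the reply shape to verify against your management version.

```python
import csv, io, ipaddress, json

# Constructed sample, NOT real output. Field names are assumptions about the
# gateway object returned by the management API; verify them on your version.
SAMPLE = json.loads("""
{"name": "gw-example", "interfaces": [
  {"name": "eth0", "ipv4-address": "203.0.113.2", "ipv4-mask-length": 29,
   "topology": "external", "anti-spoofing": true},
  {"name": "eth1", "ipv4-address": "10.1.20.1", "ipv4-mask-length": 24,
   "topology": "internal", "anti-spoofing": true,
   "topology-settings": {"ip-address-behind-this-interface":
       "network defined by the interface ip and net mask"}},
  {"name": "eth2", "ipv4-address": "10.1.30.1", "ipv4-mask-length": 24,
   "topology": "internal", "anti-spoofing": false,
   "topology-settings": {"ip-address-behind-this-interface": "specific",
                         "specific-network": "grp-dmz-nets"}},
  {"name": "eth3", "ipv4-address": "10.1.40.1", "ipv4-mask-length": 30,
   "topology": "internal", "anti-spoofing": true,
   "topology-settings": {"ip-address-behind-this-interface":
       "network defined by routing"}}
]}
""")

def behind_networks(gateway):
    """One row per interface: (gateway, interface, topology, behind, anti_spoofing)."""
    rows = []
    for itf in gateway.get("interfaces", []):
        settings = itf.get("topology-settings", {})
        mode = settings.get("ip-address-behind-this-interface", "not defined")
        if itf.get("topology") == "external":
            behind = "external"
        elif mode == "network defined by the interface ip and net mask":
            # Derive the connected network from the interface address and mask.
            addr = f"{itf['ipv4-address']}/{itf['ipv4-mask-length']}"
            behind = str(ipaddress.ip_interface(addr).network)
        elif mode == "specific":
            # A named network/group object; expanding it needs a further lookup.
            behind = "object:" + settings.get("specific-network", "?")
        else:
            behind = mode  # e.g. defined by routing: consult the routing table
        rows.append((gateway["name"], itf["name"], itf.get("topology", ""),
                     behind, bool(itf.get("anti-spoofing"))))
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["gateway", "interface", "topology", "behind", "anti_spoofing"])
    writer.writerows(rows)
    return out.getvalue()
```

Rows with anti-spoofing disabled, or with a topology that defers to routing, are the ones worth reviewing by hand, since the exported list alone does not show what is enforced there.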
CrossCheck
Explorer

Yes, this works, but I was hoping to be able to do it from the Console so I didn't need to log into each of the firewalls. That's why I thought maybe the API could do that based on a firewall's name and then it could be exported to a file.

0 Kudos
Danny
Champion

Then use my SmartConsole Extension.

Timothy_Hall
Champion

You don't need to log into each of the firewalls.  From the SMS in expert mode run the anti-spoofing one-liner against the directories where the installed firewall policy is cached for all managed gateways, directory $FWDIR/state/(gateway object name)/FW1/.

0 Kudos
