- Products
- Learn
- Local User Groups
- Partners
-
More
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
IDC Spotlight -
Uplevel The SOC
Important! R80 and R80.10
End Of Support around the corner (May 2021)
R80.10 introduces a new feature called Packet Mode. This is a search mode that searches through a security policy as if a packet is traveling through it. Take a look at this video and see how this can help you in your daily tasks working with R80.10.
Let us know what other topics you would like to see addressed.
Awesome video!! thx
Didn't know about this. Thanks for sharing.
How do you export the access-rules after filtering with packet mode ?
API tools should assist for this. use the "filter" and "filter-settings" parameters to perform packet mode search. then export the results to desired files.
Could you please help me where exactly filter option exist in API tools, i searched through it, but I could not found it
Hi,
the following reference page should show you the command "show access-rulebase": Check Point - Management API reference
it demonstrates running it with packet mode filter:
Hi Tomer,
This link was incredibly helpful but I think I found a bug. When I run packet mode in the console I get the expected result. But when I run through the API it seems like the object ANY has the same uid as several services including http, dns, ftp, icmp, and probably more. So when I do the API call with packet mode, if I have dns, http, https, ftp, etc in the service column it will match ANY service and return the associated rule which is not correct. It works in the console which is the perplexing part. Any ideas??
How are you doing the API call?
So far just using either the CLI or with the API interface in the console. No external tools yet...
Ok then example CLI command you're using with the different results
SmartDashboard:
So upon closer inspection they're not all the same uid, just very close. But not sure why rule 4 shows up as a possible in CLI vs in UI
You'll also notice at the bottom that it is showing it matched on two rules for the same filter, the other being rule 4. Snip with rule 4 below included so you can see there is no https in the service column
CLI:
> show access-rulebase name network filter "src:10.0.0.1 dst:192.168.137.5 svc:443" filter-settings.search-mode packet
uid: "8a5e96fb-c793-457f-b78f-c667074223a5"
name: "Network"
rulebase:
- uid: "14568d6e-eb4d-4f84-9bca-0ebe438c67e6"
type: "access-rule"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
rule-number: 4
filter-match-details:
- column: "source"
objects:
- "432f5a1a-1eb0-45cd-b860-261c984e377d"
track:
type: "598ead32-aa42-4615-90ed-f51a5928d41d"
per-session: false
per-connection: true
accounting: false
alert: "none"
source:
- "432f5a1a-1eb0-45cd-b860-261c984e377d"
source-negate: false
destination:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
destination-negate: false
service:
- "97aeb3d0-9aea-11d5-bd16-0090272ccb30"
- "97aeb406-9aea-11d5-bd16-0090272ccb30"
- "97aeb46b-9aea-11d5-bd16-0090272ccb30"
- "97aeb470-9aea-11d5-bd16-0090272ccb30"
service-negate: false
vpn:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
action: "6c488338-8eec-4103-ad21-cd461ac2c472"
action-settings:
enable-identity-captive-portal: false
content:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
content-negate: false
content-direction: "any"
time:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
custom-fields:
field-1: ""
field-2: ""
field-3: ""
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1533138381161
iso-8601: "2018-08-01T08:46-0700"
last-modifier: "admin"
creation-time:
posix: 1533138052702
iso-8601: "2018-08-01T08:40-0700"
creator: "admin"
comments: ""
enabled: true
install-on:
- "6c488338-8eec-4103-ad21-cd461ac2c476"
- uid: "0f62cb69-736a-4559-a6d0-a54048abb3eb"
name: "Cleanup rule"
type: "access-rule"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
rule-number: 5
filter-match-details:
- column: "source"
objects:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
track:
type: "598ead32-aa42-4615-90ed-f51a5928d41d"
per-session: false
per-connection: true
accounting: false
alert: "none"
source:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
source-negate: false
destination:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
destination-negate: false
service:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
service-negate: false
vpn:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
action: "6c488338-8eec-4103-ad21-cd461ac2c473"
action-settings: {}
content:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
content-negate: false
content-direction: "any"
time:
- "97aeb369-9aea-11d5-bd16-0090272ccb30"
custom-fields:
field-1: ""
field-2: ""
field-3: ""
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1533138382512
iso-8601: "2018-08-01T08:46-0700"
last-modifier: "admin"
creation-time:
posix: 1513308839753
iso-8601: "2017-12-14T19:33-0800"
creator: "System"
comments: ""
enabled: true
install-on:
- "6c488338-8eec-4103-ad21-cd461ac2c476"
objects-dictionary:
- uid: "6c488338-8eec-4103-ad21-cd461ac2c472"
name: "Accept"
type: "RulebaseAction"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "97aeb369-9aea-11d5-bd16-0090272ccb30"
name: "Any"
type: "CpmiAnyObject"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "97aeb46b-9aea-11d5-bd16-0090272ccb30"
name: "dns"
type: "service-group"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "6c488338-8eec-4103-ad21-cd461ac2c473"
name: "Drop"
type: "RulebaseAction"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "97aeb406-9aea-11d5-bd16-0090272ccb30"
name: "echo-reply"
type: "service-icmp"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "97aeb3d0-9aea-11d5-bd16-0090272ccb30"
name: "ftp"
type: "service-tcp"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
port: "21"
- uid: "598ead32-aa42-4615-90ed-f51a5928d41d"
name: "Log"
type: "Track"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "432f5a1a-1eb0-45cd-b860-261c984e377d"
name: "LXXL-10.0.0.0_m8"
type: "network"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
subnet4: "10.0.0.0"
mask-length4: 8
subnet-mask: "255.0.0.0"
- uid: "97aeb470-9aea-11d5-bd16-0090272ccb30"
name: "ntp"
type: "service-group"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
- uid: "6c488338-8eec-4103-ad21-cd461ac2c476"
name: "Policy Targets"
type: "Global"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
from: 1
to: 2
total: 2
SmartConsole UI search uses by default an "AND" operator between the operands, while API uses an "OR" operator.
Therefore the mismatch between the results.
If you run API command with "AND" between the operands, you will get the same results.
We will fix the API documentation to state this fact clearly.
Robert.
Thank you Robert! That was the issue, definitely would be good to have the documentation reflect that.
The current document reads:
"Search expression to filter the rulebase. The provided text should be exactly the same as it would be given in Smart Console. The logical operators in the expression ('AND', 'OR') should be provided in capital letters."
The "exactly the same as it would be given in Smart Console" is what was throwing me off since I wasn't using any of the operators in the Console.
Thanks again for the help!
Hi Dutch_Arling,
I have problems, when working with NSX-Security-Groups:
does not match the corresponding security-group, even though destination 4.3.2.1 is included in <My_Sec_Group>
I have to filter for:
to find the corresponding rule.
The other way round (I search for a Group but have a rule with a fix IP) neither works.
Is there a fix on this?
Best regards,
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY