How to check the access list in Check Point through the CLI, like Cisco's show access-list?
Any help is much appreciated.
I don't understand the question 100%. I think you want to display the policy.
Use mgmt_cli to show the firewall policy on CLI.
Check Point - Management API reference
How do I grep the rules for the source and destination, the way we do on Cisco (show access-list | in 192.168.1.1)?
If you are running R80.X environment, please refer to my answer below using new R80 REST API commands.
If you have R77.x and below, you'll need old CLI commands.
The output of either mgmt_cli or dbedit is pretty verbose--a simple grep won't show you the rules you're looking for.
mgmt_cli show access-rulebase name "my_policy Network" package "my_policy" -f json
What version are you using, Kumar Gollapudi?
Most of the versions like 77.30 & 77.20, 75.40
If you're using R80 management, then you can use the mgmt_cli commands referred to above.
If you're using R77.30 or earlier management, then you do something like the following from the management:
[Expert@mgmt:0]# dbedit -local
Please enter a command, -h for help or -q to quit:
dbedit> print fw_policies ##YourPolicy
Note that in no case will you be able to easily obtain this information from the gateway itself, only on the management.
Just for completeness' sake, I will say it is possible (I did it on a few occasions), but I will agree it gets ugly: parsing the <Policy name>.pf file from the gateway.
Yuri, I don't think the .pf is pushed to the gateway.
You can sort of read the policy in $FWDIR/state/local/FW1/local.rule but it is .... not pretty.
Yep, my bad, .pf is kept on management as well.
How often are you doing this operation?
Also, this is not the right way to get all the rules that match a source address, for example a larger subnet / address group on the rule.
On R80.10, search here for a packet-based search on the SmartConsole.
On R77.30... it won't be easy at all. If it is a day-to-day operation, I would suggest checking for 3rd-party software like Tufin / AlgoSec / Skybox.
If you are not afraid of open source and this is not an operation you are doing on a day-to-day basis, check the Palo Alto migration tool: you can load in the config from the management and export CLI commands, which you can filter on Linux / Notepad++.
If you are familiar with some scripting / XML / HTML, you can use the web virtualization tool to get the policy and objects in those formats and run a query on those files.
Hope this helped.
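The thread makes two points: the mgmt_cli JSON is too verbose for grep, and a rule can match an address through a larger subnet or a group. The following added example (not code from any poster or from Check Point) resolves each rule's objects to networks and tests containment instead of matching text. It assumes the reply was requested with `details-level full` so that `objects-dictionary` carries addresses, that the field names follow the Management API reference for your version, and IPv4 only; the function names and sample data are constructed.

```python
import ipaddress as ipa

def nets(obj, objs, seen=()):
    """Yield the IPv4 networks an object covers, expanding groups recursively."""
    obj = objs.get(obj, {}) if isinstance(obj, str) else obj    # UID -> object
    uid, kind = obj.get("uid"), obj.get("type")
    if kind == "CpmiAnyObject":
        yield ipa.ip_network("0.0.0.0/0")
    elif kind == "host" and "ipv4-address" in obj:
        yield ipa.ip_network(obj["ipv4-address"])
    elif kind == "network" and "subnet4" in obj:
        yield ipa.ip_network(f"{obj['subnet4']}/{obj['mask-length4']}")
    elif kind == "address-range" and "ipv4-address-first" in obj:
        first, last = (ipa.ip_address(obj[f"ipv4-address-{k}"]) for k in ("first", "last"))
        yield from ipa.summarize_address_range(first, last)
    elif kind == "group" and uid not in seen:                   # guard against loops
        for member in obj.get("members", []):
            yield from nets(member, objs, seen + (uid,))

def rules(entries):    # flatten access-section containers into plain rules
    for e in entries:
        if e.get("type") == "access-section":
            yield from rules(e.get("rulebase", []))
        elif e.get("type") == "access-rule":
            yield e

def rules_matching(reply, ip, field="source"):
    """Return [(rule-number, name)] for rules whose `field` column covers ip."""
    addr = ipa.ip_address(ip)
    objs = {o["uid"]: o for o in reply.get("objects-dictionary", [])}
    hits = []
    for rule in rules(reply.get("rulebase", [])):
        covered = any(addr in n for ref in rule.get(field, []) for n in nets(ref, objs))
        if covered != rule.get(f"{field}-negate", False):       # honour negated cells
            hits.append((rule["rule-number"], rule.get("name", "")))
    return hits

SAMPLE = {"objects-dictionary": [   # constructed sample reply, not real output
    {"uid": "u-any", "type": "CpmiAnyObject"},
    {"uid": "u-h", "type": "host", "ipv4-address": "192.168.1.1"},
    {"uid": "u-n", "type": "network", "subnet4": "192.168.0.0", "mask-length4": 16},
    {"uid": "u-g", "type": "group", "members": ["u-r"]},
    {"uid": "u-r", "type": "address-range", "ipv4-address-first": "10.0.0.10", "ipv4-address-last": "10.0.0.20"}],
  "rulebase": [
    {"type": "access-section", "rulebase": [
        {"type": "access-rule", "rule-number": 1, "name": "web-in", "source": ["u-h"]},
        {"type": "access-rule", "rule-number": 2, "name": "lan-out", "source": ["u-n"]}]},
    {"type": "access-rule", "rule-number": 3, "name": "dmz", "source": ["u-g"]},
    {"type": "access-rule", "rule-number": 4, "name": "cleanup", "source": ["u-any"]}]}
```

On real output, save the `-f json` reply to a file and pass the result of `json.load` as `reply`; the API returns the rulebase in pages (`limit`/`offset`), so merge all pages before searching.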