Bob_Zimmerman
Authority

Lock for Rule Sections?

Do rule sections have a concept of being locked? When I look at one via the API, I only get this:
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase name "Policy 2, Layer 2" details-level full limit 1
{
  "uid" : "2578c425-63b7-485a-a022-05fff5ca88b9",
  "name" : "Policy 2, Layer 2",
  "rulebase" : [ {
    "uid" : "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e",
    "name" : "P2L2 Section 1",
    "type" : "access-section",
    "from" : 1,
    "to" : 1,
    "rulebase" : [ ... ]
  } ],
  "objects-dictionary" : [ ... ],
  "from" : 1,
  "to" : 1,
  "total" : 2500
}
NAT sections are similar. They don't return a meta-info block at all, so I can't tell when one was created or last modified, who last worked on it, or much of anything else.

6 Replies
JozkoMrkvicka
Mentor

What do you get if you check the section object itself using the "show object" API?

mgmt_cli -f json -r true show object uid "2578c425-63b7-485a-a022-05fff5ca88b9" details-level full

Kind regards,
Jozko Mrkvicka
Bob_Zimmerman
Authority

Sure enough. I should have thought to try that.

[Expert@DallasSA]# mgmt_cli -f json -r true show object uid 6b647376-6f7a-4755-b3ca-adf3cc7d0b4e details-level full
{
  "object" : {
    "uid" : "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e",
    "name" : "P2L2 Section 1",
    "type" : "access-section",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "tags" : [ ],
    "meta-info" : {
      "lock" : "unlocked",
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1637433950042,
        "iso-8601" : "2021-11-20T18:45+0000"
      },
      "last-modifier" : "WEB_API",
      "creation-time" : {
        "posix" : 1637433949870,
        "iso-8601" : "2021-11-20T18:45+0000"
      },
      "creator" : "WEB_API"
    },
    "read-only" : false
  }
}

Also interesting: access sections have an associated domain and can have tags. Extremely inconvenient to have to make a separate request per section just to see all that, though.

And it's a little weird that the 'show object' output doesn't include the rules in that section, or even any indication whether it has rules at all. Passing the access section's UUID to 'show access-rulebase' returns a generic error with no contents, which is interesting:

[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 6b647376-6f7a-4755-b3ca-adf3cc7d0b4e
{
  "code" : "generic_error",
  "message" : ""
}
[Expert@DallasSA]# mgmt_cli -f json -r true show access-rulebase uid 97aeb369-9aea-11d5-bd16-0090272ccb30 # This is the UUID for the object "Any"
{
  "code" : "generic_error",
  "message" : "Runtime error: com.checkpoint.objects.classes.dummy.CpmiAnyObject incompatible with com.checkpoint.objects.rulebase.RulebaseEntity"
}
JozkoMrkvicka
Mentor

I just noticed that there are already API calls "show access-section" and "show nat-section" available. Have you tried to use them?

Kind regards,
Jozko Mrkvicka
Bob_Zimmerman
Authority

Yep. That gives me the same stuff 'show object' does, just in a less convenient way (you have to specify the layer as well as the section, while 'show object' works with just the section). Meta-info block and tags are included, rules are not.

Looks like I have to make a 'show access-rulebase' call to learn about the sections which exist and their rule contents, then a separate 'show object' call for every single section to get its tags and meta-info.

Bob_Zimmerman
Authority

I think I tested this for NAT sections earlier, but I can confirm it does not work on R81.10 jumbo 82:

[Expert@DallasSA]# mgmt_cli -r true -f json show nat-rulebase package Standard | jq '.rulebase[1]'
{
  "uid": "4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9",
  "name": "Automatic Generated Rules : Machine Hide NAT",
  "type": "nat-section",
  "rulebase": []
}
[Expert@DallasSA]# mgmt_cli -r true -f json show object uid 4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9
{
  "code" : "generic_error",
  "message" : "Null Pointer exception: null"
}
[Expert@DallasSA]# mgmt_cli -r true -f json show nat-section uid 4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9 package Standard
{
  "uid" : "4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9",
  "name" : "Automatic Generated Rules : Machine Hide NAT",
  "type" : "nat-section",
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User",
    "domain-type" : "domain"
  },
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1625139158832,
      "iso-8601" : "2021-07-01T11:32+0000"
    },
    "last-modifier" : "System",
    "creation-time" : {
      "posix" : 1625139158783,
      "iso-8601" : "2021-07-01T11:32+0000"
    },
    "creator" : "System"
  },
  "read-only" : true
}

Inconvenient.

Bob_Zimmerman
Authority

Did some more testing. I'm able to use 'show object' to get the details for access layers, sections, and rules, HTTPS Inspection layers, sections, and rules, policy packages, and NAT rules. Only NAT sections are broken like above. I'll file a ticket with support.
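The two-step procedure Bob describes (one 'show access-rulebase' or 'show nat-rulebase' call to learn which sections exist and what rules they hold, then a per-section lookup for tags and meta-info) can be automated. The script below is an added example written for this thread; it is not code from the thread, from Check Point, or from the Check Point Python SDK. It invokes mgmt_cli with the same flags used above (-r true -f json), uses 'show object' for each section, and, for NAT sections where 'show object' returns the generic_error shown in the previous post, falls back to 'show nat-section' with the package name. The inline sample replies are constructed for offline testing; their shapes and uids are copied from the JSON in this thread, while the tag object layout (a list of objects with a "name" key at full detail level) is an assumption, so the code also accepts plain strings.

```python
"""Inventory every section in a Check Point rulebase with its lock/meta-info.

Added example for the CheckMates thread on locked rule sections. Assumes the
script runs on the management server, so mgmt_cli can log in as root (-r true).
"""
import json
import subprocess
from typing import Callable, List, Optional


def mgmt_cli(*args: str) -> dict:
    """Run mgmt_cli with the flags used in the thread and parse its JSON reply.
    Error replies ({"code": ..., "message": ...}) are returned, not raised."""
    proc = subprocess.run(["mgmt_cli", "-r", "true", "-f", "json", *args],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


def section_details(section: dict, run: Callable[..., dict],
                    package: Optional[str] = None) -> dict:
    """Flatten one section entry from a rulebase reply into a single record.

    'show object' works for access sections and wraps the result in "object".
    If it answers with an error block and the entry is a NAT section, retry with
    'show nat-section', which needs the package name and returns a flat reply.
    """
    uid = section["uid"]
    reply = run("show", "object", "uid", uid, "details-level", "full")
    source = "show object"
    if "code" in reply and section["type"] == "nat-section" and package:
        reply = run("show", "nat-section", "uid", uid, "package", package)
        source = "show nat-section"
    if "code" in reply:
        # Still an error: record it so one broken section does not abort the run.
        return {"uid": uid, "name": section.get("name"), "type": section["type"],
                "rules": len(section.get("rulebase", [])),
                "error": reply.get("message") or reply["code"]}
    obj = reply.get("object", reply)
    meta = obj.get("meta-info", {})
    return {
        "uid": uid,
        "name": obj.get("name"),
        "type": obj["type"],
        "rules": len(section.get("rulebase", [])),   # only the rulebase call has these
        "tags": [t["name"] if isinstance(t, dict) else t for t in obj.get("tags", [])],
        "lock": meta.get("lock"),
        "read_only": obj.get("read-only"),
        "creator": meta.get("creator"),
        "last_modifier": meta.get("last-modifier"),
        "last_modified": meta.get("last-modify-time", {}).get("iso-8601"),
        "source": source,
    }


def inventory_sections(rulebase_reply: dict, run: Callable[..., dict],
                       package: Optional[str] = None) -> List[dict]:
    """Walk a show access-rulebase / show nat-rulebase reply; rules that sit
    outside any section are skipped, every *-section entry is enriched."""
    return [section_details(entry, run, package)
            for entry in rulebase_reply.get("rulebase", [])
            if entry.get("type", "").endswith("-section")]


# --- Constructed sample replies (shapes and uids taken from the thread) -------
ACCESS_UID = "6b647376-6f7a-4755-b3ca-adf3cc7d0b4e"
NAT_UID = "4599f9c5-9ea8-4bb8-95b5-c6af06a93cf9"
ACCESS_RULEBASE = {"name": "Policy 2, Layer 2", "rulebase": [
    {"uid": ACCESS_UID, "name": "P2L2 Section 1", "type": "access-section",
     "rulebase": [{"type": "access-rule", "rule-number": 1},
                  {"type": "access-rule", "rule-number": 2}]},
    {"type": "access-rule", "rule-number": 3}]}
NAT_RULEBASE = {"rulebase": [
    {"uid": NAT_UID, "name": "Automatic Generated Rules : Machine Hide NAT",
     "type": "nat-section", "rulebase": []}]}
FAKE_REPLIES = {
    ("show", "object", "uid", ACCESS_UID, "details-level", "full"): {"object": {
        "uid": ACCESS_UID, "name": "P2L2 Section 1", "type": "access-section",
        "tags": [{"name": "reviewed", "type": "tag"}],   # constructed tag
        "meta-info": {"lock": "unlocked", "creator": "WEB_API",
                      "last-modifier": "WEB_API",
                      "last-modify-time": {"iso-8601": "2021-11-20T18:45+0000"}},
        "read-only": False}},
    ("show", "object", "uid", NAT_UID, "details-level", "full"):
        {"code": "generic_error", "message": "Null Pointer exception: null"},
    ("show", "nat-section", "uid", NAT_UID, "package", "Standard"): {
        "uid": NAT_UID, "name": "Automatic Generated Rules : Machine Hide NAT",
        "type": "nat-section", "tags": [],
        "meta-info": {"lock": "unlocked", "creator": "System",
                      "last-modifier": "System",
                      "last-modify-time": {"iso-8601": "2021-07-01T11:32+0000"}},
        "read-only": True},
}


def fake_run(*args: str) -> dict:
    """Stand-in for mgmt_cli that serves the constructed replies above."""
    return FAKE_REPLIES[args]


if __name__ == "__main__":
    # Against a live server: inventory_sections(mgmt_cli("show", "access-rulebase",
    #   "name", "Policy 2, Layer 2", "details-level", "full"), mgmt_cli)
    for rec in (inventory_sections(ACCESS_RULEBASE, fake_run)
                + inventory_sections(NAT_RULEBASE, fake_run, package="Standard")):
        print(json.dumps(rec, indent=2))
```

Because the rulebase reply is paged (the thread's call used limit 1 against a total of 2500), a live run should page through 'show access-rulebase' with its offset and limit parameters and feed each page to inventory_sections; the per-section lookups are what make this expensive, so cache results by uid if the same sections appear in several layers.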
