Thanks for the reply. I have tried this already. We don't get the associated interface name from this output. 

Would you mind send the output? Blur out any sensitive info please.

Hi Andy,

When run the 'show security-zones' command in Smart console CLI, I get exactly the same output format as you get, except for different values. I would like to see the association between the security zone and the interface. I'm not sure, but I guess the management API commands cannot help us here. I'm pretty sure that there would be a checkpoint database with this information and would like to get it from there.

K, I see what you mean. Let me look into it and see if I can get it. So you need correct interfaces to show as associated with the zones displayed...got it. Will update you how far I get.

Andy

Thanks 🙂 

The management API should be able to help for the non-VSX boxes. Log in to a CMA, 'show security-zones' to get the zone objects, then 'show simple-gateways' and 'show simple-clusters'. Each firewall object in the result should have an array of interfaces, which should each have a security-zone boolean and optionally a security-zone-settings object (if security-zone is true). Inside the security-zone-settings, there's auto-calculated and specific-zone.

I'm not sure about VSs, as I haven't explored that area of the API yet.

There are no official APIs for anything VS related (management or gateway).
I know we plan to address this in the future.

Having said that, you might be able to do some scripting work to extract the various details.
This will involve use of the generic-object API and running db_tool from the gateway to get the UUID of the relevant objects as I'm not aware of a way to get them otherwise.
Since I don't have VSX set up anywhere, I hope someone can give this a try and let me know if it works or not.
Even without that, I'm sure it'll be useful for regular Security Gateway 🙂

First, use something like the following to list all the objects involved in the policy from the gateway.
Note the paths will need to be modified for your version and to the specific "state" directory for the given VS.

db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_rules |grep UUID | awk '{split($0,a,":"); print a[2]}' | uniq | awk ' { cmd="db_tool -p /opt/CPsuite-R81.20/fw1/state/local/FW1 get_object -u "$1;system(cmd)}'

What you're looking for is the UUID of the VS object, which will only show if the VS is directly used in the policy.
Once you have all the UUIDs of all the VS objects, you can get the interface names and zone information with something like this from the management server (note this is for a specific UUID):

mgmt_cli -r true --format json show generic-object uid 8414a95f-8f3d-5442-9944-9877f964d08e | jq -r '.interfaces[] | [.officialname, .securityZone ] | @csv'

This returns the information nicely in CSV format, with one small exception (the Zone is listed as a UUID)

"eth0","237a4cbc-7fb6-4d50-872a-4904468271c4"
"eth1","e8131db2-8388-42a5-924a-82de32db20f7"

Fortunately, it's easy to get the UUIDs for the Security Zones like so:

mgmt_cli -r true --format json show security-zones | jq -r '.objects[] | [.name, .uid] | @csv'

Which translates (in my case) to:

"DMZZone","8c4041ea-ff14-4e4b-a9d9-4183d18c790a"
"ExternalZone","237a4cbc-7fb6-4d50-872a-4904468271c4"
"InternalZone","e8131db2-8388-42a5-924a-82de32db20f7"
"WirelessZone","57de3848-3675-48ed-b045-41378f4babb3"

Which means we can conclude that:

• eth0 is a member of External Zone
• eth1 is a member of Internal Zone

Again, whether any of this will work with VSX objects is a separate question.

You can get the VS' UUIDs easily enough using 'show gateways-and-servers'. There are a few relevant object types:

• CpmiVsxClusterMember - VSX cluster member

• CpmiVsxClusterNetobj - VSX cluster

• CpmiVsClusterNetobj - VS cluster (a VS on a VSX cluster is technically a cluster of VSs, but the members are automatically managed)

I don't know the types for a non-clustered VSX gateway or a non-clustered VS. I've never actually seen a non-clustered VSX deployment outside a lab.

If that API returns information about VSX objects (including VSes), then this particular command from the management might be easier to work with:

mgmt_cli -r true --format json show gateways-and-servers | jq -r '.objects[] | [.name,  .type, .uid] | @csv'

Again, results are returned in CSV format.
You'll have to filter the results to VS objects as this will return all gateway/server objects.

Thanks a lot! I believe this should work. I will try this today and will let you know. 🙂 

I would start with this:

mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full \
| jq -c '.objects[]|{type:.type,name:.name,uuid:.uid}' \
| grep -v cluster-member \
| grep -v CpmiVsxClusterNetobj \
| grep -v CpmiVsxClusterMember \
| grep -v "checkpoint-host"

Tweak the 'grep -v' lines (e.g, by adding more) if the list contains objects which aren't firewalls or VSs. Once the list is down to what you want, pipe it into 'jq ".uuid"' and you'll get UUIDs one per line. That's suitable to pipe into something like this:

mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full \
| jq -c '.objects[]|{type:.type,name:.name,uuid:.uid}' \
| grep -v cluster-member \
| grep -v CpmiVsxClusterNetobj \
| grep -v CpmiVsxClusterMember \
| grep -v "checkpoint-host" \
| jq '.uuid' \
| xargs -L 1 -I % sh -c '
mgmt_cli -f json -r true show generic-object uid % \
| jq -c "{name:.name,interface:.interfaces[]|{interfaceName:.officialname,zone:.securityZone}}"'

I find security zones a fantastic way to shoot myself in the foot, so I don't use them at all. As such, I can't be sure if that last field on the last line will return the zone information you want.

Thanks !The mangement API commands have a different effect on the VSs. For example, 'show simple-gateways' and 'show simple-clusters' didn't give me any output when I ran them in the VSX cluster. I could be wrong, but just saying that there could be a difference in way we need to execute the commands for VSs.

I knew 'show simple-gateways' and 'show simple-clusters' don't return anything VSX, but they include the zone information for interfaces on objects which they do return. Meanwhile, 'show gateways-and-servers' includes VSX objects, and some interface information like IP address, but doesn't include the zone information in the interfaces. The API results when dealing with firewalls are super inconsistent between calls.

'show generic-object' provides the most complete information, but it also only works on one object at a time. It's also not officially stable, so result format might change between versions. Great for one-off stuff like getting this today. Not so great if you want to dump this every week for the foreseeable future.

Right, generic-object isn't formally supported, or even documented in the Management API guide.
Where possible, use a documented API endpoint, you can get proper support if it doesn't work, etc.

Having said that, I've never actually seen an instance where generic-object returns different results in different versions.
Certainly this is the case for object types that still don't have API support.