Difference between revisions of "r80 api notes"
(→rule numbers) |
(→notes before you begin) |
||
Line 29: | Line 29: | ||
| jq '.rulebase[] | .rulebase[]' | | jq '.rulebase[] | .rulebase[]' | ||
+ | |||
+ | ====rule numbers==== | ||
===show access layers?=== | ===show access layers?=== |
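Review bot: the added "====rule numbers====" heading is followed directly by "===show access layers?===", so the new section has no body. Either add the rule-number notes under it in the same edit or hold the heading until there is content. It is also a level-4 heading sitting immediately before a level-3 one, so check that it nests under the section you intend.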
Revision as of 16:17, 4 April 2018
examples
logging in
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt
search existing object
search objects by IP, return all objects that contain the IP explicitly or within a network address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
return only objects with the EXACT ip
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
- details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
access rules
notes before you begin
when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name>
as shown by the show access-layers command below. Also, the output of show access-rulebase is limited to 50 rules. If you want more, I think you have to iterate through a set of offsets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.
What this means is the commands below may or may not work as you expect them to. They will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
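An added example (not part of the original notes) that pages through show access-rulebase with offset/limit and flattens the result whether or not the policy has headers. It assumes each reply carries "to" and "total" counters and that sections have type "access-section"; the function names and the sample replies are constructed for illustration.

```python
import json
import subprocess

def fetch_page(layer, offset, limit, session_file="id.txt"):
    """One page of show access-rulebase via mgmt_cli (needs a live management server)."""
    cmd = ["mgmt_cli", "-s", session_file, "show", "access-rulebase",
           "name", layer, "offset", str(offset), "limit", str(limit),
           "--format", "json"]
    return json.loads(subprocess.check_output(cmd))

def flatten(page):
    """Yield rules whether or not the policy has section titles ("headers")."""
    for entry in page.get("rulebase", []):
        if entry.get("type") == "access-section":
            yield from entry.get("rulebase", [])  # rules nested under a title
        else:
            yield entry                            # rule at the top level

def all_rules(layer, fetch=fetch_page, limit=50):
    """Collect every rule by advancing offset until "to" reaches "total"."""
    rules, offset = [], 0
    while True:
        page = fetch(layer, offset, limit)
        batch = list(flatten(page))
        rules.extend(batch)
        if not batch or page.get("to", 0) >= page.get("total", 0):
            return rules
        offset = page["to"]

def rule(n):
    return {"type": "access-rule", "rule-number": n, "uid": f"constructed-{n}"}

def section(name, *nums):
    return {"type": "access-section", "name": name, "rulebase": [rule(n) for n in nums]}

# Constructed replies (not real server output): 5 rules, page size 2.
SAMPLE_PAGES = {
    0: {"from": 1, "to": 2, "total": 5, "rulebase": [rule(1), section("Inbound", 2)]},
    2: {"from": 3, "to": 4, "total": 5,
        "rulebase": [section("Inbound", 3), section("Outbound", 4)]},
    4: {"from": 5, "to": 5, "total": 5, "rulebase": [section("Outbound", 5)]},
}

def fake_fetch(layer, offset, limit):
    return SAMPLE_PAGES[offset]

if __name__ == "__main__":
    for r in all_rules("Network", fetch=fake_fetch, limit=2):
        print(r["rule-number"], r["uid"])
```

Against a real server, call all_rules("<package name> <layer name>") with the default fetch_page; the session file it reads holds a live session ID, so keep it readable only by its owner.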
rule numbers
show access layers?
[Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"
"Network"
where "Network" represents the default policy package Standard
examples
display only the rule number for a rule with uid = xxx
# mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
display src/dst/service from rule with uid
for i in source destination service; do echo "$i"; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".${i}[].name"; done
alternate (inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
"rulenum": 1,
"comment": "hahahlol"
links
official python open source api
parsing json return output jq
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]