Checkpoint R80.10: dump firewall rules from remote

By | September 18, 2017

One of the core concepts of computer and network security is multi-layer security protection. In simple words it means, to be safe, you need to add more protection layers. A few days ago I created a new tool to add a new security protection to our infrastructure. What I have done is the following. I created a script that dumps Checkpoint firewall rules from remote and another script that looks for changes in the rules – by comparing old and new version.

It is not like a full-featured security protection layer but more like additional firewall audit layer.

For this I used Checkpoint Management API that can be found here:
https://sc1.checkpoint.com/documents/R80/APIs/

So, here is a script that dumps firewall rules.
NOTE: This script dumps all rules from all layers. It can be different from the rules that are actually installed on your Checkpoint gateway.

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import pprint
import json
import sys

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def api_call(ip_addr, port, command, json_payload, sid):
url = ‘https://’ + ip_addr + ‘:’ + port + ‘/web_api/’ + command
if sid == ”:
request_headers = {‘Content-Type’ : ‘application/json’}
else:
request_headers = {‘Content-Type’ : ‘application/json’, ‘X-chkp-sid’ : sid}
r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
data = r.content
return r.json()

if len(sys.argv) < 3: print("Checkpoint R80 dump firewall rules from remote.\n") print("Usage: %s username password ip port\n" % sys.argv[0]) print("The port value is optional, by default it is 443.\n") sys.exit() user = sys.argv[1] password = sys.argv[2] srv = sys.argv[3] port = str(443) if len(sys.argv) > 4:
port = sys.argv[4]

logindata = {‘user’:user, ‘password’ : password}
response = api_call(srv, port, ‘login’, logindata, ”)
sid = response[“sid”]
#print(“Session id: ” + sid)

data = {‘limit’:’500′}
response = api_call(srv, port, “show-access-layers”, data, sid)
layers = response[“access-layers”]
for layer in layers:
print(“—-LAYER—-“)
pprint.pprint(layer)
#print(layer[‘name’],layer[‘uid’])
r = {‘name’:layer[‘name’], ‘details-level’:’standard’, ‘use-object-dictionary’:’false’, ‘limit’:’500′}
rules = api_call(srv, port, “show-access-rulebase”, r, sid)
rules = rules[‘rulebase’]
print(“—-RULES—-“)
for rule in rules:
#print json.dumps(rule,indent=4)
pprint.pprint(rule,indent=4)

api_call(srv, port, “logout”, {}, sid)

Here is an output:

----LAYER----
{u'domain': {u'domain-type': u'domain',
u'name': u'SMC User',
u'uid': u'41e821a0-3720-11e3-aa6e-0800200c9fde'},
u'name': u'Network',
u'type': u'access-layer',
u'uid': u'a3379caa-e06f-43e0-84cc-454ffce77b84'}
----RULES----
{ u'action': { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Accept',
u'type': u'RulebaseAction',
u'uid': u'6c488338-8eec-4103-ad21-cd461ac2c472'},
u'action-settings': { u'enable-identity-captive-portal': False},
u'comments': u'',
u'content': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'content-direction': u'any',
u'content-negate': False,
u'custom-fields': { u'field-1': u'', u'field-2': u'', u'field-3': u''},
u'destination': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'destination-negate': False,
u'domain': { u'domain-type': u'domain',
u'name': u'SMC User',
u'uid': u'41e821a0-3720-11e3-aa6e-0800200c9fde'},
u'enabled': True,
u'install-on': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Policy Targets',
u'type': u'Global',
u'uid': u'6c488338-8eec-4103-ad21-cd461ac2c476'}],
u'meta-info': { u'creation-time': { u'iso-8601': u'2017-07-24T10:52+0300',
u'posix': 1500882743180},
u'creator': u'XXXXXXXXXX',
u'last-modifier': u'XXXXXXXXXX',
u'last-modify-time': { u'iso-8601': u'2017-07-24T10:52+0300',
u'posix': 1500882777815},
u'lock': u'unlocked',
u'validation-state': u'ok'},
u'name': u'Ping',
u'rule-number': 1,
u'service': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'echo-request',
u'type': u'service-icmp',
u'uid': u'97aeb40a-9aea-11d5-bd16-0090272ccb30'},
{ u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'echo-reply',
u'type': u'service-icmp',
u'uid': u'97aeb406-9aea-11d5-bd16-0090272ccb30'}],
u'service-negate': False,
u'source': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'source-negate': False,
u'time': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'track': { u'accounting': False,
u'alert': u'none',
u'per-connection': False,
u'per-session': False,
u'type': { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'None',
u'type': u'Track',
u'uid': u'29e53e3d-23bf-48fe-b6b1-d59bd88036f9'}},
u'type': u'access-rule',
u'uid': u'3d366527-2448-403b-a433-eadcad5d0636',
u'vpn': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}]}