Checkpoint R80.10: dump firewall rules from remote

One of the core concepts of computer and network security is multi-layer protection: to be safe, you keep adding independent layers of defence. A few days ago I built a small tool that adds one more such layer to our infrastructure. It consists of two scripts: one dumps the Checkpoint firewall rules from a remote management server, and the other looks for changes in the rules by comparing the old and the new dump.

It is not a full-featured protection layer; it is closer to an additional firewall audit layer that tells you when the rulebase changed.

For this I used the Checkpoint Management API, which is documented here:
https://sc1.checkpoint.com/documents/R80/APIs/

So, here is the script that dumps the firewall rules.
NOTE: This script dumps all rules from all access layers. The result can differ from the rules that are actually installed on a given Checkpoint gateway, because installation filters by the policy targets of each rule.


import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import pprint
import json
import sys

# The management server usually presents a self-signed certificate; certificate
# verification is disabled below (verify=False), so silence the matching warning.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def api_call(ip_addr, port, command, json_payload, sid):
    """POST one Management API command; sid is empty only for the login call."""
    url = 'https://' + ip_addr + ':' + port + '/web_api/' + command
    if sid == '':
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    r.raise_for_status()  # fail loudly on a bad login or an API error instead of a KeyError later
    return r.json()

# username, password and ip are mandatory (argv[1..3]); port is optional (argv[4])
if len(sys.argv) < 4:
    print("Checkpoint R80 dump firewall rules from remote.\n")
    print("Usage: %s username password ip port\n" % sys.argv[0])
    print("The port value is optional, by default it is 443.\n")
    sys.exit()
user = sys.argv[1]
password = sys.argv[2]
srv = sys.argv[3]
port = str(443)
if len(sys.argv) > 4:
    port = sys.argv[4]

logindata = {'user': user, 'password': password}
response = api_call(srv, port, 'login', logindata, '')
sid = response["sid"]
#print("Session id: " + sid)

# enumerate every access layer, then dump the rulebase of each one
data = {'limit': '500'}
response = api_call(srv, port, "show-access-layers", data, sid)
layers = response["access-layers"]
for layer in layers:
    print("----LAYER----")
    pprint.pprint(layer)
    #print(layer['name'],layer['uid'])
    r = {'name': layer['name'], 'details-level': 'standard', 'use-object-dictionary': 'false', 'limit': '500'}
    rules = api_call(srv, port, "show-access-rulebase", r, sid)
    rules = rules['rulebase']
    print("----RULES----")
    for rule in rules:
        #print json.dumps(rule,indent=4)
        pprint.pprint(rule, indent=4)

# read-only session: nothing to publish, just release the session
api_call(srv, port, "logout", {}, sid)

Here is an output:

----LAYER----
{u'domain': {u'domain-type': u'domain',
u'name': u'SMC User',
u'uid': u'41e821a0-3720-11e3-aa6e-0800200c9fde'},
u'name': u'Network',
u'type': u'access-layer',
u'uid': u'a3379caa-e06f-43e0-84cc-454ffce77b84'}
----RULES----
{ u'action': { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Accept',
u'type': u'RulebaseAction',
u'uid': u'6c488338-8eec-4103-ad21-cd461ac2c472'},
u'action-settings': { u'enable-identity-captive-portal': False},
u'comments': u'',
u'content': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'content-direction': u'any',
u'content-negate': False,
u'custom-fields': { u'field-1': u'', u'field-2': u'', u'field-3': u''},
u'destination': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'destination-negate': False,
u'domain': { u'domain-type': u'domain',
u'name': u'SMC User',
u'uid': u'41e821a0-3720-11e3-aa6e-0800200c9fde'},
u'enabled': True,
u'install-on': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Policy Targets',
u'type': u'Global',
u'uid': u'6c488338-8eec-4103-ad21-cd461ac2c476'}],
u'meta-info': { u'creation-time': { u'iso-8601': u'2017-07-24T10:52+0300',
u'posix': 1500882743180},
u'creator': u'XXXXXXXXXX',
u'last-modifier': u'XXXXXXXXXX',
u'last-modify-time': { u'iso-8601': u'2017-07-24T10:52+0300',
u'posix': 1500882777815},
u'lock': u'unlocked',
u'validation-state': u'ok'},
u'name': u'Ping',
u'rule-number': 1,
u'service': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'echo-request',
u'type': u'service-icmp',
u'uid': u'97aeb40a-9aea-11d5-bd16-0090272ccb30'},
{ u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'echo-reply',
u'type': u'service-icmp',
u'uid': u'97aeb406-9aea-11d5-bd16-0090272ccb30'}],
u'service-negate': False,
u'source': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'source-negate': False,
u'time': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}],
u'track': { u'accounting': False,
u'alert': u'none',
u'per-connection': False,
u'per-session': False,
u'type': { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'None',
u'type': u'Track',
u'uid': u'29e53e3d-23bf-48fe-b6b1-d59bd88036f9'}},
u'type': u'access-rule',
u'uid': u'3d366527-2448-403b-a433-eadcad5d0636',
u'vpn': [ { u'domain': { u'domain-type': u'data domain',
u'name': u'Data',
u'uid': u'a0bbbc99-adef-4ef8-bb6d-defdefdefdef'},
u'name': u'Any',
u'type': u'CpmiAnyObject',
u'uid': u'97aeb369-9aea-11d5-bd16-0090272ccb30'}]}

About the author

Yuli Stremovsky
Paranoid Security Guy
For the past 15 years I’ve been leading the evolution of startups and enterprises to achieve the highest level of security and compliance. Throughout my career I’ve been a Cyber Security expert and advanced solutions architect with many years of hands on experience both on offensive and defensive side. Knowledgeable at the highest level in application development, networking, data and databases, web applications, large scale Software as a Service solutions, cloud security and blockchain technologies.

I’ve been working with CISO’s of international enterprises, helping them set Information Security strategy, and overseeing the implementation of these recommendations. As part of these projects, I’ve been assisting companies to achieve compliance in GDPR, PCI, HIPAA and SOX.

Among my credits, I was a founder of a database security company GreenSQL/Hexatier which was acquired by Huawei and I’ve co-founded Kesem.io, Secure multi-signature Crypto wallet.

Specialties: Software and cloud architecture, Compliance (GDPR, HIPAA, PCI, SOX), blockchain technologies, software development, secure architectures, project management and low level research.