Searching a Rule Base

What can I do here?

Use this window to search the access control, NAT, or Threat Prevention Rule Base.

Getting Here - Security Policies > Access/NAT/Threat Prevention > Policy. Click inside the Rule Base search bar.

Rule Base Search

The search box looks for the query term in all columns of the Rule Base. For example, if the query term is "Check Point" , the search finds all rules that use this term. The results returned by the query are direct or indirect.

Direct - The object in the query matches a rule
Indirect - The object in the query matches a group inside a rule

You can also search the Rule Base using these predefined tokens:

Button Name	Text name	Refers to an object in the:
Source	`src:`	Source column
Destination	`dst:`	Destination column
VPN	`vpn:`	VPN column
Services	`svc:`	Services and Applications column
Applications	`app:`	Services and Applications column
Install On	`installOn:`	Install On column
Action	`action:`	Action column
Track	`track:`	Track column

Note - These tokens are used for searching the access control policy. The NAT and Threat Prevention policies use different but similar ones.

To use a token in a search:

Enter a token in to the search bar
- Click on a token button, for example Source or Destination.
  Suggestions for Source or Destination show.
- Type the full name, for example Source: with a colon at the end.
  Suggestions for source show after typing the final colon (:)
- Type the shortcut name, for example: src:
  Suggestions for source show after typing the final colon (:)
A token can be written in any combination of upper and lower case letters.
Select one or more of the suggestions from the list.
The content name is appended to the token, for example: src:DMZNet.
Click the search icon or hit Enter.

Note - Typing the token name into the search box does not always produce the same results as selecting from the list. For example:

app:http searches for words with an http prefix.
Typing app: then selecting http from the list searches for exact matches on http. Objects selected from the list show in bold font.

IP Search

You can run an advanced search for an IP address, network, or port. It returns direct and indirect matches for your search criteria.

IP address: xxx.xxx.xxx.xxx
Network: xxx.xxx.0.0/16 or xxx.xxx
Port: svc:<xxx>

These are the different IP search modes:

General – (Default). Returns direct matched results and indirect results in IP ranges, networks, groups, groups with exclusion, and rules that contain these objects.
Packet – Matches rules as if a packet with your IP address arrives at the gateway.

General IP Search

This is the default search mode. Use it to search in Rule Bases and in objects. If you enter a string that is not a valid IP or network, the search engine treats it as text.

When you enter a valid IP address or network, an advanced search is done and on these objects and rules:

Objects that have the IP address as a text value for example, in a comment
Objects that have an IP address property (direct results)
Groups, networks, and address ranges that contain objects with the text value or address value
Rules that contain those objects

Packet Search

A Packet Search matches rules as if a packet with your IP address arrives at the gateway. It matches rules that have:

The IP address in a column of the rule
"Any"
A Group-with-exclusion or negated field with the IP address in its declaration

To run a Packet Search:

Click the search box.
The search window opens.
Click Packet or enter: "mode:Packet"
To search a specific rule column, enter: ColumnName:Criteria

Rule Base Results

When you enter search criteria and view the matched results, the value that matched the criteria in a rule is highlighted.

If there is...	This is highlighted
A direct match on an object name or on textual columns	Only the specific matched characters
A direct match on object properties	The entire object name
A negated column	The negated label
A match on "Any"	"Any"

Known Limitation:

Packet search does not support IPv6.

Using Boolean Operators in a Search Query

Use operators by typing them into the query in upper case format only. For example: "mycompany OR src: AuxiliaryNet".

If an operator is not used, the default AND operator applies. For example app:http John produces the same result as app:http AND John.

Query Examples:

Drop AND dst:Gateways
src:Alice AND dst:Bosa
src:bob OR dst:Cellarix OR app:IKE
src:bob AND (dst:Cellarix OR app:IKE)
Alice OR Bob
src:192.168.50.0

To stop a running query:

Click the X button in the search box.
Clear the search box and press enter.
Start a new search. The new search overrides the previous one.

Query Examples

Drop AND dst:Gateways
src:Alice AND dst:Bosa
src:bob OR dst:Cellarix OR app:IKE
src:bob AND (dst:Cellarix OR app:IKE)
Alice OR Bob
src:192.168.50.0

Stopping a Running Query

Click the X button in the search box.
Clear the search box and press enter.
Start a new search. The new search overrides the previous one.

Keyboard Navigation

Ctrl + F from the Rule Base focuses on the search box.
Hitting Enter when the cursor is in the search runs a search.
Up and down arrows navigate the list of suggestions.
Hitting Enter while in the suggestions list selects the object and closes the list but does not run a search
Hitting Escape while in the search box closes the list and returns focus to the Rule Base
F3 (in the Rule Base or search box) navigates to the next result in a circular fashion
Shift + F3 navigates previous results.