Searching a Rule Base
What can I do here?
Use this window to search the Access Control, NAT, or Threat Prevention Rule Base (all the rules configured in a given Security Policy).
Getting Here - Security Policies > Access/NAT/Threat Prevention > Policy. Click inside the Rule Base search bar.
Rule Base Search
The search box looks for the query term in all columns of the Rule Base. For example, if the query term is "Check Point", the search finds all rules that use this term. The results returned by the query are direct or indirect:
- Direct - The object in the query matches a rule
- Indirect - The object in the query matches a group inside a rule
You can also search the Rule Base using these predefined tokens (the shortcut text names shown are the ones used in the examples on this page):
Button Name | Text Name | Refers to an object in the
Source | src: | Source column
Destination | dst: | Destination column
VPN | | VPN column
Services | svc: | Services and Applications column
Applications | app: | Services and Applications column
Install On | | Install On column
Action | | Action column
Track | | Track column
Note - These tokens are used for searching the Access Control policy. The NAT and Threat Prevention policies use different but similar ones.
To use a token in a search:
- Enter a token into the search bar, in one of these ways:
  - Click a token button, for example Source or Destination. Suggestions for Source or Destination show.
  - Type the full name with a colon at the end, for example Source: . Suggestions for Source show after you type the final colon (:).
  - Type the shortcut name, for example src: . Suggestions for Source show after you type the final colon (:).
  A token can be written in any combination of upper and lower case letters.
- Select one or more of the suggestions from the list. The content name is appended to the token, for example: src:DMZNet
- Click the search icon or press Enter.
Note - Typing the token name into the search box does not always produce the same results as selecting from the list. For example:
- Typing app:http searches for words with an http prefix.
- Typing app: and then selecting http from the list searches for exact matches on http. Objects selected from the list show in bold font.
IP Search
You can run an advanced search for an IP address, network, or port. It returns direct and indirect matches for your search criteria.
- IP address: xxx.xxx.xxx.xxx
- Network: xxx.xxx.0.0/16 or xxx.xxx
- Port: svc:<xxx>
These are the different IP search modes:
- General (default) - Returns direct matched results and indirect results in IP ranges, networks, groups, groups with exclusion, and rules that contain these objects.
- Packet - Matches rules as if a packet with your IP address arrives at the gateway.
General IP Search
This is the default search mode. Use it to search in Rule Bases and in objects. If you enter a string that is not a valid IP address or network, the search engine treats it as text.
When you enter a valid IP address or network, an advanced search is run on these objects and rules:
- Objects that have the IP address as a text value, for example in a comment
- Objects that have an IP address property (direct results)
- Groups, networks, and address ranges that contain objects with the text value or address value
- Rules that contain those objects
Packet Search
A Packet Search matches rules as if a packet with your IP address arrives at the gateway. It matches rules that have:
- The IP address in a column of the rule
- "Any"
- A group with exclusion or a negated field with the IP address in its declaration
To run a Packet Search:
- Click the search box. The search window opens.
- Click Packet, or enter: mode:Packet
- To search a specific rule column, enter: ColumnName:Criteria
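The difference between the General and Packet modes is easiest to see on a concrete rule base. The following is an added example, not Check Point's own code: it models a few constructed objects (CorpNet, DMZNet, WebSrv, a group Servers and a group with exclusion DMZ_no_web) and four rules, then runs the two modes over them. The helper names (parse_ip_query, general_search, packet_search) and the behaviour for a column-less Packet search are assumptions of the example, not SmartConsole internals.

```python
# Added example, not Check Point's own code: a small model of the General and
# Packet IP search modes described above, run over a constructed rule base.
# The object names, rules and helper functions are hypothetical.
import ipaddress

# Constructed objects: network objects are lists of CIDRs; a group may exclude
# members (a "group with exclusion").
NETWORKS = {"CorpNet": ["192.168.0.0/16"], "DMZNet": ["10.1.0.0/16"], "WebSrv": ["10.1.2.10/32"]}
GROUPS = {"Servers": {"members": ["DMZNet", "WebSrv"], "exclude": []},
          "DMZ_no_web": {"members": ["DMZNet"], "exclude": ["WebSrv"]}}
# Constructed Access Control rules; "negate" lists the negated columns.
RULES = [
    {"no": 1, "src": ["CorpNet"], "dst": ["WebSrv"], "negate": [], "comment": ""},
    {"no": 2, "src": ["Any"], "dst": ["DMZ_no_web"], "negate": [], "comment": ""},
    {"no": 3, "src": ["Any"], "dst": ["Any"], "negate": [], "comment": "cleanup"},
    {"no": 4, "src": ["Any"], "dst": ["Servers"], "negate": ["dst"], "comment": "see 10.1.2.10"},
]


def parse_ip_query(text):
    """Accept x.x.x.x, x.x.x.x/n or the short x.x form (x.x means x.x.0.0/16).
    Returns an ip_network, or None when the text is not an IP query."""
    parts = text.split(".")
    if len(parts) in (2, 3) and all(p.isdigit() for p in parts):
        text = ".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % (8 * len(parts))
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def declared(name):
    """Every network an object's declaration references, including the excluded
    members of a group (General search reports those as indirect results)."""
    if name in NETWORKS:
        return [ipaddress.ip_network(n) for n in NETWORKS[name]]
    g = GROUPS[name]
    return [n for m in g["members"] + g["exclude"] for n in declared(m)]


def effective(name):
    """(included, excluded) networks: what the object really covers."""
    if name in NETWORKS:
        return declared(name), []
    g = GROUPS[name]
    inc, exc = [], [n for m in g["exclude"] for n in declared(m)]
    for m in g["members"]:
        i, e = effective(m)
        inc, exc = inc + i, exc + e
    return inc, exc


def covers(name, ip):
    """Packet semantics: the object covers ip unless an exclusion removes it."""
    inc, exc = effective(name)
    return any(ip in n for n in inc) and not any(ip in n for n in exc)


def general_search(query):
    """General mode: per-rule text, direct and indirect hits; "Any" never
    matches, and a query that is not an IP is matched as text."""
    net, q = parse_ip_query(query), query.lower()
    hits = {}
    for rule in RULES:
        found = []
        for col in ("src", "dst"):
            for obj in rule[col]:
                if obj == "Any":
                    continue
                if net is None:
                    if q in obj.lower():
                        found.append((col, "text"))
                elif obj in NETWORKS and declared(obj) == [net]:
                    found.append((col, "direct"))
                elif any(n.overlaps(net) for n in declared(obj)):
                    found.append((col, "indirect"))
        if q and q in rule["comment"].lower():
            found.append(("comment", "text"))
        if found:
            hits[rule["no"]] = found
    return hits


def packet_search(query, column=None):
    """Packet mode: rules that would apply to a packet with this address. "Any"
    matches, exclusions are honoured, and a negated column is listed when the
    address is in its declaration. Without a column the address is tried as
    source and as destination (this example's assumption)."""
    net = parse_ip_query(query)
    if net is None:
        raise ValueError("Packet search needs an IP address or network")
    if net.version != 4:
        raise ValueError("Packet search does not support IPv6")
    ip = net.network_address
    matched = []
    for rule in RULES:
        for col in ([column] if column else ["src", "dst"]):
            negated = col in rule["negate"]
            if any(o == "Any" or (any(ip in n for n in declared(o)) if negated
                                  else covers(o, ip)) for o in rule[col]):
                matched.append(rule["no"])
                break
    return matched
```

Searching 10.1.2.10 in General mode reports rule 1 as a direct hit (WebSrv is that host), rules 2 and 4 as indirect hits (the address lies inside DMZNet through the groups) and rule 4 again as a text hit on its comment; the Any/Any cleanup rule is not reported at all. The same address in Packet mode with dst: lists rules 1, 3 and 4 but not rule 2, because DMZ_no_web excludes WebSrv, and an IPv6 address is rejected, matching the known limitation noted below.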
Rule Base Results
When you enter search criteria and view the matched results, the value that matched the criteria in a rule is highlighted.
If there is: | This is highlighted
A direct match on an object name or on textual columns | Only the specific matched characters
A direct match on object properties | The entire object name
A negated column | The negated label
A match on "Any" | "Any"
Known Limitation: Packet search does not support IPv6.
Using Boolean Operators in a Search Query
Use operators by typing them into the query in upper case only. For example: "mycompany OR src: AuxiliaryNet".
If no operator is used, the default AND operator applies. For example, app:http John produces the same result as app:http AND John.
Query Examples:
- Drop AND dst: Gateways
- src:Alice AND dst:Bosa
- src:bob OR dst:Cellarix OR app:IKE
- src:bob AND (dst:Cellarix OR app:IKE)
- Alice OR Bob
- src:192.168.50.0
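To make the query rules above concrete (tokens, implicit AND, operators that count only in upper case, parentheses, and typed prefix matching versus the exact matching you get by selecting from the list), here is an added example that is not Check Point's code: a small recursive-descent parser and evaluator over a constructed rule base. The rule, object and group names are hypothetical, and writing a value in quotes (app:"http") is this example's own notation for a value selected from the suggestion list; SmartConsole has no such typed syntax.

```python
# Added example, not Check Point's own code: a parser and evaluator for the
# query syntax described above (tokens, implicit AND, upper-case-only AND/OR,
# parentheses, prefix versus exact matching) over a constructed rule base.
# Names are hypothetical; quoting a value (app:"http") is this example's own
# notation for "selected from the suggestion list" (an exact match).
import re

GROUPS = {"Gateways": ["gw-hq", "gw-branch"], "Staff": ["Alice", "Bob"]}
RULES = [  # constructed Access Control rules
    {"no": 1, "src": ["Alice"], "dst": ["Gateways"], "app": ["ssh", "https"], "action": ["Accept"]},
    {"no": 2, "src": ["Staff"], "dst": ["Any"], "app": ["http", "https"], "action": ["Accept"]},
    {"no": 3, "src": ["Bob"], "dst": ["Gateways"], "app": ["Any"], "action": ["Drop"]},
    {"no": 4, "src": ["Any"], "dst": ["Any"], "app": ["Any"], "action": ["Drop"]},
]
TOKENS = {"src": "src", "source": "src", "dst": "dst", "destination": "dst",
          "app": "app", "applications": "app", "svc": "app", "services": "app",
          "action": "action"}  # token name (full or shortcut) -> column
ALL_COLUMNS = ["src", "dst", "app", "action"]


def tokenize(query):
    """Split on whitespace and parentheses; "dst: X" becomes "dst:X"."""
    toks = []
    for t in re.findall(r"\(|\)|[^\s()]+", query):
        if toks and toks[-1].endswith(":") and t not in ("(", ")"):
            toks[-1] += t
        else:
            toks.append(t)
    return toks


class Parser:
    """expr := and_expr (OR and_expr)*; and_expr := term (AND? term)*;
    term := '(' expr ')' | WORD. Only upper-case AND/OR are operators."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def expr(self):
        left = self.and_expr()
        while self.peek() == "OR":
            self.i += 1
            left = ("OR", left, self.and_expr())
        return left
    def and_expr(self):
        left = self.term()
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":
                self.i += 1
            left = ("AND", left, self.term())  # a missing operator means AND
        return left
    def term(self):
        t = self.peek()
        self.i += 1
        if t == "(":
            inner = self.expr()
            if self.peek() != ")":
                raise ValueError("missing )")
            self.i += 1
            return inner
        if t in (None, "AND", "OR", ")"):
            raise ValueError("operator without operand")
        return ("TERM", t)


def parse_term(text):
    """Return (column, or None for all columns; lower-cased value; exact?)."""
    col, sep, value = text.partition(":")
    if sep and col.lower() in TOKENS:
        col = TOKENS[col.lower()]
    else:
        col, value = None, text
    exact = len(value) > 1 and value[0] == value[-1] == '"'
    return col, value.strip('"').lower(), exact


def value_hits(cell, value, exact):
    """A typed value matches any word prefix; a list-selected value matches exactly."""
    cell = cell.lower()
    return cell == value if exact else any(w.startswith(value) for w in cell.split())


def term_matches(rule, text):
    """'direct' if an object in the column matches, 'indirect' if only a group member does."""
    col, value, exact = parse_term(text)
    best = None
    for c in ([col] if col else ALL_COLUMNS):
        for obj in rule[c]:
            if value_hits(obj, value, exact):
                return "direct"
            if any(value_hits(m, value, exact) for m in GROUPS.get(obj, [])):
                best = "indirect"
    return best


def evaluate(node, rule):
    if node[0] == "TERM":
        return term_matches(rule, node[1])
    a, b = evaluate(node[1], rule), evaluate(node[2], rule)
    if node[0] == "AND":
        return None if not (a and b) else ("direct" if a == b == "direct" else "indirect")
    return max(a, b, key={None: 0, "indirect": 1, "direct": 2}.get)


def search(query):
    """Rule number -> 'direct' or 'indirect' for every rule the query matches."""
    p = Parser(query)
    tree = p.expr()
    if p.peek() is not None:
        raise ValueError("unexpected %r" % p.peek())
    return {r["no"]: evaluate(tree, r) for r in RULES if evaluate(tree, r)}
```

Two behaviours from the text show up directly: app:http matches rules 1 and 2 because https has the http prefix, while the list-selected app:"http" matches rule 2 only; and "alice or bob" returns nothing, because lower-case or is just a third search word joined by the implicit AND, whereas "Alice OR Bob" returns rules 1, 2 (indirectly, through the Staff group) and 3.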
To stop a running query:
- Click the X button in the search box.
- Clear the search box and press Enter.
- Start a new search. The new search overrides the previous one.
Keyboard Navigation
- Ctrl + F from the Rule Base focuses on the search box.
- Pressing Enter when the cursor is in the search box runs a search.
- Up and down arrows navigate the list of suggestions.
- Pressing Enter while in the suggestions list selects the object and closes the list, but does not run a search.
- Pressing Escape while in the search box closes the list and returns focus to the Rule Base.
- F3 (in the Rule Base or the search box) navigates to the next result, wrapping around to the first result after the last one.
- Shift + F3 navigates to the previous result.