Searching a Rule Base

What can I do here?

Use this window to search the access control, NAT, or Threat Prevention Rule Base.

Getting Here - Security Policies > Access/NAT/Threat Prevention > Policy. Click inside the Rule Base search bar.

Rule Base Search

The search box looks for the query term in all columns of the Rule Base. For example, if the query term is "Check Point" , the search finds all rules that use this term. The results returned by the query are direct or indirect.

• Direct - The object in the query matches a rule
• Indirect - The object in the query matches a group inside a rule

You can also search the Rule Base using these predefined tokens:

Button Name	Text name	Refers to an object in the:
Source	src:	Source column
Destination	dst:	Destination column
Services	svc:	Services and Applications column
Applications	app:	Services and Applications column
Install On	installOn:	Install On column

Note - These tokens are used for searching the access control policy. The NAT and Threat Prevention policies use different but similar ones.

To use a token in a search:

1. Enter a token in to the search bar
   • Click on a token button, for example Source or Destination.

     Suggestions for Source or Destination show.

   • Type the full name, for example Source: with a colon at the end.

     Suggestions for source show after typing the final colon (:)

   • Type the shortcut name, for example: src:

     Suggestions for source show after typing the final colon (:)

   A token can be written in any combination of upper and lower case letters.

2. Select one or more of the suggestions from the list.

   The content name is appended to the token, for example: src:DMZNet.

3. Click the search icon or hit Enter.

Note - Typing the token name into the search box does not always produce the same results as selecting from the list. For example:

• app:http searches for words with an http prefix.
• Typing app: then selecting http from the list searches for exact matches on http. Objects selected from the list show in bold font.

Using Boolean Operators in a Search Query

Use operators by typing them into the query in upper case format only. For example: "mycompany OR src: AuxiliaryNet".

If an operator is not used, the default AND operator applies. For example app:http John produces the same result as app:http AND John.

Query Examples:

• Drop AND dst:Gateways
• src:Alice AND dst:Bosa
• src:bob OR dst:Cellarix OR app:IKE
• src:bob AND (dst:Cellarix OR app:IKE)
• Alice OR Bob
• src:192.168.50.0

To stop a running query:

• Click the X button in the search box.
• Clear the search box and press enter.
• Start a new search. The new search overrides the previous one.

Query Examples

• Drop AND dst:Gateways
• src:Alice AND dst:Bosa
• src:bob OR dst:Cellarix OR app:IKE
• src:bob AND (dst:Cellarix OR app:IKE)
• Alice OR Bob
• src:192.168.50.0

Stopping a Running Query

1. Click the X button in the search box.
2. Clear the search box and press enter.
3. Start a new search. The new search overrides the previous one.

Keyboard Navigation

• Ctrl + F from the Rule Base focuses on the search box.
• Hitting Enter when the cursor is in the search runs a search.
• Up and down arrows navigate the list of suggestions.
• Hitting Enter while in the suggestions list selects the object and closes the list but does not run a search
• Hitting Escape while in the search box closes the list and returns focus to the Rule Base
• F3 (in the Rule Base or search box) navigates to the next result in a circular fashion
• Shift + F3 navigates previous results.