TQL Fields For the Rule Viewer

The following fields are available via TQL.

All Fields

The type of information displayed for each rule varies according to the device type from which the rule is taken.

Each entry below gives the field name, a description, and the values or format the field accepts.

action

Rule action.

ALLOW, DENY, GOTO, UNSUPPORTED, CLIENTAUTH

application.comment

Comment given to an application included in the rule.

String

application.isAny

Application is set to ANY, meaning the rule applies to any application.

true, false

application.name

Applications included in the rule.

String
Note that the auto-complete feature lists only pre-defined application names. A customized application name will not appear in the auto-complete list, but you can still type the name in the search.

application.noHit

Applications on the rule which never triggered any firewall hits.

true, false

application.timeLastHit

Time frame when an application defined on the rule last triggered a firewall hit.

Last month, last week, next month, next week, next year, today, tomorrow, yesterday

appliedTo.name

Names of objects covered by the rule. Will search hierarchically in VMs & NICs.

String

automationAttribute

Rule automation attribute.

A legacy rule is a rule that is no longer needed and is typically a candidate for future decommissioning. When a rule is marked as legacy, SecureChange Designer treats it as a shadowed rule when making recommendations, and SecureChange Verifier ignores it when verifying access.

A stealth rule is a 'deny' rule (it cannot be 'allow') placed at the top of the policy whose purpose is to prevent all access that has not been explicitly granted by other rules, thus protecting the entire network, including the firewall itself.

For users of SecureChange, when a rule is marked as stealth, Designer recommendations place any new rules recommended for an access request below the stealth section of the policy.

STEALTH, LEGACY

businessOwner.email

Email address of the business owner.

String

businessOwner.name

Name of the business owner.

String

certificationStatus

Whether the rule has been certified.

CERTIFIED, DECERTIFIED

comment

Comment given to the rule.

String

description

Rule description.

String

destination.comment

Comment given to the destination.

String

destination.ip

Destination IP addresses.

String in IP format
See IP Addresses

destination.isAny

Destination is set to ANY.

true, false

destination.name

Destination names.

String

destination.negated

Destination is negated; it applies to all destinations except those specified.

true, false

destinationZone.isAny

Destination zone is set to ANY - any destination zone will be covered by the rule.

true, false

destinationZone.name

Name of the destination zone.

String

device.model

Model of the device containing the rule.

ASA, AWS, AWS_VPC, AZURE_ACCOUNT, AZURE_VNET, CMA, FORTIGATE, FORTIMANAGER, GCP_PROJECT, GCP_VPC, MDS, NEXUS, PANORAMA, PANOS, ROUTER, SMART_CENTER, VMWARE_NSX_DISTRIBUTED_FIREWALL, VMWARE_NSX_EDGE, VMWARE_NSX_MANAGEMENT, UNKNOWN

device.name

Device name.

String

direction

Direction of the traffic referred to by the rule.

INBOUND, OUTBOUND

disabled

Rule is disabled.

true, false

domain.name

Name of the domain to which the device has been assigned.

String

fullyShadowed

The rule will never match any traffic, because rules higher up in the rulebase already handle all of it.

true, false

idOnDevice

Device specific rule identifier. Usually identifies the rule order in the security policy.

String

installedOn.isAny

Installed on is set to ANY; the rule can be installed on any device.

true, false

installedOn.name

Device name on which the rule is installed.

String

isExemptedFromUsp

Rules that will not trigger a violation due to an active exception.

true, false

logged

Rule is logged.

true, false

logProfile.name

Name of the log profile in which the rule is logged.

String

name

Rule name.

String

object.notHit

Contains at least one object that has never received a hit. Supported for Azure NSG only.

Object results include: Source, destination, or service.

true, false

object.timeLastHit

Contains at least one object that was last hit within the specified time frame. Supported for Azure NSG only.

Object results include: Source, destination, or service.

Last month, last week, next month, next week, next year, today, tomorrow, yesterday

permissivenessLevel

Permissiveness level.

HIGH, LOW, MEDIUM

policy.name

Policy name.

String

relatedTicket.text

Related ticket ID given by the user.

String

sectionTitle

Section title.

String

secureappApplicationName

Name of related SecureApp application.

String

secureappApplicationOwner

Owner of related SecureApp application.

String

securechangeTicketInProgressId

ID of a SecureChange ticket in progress.

String

securityProfiles.category

Security profile category.

String

securityProfiles.name

Security profile name.

String

service.comment

Service comment.

String

service.icmpCode

Service ICMP code.

Int

service.icmpType

Service ICMP type.

Numeric range

service.isAny

Service set to ANY.

true, false

service.isApplicationDefault

Service is set to the default application.

true, false

service.name

Service name.

String
Note that the auto-complete feature lists only pre-defined service names. A customized service name will not appear in the auto-complete list, but you can still type the name in the search.

service.negated

Service is negated.

true, false

service.port

Service port.

Int

service.protocol

Service protocol.

Int

source.comment

Source comment.

String

source.domainAddress

IP address of the source domain.

source.ip

Source IP.

String in IP format
See IP Addresses

source.isAny

Source is set to ANY.

true, false

source.name

Source name.

String

source.negated

Source is negated.

true, false

sourceZone.isAny

Source zone is set to ANY.

true, false

sourceZone.name

Name of source zone.

String

tags

Tags included in the rule.

String

text

Text search of all strings in all fields in the system. This includes every field except true/false fields and time stamps.
A text search can also match a partial IP address.

String

time.name

Time object or time group object in a rule.

String

time.isAny

Time object or time group object in a rule exists.

true, false

timeCertification

Time that the rule was certified.

YYYY-MM-DD

timeCertificationExpiration

Time that the certification for the rule expires.

YYYY-MM-DD

timeExpiration

Date until which the requested traffic is required.

String

timeLastHit

Last time that traffic passed through the device and matched the rule, or the user or application identities defined on it. This field is supported for security rules only, not NAT rules, except on Check Point, which supports Last Hit for both security rules and NAT rules.

YYYY-MM-DD

timeLastModified

Last time the rule was changed.

YYYY-MM-DD

urlCategory.isAny

URL category is set to ANY.

true, false

urlCategory.name

URL category name.

String

urlCategory.urls

URL category URLs.

String

user.dn

User domain name.

String

user.isAllIdentity

User is set to All Identity.

true, false

user.isAny

User is set to ANY.

true, false

user.isGuest

User is set to guest.

true, false

user.isPreAuth

User is set to previous authentication.

true, false

user.name

User name.

String

user.noHit

Configured users on the rule who never triggered any firewall hits.

true, false

user.timeLastHit

Time frame when a configured user defined on the rule last triggered a firewall hit.

Last month, last week, next month, next week, next year, today, tomorrow, yesterday

uspExceptionName

Exception name.

String

vendor

Device vendor.

AMAZON, BARRACUDA, CHECKPOINT, CISCO, FORTINET, GOOGLE, MICROSOFT, PALO_ALTO, VMWARE, UNKNOWN

violationHighestSeverity

Highest violation severity.

CRITICAL, HIGH, MEDIUM, LOW. Comparison operators such as <= can be used.

violations.fromZone
or
violation.fromZone.name

USP source zone in the case of a violation.

String

violations.timeCreated

Date of last violation calculation.

YYYY-MM-DD

violations.toZone
or
violation.toZone.name

USP target zone in the case of a violation.

String

violations.usp.name

Name of the violated USP.

String

vpn.isAllCommunities

VPN is set to all communities.

true, false

vpn.isAny

VPN is set to ANY.

true, false

vpn.isGwToGw

VPN is set to 'gateway to gateway'.

true, false

vpn.name

VPN name.

String

zonesRelation

Relationship between zones (also called 'rule type' on some devices).

INTERZONE, INTRAZONE, UNIVERSAL (equivalent to ANY)

Sort Fields

Fields that can be used with the 'order by' operator.

  • timeLastHit
  • timeLastModified
  • name
  • permissivenessLevel
  • violationHighestSeverity

Query Examples

  • Before decommissioning a server, find all rules that contain an object with the server's IP address as source or destination, including network groups.

    source.ip = '11.22.33.44' or destination.ip = '11.22.33.44'

  • Before decommissioning a server, find all rules that contain an object with the server's name as source or destination, including network groups.

    source.name = 'MyServer' or destination.name = 'MyServer'

  • Audit for unsecured services. List all rules that include the service, including via service groups (the query does not filter on action, so it returns deny rules as well as allow rules).

    service.name in ('ssh', 'ftp')

  • Find all rules with tags.

    tags exists

  • Find all rules without tags.

    tags not exists

  • Find unneeded rules - rules with no hit and no modification in the last year.

    timeLastModified before 365 days ago and timeLastHit before 365 days ago

  • Find unneeded rules - fully shadowed rules with no modification in the last year, or disabled rules.

    (fullyShadowed = true and timeLastModified before last year) or (disabled = true)

  • List rules with permissiveness level high or medium.

    permissivenessLevel in ('HIGH','MEDIUM')

  • List rules with "ANY" in either source, destination, service, users or application.

    source.isAny = true or destination.isAny = true or service.isAny = true or user.isAny = true or application.isAny = true

  • List rules allowing traffic between specific zones in the organization

    sourceZone.name = 'dmz' and destinationZone.name = 'internet'

  • Find rules that contain at least one time object whose name contains "night", for example "EveryNight".

    time.name CONTAINS 'night'
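The query examples above all follow one small pattern: a field, an operator, a literal, joined with and/or and parentheses. As an added illustration (not Tufin's code and not the SecureTrack query engine), the Python below implements an evaluator for exactly the subset those examples use (=, in (...), exists / not exists, CONTAINS, before N days ago / before last year) and runs the example queries against a constructed sample rulebase. The token grammar, the matching semantics (case-insensitive keywords, any-of matching for cells that hold several objects, an absent value never satisfying "before") and the sample rules are all assumptions made for the demonstration; the page does not say how SecureTrack parses or matches.

```python
import re
from datetime import date, timedelta

# Tokens: 'quoted string' | one of ( ) = , | bare word (field name, keyword, number, true/false)
_TOKEN = re.compile(r"\s*(?:'([^']*)'|([()=,])|([A-Za-z0-9_.\-]+))")

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        pos = m.end()
        kind = "str" if m.group(1) is not None else "sym" if m.group(2) else "word"
        tokens.append((kind, m.group(1) if kind == "str" else m.group(2) or m.group(3)))
    return tokens

def _vals(v):  # a cell may hold several objects (list); None means the field is absent
    return [] if v is None else v if isinstance(v, list) else [v]

class Parser:
    """expr := term ('or' term)*;  term := factor ('and' factor)*;  factor := '(' expr ')' | condition."""
    def __init__(self, query, today):
        self.toks, self.i, self.today = tokenize(query), 0, today
    def peek(self, kind=None, text=None):
        k, t = self.toks[self.i] if self.i < len(self.toks) else (None, None)
        return t if k and kind in (None, k) and text in (None, t.lower()) else None
    def take(self, kind=None, text=None):
        if self.peek(kind, text) is None:
            raise ValueError(f"expected {text or kind} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def take_if(self, word):  # consume the keyword (case-insensitive) if it is next
        return self.peek("word", word) is not None and self.take() is not None
    def chain(self, sub, word, combine):  # left-assoc chain of `sub` joined by keyword `word`
        pred = sub()
        while self.take_if(word):
            pred = combine(pred, sub())
        return pred
    def expr(self): return self.chain(self.term, "or", lambda a, b: lambda r: a(r) or b(r))
    def term(self): return self.chain(self.factor, "and", lambda a, b: lambda r: a(r) and b(r))
    def factor(self):
        if self.peek("sym", "(") is None:
            return self.condition()
        self.take(); pred = self.expr(); self.take("sym", ")")
        return pred
    def literal(self):  # 'string' | true | false | bare word (numbers stay as text)
        if self.peek("str") is not None:
            return self.take("str")
        word = self.take("word")
        return {"true": True, "false": False}.get(word.lower(), word)
    def cutoff(self):  # 'last year' | 'N days ago' -> absolute date relative to today
        if self.take_if("last"):
            self.take("word", "year")
            return self.today - timedelta(days=365)
        days = int(self.take("word")); self.take("word", "days"); self.take("word", "ago")
        return self.today - timedelta(days=days)
    def condition(self):  # field op ... -> predicate over one rule dict keyed by TQL field name
        field = self.take("word")
        get = lambda r: _vals(r.get(field))
        if self.take_if("not"):
            self.take("word", "exists")
            return lambda r: not get(r)
        if self.take_if("exists"):
            return lambda r: bool(get(r))
        if self.take_if("contains"):
            sub = self.take("str").lower()
            return lambda r: any(sub in str(v).lower() for v in get(r))
        if self.take_if("before"):
            limit = self.cutoff()
            # An absent value (e.g. a rule that was never hit) is not "before" the cutoff: no match.
            return lambda r: any(isinstance(v, date) and v < limit for v in get(r))
        if self.take_if("in"):
            self.take("sym", "("); want = {self.literal()}
            while self.peek("sym", ",") is not None:
                self.take(); want.add(self.literal())
            self.take("sym", ")")
        else:
            self.take("sym", "="); want = {self.literal()}
        return lambda r: any(v in want for v in get(r))

def search(rules, query, today=None):
    """Names of the rules matching `query`, in rulebase order; ValueError on a malformed query."""
    p = Parser(query, today or date.today())
    pred = p.expr()
    if p.i != len(p.toks): raise ValueError(f"unexpected token {p.toks[p.i]}")
    return [r["name"] for r in rules if pred(r)]

TODAY = date(2024, 6, 1)  # pinned so the constructed sample below gives stable answers
def _rule(name, over):
    return {"name": name, "tags": [], "disabled": False, "fullyShadowed": False,
            "source.isAny": False, "destination.isAny": False, "service.isAny": False, **over}
RULES = [  # constructed sample rulebase, not real data
    _rule("allow-ssh-admin", {"source.name": ["AdminNet"], "destination.name": ["MyServer"], "service.name": ["ssh"],
          "tags": ["owner:neteng"], "timeLastModified": date(2024, 5, 20), "timeLastHit": date(2024, 5, 31)}),
    _rule("legacy-ftp", {"source.name": ["Any"], "source.isAny": True, "destination.name": ["MyServer"],
          "service.name": ["ftp"], "fullyShadowed": True, "timeLastModified": date(2022, 1, 10), "timeLastHit": date(2022, 3, 3)}),
    _rule("night-backup", {"source.name": ["BackupHost"], "destination.name": ["NAS"], "service.name": ["smb"],
          "time.name": ["EveryNight"], "disabled": True, "timeLastModified": date(2024, 1, 5), "timeLastHit": None}),
]
```

Calling search(RULES, "timeLastModified before 365 days ago and timeLastHit before 365 days ago", TODAY) returns only legacy-ftp, and that is the point worth noticing before a decommissioning sweep: night-backup has never been hit, so it has no timeLastHit value, and an absent value does not satisfy "before" in this evaluator, so the rule drops out of the "unneeded rules" query. The page does not state how SecureTrack treats never-hit rules in a date comparison; if it behaves the same way, the stale-rule query needs "or timeLastHit not exists" added (that exists works on timeLastHit is an assumption here; the page shows it only on tags).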