TQL Fields For the Rule Viewer
The following fields are available via TQL.
All Fields
| Field Name | Description | Values / Format |
|---|---|---|
| action | Rule action. | ALLOW, DENY, GOTO, UNSUPPORTED, CLIENTAUTH |
| application.comment | Comment given to an application included in the rule. | String |
| application.isAny | Application is set to ANY, meaning the rule applies to any application. | true, false |
| application.name | Applications included in the rule. | String |
| application.noHit | Applications on the rule which never triggered any firewall hits. | true, false |
| application.timeLastHit | Time frame when an application defined on the rule last triggered a firewall hit. | Last month, last week, next month, next week, next year, today, tomorrow, yesterday |
| appliedTo.name | Names of objects covered by the rule. Will search hierarchically in VMs & NICs. | String |
| automationAttribute | Rule automation attribute. A legacy rule is a rule that is no longer needed and is typically a candidate for future decommissioning. When a rule is marked as legacy, SecureChange Designer will treat it as a shadowed rule when making recommendations, and SecureChange Verifier will ignore it when verifying access. A stealth rule is a 'deny' rule (cannot be 'allow') placed at the top of the policy whose purpose is to prevent all access that hasn't been explicitly granted by other rules, thus protecting the entire network including the firewall itself. For users of SecureChange, when a rule is marked as stealth, Designer recommendations will place any new rules recommended for an access request below the stealth section of the policy. | STEALTH, LEGACY |
| businessOwner.email | Email address of the business owner. | String |
| businessOwner.name | Name of the business owner. | String |
| certificationStatus | Whether the rule has been certified. | CERTIFIED, DECERTIFIED |
| comment | Comment given to the rule. | String |
| description | Rule description. | String |
| destination.comment | Comment given to the destination. | String |
| destination.ip | Destination IP addresses. | String in IP format |
| destination.isAny | Destination is set to ANY. | true, false |
| destination.name | Destination names. | String |
| destination.negated | Destination is negated; the rule applies to all destinations except those specified. | true, false |
| destinationZone.isAny | Destination zone is set to ANY; any destination zone will be covered by the rule. | true, false |
| destinationZone.name | Name of the destination zone. | String |
| device.model | Model of the device containing the rule. | ASA, AWS, AWS_VPC, AZURE_ACCOUNT, AZURE_VNET, CMA, FORTIGATE, FORTIMANAGER, GCP_PROJECT, GCP_VPC, MDS, NEXUS, PANORAMA, PANOS, ROUTER, SMART_CENTER, VMWARE_NSX_DISTRIBUTED_FIREWALL, VMWARE_NSX_EDGE, VMWARE_NSX_MANAGEMENT, UNKNOWN |
| device.name | Device name. | String |
| direction | Direction of the traffic referred to by the rule. | INBOUND, OUTBOUND |
| disabled | Rule is disabled. | true, false |
| domain.name | Name of the domain to which the device has been assigned. | String |
| fullyShadowed | Rule will never handle the traffic because of other rules higher up in the rulebase. | true, false |
| idOnDevice | Device-specific rule identifier. Usually identifies the rule order in the security policy. | String |
| installedOn.isAny | Installed on is set to ANY; the rule can be installed on any device. | true, false |
| installedOn.name | Name of the device on which the rule is installed. | String |
| isExemptedFromUsp | Rules that will not trigger a violation due to an active exception. | true, false |
| logged | Rule is logged. | true, false |
| logProfile.name | Name of the log profile in which the rule is logged. | String |
| name | Rule name. | String |
| object.notHit | Contains at least one object that has never received a hit. Supported for Azure NSG only. Object results include source, destination, or service. | true, false |
| object.timeLastHit | Contains at least one object that was last hit within the specified time frame. Supported for Azure NSG only. Object results include source, destination, or service. | Last month, last week, next month, next week, next year, today, tomorrow, yesterday |
| permissivenessLevel | Permissiveness level. | HIGH, LOW, MEDIUM |
| policy.name | Policy name. | String |
| relatedTicket.text | Related ticket ID given by the user. | String |
| sectionTitle | Section title. | String |
| secureappApplicationName | Name of the related SecureApp application. | String |
| secureappApplicationOwner | Owner of the related SecureApp application. | String |
| securechangeTicketInProgressId | ID of a SecureChange ticket in progress. | String |
| securityProfiles.category | Security profile category. | String |
| securityProfiles.name | Security profile name. | String |
| service.comment | Service comment. | String |
| service.icmpCode | Service ICMP code. | Int |
| service.icmpType | Service ICMP type. | Numeric range |
| service.isAny | Service is set to ANY. | true, false |
| service.isApplicationDefault | Service is set to the default application. | true, false |
| service.name | Service name. | String |
| service.negated | Service is negated. | true, false |
| service.port | Service port. | Int |
| service.protocol | Service protocol. | Int |
| source.comment | Source comment. | String |
| source.domainAddress | IP address of the source domain. | |
| source.ip | Source IP. | String in IP format |
| source.isAny | Source is set to ANY. | true, false |
| source.name | Source name. | String |
| source.negated | Source is negated. | true, false |
| sourceZone.isAny | Source zone is set to ANY. | true, false |
| sourceZone.name | Name of the source zone. | String |
| tags | Tags included in the rule. | String |
| text | Text search of all strings in all fields in the system. This includes all fields except true/false fields and time stamps. | String |
| time.name | Time object or time group object in a rule. | String |
| time.isAny | A time object or time group object exists in the rule. | true, false |
| timeCertification | Time that the rule was certified. | YYYY-MM-DD |
| timeCertificationExpiration | Time that the certification for the rule expires. | YYYY-MM-DD |
| timeExpiration | Date until which the requested traffic is required. | String |
| timeLastHit | Last time that traffic passed through the device and matched the rule, user, or application identity details. This field is supported for security rules only, not NAT rules, with the exception of Check Point, which supports Last Hit for both security rules and NAT rules. | YYYY-MM-DD |
| timeLastModified | Last time the rule was changed. | YYYY-MM-DD |
| urlCategory.isAny | URL category is set to ANY. | true, false |
| urlCategory.name | URL category name. | String |
| urlCategory.urls | URL category URLs. | String |
| user.dn | User domain name. | String |
| user.isAllIdentity | User is set to All Identity. | true, false |
| user.isAny | User is set to ANY. | true, false |
| user.isGuest | User is set to guest. | true, false |
| user.isPreAuth | User is set to previous authentication. | true, false |
| user.name | User name. | String |
| user.noHit | Configured users on the rule who never triggered any firewall hits. | true, false |
| user.timeLastHit | Time frame when a configured user defined on the rule last triggered a firewall hit. | Last month, last week, next month, next week, next year, today, tomorrow, yesterday |
| uspExceptionName | Exception name. | String |
| vendor | Device vendor. | AMAZON, BARRACUDA, CHECKPOINT, CISCO, FORTINET, GOOGLE, MICROSOFT, PALO_ALTO, VMWARE, UNKNOWN |
| violationHighestSeverity | Highest violation severity. | CRITICAL, HIGH, MEDIUM, LOW. Comparison operators such as <= can be used. |
| violations.fromZone | USP source zone in the case of a violation. | String |
| violations.timeCreated | Date of the last violation calculation. | YYYY-MM-DD |
| violations.toZone | USP target zone in the case of a violation. | String |
| violations.usp.name | Name of the violated USP. | String |
| vpn.isAllCommunities | VPN is set to all communities. | true, false |
| vpn.isAny | VPN is set to ANY. | true, false |
| vpn.isGwToGw | VPN is set to 'gateway to gateway'. | true, false |
| vpn.name | VPN name. | String |
| zonesRelation | Relationship between zones (also called 'rule type' on some devices). | INTERZONE, INTRAZONE, UNIVERSAL (equivalent to ANY) |
Sort Fields
Fields that can be used with the 'order by' operator.
- timeLastHit
- timeLastModified
- name
- permissivenessLevel
- violationHighestSeverity
Query Examples
- Before decommissioning a server, find all rules that contain an object with the server's IP address as source or destination, including network groups.
  `source.ip = '11.22.33.44' or destination.ip = '11.22.33.44'`
- Before decommissioning a server, find all rules that contain an object with the server's name as source or destination, including network groups.
  `source.name = 'MyServer' or destination.name = 'MyServer'`
- Audit for unsecured services. List all rules that allow the service, including service groups.
  `service.name in ('ssh', 'ftp')`
- Find all rules with tags.
  `tags exists`
- Find all rules without tags.
  `tags not exists`
- Find unneeded rules: rules with no hit and no modification in the last year.
  `timeLastModified before 365 days ago and timeLastHit before 365 days ago`
- Find unneeded rules: shadowed rules with no hit and no modification in the last year, or disabled rules.
  `(fullyShadowed = true and timeLastModified before last year) or (disabled = true)`
- List rules with permissiveness level high or medium.
  `permissivenessLevel in ('HIGH','MEDIUM')`
- List rules with "ANY" in either source, destination, service, users or application.
  `source.isAny = true or destination.isAny = true or service.isAny = true or user.isAny = true or application.isAny = true`
- List rules allowing traffic between specific zones in the organization.
  `sourceZone.name = 'dmz' and destinationZone.name = 'internet'`
- Devices with rules that contain at least one time object whose name contains "night", for example "EveryNight".
  `time.name CONTAINS 'night'`
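When these queries are assembled by a script (for example from a CMDB export or a ticket field), the values should be checked against the field catalogue above before they are pasted into a TQL string. The following Python helper is an added example, not part of the original page or of Tufin's own tooling: it renders the page's query forms (`=`, `in (...)`, `or`, boolean fields) while rejecting unknown enum values, non-IP input for the IP fields, fields not allowed with 'order by', and values containing a single quote (the page documents no escape syntax, so the helper refuses rather than guesses). The `<query> order by <field>` form is an assumption.

```python
import ipaddress
import re

# Subset of the field catalogue above, transcribed for this example.
ENUM_FIELDS = {
    "action": {"ALLOW", "DENY", "GOTO", "UNSUPPORTED", "CLIENTAUTH"},
    "permissivenessLevel": {"HIGH", "MEDIUM", "LOW"},
    "violationHighestSeverity": {"CRITICAL", "HIGH", "MEDIUM", "LOW"},
}
IP_FIELDS = {"source.ip", "destination.ip"}
SORT_FIELDS = {"timeLastHit", "timeLastModified", "name",
               "permissivenessLevel", "violationHighestSeverity"}
FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")

def literal(field, value):
    """Validate `value` for `field` and render it as a TQL literal."""
    if not FIELD_RE.match(field):
        raise ValueError(f"bad field name: {field!r}")
    if isinstance(value, bool):            # true/false fields are unquoted
        return "true" if value else "false"
    if field in ENUM_FIELDS and value not in ENUM_FIELDS[field]:
        raise ValueError(f"{value!r} is not a valid {field} value")
    if field in IP_FIELDS:
        ipaddress.ip_network(value, strict=False)   # raises on non-IP input
    if "'" in value:
        # No quote-escaping syntax is documented, so refuse instead of guessing;
        # this is also what stops a value from appending "' or ..." to the query.
        raise ValueError("single quote not allowed in a TQL string literal")
    return f"'{value}'"

def eq(field, value):
    return f"{field} = {literal(field, value)}"

def in_list(field, values):
    return f"{field} in ({', '.join(literal(field, v) for v in values)})"

def any_of(*conds):                        # join simple conditions with 'or'
    return " or ".join(conds)

def order_by(query, field):
    """Append a sort clause (the `<query> order by <field>` form is assumed)."""
    if field not in SORT_FIELDS:
        raise ValueError(f"{field!r} cannot be used with order by")
    return f"{query} order by {field}"

def decommission_query(ip, hostname):
    """Rules naming a server by IP or object name (first two page examples)."""
    return any_of(eq("source.ip", ip), eq("destination.ip", ip),
                  eq("source.name", hostname), eq("destination.name", hostname))
```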