TQL Fields For the Rule Viewer

The following fields are available via TQL.

All Fields

The type of information displayed for each rule varies according to the type of device from which the rule is taken.
Each entry below gives, in order: Field Name, Description, Values / Format.

action

The rule action

ALLOW, DENY, GOTO, UNSUPPORTED, CLIENTAUTH

application.comment

The comment given to an application included in the rule

String

application.isAny

Application is set to ANY, meaning the rule applies to any application

true, false

application.name

Applications included in the rule

String
Note that the auto-complete feature lists only pre-defined application names. A customized application name will not appear in the auto-complete list; however, you can type the name in the search.

application.noHit

Applications on the rule which never triggered any firewall hits

true, false

application.timeLastHit

The time frame when an application defined on the rule last triggered a firewall hit

Last month, last week, next month, next week, next year, today, tomorrow, yesterday

appliedTo.name

Names of objects covered by the rule. Will search hierarchically in VMs & NICs

String

automationAttribute

Rule automation attribute.

A legacy rule is a rule that is no longer needed and is typically a candidate for future decommissioning. When a rule is marked as legacy, SecureChange Designer will treat it as a shadowed rule when making recommendations, and SecureChange Verifier will ignore it when verifying access.

A stealth rule is a 'deny' rule (cannot be 'allow') placed at the top of the policy whose purpose is to prevent all access that hasn't been explicitly granted by other rules, thus protecting the entire network including the firewall itself.

For users of SecureChange, when a rule is marked as stealth, Designer recommendations will place any new rules recommended for an access request below the stealth section of the policy.

STEALTH, LEGACY

businessOwner.email

Email address of the business owner

String

businessOwner.name

Name of the business owner

String

certificationStatus

Whether the rule has been certified

CERTIFIED, DECERTIFIED

comment

The comment given to the rule

String

description

The rule description

String

destination.comment

The comment given to the destination

String

destination.ip

Destination IP addresses

String in IP format
See IP Addresses

destination.isAny

Destination is set to ANY

true, false

destination.name

Destination names

String

destination.negated

The destination is negated, meaning it applies to all destinations except those specified

true, false

destinationZone.isAny

Destination zone is set to ANY - any destination zone will be covered by the rule.

true, false

destinationZone.name

The name of the destination zone

String

device.model

The model of the device containing the rule.

ASA, AWS, AWS_VPC, AZURE_ACCOUNT, AZURE_VNET, CMA, FORTIGATE, FORTIMANAGER, GCP_PROJECT, GCP_VPC, MDS, NEXUS, PANORAMA, PANOS, ROUTER, SMART_CENTER, VMWARE_NSX_DISTRIBUTED_FIREWALL, VMWARE_NSX_EDGE, VMWARE_NSX_MANAGEMENT, UNKNOWN

device.name

The device name

String

direction

The direction of the traffic referred to by the rule.

INBOUND, OUTBOUND

disabled

The rule is disabled

true, false

domain.name

The name of the domain to which the device has been assigned

String

fullyShadowed

The rule will never handle the traffic due to other rules existing higher up in the rulebase.

true, false

idOnDevice

Device specific rule identifier. Usually identifies the rule order in the security policy.

String

installedOn.isAny

Installed on is set to ANY, meaning the rule can be installed on any device

true, false

installedOn.name

Device name on which the rule is installed

String

isExemptedFromUsp

Rules that will not trigger a violation due to an active exception

true, false

logged

The rule is logged

true, false

logProfile.name

The name of the log profile in which the rule is logged

String

name

The rule name

String

permissivenessLevel

Permissiveness level

HIGH, LOW, MEDIUM

policy.name

Policy name

String

relatedTicket.text

The related ticket ID given by the user

String

sectionTitle

Section title

String

secureappApplicationName

Name of related SecureApp application

String

secureappApplicationOwner

Owner of related SecureApp application

String

securechangeTicketInProgressId

The ID of a SecureChange ticket in progress

String

securityProfiles.category

Security profile category

String

securityProfiles.name

Security profile name

String

service.comment

Service comment

String

service.icmpCode

Service ICMP code

Int

service.icmpType

Service ICMP type

Numeric range

service.isAny

Service set to ANY

true, false

service.isApplicationDefault

Service is set to the default application

true, false

service.name

Service name

String
Note that the auto-complete feature lists only pre-defined service names. A customized service name will not appear in the auto-complete list; however, you can type the name in the search.

service.negated

Service is negated

true, false

service.port

Service port

Int

service.protocol

Service protocol

Int

source.comment

Source comment

String

source.domainAddress

 

 

source.ip

Source IP

String in IP format
See IP Addresses

source.isAny

Source is set to ANY

true, false

source.name

Source name

String

source.negated

The source is negated

true, false

sourceZone.isAny

Source zone is set to ANY

true, false

sourceZone.name

Name of source zone

String

tags

Tags included in the rule

String

text

Text search of all strings in all fields in the system. This includes all fields except true/false fields or time stamps.
You can use a text search for a partial IP address.

String

time.name

Time object or time group object in a rule.

String

time.isAny

Time object or time group object in a rule exists

true, false

timeCertification

The time that the rule was certified

YYYY-MM-DD

timeCertificationExpiration

The time that the certification for the rule expires

YYYY-MM-DD

timeExpiration

The date until which the requested traffic is required

String

timeLastHit

The last time that traffic passed through the device and matched either the rule, user, or application identities details. This field is supported for security rules only, and not NAT rules, with the exception of Check Point, which supports Last Hit for both security rules and NAT rules.

YYYY-MM-DD

timeLastModified

The last time traffic matched the rule

YYYY-MM-DD

urlCategory.isAny

URL category is set to ANY

true, false

urlCategory.name

URL category name

String

urlCategory.urls

URL category URLs

String

user.dn

User domain name

String

user.isAllIdentity

User is set to All Identity

true, false

user.isAny

User is set to ANY

true, false

user.isGuest

User is set to guest

true, false

user.isPreAuth

User is set to previous authentication

true, false

user.name

User name

String

user.noHit

Configured users on the rule who never triggered any firewall hits

true, false

user.timeLastHit

The time frame when a configured user defined on the rule last triggered a firewall hit

Last month, last week, next month, next week, next year, today, tomorrow, yesterday

uspExceptionName

Exception name

String

vendor

The device vendor

AMAZON, BARRACUDA, CHECKPOINT, CISCO, FORTINET, GOOGLE, MICROSOFT, PALO_ALTO, VMWARE, UNKNOWN

violationHighestSeverity

Highest violation severity

CRITICAL, HIGH, MEDIUM, LOW. Can use comparison operators e.g. <=.

violations.fromZone
or
violation.fromZone.name

The USP source zone in the case of a violation

String

violations.timeCreated

Date of last violation calculation

YYYY-MM-DD

violations.toZone
or
violation.toZone.name

The USP target zone in the case of a violation

String

violations.usp.name

The name of the violated USP

String

vpn.isAllCommunities

VPN is set to all communities

true, false

vpn.isAny

VPN is set to ANY

true, false

vpn.isGwToGw

VPN is set to 'gateway to gateway'

true, false

vpn.name

VPN name

String

zonesRelation

Relationship between zones. Called rule type on some devices

INTERZONE, INTRAZONE, UNIVERSAL (equivalent to ANY)

Sort Fields

Fields that can be used with the 'order by' operator.

  • timeLastHit
  • timeLastModified
  • name
  • permissivenessLevel
  • violationHighestSeverity

Query Examples

  • Before decommissioning a server, find all rules that contain an object with the server's IP address as source or destination including network groups.

    source.ip = '11.22.33.44' or destination.ip = '11.22.33.44'

  • Before decommissioning a server, find all rules that contain an object with the server's name as source or destination including network groups.

    source.name = 'MyServer' or destination.name = 'MyServer'

  • Audit for unsecured services. List all rules that allow the service, including service groups.

    service.name in ('ssh', 'ftp')

  • Find all rules with tags.

    tags exists

  • Find all rules without tags.

    tags not exists

  • Find unneeded rules - rules with no hit and no modification in the last year

    timeLastModified before 365 days ago and timeLastHit before 365 days ago

  • Find unneeded rules - shadowed rules with no hit and no modification in the last year or disabled

    (fullyShadowed = true and timeLastModified before last year) or (disabled = true)

  • List rules with permissiveness level high or medium.

    permissivenessLevel in ('HIGH','MEDIUM')

  • List rules with "ANY" in either source, destination, service, users or application.

    source.isAny = true or destination.isAny = true or service.isAny = true or user.isAny = true or application.isAny = true

  • List rules allowing traffic between specific zones in the organization

    sourceZone.name = 'dmz' and destinationZone.name = 'internet'

  • Device with rules that contain at least one time object that contains "night", for example, "EveryNight".

    time.name CONTAINS 'night'
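
When queries like the ones above are generated from ticket or inventory data rather than typed by hand, each value should be checked against its field before it is placed inside the quotes. The following Python helper is an added example, not Tufin code: the function names are hypothetical, the field list is a subset of the table on this page, and refusing quote characters is an assumption made because this page does not document an escaping rule.

```python
import ipaddress

# Subset of the field table on this page: field name -> kind of value it takes.
FIELDS = {
    "source.ip": "ip", "destination.ip": "ip",
    "source.name": "str", "destination.name": "str", "service.name": "str",
    "disabled": "bool", "fullyShadowed": "bool",
    "permissivenessLevel": {"HIGH", "LOW", "MEDIUM"},
}

def literal(field, value):
    """Render one value as a TQL literal, or raise ValueError if it does not fit the field."""
    if field not in FIELDS:
        raise ValueError(f"unknown TQL field: {field!r}")
    kind = FIELDS[field]
    if kind == "bool":
        if not isinstance(value, bool):
            raise ValueError(f"{field} takes true or false")
        return "true" if value else "false"
    if not isinstance(value, str) or not value:
        raise ValueError(f"{field} takes a non-empty string")
    if kind == "ip":
        # Narrowed to single addresses; normalises and rejects anything else.
        value = str(ipaddress.ip_address(value))
    elif isinstance(kind, set) and value not in kind:
        raise ValueError(f"{value!r} is not a listed value for {field}")
    # Assumption: no escaping rule is documented here, so values that could
    # close the quoted literal or hide characters are refused, not escaped.
    if "'" in value or "\\" in value or not value.isprintable():
        raise ValueError(f"unsafe characters in value for {field}")
    return f"'{value}'"

def eq(field, value):
    return f"{field} = {literal(field, value)}"

def any_in(field, values):
    items = [literal(field, v) for v in values]
    if not items:
        raise ValueError("empty value list")
    return f"{field} in ({', '.join(items)})"

def decommission_query(ips=(), names=()):
    """Build the page's 'before decommissioning a server' query for several servers."""
    clauses = []
    for ip in ips:
        clauses += [eq("source.ip", ip), eq("destination.ip", ip)]
    for name in names:
        clauses += [eq("source.name", name), eq("destination.name", name)]
    if not clauses:
        raise ValueError("nothing to search for")
    return " or ".join(clauses)
```

A server name such as `x' or disabled = true or source.name = 'y` is rejected instead of widening the search, so a query built from untrusted input returns only rules that reference the named servers.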