TQL Fields For the Rule Viewer
The following fields are available via TQL.
All Fields
| Field Name | Description | Values / Format |
|---|---|---|
| action | The rule action | ALLOW, DENY, GOTO, UNSUPPORTED, CLIENTAUTH |
| application.comment | The comment given to an application included in the rule | String |
| application.isAny | Application is set to ANY, meaning the rule applies to any application | true, false |
| application.name | Applications included in the rule | String |
| application.noHit | Applications on the rule which never triggered any firewall hits | true, false |
| application.timeLastHit | The time frame when an application defined on the rule last triggered a firewall hit | Last month, last week, next month, next week, next year, today, tomorrow, yesterday |
| appliedTo.name | Names of objects covered by the rule. Searches hierarchically in VMs and NICs | String |
| automationAttribute | Rule automation attribute. A legacy rule is a rule that is no longer needed and is typically a candidate for future decommissioning. When a rule is marked as legacy, SecureChange Designer will treat it as a shadowed rule when making recommendations, and SecureChange Verifier will ignore it when verifying access. A stealth rule is a 'deny' rule (cannot be 'allow') placed at the top of the policy whose purpose is to prevent all access that hasn't been explicitly granted by other rules, thus protecting the entire network including the firewall itself. For users of SecureChange, when a rule is marked as stealth, Designer recommendations will place any new rules recommended for an access request below the stealth section of the policy. | STEALTH, LEGACY |
| businessOwner.email | Email address of the business owner | String |
| businessOwner.name | Name of the business owner | String |
| certificationStatus | Whether the rule has been certified | CERTIFIED, DECERTIFIED |
| comment | The comment given to the rule | String |
| description | The rule description | String |
| destination.comment | The comment given to the destination | String |
| destination.ip | Destination IP addresses | String in IP format |
| destination.isAny | Destination is set to ANY | true, false |
| destination.name | Destination names | String |
| destination.negated | The destination is negated, meaning the rule applies to all destinations except those specified | true, false |
| destinationZone.isAny | Destination zone is set to ANY, so any destination zone is covered by the rule | true, false |
| destinationZone.name | The name of the destination zone | String |
| device.model | The model of the device containing the rule | ASA, AWS, AWS_VPC, AZURE_ACCOUNT, AZURE_VNET, CMA, FORTIGATE, FORTIMANAGER, GCP_PROJECT, GCP_VPC, MDS, NEXUS, PANORAMA, PANOS, ROUTER, SMART_CENTER, VMWARE_NSX_DISTRIBUTED_FIREWALL, VMWARE_NSX_EDGE, VMWARE_NSX_MANAGEMENT, UNKNOWN |
| device.name | The device name | String |
| direction | The direction of the traffic referred to by the rule | INBOUND, OUTBOUND |
| disabled | The rule is disabled | true, false |
| domain.name | The name of the domain to which the device has been assigned | String |
| fullyShadowed | The rule will never handle traffic because rules higher up in the rulebase match it first | true, false |
| idOnDevice | Device-specific rule identifier. Usually identifies the rule order in the security policy | String |
| installedOn.isAny | Installed on is set to ANY, meaning the rule can be installed on any device | true, false |
| installedOn.name | Device name on which the rule is installed | String |
| isExemptedFromUsp | Rules that will not trigger a violation due to an active exception | true, false |
| logged | The rule is logged | true, false |
| logProfile.name | The name of the log profile in which the rule is logged | String |
| name | The rule name | String |
| permissivenessLevel | Permissiveness level | HIGH, LOW, MEDIUM |
| policy.name | Policy name | String |
| relatedTicket.text | The related ticket ID given by the user | String |
| sectionTitle | Section title | String |
| secureappApplicationName | Name of the related SecureApp application | String |
| secureappApplicationOwner | Owner of the related SecureApp application | String |
| securechangeTicketInProgressId | The ID of a SecureChange ticket in progress | String |
| securityProfiles.category | Security profile category | String |
| securityProfiles.name | Security profile name | String |
| service.comment | Service comment | String |
| service.icmpCode | Service ICMP code | Int |
| service.icmpType | Service ICMP type | Numeric range |
| service.isAny | Service is set to ANY | true, false |
| service.isApplicationDefault | Service is set to the default application | true, false |
| service.name | Service name | String |
| service.negated | Service is negated | true, false |
| service.port | Service port | Int |
| service.protocol | Service protocol | Int |
| source.comment | Source comment | String |
| source.domainAddress | | |
| source.ip | Source IP | String in IP format |
| source.isAny | Source is set to ANY | true, false |
| source.name | Source name | String |
| source.negated | The source is negated | true, false |
| sourceZone.isAny | Source zone is set to ANY | true, false |
| sourceZone.name | Name of the source zone | String |
| tags | Tags included in the rule | String |
| text | Text search of all strings in all fields in the system. This includes all fields except true/false fields and time stamps. | String |
| time.name | Time object or time group object in a rule | String |
| time.isAny | A time object or time group object exists in the rule | true, false |
| timeCertification | The time that the rule was certified | YYYY-MM-DD |
| timeCertificationExpiration | The time that the certification for the rule expires | YYYY-MM-DD |
| timeExpiration | The date until which the requested traffic is required | String |
| timeLastHit | The last time that traffic passed through the device and matched either the rule, user, or application identity details. This field is supported for security rules only, not NAT rules, with the exception of Check Point, which supports Last Hit for both security rules and NAT rules. | YYYY-MM-DD |
| timeLastModified | The last time traffic matched the rule | YYYY-MM-DD |
| urlCategory.isAny | URL category is set to ANY | true, false |
| urlCategory.name | URL category name | String |
| urlCategory.urls | URL category URLs | String |
| user.dn | User domain name | String |
| user.isAllIdentity | User is set to All Identity | true, false |
| user.isAny | User is set to ANY | true, false |
| user.isGuest | User is set to guest | true, false |
| user.isPreAuth | User is set to previous authentication | true, false |
| user.name | User name | String |
| user.noHit | Configured users on the rule who never triggered any firewall hits | true, false |
| user.timeLastHit | The time frame when a configured user defined on the rule last triggered a firewall hit | Last month, last week, next month, next week, next year, today, tomorrow, yesterday |
| uspExceptionName | Exception name | String |
| vendor | The device vendor | AMAZON, BARRACUDA, CHECKPOINT, CISCO, FORTINET, GOOGLE, MICROSOFT, PALO_ALTO, VMWARE, UNKNOWN |
| violationHighestSeverity | Highest violation severity | CRITICAL, HIGH, MEDIUM, LOW. Comparison operators such as <= can be used. |
| violations.fromZone | The USP source zone in the case of a violation | String |
| violations.timeCreated | Date of the last violation calculation | YYYY-MM-DD |
| violations.toZone | The USP target zone in the case of a violation | String |
| violations.usp.name | The name of the violated USP | String |
| vpn.isAllCommunities | VPN is set to all communities | true, false |
| vpn.isAny | VPN is set to ANY | true, false |
| vpn.isGwToGw | VPN is set to 'gateway to gateway' | true, false |
| vpn.name | VPN name | String |
| zonesRelation | Relationship between zones. Called rule type on some devices | INTERZONE, INTRAZONE, UNIVERSAL (equivalent to ANY) |
Sort Fields
Fields that can be used with the 'order by' operator.
- timeLastHit
- timeLastModified
- name
- permissivenessLevel
- violationHighestSeverity
Query Examples
- Before decommissioning a server, find all rules that contain an object with the server's IP address as source or destination, including network groups.
  `source.ip = '11.22.33.44' or destination.ip = '11.22.33.44'`
- Before decommissioning a server, find all rules that contain an object with the server's name as source or destination, including network groups.
  `source.name = 'MyServer' or destination.name = 'MyServer'`
- Audit for unsecured services. List all rules that allow the service, including service groups.
  `service.name in ('ssh', 'ftp')`
- Find all rules with tags.
  `tags exists`
- Find all rules without tags.
  `tags not exists`
- Find unneeded rules: rules with no hit and no modification in the last year.
  `timeLastModified before 365 days ago and timeLastHit before 365 days ago`
- Find unneeded rules: shadowed rules with no modification in the last year, or disabled rules.
  `(fullyShadowed = true and timeLastModified before last year) or (disabled = true)`
- List rules with permissiveness level high or medium.
  `permissivenessLevel in ('HIGH','MEDIUM')`
- List rules with "ANY" in the source, destination, service, users or application field.
  `source.isAny = true or destination.isAny = true or service.isAny = true or user.isAny = true or application.isAny = true`
- List rules allowing traffic between specific zones in the organization.
  `sourceZone.name = 'dmz' and destinationZone.name = 'internet'`
- Find rules that contain at least one time object whose name contains "night", for example "EveryNight".
  `time.name CONTAINS 'night'`
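The decommissioning, unsecured-service, stale-rule and ANY-object queries above are often generated from ticket data rather than typed by hand. The following is an added example (not Tufin's code) of composing them from parameters while validating IPs and refusing literals that the single-quoted TQL syntax shown on this page cannot express; it assumes only the query forms shown above, since the page documents no escaping rule for TQL string literals.

```python
"""Compose Rule Viewer TQL audit queries from parameters.

Added example, not Tufin code. Assumes only the TQL forms shown on this
page (single-quoted literals, in (...), and/or, N days ago) and rejects
literals containing a single quote, since the page documents no escaping.
"""
import ipaddress
from typing import Iterable, Sequence

ANY_FIELDS = ("source", "destination", "service", "user", "application")

def tql_literal(value: str) -> str:
    """Quote a string for a TQL comparison, refusing input it cannot express."""
    if "'" in value or "\n" in value:
        raise ValueError(f"cannot express {value!r} as a TQL literal")
    return f"'{value}'"

def decommission_query(ips: Iterable[str] = (), names: Iterable[str] = ()) -> str:
    """Rules referencing a host by IP or object name as source or destination."""
    clauses = []
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lit = tql_literal(ip)
        clauses.append(f"source.ip = {lit} or destination.ip = {lit}")
    for name in names:
        lit = tql_literal(name)
        clauses.append(f"source.name = {lit} or destination.name = {lit}")
    if not clauses:
        raise ValueError("at least one IP address or object name is required")
    return " or ".join(clauses)

def unsecured_service_query(services: Sequence[str]) -> str:
    """Rules that allow any of the named services, service groups included."""
    if not services:
        raise ValueError("at least one service name is required")
    return f"service.name in ({', '.join(tql_literal(s) for s in services)})"

def stale_rules_query(days: int = 365) -> str:
    """Rules neither hit nor modified within the last `days` days."""
    if days <= 0:
        raise ValueError("days must be positive")
    return (f"timeLastModified before {days} days ago "
            f"and timeLastHit before {days} days ago")

def any_object_query(fields: Sequence[str] = ANY_FIELDS) -> str:
    """Rules with ANY in at least one of the given object fields."""
    return " or ".join(f"{field}.isAny = true" for field in fields)
```

Feeding the returned strings to the Rule Viewer reproduces the example queries above exactly; a ticket value such as `x' or disabled = true or name = '` is rejected instead of being spliced into the query.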