xmlcheck

WatchGuard policy XML check utility.

xmlcheck is used to find duplicate aliases and services.

xmlcheck is part of the WatchGuard Toolbox Project.

Installation

Prerequisites

This PHP project needs Composer to build the class autoloader and to ensure that the SimpleXML extension is installed.

~/xmlcheck$ composer install

        Loading composer repositories with package information
        Updating dependencies (including require-dev)
        Nothing to install or update
        Writing lock file
        Generating autoload files

~/xmlcheck$

Usage

$ ./xmlcheck.php <options> <args>

Command summary

xmlcheck v0.8


Usage:
./xmlcheck.php args|commands

-h, --help              this help file
-i, --infile filename   inputfile filename
-f, --file filename     inputfile filename

commands:
--alias aliasname     print alias aliasname
--list-aliases        lists all aliases
--list-policies       lists all policies
--list-types          lists all services(policy types)
--list-tags           lists all tags
--list-nats           lists all nats
--list-tunnels        lists all BOVPN (Gateway-)Tunnels
--info                lists general info
--warnings            lists warnings (differences to best practice)

internal commands:
--fwcheck             output full information
                      used for communication with fwcheck

filters:
these filters need --list-policy, may be used multiple times and together.
--filter-name name            only show policies matching name (regexp)
--filter-exclude-name name    only show policies not matching name (regexp)
--filter-type type            only show policies matching type
--filter-exclude-type type    only show policies not matching type
--filter-to   alias           only show policies using alias in to
--filter-from alias           only show policies using alias in from
--filter-action action        only show policies using action (Deny|Allow|Proxy)
--filter-tag tag              only show policies using tag

these filters need --list-types, may be used multiple times and together.
--filter-type type       only show types matching type
--filter-port port       only show types using port (e.g. '25/tcp')

special filters
--filter-port-mail       only show policies having ports
                           25/110/143/465/587/993/995

example:
    --list-policies
    --filter-type HTTPS --filter-to Any-External \
    --filter-from Any-Trusted --filter-from Any-Optional
will display policies
    of type HTTPS from (Any-Trusted or Any-Optional) to Any-External

options:
-v, --verbose           verbose output
-E, --enabled           only show enabled policies (= skip disabled policies)
-D, --disabled          only show disabled policies (= skip enabled policies)
-N, --nospace           change spaces to dots in policy name output
-u, --unused            only show unused (aliases/tags/etc.)
--json                  currently only available with info - output in json format
--json-pretty           same as --json, but uses JSON_PRETTY_PRINT

debug:
--simplexmlout          print SimpleXML structure
                        as read from xmlfile
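
The filter example in the help text above combines one repeated filter with two other filters. The following PHP example is added here and is not xmlcheck's own code: it applies that selection rule (values of one filter kind are alternatives, different filter kinds must all match) to constructed policy records. The array keys and the function names policyMatches and selectPolicies are hypothetical.

```php
<?php
// Added illustration, not xmlcheck's source code.
// Constructed sample data; the keys name/type/from/to/enabled are hypothetical.
$policies = [
    ['name' => 'HTTPS-out',   'type' => 'HTTPS', 'from' => ['Any-Trusted'],  'to' => ['Any-External'], 'enabled' => true],
    ['name' => 'HTTPS-guest', 'type' => 'HTTPS', 'from' => ['Any-Optional'], 'to' => ['Any-External'], 'enabled' => false],
    ['name' => 'HTTPS-in',    'type' => 'HTTPS', 'from' => ['Any-External'], 'to' => ['Any-Trusted'],  'enabled' => true],
    ['name' => 'SMTP-out',    'type' => 'SMTP',  'from' => ['Any-Trusted'],  'to' => ['Any-External'], 'enabled' => true],
];

// Filters as collected from the command line of the help example:
// --filter-type HTTPS --filter-to Any-External
// --filter-from Any-Trusted --filter-from Any-Optional
$filters = [
    'type' => ['HTTPS'],
    'to'   => ['Any-External'],
    'from' => ['Any-Trusted', 'Any-Optional'],
];

// A policy matches when every filter kind that was given matches (AND);
// a filter kind matches when any one of its values matches (OR).
function policyMatches(array $policy, array $filters): bool
{
    foreach ($filters as $kind => $wanted) {
        if ($wanted === []) continue;           // filter kind not used
        $actual = (array) $policy[$kind];       // 'type' is a string, 'from'/'to' are lists
        if (array_intersect($wanted, $actual) === []) return false;
    }
    return true;
}

// $enabled mirrors -E (true) and -D (false); null applies no state filter.
function selectPolicies(array $policies, array $filters, ?bool $enabled = null): array
{
    $hits = [];
    foreach ($policies as $policy) {
        if ($enabled !== null && $policy['enabled'] !== $enabled) continue;
        if (policyMatches($policy, $filters)) $hits[] = $policy['name'];
    }
    return $hits;
}

print_r(selectPolicies($policies, $filters));        // no state filter
print_r(selectPolicies($policies, $filters, true));  // as with -E
```

The inbound HTTPS rule and the SMTP rule drop out because one filter kind fails for each, which is the behaviour to keep in mind when reviewing outbound rules by source zone.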

Listing aliases

$ ./xmlcheck.php -i <inputxml> -l
$ ./xmlcheck.php -i <inputxml> --listaliases

Description

List all aliases from the xml file.

Options

-v, --verbose

verbose output

-u, --unused

show only unused objects

Arguments

-i, --infile filename

inputfile filename (mandatory)

Display single alias

$ ./xmlcheck.php -i <inputxml> -a <aliasname>

Description

Displays one single alias.

Options

-v, --verbose

verbose output

Arguments

-i, --infile filename

inputfile filename (mandatory)

Listing services

$ ./xmlcheck.php -i <inputxml> -s
$ ./xmlcheck.php -i <inputxml> --listservices

Description

List all services from the xml file.

Options

-v, --verbose

verbose output

-u, --unused

show only unused objects

Arguments

-i, --infile filename

inputfile filename (mandatory)

Listing tags

$ ./xmlcheck.php -i <inputxml> -t
$ ./xmlcheck.php -i <inputxml> --listtags

Description

List all tags from the xml file.

Options

-v, --verbose

verbose output

-u, --unused

show only unused objects

Arguments

-i, --infile filename

inputfile filename (mandatory)

Listing policies

$ ./xmlcheck.php -i <inputxml> -p
$ ./xmlcheck.php -i <inputxml> --listpolicies

Description

List all policies from the xml file.

Options

-v, --verbose

verbose output

-E, --enabled

only show enabled policies (= skip disabled policies)

-D, --disabled

only show disabled policies (= skip enabled policies)

Arguments

-i, --infile filename

inputfile filename (mandatory)

API documentation & download

Changelog

  • 2025-07-07 - v0.8 - added json output and lots of parameters to explore

  • 2020-07-27 - v0.4 - added -E and -D for enabled/disabled policies

  • 2019-09-11 - v0.3 - fixed "--listtags --unused" - now correct if more than one tag per policy

  • 2019-09-06 - v0.2 - added --listtags

  • 2019-08-24 - v0.1 - initial release