Radek_Cernousek
Explorer

API Cluster build

Hello All,

Can somebody tell me if there is any possibility to add a Cluster to the Mgmt (CMA) over the API?

I found only "add-simple-gateway" but nothing else?

Thanks for info

Radek

17 Replies
PhoneBoy
Admin

Adding cluster objects is one of the handful of operations that still require the use of CPMI and not the R80 API.

It's something planned to be addressed in a later release.

Radek_Cernousek
Explorer

OK, does Check Point have any estimation of when this feature could be part of the API?

Could you send me any reference to documentation on how to use CPMI to build a cluster by script?

Thanks

Radek

0 Kudos
PhoneBoy
Admin

To my knowledge, the timelines for incorporating this into the API have not been finalized.

I'm also not aware of any documentation for building a cluster using dbedit (the scriptable way to use CPMI) or if it is even possible.

I would communicate your requirements in this area to your Check Point SE, if you haven't already.

0 Kudos
Don_Paterson
Advisor

I have managed in the past to build a cluster object using dbedit. It was not without issues, though, and I think I ended up deleting and creating the cluster object manually in the end.

The topology of the cluster had to be completed manually (I was reverse engineering using GUIDBedit and couldn't work out the dbedit commands for cluster topology; I think I ran out of time) and a SIC reset also had to be done. I had used the CLI to push SIC certificates. Perhaps the SIC trust pulled from the server rather than pushed is better, since a topology get occurs during SIC establishment.

Would be good to know when the API is up to the job (although I am about to look into it on R80.10) and, until then, if there is a workaround. That is, other than simple objects created in the API to half-complete the job of creating the cluster object.

Regards,

Don

Robert_Decker
Advisor

Thanks to Nicolas Boisse, you can use this utility - https://community.checkpoint.com/docs/DOC-2625.

Also, please note my caveat there.

Robert.

JozkoMrkvicka
Authority

When can we FINALLY expect such a basic feature as manipulating Cluster objects within R80? R80.30 is GA, without a single API command for this purpose. What a shame.

Kind regards,
Jozko Mrkvicka
0 Kudos
Nicolas_Boisse
Employee Alumnus

The cluster API was supposed to be released in R80.30 M1. This has been postponed to R80.40.

G_W_Albrecht
Legend

Basic feature? It would be a thing everybody needs any day, but honestly, creating and manipulating hundreds of cluster objects using the API is not everybody's favorite daily game; most people still use the Dashboard and are happy nevertheless 😊

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
JozkoMrkvicka
Authority

Not if you are managing 30+ clusters with daily VLAN creation 🙂 Monkey job...

Kind regards,
Jozko Mrkvicka
0 Kudos
Magnus-Holmberg
Advisor

How is it possible that an API is released when you can't control a cluster?
More or less the first thing when buying a firewall, the vendor always says "you need a cluster".

Struggling to find something to control VS; does Check Point see that as a cluster, single gw or something else?
Currently running R80.20 MDS with R80.30 3.1 VSX Clusters.

https://www.youtube.com/c/MagnusHolmberg-NetSec
Jim_Oqvist
Employee

Hi,

There is currently no API endpoint for adding, changing or deleting a VS on a VSX. What we have is the vsx_provisioning_tool to perform these operations using the CLI; to achieve this over the RESTful Management API one could use a combination of the run-script API endpoint and vsx_provisioning_tool.

Here are two Ansible playbook examples of how to create and delete a VS on a VSX using a combination of the run-script endpoint and the vsx_provisioning_tool. More information about the vsx_provisioning_tool can be found in the Check Point VSX R80.x Administration Guide.

R80-AddVS.yml

---
# Example playbook to add Virtual Systems on a Check Point VSX
# using the management API run-script endpoint and the vsx_provisioning_tool binary.
# Variables used in this playbook that are defined in vars.yml:
#   mgmt_user        - Admin username for the R80 Security Management API
#   mgmt_password    - Admin password for the R80 Security Management API
#   mgmt_domain      - The Domain to make the changes in; set this to "SMC User" if this is an SMS
#   mgmt_server      - The MDS or SMS IP to connect to
#   mgmt_fingerprint - The API server fingerprint on the MDS or SMS
#   dms_ip           - Domain Management Server IP for the domain where the VSX object exists
#   vsx_hostname     - Name of the VSX object where the virtual systems should be created
#   script_targets   - list; should contain the name of the DMS that manages the domain with the VSX object
#
# Note: mgmt_user/mgmt_password are reused on the vsx_provisioning_tool command line (-u/-p),
# so they are visible in the process list on the management server and in the run-script
# task output. Use a dedicated API user with only the rights this job needs.

- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
    - vars.yml

  tasks:
  - name: "login"
    check_point_mgmt:
      command: login
      parameters:
        username: "{{ mgmt_user }}"
        password: "{{ mgmt_password }}"
        domain: "{{ mgmt_domain }}"
        management: "{{ mgmt_server }}"
      fingerprint: "{{ mgmt_fingerprint }}"
    register: login_response

  # One run-script call per VS; the operations after -o are comma-separated:
  # create the VS, then add one VLAN interface per data interface.
  - name: "Create VS on VSX with run-script"
    check_point_mgmt:
      command: run-script
      parameters:
        script-name: "Create VS vs{{ item }} on VSX {{ vsx_hostname }} with run-script"
        script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{ dms_ip }} -u {{ mgmt_user }} -p {{ mgmt_password }} -o add vd name vs{{ item }} vsx {{ vsx_hostname }} type vs, add interface name eth1.{{ item }} ip 1.1.{{ item }}.254 netmask 255.255.255.0, add interface name eth2.{{ item }} ip 2.2.{{ item }}.254 netmask 255.255.255.0"
        targets: "{{ script_targets }}"
      session-data: "{{ login_response }}"
    with_sequence: start=10 end=12

  - name: "logout"
    check_point_mgmt:
      command: logout
      session-data: "{{ login_response }}"

R80-RemoveVS.yml

---
# Example playbook to remove Virtual Systems on a Check Point VSX
# using the management API run-script endpoint and the vsx_provisioning_tool binary.
# Variables used in this playbook that are defined in vars.yml:
#   mgmt_user        - Admin username for the R80 Security Management API
#   mgmt_password    - Admin password for the R80 Security Management API
#   mgmt_domain      - The Domain to make the changes in; set this to "SMC User" if this is an SMS
#   mgmt_server      - The MDS or SMS IP to connect to
#   mgmt_fingerprint - The API server fingerprint on the MDS or SMS
#   dms_ip           - Domain Management Server IP for the domain where the VSX object exists
#   vsx_hostname     - Name of the VSX object where the virtual systems exist
#   script_targets   - list; should contain the name of the DMS that manages the domain with the VSX object
#
# Note: as in the add playbook, mgmt_user/mgmt_password end up on the vsx_provisioning_tool
# command line (-u/-p) and therefore in the process list and the run-script task output.

- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
    - vars.yml

  tasks:
  - name: "login"
    check_point_mgmt:
      command: login
      parameters:
        username: "{{ mgmt_user }}"
        password: "{{ mgmt_password }}"
        domain: "{{ mgmt_domain }}"
        management: "{{ mgmt_server }}"
      fingerprint: "{{ mgmt_fingerprint }}"
    register: login_response

  - name: "Remove VS on VSX with run-script"
    check_point_mgmt:
      command: run-script
      parameters:
        script-name: "Remove VS vs{{ item }} on VSX {{ vsx_hostname }} with run-script"
        script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{ dms_ip }} -u {{ mgmt_user }} -p {{ mgmt_password }} -o remove vd name vs{{ item }}"
        targets: "{{ script_targets }}"
      session-data: "{{ login_response }}"
    with_sequence: start=10 end=12

  - name: "logout"
    check_point_mgmt:
      command: logout
      session-data: "{{ login_response }}"

0 Kudos
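The same run-script plus vsx_provisioning_tool approach as the playbooks above, driven from Python so that the asynchronous task result is actually read back and checked. This is an added example, not Check Point's code and not from the post: the vsx_provisioning_tool operation grammar and the $MDS_FWDIR path are taken from the playbooks, the show-task reply shape (task-details with a base64 "responseMessage") is what I have seen from R80.x and should be verified against your version, and the management host, CA file, domain, DMS address, VSX name and credentials are constructed placeholders. Each value is shell-quoted, so a password or VS name with spaces or shell metacharacters cannot break or rewrite the command line; the password still travels on the command line via -p, exactly as in the playbooks, so it is visible in the process list on the server and in the decoded task output.

```python
"""Create Virtual Systems on a VSX via the Management API run-script endpoint and
vsx_provisioning_tool, then poll show-task for the result. Added example; the
hosts, CA file and credentials below are constructed placeholders."""
import base64
import ipaddress
import json
import shlex
import ssl
import time
import urllib.request

TOOL = "$MDS_FWDIR/bin/vsx_provisioning_tool"      # path as used in the playbooks above
TERMINAL = {"succeeded", "failed", "partially succeeded"}   # show-task end states


def build_add_vs_script(dms_ip, user, password, vsx_name, vs_name, interfaces):
    """Return the shell line run-script will execute on the MDS/SMS.
    Grammar from the playbooks: add vd name <vs> vsx <vsx> type vs, add interface ...
    Every value is shlex-quoted; IPs/masks are validated here rather than on the server.
    The password is still passed with -p (visible in ps and in the task output)."""
    ops = [f"add vd name {shlex.quote(vs_name)} vsx {shlex.quote(vsx_name)} type vs"]
    for iface in interfaces:
        ipaddress.IPv4Address(iface["ip"])       # raises ValueError on a bad address
        ipaddress.IPv4Address(iface["mask"])
        ops.append(f"add interface name {shlex.quote(iface['name'])} "
                   f"ip {iface['ip']} netmask {iface['mask']}")
    return (f"{TOOL} -s {shlex.quote(dms_ip)} -u {shlex.quote(user)} "
            f"-p {shlex.quote(password)} -o " + ", ".join(ops))


def parse_run_script_task(show_task_response):
    """Flatten a show-task reply (details-level full) for a run-script task.
    Assumed reply shape: tasks[].status and tasks[].task-details[] holding
    statusCode plus the script output base64-encoded in responseMessage."""
    results = []
    for task in show_task_response.get("tasks", []):
        for detail in task.get("task-details") or [{}]:
            raw = detail.get("responseMessage") or ""
            output = base64.b64decode(raw).decode("utf-8", "replace") if raw else ""
            results.append({"task-id": task.get("task-id"), "status": task.get("status"),
                            "statusCode": detail.get("statusCode"), "output": output})
    return results


def all_succeeded(results):
    """True only if every task ended as 'succeeded' ('partially succeeded' is a failure)."""
    return bool(results) and all(r["status"] == "succeeded" for r in results)


# Constructed sample reply in the assumed show-task shape: "b2sK" is base64 for "ok\n".
SAMPLE_SHOW_TASK = {"tasks": [
    {"task-id": "t-1", "status": "succeeded",
     "task-details": [{"statusCode": "succeeded", "responseMessage": "b2sK"}]},
    {"task-id": "t-2", "status": "failed", "task-details": [{"statusCode": "failed"}]},
]}


class MgmtApi:
    """Minimal stdlib Management API client. The CA file is an assumption; verify
    the server certificate (CA or pinned fingerprint) rather than disabling checks."""

    def __init__(self, server, cafile, port=443):
        self.base = f"https://{server}:{port}/web_api/"
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, headers=headers,
                                     data=json.dumps(payload or {}).encode())
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.loads(resp.read().decode())

    def login(self, user, password, domain=None):
        payload = {"user": user, "password": password}
        if domain:
            payload["domain"] = domain
        self.sid = self.call("login", payload)["sid"]

    def run_script_and_wait(self, name, script, targets, poll_seconds=3, timeout=600):
        """run-script only returns task ids; poll show-task until all are terminal."""
        tasks = self.call("run-script", {"script-name": name, "script": script,
                                         "targets": targets})["tasks"]
        task_ids = [t["task-id"] for t in tasks]
        deadline = time.time() + timeout
        while time.time() < deadline:
            reply = self.call("show-task", {"task-id": task_ids, "details-level": "full"})
            if all(t.get("status") in TERMINAL for t in reply.get("tasks", [])):
                return parse_run_script_task(reply)
            time.sleep(poll_seconds)
        raise TimeoutError(f"run-script {name!r} did not finish within {timeout}s")


if __name__ == "__main__":
    api = MgmtApi("mds.example.internal", cafile="/etc/ssl/certs/mgmt-ca.pem")  # placeholders
    api.login("api_user", "p@ss w0rd!", domain="Domain1")
    try:
        for n in (10, 11, 12):
            script = build_add_vs_script("10.0.0.5", "api_user", "p@ss w0rd!", "vsx_gw", f"vs{n}",
                [{"name": f"eth1.{n}", "ip": f"1.1.{n}.254", "mask": "255.255.255.0"},
                 {"name": f"eth2.{n}", "ip": f"2.2.{n}.254", "mask": "255.255.255.0"}])
            results = api.run_script_and_wait(f"Create vs{n}", script, ["Domain1_Server"])
            for r in results:
                print(r["task-id"], r["status"], r["output"].strip())
            if not all_succeeded(results):
                raise SystemExit(f"creating vs{n} failed; see task output above")
    finally:
        api.call("logout")
```

The point of polling show-task is that run-script reports success for the API call even when the script itself failed; only the decoded task details tell you whether vsx_provisioning_tool accepted the operation, which is what the Ansible playbooks above do not check.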
Magnus-Holmberg
Advisor
Advisor

Sure there is way around it with vsx_util / vsx_provisioning_tool
The point is more that Check Point really need to put in an effort to add more features to the API.

The way we want to use it is for making sure documentation is up to date, but also add VLAN and changes routes on VS.
Having an API for this would make a huge diff.
https://www.youtube.com/c/MagnusHolmberg-NetSec
Nicolas_Boisse
Employee Alumnus

I'm working on a pre release of add simple-cluster API. This is coming in R80.40. Stay tuned. Gaia API is there if you want to send calls direct to the gateway. sk143612. Its available as a add-on package for R80.10, R80.20 and R80.30. Will be probably built in R80.40.
Don_Paterson
Advisor

Is there any confirmed release where the cluster object can be created in the API, using a simple command and not a lot of scripts?

Also, is there a document, SK or thread that lists the known limitations of the current and/or previous API version?

Thanks,

Don

0 Kudos
rolf
Participant

👍🏻

0 Kudos
Jim_Oqvist
Employee

The cluster API is confirmed for R80.40 and will make it to GA if it goes through the EA process without any issues. Not sure what you are looking for in terms of known limitations in terms of the API. We document the changes between API versions in here: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/changelog~v1.5%20
0 Kudos
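For the add-simple-cluster endpoint that Nicolas and Jim say is coming in R80.40, the part worth automating is the consistency check before the request goes out: Don's post above describes exactly the two things that otherwise end up being finished by hand (cluster topology, SIC). The following is an added example and not Check Point's code: the field names (name, ip-address, version, cluster-mode, interfaces[].interface-type/topology, members[].one-time-password) follow the R80.40 Management API reference as I recall it and must be checked against the reference for your version, and all addresses, names and one-time passwords below are constructed placeholders.

```python
"""Assemble and sanity-check an add-simple-cluster request body before sending it.
Added example; field names are assumed from the R80.40 API reference and the sample
addresses/OTPs are constructed."""
import ipaddress
import json

CLUSTER_MODES = {"cluster-xl-ha", "cluster-xl-lb", "opsec-ha", "opsec-lb"}


def build_simple_cluster(name, ip_address, version, mode, interfaces, members):
    """interfaces: [{"name", "type", "topology", "ip", "mask"}], type in
    cluster | sync | cluster + sync | private; only cluster types carry a VIP.
    members:    [{"name", "ip", "otp", "interfaces": {ifname: (ip, mask)}}]
    Rejects: unknown mode, fewer than two members, no sync interface, a VIP on a
    non-cluster interface, a member missing an interface, a member address outside
    its VIP subnet, an address reused by two members, and a missing SIC OTP."""
    if mode not in CLUSTER_MODES:
        raise ValueError(f"unknown cluster-mode {mode!r}")
    if len(members) < 2:
        raise ValueError("a cluster needs at least two members")
    if not any("sync" in i["type"] for i in interfaces):
        raise ValueError("no sync interface defined")
    if ip_address not in {i.get("ip") for i in interfaces if "cluster" in i["type"]}:
        raise ValueError("main ip-address must be one of the cluster interface VIPs")
    payload = {"name": name, "ip-address": ip_address, "version": version,
               "cluster-mode": mode, "interfaces": [], "members": []}
    vip_nets = {}
    for i in interfaces:
        entry = {"name": i["name"], "interface-type": i["type"],
                 "topology": i.get("topology", "internal"), "anti-spoofing": True}
        if "cluster" in i["type"]:
            entry["ip-address"], entry["network-mask"] = i["ip"], i["mask"]
            vip_nets[i["name"]] = ipaddress.IPv4Network(f"{i['ip']}/{i['mask']}", strict=False)
        elif i.get("ip"):
            raise ValueError(f"{i['name']}: only cluster interfaces carry a cluster IP")
        payload["interfaces"].append(entry)
    seen = set()
    for m in members:
        if not m.get("otp"):
            raise ValueError(f"{m['name']}: missing one-time password for SIC")
        mifs = []
        for i in interfaces:
            if i["name"] not in m["interfaces"]:
                raise ValueError(f"{m['name']}: no address for interface {i['name']}")
            ip, mask = m["interfaces"][i["name"]]
            if i["name"] in vip_nets and ipaddress.IPv4Address(ip) not in vip_nets[i["name"]]:
                raise ValueError(f"{m['name']}/{i['name']}: {ip} outside VIP subnet {vip_nets[i['name']]}")
            if (i["name"], ip) in seen:
                raise ValueError(f"{i['name']}: {ip} used by more than one member")
            seen.add((i["name"], ip))
            mifs.append({"name": i["name"], "ip-address": ip, "network-mask": mask})
        payload["members"].append({"name": m["name"], "ip-address": m["ip"],
                                   "one-time-password": m["otp"], "interfaces": mifs})
    return payload


# Constructed sample: two cluster interfaces (external/internal) plus a dedicated sync link.
SAMPLE_INTERFACES = [
    {"name": "eth0", "type": "cluster", "topology": "external", "ip": "203.0.113.10", "mask": "255.255.255.0"},
    {"name": "eth1", "type": "cluster", "topology": "internal", "ip": "10.10.10.1", "mask": "255.255.255.0"},
    {"name": "eth2", "type": "sync"},
]
SAMPLE_MEMBERS = [
    {"name": "gw-a", "ip": "203.0.113.11", "otp": "otp-a-placeholder",
     "interfaces": {"eth0": ("203.0.113.11", "255.255.255.0"),
                    "eth1": ("10.10.10.11", "255.255.255.0"),
                    "eth2": ("192.0.2.1", "255.255.255.252")}},
    {"name": "gw-b", "ip": "203.0.113.12", "otp": "otp-b-placeholder",
     "interfaces": {"eth0": ("203.0.113.12", "255.255.255.0"),
                    "eth1": ("10.10.10.12", "255.255.255.0"),
                    "eth2": ("192.0.2.2", "255.255.255.252")}},
]


def sample_payload():
    return build_simple_cluster("cluster-a", "203.0.113.10", "R80.40", "cluster-xl-ha",
                                SAMPLE_INTERFACES, SAMPLE_MEMBERS)


if __name__ == "__main__":
    # POST this body to https://<mgmt>/web_api/add-simple-cluster with the X-chkp-sid
    # header from login, then call publish. Each OTP must match what was set on that
    # member in cpconfig, otherwise SIC will need the reset Don describes above.
    print(json.dumps(sample_payload(), indent=2))
```

The one-time passwords are the SIC secret for each member, so they belong in a secrets store or a prompt, not in the spec file; they are only inline here because the sample is constructed.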
Timothy_Hall
Legend

Due to constant questions I got about this while teaching a CCAS class, I started an unofficial list of operations that must be performed from a GUI client and cannot be accomplished via the API:

https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Functionality-API-vs-SmartConsole...

These limitations are generally because the operations listed must be handled in the older fwm process (which is not database-aware) instead of the new cpm process on the SMS/MDS.


Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
