topic Re: Best Practices for Threat Prevention API Calls to Appliance in Firewall and Security Management

Best Practices for Threat Prevention API Calls to Appliance

Ofer_Fichman — Tue, 27 Apr 2021 15:48:42 GMT

The Check Point Threat Prevention API lets you use Threat Prevention products through web services.

Threat Prevention API calls can be used either to Threat-Cloud or to a local Appliance.

Here we focus on Threat Prevention API to Appliance.

We can use Threat Prevention API calls to an appliance, when we’d like to scan files and/or clean their suspicious parts, in an environment where these files don’t go through the gateway traffic, however there’s an appliance with Threat Emulation enabled and/or Threat Extraction enabled.

Using API calls to Threat Emulation and/or Anti Virus on the appliance, we detect whether files are malicious. Threat Emulation includes detecting unknown malware and Zero-day attacks.

Using API calls to Threat Extraction on the appliance, we proactively block malware and we are enabled to deliver reconstructed files to avoid delays.

Utilities

Name	Description	Link
tp_api	ALL IN ! Threat Emulation API, Threat Extraction API and Anti Virus API calls to an appliance.	https://github.com/CheckPointSW/appliance_tpapi/tree/master/tp_api
te_api	Threat Emulation API calls to an appliance	https://github.com/CheckPointSW/appliance_tpapi/tree/master/te_api
tex_api	Threat Extraction API calls to an appliance	https://github.com/CheckPointSW/appliance_tpapi/tree/master/tex_api
av_api	Anti Virus API calls to an appliance	https://github.com/CheckPointSW/appliance_tpapi/tree/master/av_api

Video

Demonstrating the use of Threat Emulation API calls to Appliance via curl commands.

(view in My Videos)

Documentation references

Description	Link
Threat Prevention API reference guide. Note: The guide is common to both Cloud API and Appliance API, except for Threat Extraction API to appliance.	TPAPIRefGuide
SK for using API to appliance that includes Threat Extraction.	sk137032
Using the Threat Emulation early malicious verdict feature via API (te_eb feature).	sk117168_chapter4
Generating and retrieving the new Threat Emulation reports via API to appliance.	sk120357_chapter5

Enjoy

Re: Best Practices for Threat Prevention API Calls to Appliance

_Val_ — Sat, 25 Apr 2020 20:10:17 GMT

Very nice!

Re: Best Practices for Threat Prevention API Calls to Appliance

Jarvis_Lin — Sat, 20 Mar 2021 13:05:11 GMT

Hi,

Would you please demo how "extraction" in curl?

I run these command, but not working

curl --insecure -X POST \
https://x.x.x.x:18194/tecloud/api/v1/file/upload \
-H 'Content-Type: application/json' \
-F 'request={ "request": [{"file_name": "MyFile.docx", "file_type": "docx", "features": [ "extraction" ], "extraction": { "method": "clean" } } ] }' \
-F 'file=@/home/admin/MyFile.docx'

It shows

{
"response" : [
{
"features" : [ "extraction" ],
"file_name" : "MyFile.docx",
"file_type" : "docx",
"md5" : "98c85fd8326af531fc1b50d90d3479f3",
"sha1" : "9afd524f9874ebcc2968d82813645cc9984347ff",
"sha256" : "3debf5b8f820feef44b36c3353af050b09d5c5a06873a34f47b8db787c21d354",
"status" : {
"code" : 1004,
"label" : "NOT_FOUND",
"message" : "Couldn't find the requested file, please upload it"
}
}
]
}

Re: Best Practices for Threat Prevention API Calls to Appliance

Ofer_Fichman — Sat, 20 Mar 2021 18:50:37 GMT

Hi,

Already noted that you can't use extraction by Cloud API type (see attached screenshot named API_note.PNG).

An example ("demo") of extraction API to Appliance via curl - please find in attached text file named: Threat_Extraction_Appliance_API_curl_example.txt

Before running this curl command, make sure you replace :

The x.x.x.x with the appliance ip-address.
The nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn with the appliance api-key.

In this example I base64 encoded a small office excel file (I named it in the curl API call as "000102.xls").

Of course, before running the curl command, reminding required settings described in documentation for "extraction" in Appliance API calls : sk113599 , sk137032

BTW, please find up-to-date Threat Extraction to Appliance API python utility here

Let me know if you have any further questions.

BR,

Ofer

Re: Best Practices for Threat Prevention API Calls to Appliance

Jarvis_Lin — Sun, 21 Mar 2021 06:05:44 GMT

Hi Ofer,

Thank you for your example, I understand.

Another question:

Is this a only way to get cleaned-file from "file_enc_data" by decoded?

Re: Best Practices for Threat Prevention API Calls to Appliance

Ofer_Fichman — Sun, 21 Mar 2021 06:22:25 GMT

Hi Jarvis Lin,

Yes, via API the only way to get the cleaned-file is by base64 encoding the file content and set it in "file_enc_data" field in the Request.

BR,