AD Automaization script or API

ShadowNif — Fri, 17 Oct 2025 05:57:11 GMT

Hi,

I am trying to do some sort of automatization and group updating in my rules. I KNOW that i can do that with IDENTITY AWARENESS and i already have it running, But I have a couple of PCs without it, but they are grouped in AD.

I need to update the Groups in my rule regarding those AD Groups, like Identity Awareness but without having an agent running.
I believe it is doable through Python or the REST API. But i want to know if there is already something like that or i need to start from the base!!

THNX

Re: AD Automaization script or API

the_rock — Fri, 17 Oct 2025 08:24:43 GMT

Here is what AI gave as far as Python scrip.

import json
import requests
import ssl
import ldap3
from ldap3 import Server, Connection, ALL, NTLM

# ---- CONFIG ----
CP_API_URL = "https://<mgmt-server>/web_api"
CP_USERNAME = "api-admin"
CP_PASSWORD = "yourpassword"

AD_SERVER = "ad.domain.local"
AD_USER = "DOMAIN\\ad_query_user"
AD_PASSWORD = "yourpassword"
AD_GROUP = "CN=GroupName,OU=Groups,DC=domain,DC=local"

FIREWALL_GROUP_NAME = "AD_Synced_Group"

# Disable SSL warnings (only if using self-signed certs!)
requests.packages.urllib3.disable_warnings()

# ---- HELPER FUNCTIONS ----

def login_cp():
url = f"{CP_API_URL}/login"
payload = {"user": CP_USERNAME, "password": CP_PASSWORD}
r = requests.post(url, json=payload, verify=False)
r.raise_for_status()
return r.json()["sid"]

def logout_cp(sid):
requests.post(f"{CP_API_URL}/logout", headers={"X-chkp-sid": sid}, verify=False)

def get_ad_group_members():
server = Server(AD_SERVER, get_info=ALL)
conn = Connection(server, user=AD_USER, password=AD_PASSWORD, authentication=NTLM, auto_bind=True)

conn.search(
search_base=AD_GROUP,
search_filter='(objectClass=group)',
attributes=['member']
)

members = []
for entry in conn.entries:
for member_dn in entry.member.values:
members.append(member_dn.split(",")[0].split("=")[1]) # Extract sAMAccountName or CN

conn.unbind()
return members

def create_or_update_cp_group(sid, group_name, members):
# Check if group exists
r = requests.post(f"{CP_API_URL}/show-group", json={"name": group_name}, headers={"X-chkp-sid": sid}, verify=False)
if r.status_code == 200:
print(f"Group {group_name} exists. Updating members...")
group_uid = r.json().get("uid")
payload = {
"uid": group_uid,
"members": members
}
r = requests.post(f"{CP_API_URL}/set-group", json=payload, headers={"X-chkp-sid": sid}, verify=False)
else:
print(f"Creating new group {group_name}...")
payload = {
"name": group_name,
"members": members
}
r = requests.post(f"{CP_API_URL}/add-group", json=payload, headers={"X-chkp-sid": sid}, verify=False)

r.raise_for_status()
return r.json()

def publish_changes(sid):
r = requests.post(f"{CP_API_URL}/publish", headers={"X-chkp-sid": sid}, verify=False)
r.raise_for_status()
print("Changes published.")

# ---- MAIN SCRIPT ----

if __name__ == "__main__":
print("[*] Logging into Check Point...")
sid = login_cp()

print("[*] Querying Active Directory...")
members = get_ad_group_members()
print(f"[*] Found {len(members)} AD members.")

print("[*] Updating Check Point group...")
update = create_or_update_cp_group(sid, FIREWALL_GROUP_NAME, members)

print("[*] Publishing policy changes...")
publish_changes(sid)

print("[*] Logging out.")
logout_cp(sid)

print("[✓] Done.")

Re: AD Automaization script or API

PhoneBoy — Fri, 17 Oct 2025 20:54:04 GMT

In case you've not seen, we have an Identity Awareness API: https://sc1.checkpoint.com/documents/latest/IdentityAPIs/#ida_api_intro~v1%20
The script @the_rock provided is completely wrong as it's calling the wrong API for this.

Re: AD Automaization script or API

the_rock — Fri, 17 Oct 2025 20:58:56 GMT

I blame AI lol

topic Re: AD Automaization script or API in Firewall and Security Management

AD Automaization script or API

Re: AD Automaization script or API

Re: AD Automaization script or API

Re: AD Automaization script or API