topic Re: Automating Security Operations with the Check Point APIs TechTalk, Q&A, and Slides in API / CLI Discussion

Automating Security Operations with the Check Point APIs TechTalk, Q&A, and Slides

PhoneBoy — Fri, 25 Oct 2019 03:32:18 GMT

On 23rd October 2019, @Rafi_Zvi from Backbox talked about automating security operations using the Check Point APIs and Backbox.

Content available to CheckMates members:

Slides
Video

Except below.
Q&A from the session will be posted as comments.

(view in My Videos)

Re: Automating Security Operations with the Check Point APIs TechTalk, Q&A, and Slides

PhoneBoy — Wed, 23 Oct 2019 20:40:46 GMT

Which version of R80.x corresponds to v1.5?

R80.30. You can see a complete list here: API Versions

Where are these commands run from?

You can use any REST client to generate these commands. You can also use them from the CLI of a Check Point Management device using mgmt_cli.

For mgmt_cli calls using powershell, is there a way to properly discard the session after use?

This should happen when you use the logout API call after your session completes. If this is not the case for you, best to open a TAC case so we can investigate.

Can You Manipulate VSX Objects with the API?

You can refer to individual VS objects with the API, but you cannot manipulate those objects currently.

Can You Set the Shared Secret (Passphrase) for VPN using the API?

Yes. See https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-vpn-community-meshed~v1.5%20

What is the behavior in case of some "error" ? (like name of object already exists - error, or there is a different object with same IP address - a warning)

The API provides error messages to this effect, as will Backbox.

Why is "Last Modified" admin instead of API?

Because you authenticate to the API using the same credentials as SmartConsole and, in the examples here, the user "admin" was used.

Using api, can we move policies and objects from one management/CMA to another?

Not directly, but you can read the desired information using the API from one management/CMA and write it to another. The Python tool for exporting/importing a policy package or parts of it works on this premise.

Is this process of automation through API available for SmartEndpoint too?

Not yet.

How do I identify hosts, which I would like to delete, but they are somehow used in a policy rule? Is there a way to find those dependencies, delete the objects, but perhaps prevent a cell where the objects is the last one? (prevent an "Any" cell)?!

This is potentially doable through the API, but will require a few different calls to achieve. where-used will tell you where a given object is used. You would have to manually interrogate each rule to validate it is not the last object in a cell.

Can you make any reporting API requests related to the lifecycle of the device (e.g. end of support date), contract data (e.g. start date, end date, etc)?

There are no direct API calls for this, but you could use run-script to run the necessary CLI commands to do this.

Re: Automating Security Operations with the Check Point APIs TechTalk, Q&A, and Slides

PhoneBoy — Fri, 25 Oct 2019 03:30:30 GMT

More Q&A

I need to make a query where I can see the vpn users and see his permissions

Currently, there is no official API for locally defined users. You can query them by means of the generic-object API. The following will give you JSON output of all VPN users:

mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].uid | while read X; do mgmt_cli -r true --format json show generic-object uid $X; done

Additional parsing with jq can give you exactly the data you're looking for.

Can I export output of commands typed via SmartConsole CLI into a file please?

The SmartConsole CLI is a shell similar to clish that doesn't allow for output redirect. If you require this functionality, use mgmt_cli, which can be executed from Windows.

Where can I find more details about the Gaia API?

The Gaia API Documentation and sk143612.

In what version will the GAIA API be included natively and enabled by default?

I believe this is targeted for R80.40.

Does executing API calls to the gateway still have to work around the ‘lock database’ issue?

Yes, only one process can make changes to the gateway configuration at a time.

Will you be able to complete any type of logging and monitoring queries via API in the future? E.g. for un-attended log/health check methods potentially.

You can use run-script API to run whatever monitoring you’d like. Logging will eventually have API support.

Is the Gaia API available on SMB appliances?

Not currently.

How can I search as I would in the search bar via API? Something like: 'Show me where Check_Mate_Host AND port 22 are used?"

Not directly, but this could be done with where-used and parsing the results.

What about API support for Gateway Cluster objects?

Currently planned for R80.40.

After we delete a object, or group using the API, how would we know what firewalls to push to implement the change?

You could probably determine this by using there where-used API call.

Is it easy to limit what kind of API access a particular user has?

The API follows the same permission profiles that SmartConsole uses. If the user has access to something via SmartConsole and the permission profile grants API access, they have access via API as well.