https://community.checkpoint.com/t5/API-CLI-Discussion/Threat-Prevention-Profile-API-Malware-DNS-Trap/m-p/78095#M4577 <P>Hello Guys,</P><P>I'm trying to create a query in order to show and modify (adding/removing) entries on the "Malware DNS Trap" feature on Threat Prevention Profiles.</P><P>The problem is that from both documentation on:&nbsp;</P><P><A href="https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20" target="_blank" rel="nofollow noopener noreferrer">https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20</A></P><P>&nbsp;</P><P>and querying with "show-threat-profile" in FULL detail-levels, I cannot see any output reminding to that.</P><P>Is there someone that already experienced it and came out with a solution or is there simply someone that could help me out?<SPAN>&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks a lot,</P><P>Luca</P> Thu, 12 Mar 2020 10:05:25 GMT Luca_Tinelli 2020-03-12T10:05:25Z https://community.checkpoint.com/t5/API-CLI-Discussion/Threat-Prevention-Profile-API-Malware-DNS-Trap/m-p/78095#M4577 <P>Hello Guys,</P><P>I'm trying to create a query in order to show and modify (adding/removing) entries on the "Malware DNS Trap" feature on Threat Prevention Profiles.</P><P>The problem is that from both documentation on:&nbsp;</P><P><A href="https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20" target="_blank" rel="nofollow noopener noreferrer">https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20</A></P><P>&nbsp;</P><P>and querying with "show-threat-profile" in FULL detail-levels, I cannot see any output reminding to that.</P><P>Is there someone that already experienced it and came out with a solution or is there simply someone that could help me out?<SPAN>&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks a lot,</P><P>Luca</P> Thu, 12 Mar 2020 10:05:25 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Threat-Prevention-Profile-API-Malware-DNS-Trap/m-p/78095#M4577 Luca_Tinelli 2020-03-12T10:05:25Z https://community.checkpoint.com/t5/API-CLI-Discussion/Threat-Prevention-Profile-API-Malware-DNS-Trap/m-p/78317#M4585 <P>Unfortunately, there is no official API for these settings.<BR />You can see and modify it with the generic-object API.<BR />Once you have the UID of your threat profile, you can see the settings as follows:</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">[Expert@MGMT:0]# <STRONG>mgmt_cli -r true --format json show generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e | jq '.malwareDnsTrapSettings'</STRONG></FONT><BR /><FONT face="courier new,courier">{</FONT><BR /><FONT face="courier new,courier">&nbsp; "objId": "292e317a-88a8-4e74-a33f-0e20d871e5cd",</FONT><BR /><FONT face="courier new,courier">&nbsp; "checkPointObjId": null,</FONT><BR /><FONT face="courier new,courier">&nbsp; "domainsPreset": null,</FONT><BR /><FONT face="courier new,courier">&nbsp; "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",</FONT><BR /><FONT face="courier new,courier">&nbsp; "resolveIpv4RequestsTo": true,</FONT><BR /><FONT face="courier new,courier">&nbsp; "specificIpaddr": "5.5.5.5",</FONT><BR /><FONT face="courier new,courier">&nbsp; "ipv4ModeSelection": "SPECIFIED_IP",</FONT><BR /><FONT face="courier new,courier">&nbsp; "folderPath": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",</FONT><BR /><FONT face="courier new,courier">&nbsp; "text": null,</FONT><BR /><FONT face="courier new,courier">&nbsp; "folder": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",</FONT><BR /><FONT face="courier new,courier">&nbsp; "is_owned": false,</FONT><BR /><FONT face="courier new,courier">&nbsp; "ownedName": ""<BR />}</FONT></P> <P>To change the IP of the DNS trap:</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">[Expert@MGMT:0]# <STRONG>mgmt_cli -r true set generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e malwareDnsTrapSettings.specificIpaddr "6.6.6.6"</STRONG></FONT></P> <P>Of course, now that I've read the question again, I realize this <EM><STRONG>wasn't</STRONG></EM> the question you asked.<BR />However, because I did go to some effort to figure this out, I'm leaving the answer here in case anyone else wants to know.</P> <P>It turns out, the objects that show up in the "Internal DNS Servers" part of the profile is not set in the profile anywhere.<BR />It is a flag that is set in those specific host objects.<BR />Which would mean querying all the host objects to see which ones have the flag set (dns-server true).<BR />Haven't worked out the exact syntax to&nbsp;accomplish this with jq, but I assume it can be done.</P> <P>To turn an existing host object into a DNS server (and thus show up on this tab):</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">[Expert@MGMT:0]# <STRONG>mgmt_cli -r true set host name "DNS Server" host-servers.dns-server true</STRONG></FONT></P> <P>Making something not a DNS server (and thus disappear from this tab) would be:</P> <P class="lia-indent-padding-left-30px"><FONT face="courier new,courier">[Expert@MGMT:0]# <STRONG>mgmt_cli -r true set host name "DNS Server" host-servers.dns-server false</STRONG></FONT></P> <P>Hope that helps.</P> <P>&nbsp;</P> Sun, 15 Mar 2020 02:47:12 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Threat-Prevention-Profile-API-Malware-DNS-Trap/m-p/78317#M4585 PhoneBoy 2020-03-15T02:47:12Z