How To's - Interact with Check Point Management API on Gaia R81

Silesio — Wed, 23 Dec 2020 20:30:29 GMT

Hi there, in this post we’re going to see how to interact with Check Point Management API. We are going to run some API commands using GAIA CLI (clish), Windows CLI and SmartConsole CLI.

Before starting, be sure to enable to enable API on SmartConsole > Manage & Settings > Blades > Management API > Advanced Settings > Accept call from: All IP addresses.

This change requires us to restart the api service. Login into management server and restart the api service by running the command api restart

After some minutes we can verify the api status service by running the command api status

As we are already at Gaia clish, we’ll begin performing some operations here.

First we have to log in as a management user by running the command mgmt login. Another variation for this command is to use mgmt login without the user argument, but for some reason the authentication failed.

To use api commands the syntax is mgmt + command + parameters. For example let’s list all the network objects by running the command mgmt show-networks

The result is printed in json format. This means that we can leverage this output using python (I'll right more about this in the future).

Let’s change the DMZ network name, by running the command mgmt set network name DMZ new-name DMZ-API color “blue”

When we change an object value, the object will be locked for the current session until we publish the change.

Let’s publish the change by running the command mgmt publish

And we have success. Let’s verify by running the command mgmt show network name DMZ-API

We can also verify by looking at SmartConsole

Now let's install a policy by running the command mgmt install-policy policy-package MainSite access true threat-prevention true targets.1 A-GW-CLUSTER

We should get a successful result

Windows cli console

Now let’s run some commands using windows cli console. We’ll have to use the Check Point tool mgmt_cli.exe, located in C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM folder.

When using the mgmt_cli tool, in order for a command to run, it is mandatory to provide login credentials or use a session-id token that was obtained previously using the ‘login’ command.

Let’s login into mgmt_server by running the command mgmt_cli login –u silesio –p admin1234 –m 192.168.234.11

Now let’s see all the hosts by running the command mgmt_cli show hosts –u silesio –p admin1234 –m 192.168.234.11

Calling mgmt_cli with credentials (provided explicitly or entered by prompt) will result in performing four different operations:

Log into the management server using the supplied credentials
Execute the command
Publish
Logout

Let’s delete the host H_192.168.20.1 by running the command mgmt_cli delete host name H_192.168.20.1 –u silesio –p admin1234 –m 192.168.234.11

We can also run the commands without specifying the credentials all the time. Let’s create a file to store the session and use it whenever we want to run a command.

Open the windows prompt as administrator.

Type the command mgmt_cli –u silesio –p admin1234 –m 192.168.234.11 > session.txt

Let’s add a new host by running the command mgmt_cli add host name "New Host API" ip-address 172.30.30.1 color green -s session.txt

Notice that the change, wasn’t published. In the above example, the output from the login command is redirected to a file called "session.txt". By using the "-s" parameter, the rest of the commands read "session.txt" and automatically extract the session-id from this file.

We can confirm the new host was created successfully.

SmartConsole CLI

Lastly, let’s use the SmartConsole CLI.

When typing commands inside the window they just work - There is no need to provide a username, password or the ip-address of the management server because this information was already provided in the GUI’s login dialog and the commands are executed in that context.

The syntax is identical to the commands used previously. The main difference, here we don’t have to add mgmt command.

Let’s add two groups, and a new network inside of one of the groups.

To save the changes we have to publish.

It appears that the publish command isn’t supported inside SmartConsole CLI, so we have publish manually.

These are some of the commands that we can use to interact with Check Point Management API. They are more helpful for bulk operations like adding more than 100 objects, or even to automate some repetitive tasks.

I hope you enjoyed this post, leave your comments below and I'll see you on the next one.

Reference:

https:// sc1.checkpoint.com/documents/latest/APIs/index.html#cli/introduction~v1.7%20

Re: How To's - Interact with Check Point Management API on Gaia R81

PhoneBoy — Wed, 23 Dec 2020 21:06:26 GMT

This got posted twice…what happened to cause that?

Re: How To's - Interact with Check Point Management API on Gaia R81

Silesio — Thu, 24 Dec 2020 00:13:57 GMT

Probably an error while posting. I think this happens whenever there is a link in the post.

If you noticed, I had to add a blank space in the url.

Re: How To's - Interact with Check Point Management API on Gaia R81

PhoneBoy — Thu, 24 Dec 2020 01:59:03 GMT

That shouldn’t cause an error…

topic How To's - Interact with Check Point Management API on Gaia R81 in API / CLI Discussion

How To's - Interact with Check Point Management API on Gaia R81

Re: How To's - Interact with Check Point Management API on Gaia R81

Re: How To's - Interact with Check Point Management API on Gaia R81

Re: How To's - Interact with Check Point Management API on Gaia R81