topic Re: Management API Reference + Threat emulation global exceptions in API / CLI Discussion

Management API Reference + Threat emulation global exceptions

Ohad — Tue, 13 Aug 2024 14:41:32 GMT

Dear all,

I am trying my best to work with the API document of CheckPoint:

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/show-threat-rule-exception-rulebase~v1.9.1%20

But as always its murky at best..

I have R81.10 with a custom policy and it own set of exceptions..

I want to "migrate" all those exceptions to the global exceptions since I am planning to move from the custom policy to the autonomous one... however its like 100 + rules...

As you can see in the example that they present:

mgmt_cli set threat-exception name "Exception Rule" layer "New Layer 1" rule-number 1 new-name "Last rule"

This example does not refer to the main global exceptions under threat preventions ==> Exceptions

I can tell that this is not the case since when using #mgmt_cli show threat-exception it shows the exceptions for the custom policy exceptions and not the global..

Any ideas would be appreciated 🙂

Re: Management API Reference + Threat emulation global exceptions

Daniel_Kuhl1 — Tue, 13 Aug 2024 15:32:45 GMT

Have you tried using the following command: show exception-group name "Global Exceptions"

Re: Management API Reference + Threat emulation global exceptions

Ohad — Wed, 14 Aug 2024 07:40:05 GMT

Hi Daniel,

Thanks for the quick reply 🙂

The prompt gives me the upper box of the exceptions instead of the bottom box:

**I am attaching a screenshot of the smartconsole - As you can see the "comments" are the same between the output and the screenshot...

I need the Global exceptions rules themselves... not the group....

uid: "82006125-3aca-41ea-9a92-519d6065b810"
name: "Global Exceptions"
type: "exception-group"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
apply-on: "all-threat-rules"
comments: "Out of the box global exception group for threat prevention"
color: "black"
icon: "ThreatPrevention/Exception_Group_Objects"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1513272839206
iso-8601: "2017-12-14T19:33+0200"
last-modifier: "System"
creation-time:
posix: 1513272839206
iso-8601: "2017-12-14T19:33+0200"
creator: "System"
read-only: true

Re: Management API Reference + Threat emulation global exceptions

Daniel_Kuhl1 — Wed, 14 Aug 2024 08:43:37 GMT

Ah sorry, try this one: show threat-exception name "Test" exception-group-name "Global Exceptions"

You can extend the output by setting the detail level to full like this:

show threat-exception name "Test" exception-group-name "Global Exceptions" details-level full

Re: Management API Reference + Threat emulation global exceptions

Ohad — Wed, 14 Aug 2024 09:45:25 GMT

Cool, it shows the rule now 🙂

Now for the 1 million question - How to add a rule to said group...

The syntax is:

mgmt_cli add threat-exception layer "New Layer 1" rule-number 1 position 1 name "Exception Rule" track "Log" protected-scope "All_Internet" protection-or-site "Adware.a" --format json

I am assuming it would be something like:

mgmt_cli add threat-exception layer "Global Exceptions" rule-number 12 name "Test12" source-name "ohad-pc" service-name "smtp" destination "ohad-pc" protection-or-site "Anti-Virus" action "Inactive" track "Log"

However I am getting an error message:

code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [service-name]"

Executed command failed. Changes are discarded.

And if I were to plan ahead, I think the best way to go would be to export the current 100+ rules into a csv, and use the batch flag like when using:

mgmt_cli add host --batch hosts.csv

I dont see in the URL any provided information in case I want to use a batch file instead of single commands...

Re: Management API Reference + Threat emulation global exceptions

PhoneBoy — Wed, 14 Aug 2024 13:05:04 GMT

It’s service, not service-name.
See: https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-threat-exception~v1.9.1%20

Exporting the existing rules into a CSV is probably possible with some scripting involving the jq utility.
For it to be importable with the batch option, you need to construct the CSV correctly.
Consider you are passing name/value pairs via mgmt_cli.
The first (header) line includes the “names” you pass (e.g. layer, rule-number…).
Subsequent lines have the relevant values.

Re: Management API Reference + Threat emulation global exceptions

Daniel_Kuhl1 — Tue, 20 Aug 2024 14:00:05 GMT

Hi @Ohad , try the API call below:

mgmt_cli add threat-exception name "Test12" position bottom exception-group-name "Global Exceptions" source "ohad-pc" service "smtp" destination "ohad-pc" protection-or-site "AntiVirus" action "Inactive" track "Log"