https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13690#M974 <HTML><HEAD></HEAD><BODY><P>Hi, sorry for slacking at the end <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;</P><P>Let's say you pay for subscription to some 3rd party domain <A href="http://www.ExclusiveProtectionRules.com/feed.csv">www.ExclusiveProtectionRules.com/feed.csv</A>&nbsp;which contains list of .snort files each&nbsp;with logics to detect IPS.</P><P>You can place on a remote host a&nbsp;script in Python or bash or something, that polls that URL every now and then, and when it detects that new entries were added, downloads the new .snort files, places them on the Management Server&nbsp;and remotely calls the Management API commands.</P></BODY></HTML> Tue, 10 Apr 2018 06:08:28 GMT Tomer_Sole 2018-04-10T06:08:28Z https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13688#M972 <HTML><HEAD></HEAD><BODY><P>1. Place the <A href="https://www.snort.org/rules_explanation">snort </A><A href="https://paginas.fe.up.pt/~mgi98020/pgr/writing_snort_rules.htm">protections </A>file on your Management server</P><P></P><P>2. Import it to your Security Management Server:</P><P></P><P>a. Login with valid Check Point admin credentials, so that the change will be audited by the relevant admin account.</P><PRE class="" style="color: #191919; background: #efefef; border: 0px none; margin: 0px 0px 10px; padding: 9.5px;">mgmt_cli login user "[username]" password "[password]"</PRE><P></P><P>b.&nbsp;Import the protections file</P><PRE class="" style="color: #191919; background: #efefef; border: 0px none; margin: 0px 0px 10px; padding: 9.5px;">mgmt_cli add threat-protections package-path "/path/to/community.rules" package-format "snort"</PRE><P></P><P>c. This command is asynchronous and returns a task ID. Track the progress of this task either with the "show task" command:</P><PRE class="" style="color: #191919; background: #efefef; border: 0px none; margin: 0px 0px 10px; padding: 9.5px;">mgmt_cli show task task-id "2eec70e5-78a8-4bdb-9a76-cfb5601d0bcb"</PRE><P>(given&nbsp;2eec70e5-78a8-4bdb-9a76-cfb5601d0bcb as the "task-id" value in the result of step b)</P><P>or with this utility&nbsp;<A href="https://community.checkpoint.com/thread/1268">Using a-synchronous commands (e.g. publish, install-policy and run-script)</A>&nbsp;</P><P></P><P>d. Publish your changes&nbsp;</P><PRE class="" style="color: #191919; background: #efefef; border: 0px none; margin: 0px 0px 10px; padding: 9.5px;">mgmt_cli publish </PRE><P></P><P>e. The "publish" command is also&nbsp;asynchronous, so you will need to track its progress similar to step c</P><P></P><P>f. Install Policy&nbsp;</P><PRE class="" style="color: #191919; background: #efefef; border: 0px none; margin: 0px 0px 10px; padding: 9.5px;">mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway"</PRE><P></P><P><SPAN>g. The "install-policy" command is also&nbsp;</SPAN><SPAN>asynchronous, so you will need to track its progress similar to step c</SPAN></P><P></P><P></P><P><SPAN>Now you can add your custom protections or connect between your feeds and the gateway automatically. Audit logs and SmartConsole UI reflect this change.</SPAN></P></BODY></HTML> Mon, 09 Apr 2018 16:37:55 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13688#M972 Tomer_Sole 2018-04-09T16:37:55Z https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13689#M973 <HTML><HEAD></HEAD><BODY><P>Hi Tomer,</P><P>Can you elaborate on "<SPAN style="color: #333333; background-color: #ffffff;">connect between your feeds and the gateway automatically"? Example perhaps.</SPAN></P></BODY></HTML> Mon, 09 Apr 2018 17:47:51 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13689#M973 Eric_Ferland 2018-04-09T17:47:51Z https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13690#M974 <HTML><HEAD></HEAD><BODY><P>Hi, sorry for slacking at the end <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;</P><P>Let's say you pay for subscription to some 3rd party domain <A href="http://www.ExclusiveProtectionRules.com/feed.csv">www.ExclusiveProtectionRules.com/feed.csv</A>&nbsp;which contains list of .snort files each&nbsp;with logics to detect IPS.</P><P>You can place on a remote host a&nbsp;script in Python or bash or something, that polls that URL every now and then, and when it detects that new entries were added, downloads the new .snort files, places them on the Management Server&nbsp;and remotely calls the Management API commands.</P></BODY></HTML> Tue, 10 Apr 2018 06:08:28 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Did-you-know-Add-Snort-Protections-with-R80-10-API/m-p/13690#M974 Tomer_Sole 2018-04-10T06:08:28Z