topic How-to fetch endpoint forensics reports on R80.20 programmatically in Endpoint https://community.checkpoint.com/t5/Endpoint/How-to-fetch-endpoint-forensics-reports-on-R80-20/m-p/58517#M3267 <P>Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.</P> <P>For those who simply cannot wait, I present the following stopgap solution:</P> <OL> <LI>Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value<LI-CODE lang="c">[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242 tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve [Expert@stack-mgmt-a0:0]#​</LI-CODE><LI-CODE lang="c"># authenticate and obtain FWMToken value curl_cli -v -d @fwm-login.xml '<A href="http://127.0.0.1:18242/login" target="_blank">http://127.0.0.1:18242/login</A>' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml fwm_token=`xmllint --format --shell fwm-login-resp.xml &lt;&lt;&lt; "cat //root/token/text()" |tail -n +2 |head -n -1`​</LI-CODE>Content of fwm-login.xml:<LI-CODE lang="markup">&lt;login&gt;&lt;user&gt;&lt;![CDATA[admin]]&gt;&lt;/user&gt;&lt;magic_number&gt;&lt;![CDATA[CP_Etude_2055]]&gt;&lt;/magic_number&gt;&lt;password&gt;&lt;![CDATA[admin123]]&gt;&lt;/password&gt;&lt;sso_token&gt;&lt;![CDATA[]]&gt;&lt;/sso_token&gt;&lt;get_all_columns_def /&gt;&lt;/login&gt;</LI-CODE></LI> <LI>Authenticate using mgmt_cli to obtain a "CPMToken" value<LI-CODE lang="c"># authenticate and obtain CPMToken value cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`</LI-CODE></LI> <LI>Fetch an XML report blog from the smartlog server service<LI-CODE lang="c">uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F timestamp=`date -d '07/09/2019 12:00:00' +"%s"`</LI-CODE> <P>&nbsp;</P> <LI-CODE lang="c"># $1 - report uid # $2 - date - a unix timestamp that equals noon on the same day the event was created # fetch the XML report blob export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&amp;CPMToken=$cpm_token" curl_cli -v '<A href="http://127.0.0.1:18242/packet_capture?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='&quot;$1&quot;'&amp;date='&quot;$2&quot;'&amp;service=ignore&amp;log_server=10.0.0.14" target="_blank">http://127.0.0.1:18242/packet_capture?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='"$1"'&amp;date='"$2"'&amp;service=ignore&amp;log_server=10.0.0.14</A>' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o $1.xml</LI-CODE> <P><SPAN style="font-size: 18px;">The complete request parameters:</SPAN></P> <LI-CODE lang="c">'?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='"$1"'&amp;date='"$2"'&amp;service=ignore&amp;log_server=10.0.0.14'</LI-CODE> <P><SPAN style="font-size: 18px;">Note: Pay attention to the parameters that must be modified to match a different management server.</SPAN></P> </LI> <LI>Extract and decode XML report blob content<LI-CODE lang="c"># extract the XML report blob and decode it xmllint --nocdata --format --shell $1.xml &lt;&lt;&lt; "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d &gt; $1.zip</LI-CODE></LI> </OL> Mon, 22 Jul 2019 17:10:36 GMT Dana_Traversie 2019-07-22T17:10:36Z How-to fetch endpoint forensics reports on R80.20 programmatically https://community.checkpoint.com/t5/Endpoint/How-to-fetch-endpoint-forensics-reports-on-R80-20/m-p/58517#M3267 <P>Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.</P> <P>For those who simply cannot wait, I present the following stopgap solution:</P> <OL> <LI>Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value<LI-CODE lang="c">[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242 tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve [Expert@stack-mgmt-a0:0]#​</LI-CODE><LI-CODE lang="c"># authenticate and obtain FWMToken value curl_cli -v -d @fwm-login.xml '<A href="http://127.0.0.1:18242/login" target="_blank">http://127.0.0.1:18242/login</A>' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml fwm_token=`xmllint --format --shell fwm-login-resp.xml &lt;&lt;&lt; "cat //root/token/text()" |tail -n +2 |head -n -1`​</LI-CODE>Content of fwm-login.xml:<LI-CODE lang="markup">&lt;login&gt;&lt;user&gt;&lt;![CDATA[admin]]&gt;&lt;/user&gt;&lt;magic_number&gt;&lt;![CDATA[CP_Etude_2055]]&gt;&lt;/magic_number&gt;&lt;password&gt;&lt;![CDATA[admin123]]&gt;&lt;/password&gt;&lt;sso_token&gt;&lt;![CDATA[]]&gt;&lt;/sso_token&gt;&lt;get_all_columns_def /&gt;&lt;/login&gt;</LI-CODE></LI> <LI>Authenticate using mgmt_cli to obtain a "CPMToken" value<LI-CODE lang="c"># authenticate and obtain CPMToken value cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`</LI-CODE></LI> <LI>Fetch an XML report blog from the smartlog server service<LI-CODE lang="c">uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F timestamp=`date -d '07/09/2019 12:00:00' +"%s"`</LI-CODE> <P>&nbsp;</P> <LI-CODE lang="c"># $1 - report uid # $2 - date - a unix timestamp that equals noon on the same day the event was created # fetch the XML report blob export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&amp;CPMToken=$cpm_token" curl_cli -v '<A href="http://127.0.0.1:18242/packet_capture?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='&quot;$1&quot;'&amp;date='&quot;$2&quot;'&amp;service=ignore&amp;log_server=10.0.0.14" target="_blank">http://127.0.0.1:18242/packet_capture?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='"$1"'&amp;date='"$2"'&amp;service=ignore&amp;log_server=10.0.0.14</A>' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o $1.xml</LI-CODE> <P><SPAN style="font-size: 18px;">The complete request parameters:</SPAN></P> <LI-CODE lang="c">'?session_id=0&amp;product=Forensics&amp;module_name=stack-mgmt-a0&amp;incident_uid='"$1"'&amp;date='"$2"'&amp;service=ignore&amp;log_server=10.0.0.14'</LI-CODE> <P><SPAN style="font-size: 18px;">Note: Pay attention to the parameters that must be modified to match a different management server.</SPAN></P> </LI> <LI>Extract and decode XML report blob content<LI-CODE lang="c"># extract the XML report blob and decode it xmllint --nocdata --format --shell $1.xml &lt;&lt;&lt; "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d &gt; $1.zip</LI-CODE></LI> </OL> Mon, 22 Jul 2019 17:10:36 GMT https://community.checkpoint.com/t5/Endpoint/How-to-fetch-endpoint-forensics-reports-on-R80-20/m-p/58517#M3267 Dana_Traversie 2019-07-22T17:10:36Z