
API Cluster build

Hello All,

Can somebody tell me if there is any possibility to add a Cluster to the Mgmt (CMA) over the API?

I found only the "add-simple-gateway" but nothing else?

Thanks for info

Radek

0 Kudos
13 Replies
Admin

Re: API Cluster build

Adding cluster objects is one of the handful of operations that still require the use of CPMI and not the R80 API.

It's something planned to be addressed in a later release.

0 Kudos

Re: API Cluster build

OK, does Check Point have any estimation of when this feature could be part of the API?

Could you send me any reference to documentation on how to use CPMI to build a cluster by script?

Thanks

Radek

0 Kudos
Admin

Re: API Cluster build

To my knowledge, the timelines for incorporating this into the API have not been finalized.

I'm also not aware of any documentation for building a cluster using dbedit (the scriptable way to use CPMI) or if it is even possible.

I would communicate your requirements in this area to your Check Point SE, if you haven't already.

0 Kudos

Re: API Cluster build

I have managed in the past to build a cluster object using dbedit. It was not without issues though and I think I ended up deleting and creating the cluster object manually in the end. 

The topology of the cluster had to be completed manually (I was reverse engineering using GUIDBedit and couldn't work out the dbedit commands for cluster topology (I think I ran out of time)) and a SIC reset also had to be done. I had used the CLI to push SIC certificates. Perhaps the SIC trust pulled from the server rather than pushed is better since a topology get occurs during SIC establishment.

Would be good to know when the API is up to the job (although I am about to look into it on R80.10) and until then if there is a work around until then. That is, other than simple objects created in API to half complete the job of creating the cluster object.

Regards,

Don

0 Kudos
Employee++

Re: API Cluster build

Thanks to Nicolas Boisse, you can use this utility - https://community.checkpoint.com/docs/DOC-2625.

Also, please note my caveat there.

Robert.

Re: API Cluster build

When can we FINALLY expect such a basic feature like manipulating Cluster objects within R80? R80.30 is GA, without any single API command for this purpose. What a shame.

Kind regards,
Jozko Mrkvicka
0 Kudos
Employee+

Re: API Cluster build

The cluster API was supposed to be released in R80.30 M1. This is postponed to the R80.40 version.

0 Kudos

Re: API Cluster build

Basic feature? Would be a thing everybody needs any day - but honestly, creating and manipulating hundreds of cluster objects using API is not everybody's favorite daily game, most people still use the Dashboard and are happy nevertheless 😊

0 Kudos

Re: API Cluster build

Not in case you are managing 30+ clusters with daily VLANs creation 🙂 Monkey job...

Kind regards,
Jozko Mrkvicka
0 Kudos
snowie-swe
Nickel

Re: API Cluster build

How is it possible that an API is released when you can't control a cluster?
More or less the first thing when buying a firewall, the vendor always says "you need a cluster".

Struggling to find something to control VS, does Check Point see that as a cluster, single gw or something else?
Currently running R80.20 MDS with R80.30 3.1 VSX Clusters.

Employee+

Re: API Cluster build

Hi,

There is currently no API endpoint for adding, changing or deleting VS on a VSX. What we have is a vsx_provisioning_tool to perform these operations using the CLI. To achieve this over the RESTful Management API, one could use a combination of the run-script API endpoint and vsx_provisioning_tool.

Here are two Ansible playbook examples on how to create and delete VS on a VSX using a combination of the run-script endpoint and the vsx_provisioning_tool. More information about the vsx_provisioning_tool can be found in the Check Point VSX R80.x Administration Guide.

R80-AddVS.yml

---
# Example playbook to add Virtual System on a Check Point VSX
# Using management API run-script endpoint and the vsx_provisioning_tool binary
# Variables used in this playbook that are defined in vars.yml
#   mgmt_user        - Admin username for R80 Security Management API
#   mgmt_password    - Admin password for R80 Security Management API
#   mgmt_domain      - The Domain to make the changes in, set this to "SMC User" if this is a SMS
#   mgmt_server      - The MDS or SMS ip to connect to
#   mgmt_fingerprint - The API server fingerprint on MDS or SMS
#   dms_ip           - Domain Management Server IP for the domain where the VSX object exists
#   vsx_hostname     - Name of the VSX object where the virtual system should be created
#   script_targets   - list, should contain the name of the DMS that manages the domain with the VSX object

- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
  - vars.yml

  tasks:
  - name: "login"
    check_point_mgmt:
      command: login
      parameters:
        username: "{{mgmt_user}}"
        password: "{{mgmt_password}}"
        domain: "{{mgmt_domain}}"
        management: "{{mgmt_server}}"
      fingerprint: "{{mgmt_fingerprint}}"
    register: login_response
      
  # mgmt_password is interpolated into the script text below, so it is part of the
  # command line that run-script executes on the target.
  - name: "Create VS on VSX with run-script"
    check_point_mgmt:
      command: run-script
      parameters:
       script-name: "Create VS vs{{item}} on VSX {{vsx_hostname}} with run-script"
       script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{dms_ip}} -u {{mgmt_user}} -p {{mgmt_password}} -o add vd name vs{{item}} vsx {{vsx_hostname}} type vs, add interface name eth1.{{item}} ip 1.1.{{item}}.254 netmask 255.255.255.0, add interface name eth2.{{item}} ip 2.2.{{item}}.254 netmask 255.255.255.0"
       targets:
        "{{ script_targets }}"
      session-data: "{{login_response}}"
    with_sequence: start=10 end=12

  - name: "logout"
    check_point_mgmt:
      command: logout
      session-data: "{{login_response}}"

 

R80-RemoveVS.yml

---
# Example playbook to remove Virtual System on a Check Point VSX
# Using management API run-script endpoint and the vsx_provisioning_tool binary
# Variables used in this playbook that are defined in vars.yml
#   mgmt_user        - Admin username for R80 Security Management API
#   mgmt_password    - Admin password for R80 Security Management API
#   mgmt_domain      - The Domain to make the changes in, set this to "SMC User" if this is a SMS
#   mgmt_server      - The MDS or SMS ip to connect to
#   mgmt_fingerprint - The API server fingerprint on MDS or SMS
#   dms_ip           - Domain Management Server IP for the domain where the VSX object exists
#   vsx_hostname     - Name of the VSX object that the virtual system should be removed from
#   script_targets   - list, should contain the name of the DMS that manages the domain with the VSX object

- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
  - vars.yml

  tasks:
  - name: "login"
    check_point_mgmt:
      command: login
      parameters:
        username: "{{mgmt_user}}"
        password: "{{mgmt_password}}"
        domain: "{{mgmt_domain}}"
        management: "{{mgmt_server}}"
      fingerprint: "{{mgmt_fingerprint}}"
    register: login_response
      
  # mgmt_password is interpolated into the script text below, so it is part of the
  # command line that run-script executes on the target.
  - name: "Remove VS on VSX with run-script"
    check_point_mgmt:
      command: run-script
      parameters:
       script-name: "Remove VS vs{{item}} on VSX {{vsx_hostname}} with run-script"
       script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{dms_ip}} -u {{mgmt_user}} -p {{mgmt_password}} -o remove vd name vs{{item}}"
       targets:
        "{{ script_targets }}"
      session-data: "{{login_response}}"
    with_sequence: start=10 end=12

  - name: "logout"
    check_point_mgmt:
      command: logout
      session-data: "{{login_response}}"

 

0 Kudos
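Added example, not part of the post above and not Check Point code: the playbooks paste variables straight into the shell string that run-script executes, so this sketch builds the same `add vd` command line from validated inputs and shell-quotes every argument, with a redacted form for logging. The helper names and the object-name allowlist are assumptions; the tool path and the `-s`, `-u`, `-p`, `-o` options are taken from the playbooks.

```python
import ipaddress
import re
import shlex

# Tool path exactly as the playbooks use it; left unquoted so the remote shell expands it.
TOOL = "$MDS_FWDIR/bin/vsx_provisioning_tool"
# Assumption: a conservative allowlist for object and interface names (e.g. vs10, eth1.10).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{0,63}")


def _name(value, what):
    if not NAME_RE.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def _ipv4(value):
    return str(ipaddress.IPv4Address(value))  # ValueError unless a dotted quad


def _netmask(value):
    return str(ipaddress.IPv4Network(f"0.0.0.0/{value}").netmask)  # ValueError if not a mask


def build_add_vs(dms_ip, user, password, vs_name, vsx_name, interfaces, for_log=False):
    """Return the run-script command line; interfaces is a list of (name, ip, netmask)."""
    op = ["add", "vd", "name", _name(vs_name, "VS name"),
          "vsx", _name(vsx_name, "VSX name"), "type", "vs"]
    for ifname, ip, mask in interfaces:
        op[-1] += ","  # sub-commands are comma-separated, as in the playbook
        op += ["add", "interface", "name", _name(ifname, "interface name"),
               "ip", _ipv4(ip), "netmask", _netmask(mask)]
    secret = "***" if for_log else password  # never write the real password to a log
    args = ["-s", _ipv4(dms_ip), "-u", user, "-p", secret, "-o", *op]
    return TOOL + " " + " ".join(shlex.quote(a) for a in args)
```

Quoting keeps a password or name with shell metacharacters from changing the command, but the password is still an argument of the process on the target, so only the `for_log=True` form belongs in task names or logs.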
snowie-swe
Nickel

Re: API Cluster build

Sure, there is a way around it with vsx_util / vsx_provisioning_tool.
The point is more that Check Point really needs to put in an effort to add more features to the API.

The way we want to use it is for making sure documentation is up to date, but also to add VLANs and change routes on VS.
Having an API for this would make a huge diff.
Employee+

Re: API Cluster build

I'm working on a pre-release of the add simple-cluster API. This is coming in R80.40. Stay tuned. Gaia API is there if you want to send calls directly to the gateway. sk143612. It's available as an add-on package for R80.10, R80.20 and R80.30. Will probably be built in in R80.40.