Sarath_M
Nickel

Error while exporting access rules using show package script

I am trying to export the access logs using the $MDS_FWDIR/scripts/web_api_show_package.sh command on our Management server, which is R80. I can export all the FW rules and other IPS rules, but I'm not able to export the NAT rules.

It gives me the following error.

Unexpected character (S) at position 39.
at org.json.simple.parser.Yylex.yylex(Yylex.java:610)
at org.json.simple.parser.JSONParser.nextToken(JSONParser.java:269)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:118)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:81)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:75)
at com.checkpoint.mgmt_api.client.ApiClient.store(ApiClient.java:567)
at com.checkpoint.mgmt_api.client.ApiClient.apiCall(ApiClient.java:305)
at com.checkpoint.mgmt_api.client.ApiClient.apiCall(ApiClient.java:359)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.showNATRulebase(ShowRulebaseExample.java:939)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.getPackageData(ShowRulebaseExample.java:428)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.main(ShowRulebaseExample.java:286)

Kindly let me know how to export the NAT rules as well.

18 Replies
Employee++

Re: Error while exporting access rules using show package script

Can you please specify which R80 version you are using (cpinfo -y all command)?

Robert.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

cpinfo -y all command output:

This is Check Point CPinfo Build 914000182 for GAIA
[FW1]
HOTFIX_R80_JHF_T76 Take: 8
HOTFIX_R80_JHF_76_CIRRUS2 Take: 35

FW1 build number:
This is Check Point Security Management Server R80 - Build 002
This is Check Point's software version R80 - Build 012

[SecurePlatform]
No hotfixes..

[CPinfo]
No hotfixes..

[SmartPortal]
No hotfixes..

[Reporting Module]
HOTFIX_R80_JHF_T76 Take: 8

[CPuepm]
HOTFIX_R80_JHF_T76 Take: 8

[CVPN]
No hotfixes..

[SmartLog]
HOTFIX_R80_JHF_T76 Take: 8

[MGMTAPI]
No hotfixes..

[R7520CMP]
No hotfixes..

[R7540CMP]
No hotfixes..

[R7540VSCMP]
No hotfixes..

[R76CMP]
No hotfixes..

[SFWR77CMP]
HOTFIX_R80_JUMBO_COMP

[R77CMP]
HOTFIX_R80_JUMBO_T76_COMP

[R75CMP]
No hotfixes..

[NGXCMP]
No hotfixes..

[EdgeCmp]
No hotfixes..

[SFWCMP]
No hotfixes..

[FLICMP]
No hotfixes..

[SFWR75CMP]
No hotfixes..

[CPUpdates]
BUNDLE_R80_JHF_T76 Take: 8
BUNDLE_R80_JHF_76_CIRRUS2 Take: 35

[DIAG]
No hotfixes..

[VSEC]
HOTFIX_R80_JHF_76_CIRRUS2 Take: 35

[rtm]
No hotfixes..

Employee++

Re: Error while exporting access rules using show package script

Thank You.

I know that there was an issue with NAT rulebase that was fixed and delivered as a hotfix.

I'll check on Sunday the exact version and inform you.

Sorry for this inconvenience.

Robert.

Employee++

Re: Error while exporting access rules using show package script

Hi Sarath,

It seems that you have installed an older R80 management on your environment.

Our Show-Package tool has evolved big time since then (now on R80.10 installations) - bugs fixed, new features added, including support for Unicode.

Nevertheless, we will check how we can adjust our new version tool to your old installation and inform you.

Robert.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

Okay. Thank you.

Employee+

Re: Error while exporting access rules using show package script

Hi Sarath,

Please check this repository https://github.com/CheckPointSW/ShowPolicyPackage to get the latest version of the Show Package tool. The version works with both R80 and R80.10 and can be used as a standalone tool remotely or put into the Security Management Server (to replace the bundled one).

Feel free to ask us questions if you have any.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

My plan of action is to download web_api_show_package-jar-with-dependencies.jar from the link provided and copy it into $MDS_FWDIR/api/samples/lib/ replacing the old file on the management server.

(I will back up the old file as well.)

Then run the command $MDS_FWDIR/scripts/web_api_show_package.sh.


Is this approach correct?

Employee++

Re: Error while exporting access rules using show package script

It is one of the approaches, as mentioned in the tool's instructions on GitHub - replace the old jar with the new one.

Robert.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

I have downloaded the new jar file in the release tab and replaced the old one, but it is 729KB while the old one which we have is 13059KB, and the tool did not run; it showed a severe error and exited.

[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received:
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [x.x.x.x, 127.0.0.1]
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /home/myid/110d4c46-0bf0-4de3-b163-e1436ff67762
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-26_12-10-06.tar.gz

I do not want to build the jar file, as I'm not aware of those commands and do not know how to build them.

Employee++

Re: Error while exporting access rules using show package script

Can you please specify the parameters you are providing to the tool?

I need the exact command line you are running (you may use xxx for sensitive values).

The size of JAR files doesn't matter.

Robert.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

I have entered the below command on a side server. I can log into the GUI from this server using the same credentials.

D:\java -jar .\web_api_show_package-jar-with-dependencies.jar -m x.x.x.x -u admin -p ***

[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: server:(-m)=x.x.x.x username:(-u)=admin password:(-p)=*****
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login As root: false
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login with 'read-only' flag.
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: An error occurred while logging in to the server. Exception: ERROR: Could not connect to API server, check 'api status' for more details. Error message: Error: failed to get string data
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: D:\c820221a-6745-41d9-a91d-0547cc52c498
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-27_11-52-04.tar.gz

api status:

API Settings:
---------------------
Accessibility: Allow from all
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 26621
CPM Started 4816 Check Point Security Management Server is running and ready
FWM Started 7517

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

Test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

I tried running this script from the management server as well, but it did not work.

Employee++

Re: Error while exporting access rules using show package script

Hi Sarath,

Thanks for the information. We will check this on Sunday and inform you.

Robert.

Employee++

Re: Error while exporting access rules using show package script

Hi,

Please try running the following command on your management server - 

java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v

using the new jar from GitHub.

Let me know if this worked.

Robert.

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

Hi,

Here is the output after running the command on the management server with the new jar file.

# java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v
Script stopped running due to severe error!
Result file location: show_package-2018-04-30_06-46-21.tar.gz

[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: showPackagesList:(-v)=true
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [x.x.x.x, 127.0.0.1]
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /home/xxxx/10de5284-8833-4179-aaab-04000d267e7c
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-30_06-46-21.tar.gz

Employee+

Re: Error while exporting access rules using show package script

Hi Sarath,

Thanks a lot for the collaboration. We found the problem and are going to fix it soon.

It's because of the security protocol versions configured by default in different Java versions. R80 uses Java version 7 and R80.10+ uses Java version 8; that's why it fails to run locally on the R80 Management Server.

Meanwhile, as a workaround you can add the following property to JVM: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

So instead of 

java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v

you should run

java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v

We will inform you when the fix is ready.
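
A wrapper for the workaround above, as an added example that is not part of the original thread or of Check Point's tooling: it reads `java -version` output and adds the `-Dhttps.protocols` property only on Java 7, for tool versions that still need it (the thread later reports that v1.2.3 does not). The helper function names and the sample version strings are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not Check Point's code. Helper names are hypothetical.

# Print the Java major version found in `java -version` output, e.g.
# 'java version "1.7.0_80"' -> 7 and 'openjdk version "11.0.2"' -> 11.
java_major() {
    local ver
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) ver=${ver#1.} ;;          # legacy 1.x scheme: 1.7.0_80 -> 7.0_80
    esac
    ver=${ver%%[._-]*}                 # keep the digits before the first separator
    case "$ver" in
        ''|*[!0-9]*) return 1 ;;       # refuse anything that is not a number
    esac
    printf '%s\n' "$ver"
}

# Print the extra JVM option, if any. Assumption taken from the thread:
# Java 7 needs the property, Java 8 and later do not.
tls_workaround_opts() {
    local major
    major=$(java_major "$1") || return 1
    if [ "$major" -eq 7 ]; then
        printf '%s\n' '-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2'
    fi
}

# Print the command line to run for a given `java -version` output and jar path.
show_package_cmd() {
    local opts
    opts=$(tls_workaround_opts "$1") || { echo "unrecognised java version" >&2; return 1; }
    printf 'java %s-jar %s -v\n' "${opts:+$opts }" "$2"
}

# Constructed sample version lines (not captured from a real server).
jar='$MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar'
for sample in 'java version "1.7.0_80"' 'java version "1.8.0_161"'; do
    show_package_cmd "$sample" "$jar"
done
```

On a real host, pass `"$(java -version 2>&1)"` as the first argument instead of a sample string.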

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

Awesome. Works superbly. Thank you very much.

Employee+

Re: Error while exporting access rules using show package script

The fix is ready.

You can use version v1.2.3 without providing extra JVM properties.  

Sarath_M
Nickel

Re: Error while exporting access rules using show package script

Thank you. It now works with just the command $MDS_FWDIR/scripts/web_api_show_package.sh on the management server.
