Tribhawan_Singh
Contributor

Python Script to run mgmt_cli .csv commands

Hello Team,

I am using a .csv file to add different hosts, networks, address-ranges, and access rules into the Check Point database.

But for this I need to log in to the management server and run those mgmt_cli <batch -- .csv file> commands.

Is it possible to use Python (from a jump host from where the MGMT server is accessible) with Paramiko/Netmiko type modules to log into the firewall, go into expert mode, and then execute those commands?

Basically what I want to achieve is to run mgmt_cli commands through a Python script so that users don't have to log in to the management server to add any object or rule.

11 Replies
PhoneBoy
Admin

I suppose you could do that but why wouldn't you just parse the CSV file and call the API directly?

Tribhawan_Singh
Contributor

Thanks for the reply, Dameon Welch-Abernathy, but I don't want users to log in to the MDS server, edit the .csv file, and then call the API. Instead I want to achieve this from an external jump host.

The user just makes the changes in the csv file on the external server and then runs the script, and the script should go to the MDS server and call the API as written in the script.

Through Paramiko I can enter the MGMT server, but it is giving me successful output from clish mode only and not entering expert mode to make API calls (mgmt_cli or bash commands).

Anything which can help to use a pexpect type library to enter expert mode and then run the mgmt_cli/bash commands.

0 Kudos
Joshua_Hatter
Employee

To clarify, Dameon means utilizing the Web Services (REST) API directly. I can honestly admit I was you and first used Paramiko to ssh to the box and run API commands as well. You will not regret switching to the REST API; it will be much faster, and we have a very nice Python example to get you started on this reference page at the bottom.

Check Point - Management API reference 

Tribhawan_Singh
Contributor

Joshua Hatter, can you please share the script from when you used Paramiko or any other library and ran the API commands to configure objects?

Also I'd love to switch to REST, but is there any post/thread which explains how to start with it, along with some used scripts?

0 Kudos
Joshua_Hatter
Employee

I don't have them and I would recommend against going that route. I already provided a link in my previous post with an example for python.

Tribhawan_Singh
Contributor

Joshua Hatter, thanks for your reply, Josh. REST is not an option here because the team wants to deploy objects in bulk and not everyone is comfortable using REST. Is there any way through mgmt_cli, if I create a .csv file, or any command which can find out and check which objects are already in place, so that we can filter those objects in our .csv file and then re-run the add-host/network mgmt_cli command to add objects on the management server?

0 Kudos
PhoneBoy
Admin

It might be easier to run the mgmt_cli command with the --ignore-errors switch.

This way, if it is unable to create a given object in the CSV (e.g. because it exists), then the command will continue working on other items in the CSV file.

That said, you will have to parse for these errors (and deal with them). 

A couple of notes about what you're trying to do:

  • Working with the REST API is not significantly more difficult than what you're trying to do here with the mgmt_cli command, especially given that you will need to process (and understand) the results that come back from executing commands.
  • You will probably have better performance using mgmt_cli if you create a session, execute the commands, then execute a publish action (versus successive mgmt_cli -r true commands, each of which will create and commit an individual session).
  • Keep your CSV file to no more than 500 lines for optimal performance.
0 Kudos
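A sketch of what "parse the CSV file and call the API directly" with one session per batch, per-row error collection and a single publish can look like from a jump host. This is an added example, not code from the thread or from Check Point; `add_hosts`, `https_call` and the injected `call` parameter are hypothetical names, and it assumes the CSV header row uses the API field names (`name`, `ip-address`) as an mgmt_cli batch file does, with credentials supplied by the caller rather than stored in the script.

```python
import csv, io, json, ssl, urllib.error, urllib.request

CHUNK = 500  # the thread's advice: keep each CSV batch to at most 500 lines

def https_call(server, command, payload, sid=None):
    """POST one Management API command; returns (http_status, parsed_json).
    Wire it in with: call = functools.partial(https_call, "mgmt.example.internal")"""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session id returned by login
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(), headers=headers)
    try:  # default context keeps certificate verification enabled
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # API errors arrive as 4xx/5xx with a JSON body
        return e.code, json.load(e)

def add_hosts(csv_text, login_payload, call):
    """Per chunk: login once, add-host per row, publish once, logout.
    Failed rows are collected (the --ignore-errors idea) instead of aborting."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    added, failed = [], []
    for start in range(0, len(rows), CHUNK):
        status, body = call("login", login_payload)
        if status != 200:
            raise RuntimeError(f"login failed: {body.get('message')}")
        sid, ok = body["sid"], 0
        try:
            for row in rows[start:start + CHUNK]:
                status, body = call("add-host", row, sid)
                if status == 200:
                    added.append(row["name"])
                    ok += 1
                else:  # e.g. the object already exists; keep going, report later
                    failed.append((row["name"], body.get("code"), body.get("message")))
            # Publish only when this session actually changed something.
            if ok and call("publish", {}, sid)[0] != 200:
                raise RuntimeError("publish failed; this session was not committed")
        finally:
            call("logout", {}, sid)  # always release the session
    return added, failed
```

The `failed` list is what has to be reviewed and corrected in the CSV before a re-run; rows in `added` are already committed and can be dropped from the next batch.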
Tribhawan_Singh
Contributor

Dameon Welch-Abernathy, it was helpful.

1. Now I get the idea that I have to write code to execute the commands, and if errors come, then through that code I need to parse the error message, and then after correction in the csv file it will work well.

2. Is it possible to import the .csv file and run REST calls through the Postman tool?

0 Kudos
PhoneBoy
Admin

Not sure if postman has a CSV import function.

Either way, you'd still need to write code to accomplish the task you're after.

Tribhawan_Singh
Contributor

Dameon Welch-Abernathy, Joshua Hatter: just a question not related to this thread:

Is there any command in Check Point (expert, clish) through which we can check whether a particular sourceIP/destinationIP/Port is allowed on the firewall or not?

Like Packet Tracer in ASA, or the test security-policy-match command in the Palo Alto CLI.

If this is not in place, then is there any plan to introduce any such thing in any future releases?

0 Kudos
Joshua_Hatter
Employee

Packet Injector SK110865
