TechTalk Q&A: Leveraging the R80.10 API to Automate and Streamline Security Operations

There were a number of questions asked related to our recent TechTalk: Leveraging the R80.10 API to Automate and Streamline Security Operations

An edited list of questions and answers (with duplicates removed) is provided below.

Is the R80 API only on the Management Server or also on the GW itself?

The API server is on management only, similar to how it worked in previous versions.

Can we use the API to export reports from SmartEvent?

Not currently.

When you add a rule, there is some logic the administrator uses; how do you do that in automation?

There are features in the API today you can leverage to make an intelligent decision about where new rules can be placed. However, the automation will have to make the decision. To aid in this process, we are developing a Rule Assistant capability. This is currently in early availability. If you would like to participate, contact your Check Point SE or send me (Dameon Welch Abernathy) a private message.

Can you use any third-party automation/orchestration platform?

As long as it can be configured to use our REST API, yes.

Do you have a python library to use the API with?

There are a couple in the Developers (Code Hub) space:

Is it possible to enable/disable individual Software Blades using the API?

For a single gateway, yes. For a cluster, it's roadmap. See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/set-simple-gateway~v1.1

Can I limit certain login credentials to API use only?

You can prevent certain logins from using the API, but you cannot prevent API credentials from also using SmartConsole.

Can CLI commands be run on the gateways via API calls?

Yes, including cprid_util. See these threads:

Does R80.10 include the Identity Awareness API?

It's a separate API, but R80.10 includes it.

Refer to the following docs: Configuring Identity Sources 

Do you have a Threat Prevention API?

It's not specific to R80.10, but yes. We even have a space for it on CheckMates: SandBlast API

Can read-only users use the API?

Yes:

Can something other than a password be used to log in?

While SmartDashboard permits authentication via certificate, this cannot currently be done via the API.

Can we control which objects or commands a user is allowed to access and change?

All administrator users are assigned a permissions profile. API access will be restricted by these permission profiles. Refer to the following documentation: Managing Administrator Accounts 

Currently there is no way to apply access control to a specific object (either you have the ability to edit them or you don't). You can, however, apply permissions to policy layers.

Where can I download the Postman collection from?

See: How-to use Postman with R80 Security Management API

Can an API user have multiple open sessions?

Yes

Is it possible to configure backups and do restores via API?

No

Can I create domains or virtual systems via the API?

Domains can be created via the API, but virtual systems require use of the CLI (vsx_provisioning_tool).

Will applying jumbo hotfixes to R80.10 deprecate parts of the API?

If changes are required to the API, this will be documented and a new version will be made. For example, there were minor changes from R80 to R80.10, thus the version went from version 1.0 to 1.1.

Does the API help to do any sort of device configuration tasks?

Device provisioning features are not in the scope of the current APIs. This is on the roadmap.

Any specific support for PowerShell or Chef?

Not at the moment, though there is nothing inherent in the APIs that would preclude using these tools.

While creating a new rule through the API, can we determine the position of the rule?

Yes, you can determine the position at which the rule is added. Refer to the API docs: Check Point - Management API reference

Can you share the source code for cpportal?

Not at this time.

Is there a way to view the changes in the session prior to publishing the session changes?

This is something available in Early Availability form from SmartConsole:

Are changes issued with mgmt_cli -r true audit logged?

Yes, here's a sample.

How do you delete a host (used in a group) from the policy?

Before you can delete any object, you have to delete references to it (e.g. in groups). Use the where-used option in the API to find the places you will need to remove the object before you can finally remove the object.
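The where-used sequence described above, as an added Python sketch that is not part of the original Q&A or of any Check Point library. `call` is an assumed helper, `FakeMgmt` and its group names are constructed so the block runs offline, and the `used-directly` reply layout is assumed to follow the Management API reference.

```python
def delete_host(call, name):
    """Detach `name` from the groups that use it, delete it, then publish.

    `call(command, payload)` is an assumed helper that POSTs to
    /web_api/<command> with the session's X-chkp-sid header and returns JSON.
    Returns the groups the host was removed from.
    """
    used = call("where-used", {"name": name}).get("used-directly", {})
    objects = used.get("objects", [])
    groups = [o["name"] for o in objects if o.get("type") == "group"]
    # Anything that is not a plain group membership is left for a human:
    # silently editing rules to make a delete succeed changes the policy.
    blockers = [o["name"] for o in objects if o.get("type") != "group"]
    for key in ("access-control-rules", "nat-rules", "threat-prevention-rules"):
        if used.get(key):
            blockers.append(f"{key} ({len(used[key])})")
    if blockers:
        raise RuntimeError(f"{name} is still referenced by: {', '.join(blockers)}")
    for group in groups:
        call("set-group", {"name": group, "members": {"remove": name}})
    call("delete-host", {"name": name})
    call("publish", {})
    return groups


class FakeMgmt:
    """Constructed in-memory stand-in for the management server (demo only)."""

    def __init__(self, groups, rules=()):
        self.groups, self.rules, self.log = groups, list(rules), []

    def __call__(self, command, payload):
        self.log.append(command)
        if command == "where-used":
            hits = [{"name": g, "type": "group"}
                    for g, members in self.groups.items() if payload["name"] in members]
            return {"used-directly": {"objects": hits,
                                      "access-control-rules": self.rules}}
        if command == "set-group":
            self.groups[payload["name"]].remove(payload["members"]["remove"])
        return {}


if __name__ == "__main__":
    mgmt = FakeMgmt({"web-servers": ["host-a", "host-b"], "dmz": ["host-a"]})
    print(delete_host(mgmt, "host-a"), mgmt.log)
```

Because the function refuses before making any change when a rule still references the host, a refusal leaves nothing in the session to discard.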

When publishing via the API can session name and description be supplied?

Yes, this can be done as part of the login action to the API.

Can we use this Ansible playbook to make changes not only on the gateway but also on other network devices?

As is, no.

I've recently started using CDT to deploy changes to multiple devices. Do you feel the API is a better choice?

The Central Deployment Tool (CDT) is meant to maintain the OS, software, and patches on security gateways. The R80.10 API is focused on security policy management.

Is there a script for using Ansible to run First Time Config Wizard?

They are included here: CheckMates_Aug15_Demos.zip

Can you do a database revision before publishing / install via API as well?

Database revisions work differently in R80/R80.10. Read more here: How to revert a Policy or discard changes?

What is more efficient? If I have to create 100 hosts, a) create one host at a time and publish it b) create all hosts and finally publish all of them.

Generally it's more efficient to make a bunch of changes and do a single publish operation. If the number of changes is large (say, several thousand), it may be better to break it up into smaller chunks and do a commit at each one.
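An added Python sketch (not from the original Q&A or any Check Point library) that combines this answer with the earlier one on naming the session at login: hosts are added in batches with one publish per batch, and the session name carries a change reference so the audit log shows what the automation did. `https_post`, `bulk_add_hosts`, the `change_id` value and the default batch size are assumptions made for the example.

```python
import json
import urllib.request


def https_post(base_url):
    """Return post(command, payload, sid) for https://<management>/web_api/."""
    def post(command, payload, sid):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers=headers)
        # urlopen verifies the server certificate and raises on HTTP errors.
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


def bulk_add_hosts(post, user, password, hosts, batch_size=500,
                   change_id="CHG-0000"):
    """Add (name, ip) pairs, publishing once per batch; returns publish count."""
    sid = post("login", {"user": user, "password": password,
                         "session-name": f"automation {change_id}",
                         "session-description": "bulk host import"}, None)["sid"]
    publishes = 0
    try:
        for start in range(0, len(hosts), batch_size):
            for name, ip in hosts[start:start + batch_size]:
                post("add-host", {"name": name, "ip-address": ip}, sid)
            # publish replies with a task-id; polling show-task for
            # completion is not handled in this sketch.
            post("publish", {}, sid)
            publishes += 1
    except Exception:
        post("discard", {}, sid)  # drop the unpublished partial batch
        raise
    finally:
        post("logout", {}, sid)
    return publishes
```

A failure partway through leaves earlier batches published and discards only the batch in progress, so a rerun has to start from the first unpublished host.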

What is not available from the API as compared to SmartConsole?

There are some functions that still rely on CPMI. Specifically things relating to Security Gateway objects or any features (e.g. HTTPS Inspection) that need to be configured with SmartDashboard.

Can we fetch AD users and create user based rules through API?

You cannot fetch AD users through the R80.x API but you can create Access Roles and rules that use them.

Is managing threat indicators supported through API?

Threat Prevention in general has an API: Threat Prevention API 1.0 Reference Guide. However, it does not include managing IoCs. In R80.10, this can currently only be done through SmartConsole.

How do I get mgmt_cli for Linux?

This is not currently available. 
