
Add users to existing access-role

Hello, I am trying to add an AD user to an existing group. Code I tried:

set access-role name "Test_Access_Role" users "test1" machines "any" networks "any" remote-access-clients "any"

Every command I enter returns an error message. What am I missing?
Ed_Eades inside API / CLI Discussion and Samples Friday

Bulk Add Network Objects

I am looking for advice on how to bulk add network objects. I need to add around 550 networks and we are on GAIA R80.10. I have read some about dbedit, Using a dbedit script to create new network objects and network object groups, but I am not sure if that would still be the best method. I will also mention I have never used dbedit. When adding these network objects I would also like to add a description on each network object. The dbedit link does not include the syntax for the description. I came across a thread on cpug that said: if R80, there are more robust CLI for these things. You can find documentation and several examples at https://community.checkpoint.com. Thanks in advance!

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.

USAGE

The script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. It doesn't need any credentials. It does everything via the API in read-only mode. Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch:

[Bob_Zimmerman@MySmartCenter]# ./ipsToRules.sh -h
Usage: ./ipsToRules.sh [-d] [-h] [-J file] [-j file] [-c file] [-O]
Default output is pretty-print JSON to STDOUT, suitable for output redirection.
  -d       Increase debug level, up to twice.
  -h       Print this usage information.
  -J file  Write pretty-print JSON output to <file>.
  -j file  Write compact JSON output to <file>. One line per rule.
  -c file  Write quote-delimited CSV output to <file>.
  -O       Write pretty-print JSON output to STDOUT.
  list     List of IPs to search for, separated by spaces.

As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. It just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.

The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.

KNOWN LIMITATIONS

It currently accepts only IP addresses. Haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.

There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.

I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.

I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.

Updatable objects logos?

Hi community,

We are using updatable objects within our security policies and they are working fine. Despite it being a trivial thing, the logos for the objects, e.g. Amazon Services or S3 Services, are not displayed next to the object name; it just shows a horizontal line. It would be nice if it showed the correct logo. Has anyone seen this before?

Thanks,
Paul
Danny inside API / CLI Discussion and Samples Tuesday

FW Monitor SuperTool

One-liner (Bash) to assist running fw monitor on Check Point firewall gateways. In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then
  echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo;
else
  echo; printf '%.s-' {1..60}; echo; echo ' FW Monitor SuperTool'; printf '%.s-' {1..60}; echo; echo;
  tput bold; echo -n ' Add host IPs '; tput sgr0; echo -n '(leave empty for any): '; read _hosts; h='0';
  case $_hosts in
    '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
    *) _hosts=($(echo $_hosts | tr ',;:|()#<>' ' ' | tr -s ' '));
       for i in ${_hosts[@]}; do
         if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then echo -n ' '$i' '; tput setaf 2; echo 'OK'; h='1'; tput sgr0;
         else echo -n ' '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi;
       done;;
  esac; echo;
  tput bold; echo -n ' Add ports '; tput sgr0; echo -n '(leave empty for any): '; read _ports; p='0';
  case $_ports in
    '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
    *) _ports=($(echo $_ports | tr ',;:|()#<>' ' ' | tr -s ' '));
       for i in ${_ports[@]}; do
         if [[ $i != *[^0-9]* ]]; then echo -n ' '$i' '; tput setaf 2; echo 'OK'; p='1'; tput sgr0;
         else echo -n ' '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0; fi;
       done;;
  esac; echo;
  tput bold; echo -n ' Add protocol '; tput sgr0; echo -n '(tcp, udp, icmp): '; read _prot; c='0';
  case $_prot in
    '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
    *) _prot=($(echo $_prot | tr ',;:|()#<>' ' ' | tr -s ' '));
       for i in ${_prot[@]}; do
         case $i in
           tcp|udp|icmp) echo -n ' '$i' '; tput setaf 2; echo 'OK'; c='1'; tput sgr0;;
           *) echo -n ' '$i' '; tput setaf 1; echo 'Unknown protocol!'; tput sgr0;;
         esac;
       done;;
  esac; echo;
  tput bold; echo -n ' Capture to file '; tput sgr0; read -p '(leave empty for stdout): ' _file;
  if [[ -n $_file ]]; then tput setaf 2; echo -n ' Saving output to: '; tput sgr0; echo $_file;
  else tput setaf 2; echo ' Output to CLI'; tput sgr0; fi; echo;
  printf '%.s-' {1..60}; echo; _sxl='0';
  echo -n ' [Executing:]# ';
  # Gateways without the -F option need SecureXL switched off while fw monitor runs
  if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then case `fwaccel stat | grep 'Accelerator Status :' | cut -c 22-` in on) _sxl='1';; esac; fi;
  if [[ $_sxl == '1' ]]; then _run='fwaccel off; fw monitor'; else _run='fw monitor'; fi;
  if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then
    # Classic INSPECT filter: (hosts) and (ports) and (protocols), then accept
    _run+=' -e "';
    if [[ $h == '1' && $p == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+='('; fi;
    for i in ${_hosts[@]}; do if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then _run+='host('$i') and '; fi; done;
    if [[ $h == '1' && $p == '1' ]]; then _run=${_run%?????}; _run+=')'; elif [[ $h == '1' && $c == '1' ]]; then _run=${_run%?????}; _run+=')'; fi;
    if [[ $h == '1' && $p == '1' ]]; then _run+=' and ('; elif [[ $p == '1' && $c == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+=' and ('; fi;
    for i in ${_ports[@]}; do if [[ $i != *[^0-9]* ]]; then _run+='port('$i') or '; fi; done;
    if [[ $h == '1' && $p == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $p == '1' && $c == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $h == '0' && $p == '1' ]]; then _run=${_run%????}; elif [[ $h == '1' && $p == '0' ]]; then _run=${_run%?????}; fi;
    if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run+=' and ('; fi; fi;
    # IP protocol numbers: TCP 6, UDP 17, ICMP 1
    for i in ${_prot[@]}; do case $i in tcp) _run+='ip_p=6 or ';; udp) _run+='ip_p=17 or ';; icmp) _run+='ip_p=1 or ';; esac; done;
    if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run=${_run%????}; _run+=')'; fi; elif [[ $h == '1' && $p == '0' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '1' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '0' && $c == '1' ]]; then _run=${_run%????}; fi;
    if [[ $h == '1' || $p == '1' || $c == '1' ]]; then _run+=', '; fi;
    _run+='accept;"';
  else _run+=' -F "0,0,0,0,0"'; fi;
  if [[ -n $_file ]]; then _run+=' -o /var/log/'$_file; fi;
  if [[ $_sxl == '1' ]]; then _run+='; fwaccel on'; fi;
  tput bold; echo $_run; tput sgr0;
  read -sn1; case $REPLY in '') eval $_run;; *) echo 'Abort!';; esac; echo;
  unset _hosts _ports _prot _file _sxl _run i h p c;
fi

SuperTool interactively asks for all data to build up the correct syntax to run fw monitor. If gateways require the new -F syntax (R80.20 JHF 73+, R80.30 JHF ?+), SuperTool adjusts the syntax accordingly. It also checks and deactivates SecureXL during fw monitor execution if necessary. SuperTool will be integrated soon within our ccc script.

Attention! *Work in progress* SuperTool will be further improved in the upcoming days to support:
- full -F syntax (currently just filters all traffic)
- VSX controls
- decide between AND/OR for hosts
- NOT controls

Kudos to the entire CheckMates community. Special greetings to: @Moti, @Timothy_Hall, @Kaspars_Zibarts, @Vladimir, @HeikoAnkenbrand, @PhoneBoy, @Valeri_Loukine, @Amit_Sharon, @Niran, @Yasushi_Kono1 and the entire Check Point Support and R&D Team.

-- More one-liners --
- One-liner for Address Spoofing Troubleshooting
- One-liner to show VPN topology on gateways
- One-liner to show Geo Policy on gateways

Disable/Delete Rules with a Zero Hit Count (MDS or SMS)

**v3 and above now allows you to pick a specific access layer**
**v4 added new functions thanks to user feedback. Now has the ability to navigate around section title headers and to handle rulebases of any size**
**v5: with a lot of work by Vincent Bacher, who determined that some larger policies need a time specified to search. This version added in a 6 month limit on hits prior to the day you run it (Today - 6 Months).**
**v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a comment 'Disabled by Zero Hits'**

This is a simple shell script that will allow you to parse a specific rulebase for rules with a ZERO hit count. The results will be output into a single file of mgmt_cli commands to disable or delete those rules. The script is set up to run on the Mgmt station itself, uses the 'mgmt_cli -r true' function, and uses the -d DOMAIN flag to support SMS and MDS in a single script. It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE'; treat it as a staging for full deletion.

How to Use
1. Move the script to the management station.
2. ./cleanup-zero-hits.sh
3. Enter the IP address of the SMS or CMA you wish to check.
4. Follow the remaining prompts for options.

uid or name
The script will ask if you want to export with uid or name. UID is more accurate as it does not change with position. This will prevent a situation where another admin is adding/removing rules from the rulebase before you are able to run the output file.

You can take the delete/disable command file and run it:
chmod 755 Output-Filename.txt
./Output-Filename.txt

Original files on github: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specified rule base with ZERO h…

NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where there are multiple targets within the same rulebase. I am working on that one.

Thanks to Vincent Bacher for being my QA and spending way too much time testing with me. Feedback welcome; this was a simple project that came out of a client request.
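As an added illustration of the workflow this post describes (a constructed example, not the cleanup-zero-hits.sh script from the GitHub repository): walk a show-access-rulebase reply requested with hit counts, descend into section headers, limit the hit window to the last six months, and emit the mgmt_cli disable/delete lines by UID or name. The sample rulebase, its UIDs and the rule names are constructed placeholders; the layer and domain names are whatever you pass in.

```python
import json
from datetime import date

# Constructed sample in the shape of a show-access-rulebase reply requested with
# show-hits true; the UIDs are placeholders, not real object identifiers.
SAMPLE_RULEBASE = json.loads("""
[
  {"type": "access-rule", "uid": "uid-0001", "name": "Allow DNS", "enabled": true, "hits": {"value": 1532}},
  {"type": "access-section", "name": "Legacy apps", "rulebase": [
    {"type": "access-rule", "uid": "uid-0002", "name": "Old ERP", "enabled": true, "hits": {"value": 0}},
    {"type": "access-rule", "uid": "uid-0003", "name": "Already off", "enabled": false, "hits": {"value": 0}}
  ]},
  {"type": "access-rule", "uid": "uid-0004", "name": "Temp vendor", "enabled": true, "hits": {"value": 0}},
  {"type": "access-rule", "uid": "uid-0005", "name": "Cleanup rule", "enabled": true, "hits": {"value": 87}}
]
""")

def hits_window(today_iso, months=6):
    """(from, to) ISO dates covering the last `months` months (the post's Today - 6 Months).
    The day is clamped to 28 so the shifted month is always a valid calendar date."""
    today = date.fromisoformat(today_iso)
    year, month = today.year, today.month - months
    while month < 1:
        month += 12
        year -= 1
    return date(year, month, min(today.day, 28)).isoformat(), today_iso

def rulebase_request(layer, today_iso, offset=0, limit=500):
    """Body for show-access-rulebase with hit counts limited to the window. Large
    policies are fetched page by page via offset/limit; the reply's 'total' says when to stop."""
    from_date, to_date = hits_window(today_iso)
    return {"name": layer, "offset": offset, "limit": limit, "show-hits": True,
            "hits-settings": {"from-date": from_date, "to-date": to_date},
            "details-level": "standard"}

def iter_rules(rulebase):
    """Yield every access-rule, descending into section headers so that rules
    nested under a section title are not skipped."""
    for item in rulebase:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item

def zero_hit_rules(rulebase):
    """Enabled rules with zero hits; rules that are already disabled are left alone."""
    return [r for r in iter_rules(rulebase)
            if r.get("enabled", True) and r.get("hits", {}).get("value", 0) == 0]

def mgmt_cli_commands(rules, layer, action="disable", key="uid", domain=None):
    """One mgmt_cli line per rule, to be run on the management server itself (-r true
    logs in as root without credentials; -d selects the domain on an MDS).
    Disable is the staging step; delete only after the disabled rules were reviewed."""
    base = "mgmt_cli -r true" + (f' -d "{domain}"' if domain else "")
    lines = []
    for rule in rules:
        ident = f'{key} "{rule[key]}"'
        if action == "disable":
            lines.append(f'{base} set access-rule layer "{layer}" {ident} '
                         'enabled false comments "Disabled by Zero Hits"')
        elif action == "delete":
            lines.append(f'{base} delete access-rule layer "{layer}" {ident}')
        else:
            raise ValueError("action must be 'disable' or 'delete'")
    return lines
```

Feed each page of the real reply's "rulebase" list to zero_hit_rules and append the returned lines to the output file; review the disabled rules before generating the delete file.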

Python tool for exporting/importing a policy package or parts of it

Overview
The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with a global policy assigned!

Description
This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice
There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions
Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations
This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported. Workaround: unassign the Global Policy prior to export.
- Gateway/Cluster objects have to be recreated. Placeholder objects will be created.
- UserCheck messages have to be recreated. Placeholder objects will be created.
- The Internal Certificate Authority will not be copied. This means: re-establishing SIC with the appropriate gateways; re-generating VPN certificates; manually recreating HTTPS Inspection and DLP Rules.
- Other objects not currently readable/writable via the R80.x API will not be copied.

Tested on version
R80.x

Source Code Availability
The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...

Script that collects specific rules and exports them into csv/xml (R80.20)

I'm trying to make a script that collects rules with time objects and outputs them into an xml/csv file. The file must contain: the access policy package name the rules are behind, and the rules that have a time object. The rules with time objects will be listed if the rules are going to expire in 1 to 7 days (if a temporal rule expires in 8 days then it won't be listed; if it's 7 or fewer days then it will). What kind of info is shown about the rule when it's being exported? Number, Name, Source, Destination, VPN, Services & Applications, Time and Comments.
Raymondn inside API / CLI Discussion and Samples 2 weeks ago

R80.10 API - Create Network with Tag and Associate to Group

Hi there, I have been using this doc as my "menu" to explore various API use cases: https://sc1.checkpoint.com/documents/R80/APIs/index.html#ws

I am able to create and delete network objects. However, I am not able to find examples of how to assign an existing Tag to the network object, and how to associate the network object to an existing group. Any suggestions where I can find more info or examples? I have been playing with this via Postman as well as the Gaia "mgmt" interfaces. Thanks.

Unable to activate firewall blade

Hi everyone, I have installed an evaluation version of the All-in-one R80.10 Check Point Firewall in a VM. While opening the WebGUI, I can see the Firewall blade is greyed out. I tried to create a firewall policy from the Gaia CLI using the following commands:

> mgmt add access-rule layer "Network" name "Rule1" service "Any" position 1 action "Accept" install-on "Policy Targets"
> mgmt publish

But still traffic is getting dropped by the Default Cleanup rule (which got installed during initial configuration time I think). The output of the "cpstat fw" command also shows only the Initial Policy and not the new rule created. In our setup, I have to install/configure everything using the Gaia CLI only. Can anyone suggest what I need to do to get it working? Thanks in advance.
Uri_Bialik inside API / CLI Discussion and Samples 2 weeks ago

Create objects for Azure Data-Center IP ranges - Python script

Overview
This script generates group objects with the IP addresses of Microsoft Azure.

Note: R80.20 has built-in functionality for addressing Azure's public IP addresses. The new functionality allows you to use Azure, AWS and Office365 objects in your security policy using the GUI. There's no need to use scripts like this one, and the updates happen automatically (no need to publish policy).

Description
Download Microsoft's Azure Datacenter IP ranges from: https://www.microsoft.com/en-us/download/details.aspx?id=41653
Run the attached Python script (the script does not have to run on the management server). Provide the script with: the management server's IP address, username, password, and the path to the file downloaded from Microsoft.
The script will now generate:
- Over 3000 networks (for example: azure_network_104.208.0.0/19)
- about 30 Group objects, one for each Azure region (for example: azure_region_useast)
- and a group object called azure_region_all, a group object that contains all the region group objects.
When you get an updated file from Microsoft, you can run the tool again. When running for the second time the script will work much faster: instead of creating thousands of objects, it will only process the changes.

Instructions
Download the attached zip and extract it on any machine with Python 2.7.x. Run:
python azure.py

Code Version
Code version 1.2

Tested on version
R80.10, API version 1.1

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions...

not able to set session timeout with mgmt_cli

I can't seem to set a longer than default session timeout using the management CLI at the moment. For example, if I wanted to increase it to 1200 seconds over the default 600 seconds I am using the command:

mgmt_cli --root true login session-name test-session-timeout session-description test-session-timeout session-timeout 1200 --format json

But after logging in, if I run a show session using the returned session id, session timeout still shows as 600 seconds. Has anyone else experienced this? I also tried with mgmt_cli --conn-timeout, same result.

mgmt_cli --session-id $SID show session
uid: "819cd746-8cd7-4263-bc9b-773ee0a56f65"
name: "test-session-timeout"
type: "session"
domain:
  uid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx"
  name: "System Data"
  domain-type: "mds"
state: "open"
user-name: "WEB_API"
description: "test-session-timeout"
last-login-time:
  posix: 1564636139402
  iso-8601: "2019-08-01T06:08+0100"
expired-session: false
application: "WEB_API"
changes: 0
in-work: true
ip-address: "127.0.0.1"
locks: 0
email: ""
phone-number: ""
connection-mode: "read write"
session-timeout: 600
comments: ""
color: "black"
icon: "Objects/worksession"
tags: []
meta-info:
  lock: "unlocked"
  validation-state: "ok"
  last-modify-time:
    posix: 1564636140597
    iso-8601: "2019-08-01T06:09+0100"
  last-modifier: "WEB_API"
  creation-time:
    posix: 1564636139796
    iso-8601: "2019-08-01T06:08+0100"
  creator: "WEB_API"
read-only: true
kevin_t inside API / CLI Discussion and Samples 2 weeks ago

Automated Policy Install Verification

Howdy All, I am currently scripting/automating our access control policy installation, to run nightly. This is working great, but I am trying to figure out a good way to send out an automatic update like "Policy has been installed on the following: ". I am currently using the script itself to dump to a log, and checking that every morning, but would prefer an email or something similar. Thanks in advance for any insight!
Ron_Izraeli inside API / CLI Discussion and Samples 2 weeks ago

Show Gateways Interfaces Extension

An open-source HTML and JavaScript example for a Check Point SmartConsole extension: show interfaces in a dedicated tab under the gateway's view. Currently, in order to see the topology of a gateway/cluster, one needs to open the object editor and navigate to the topology tab. This extension will show the topology of a gateway under the gateway's view, and saves the need to open the editor.
CheckPointSW/smart-console-extensions · GitHub

Getting Started
1. Copy or clone the Show Gateways Interfaces example to your web service for hosting (should support SSL).
2. Install the extension by pasting the URL to the extension.json file (e.g. https://your-page-path.com/extension.json). See How to extend and enhance SmartConsole?

Contributors
Moran Amar, Ari Heber

Ansible-based automation for Check Point Management Server and Check Point Gateways

Hello all, I would like to share with you a tool for automatic configuration of Check Point management server and Check Point gateways. The tool is based on the CP Management API, CP GAiA API and Ansible, and enables a range of gateway and management related configuration actions. The tool is easily extendable. The tool can be considered as a good starting point for the automation of your Check Point environment.

For management server
The following configuration is possible on the management server:
- Create/delete network, range and service objects
- Create/delete policy packages
- Add rules to the policy packages
- Add gateways, establish SIC
- Install policy on the gateways

For gateways
The following configuration is possible on gateways according to various gateway attributes like CMA, SW version, gateway type, platform type, gateway IP:
- DNS configuration
- Users configuration
- Expert password configuration
- User public keys copy
- ...
Which means you can configure DNS, Users, Expert password or Users public keys specifically for gateways in certain CMAs or for gateways having a certain SW version, or platform type, or IP address.

Below are the tool structure and the steps for the gateways configuration part:
1. Ansible playbook starts Dynamic Inventory Script.
2. Dynamic Inventory Script gets the list of all gateways from SMS or MDS via MGMT API.
3. Dynamic Inventory Script reads the services configuration files.
4. Dynamic Inventory Script creates the Ansible inventory files based on the gateways list and services configuration.
5. Ansible configures the gateways via GAiA API (and via SSH for expert mode) according to the inventory files.

License, warranty, contact
The tool is provided with APACHE2.0 and without any liability, warranty or support. In case you are interested in support or customization please contact Check Point Professional Services under: PS-AUTOMATION@MICHAEL.CHECKPOINT.COM. Detailed tool information is provided in the attached documentation and videos.
I hope the tool will be beneficial for you and I would appreciate your feedback. 🙂 Regards, Yevgeniy