API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Retrieve policy details using api

I am trying to write a script to retrieve all policy details of R80 using the web services API. I used the show-package command to retrieve all policy package details. Also, I made details-level full to retrieve all possible info. I wonder if this call will retrieve all the information about the package and all its objects? Here is my Python code:

import requests, json

host = ""  # hard code host
port = ""  # hard code port

def api_call(ip_addr, port, command, json_payload, sid):
    url = 'https://' + ip_addr + ':' + port + '/web_api/' + command
    if sid == '':
        request_headers = {'Content-Type' : 'application/json'}
    else:
        request_headers = {'Content-Type' : 'application/json', 'X-chkp-sid' : sid}
    r = requests.post(url,data=json.dumps(json_payload), headers=request_headers)
    return r.json()

def login(user,password):
    payload = {'user':user, 'password' : password}
    response = api_call(host, port, 'login',payload, '')
    return response["sid"]

def retrieve_policy(username,password,package_name):
    sid = login(username,password) #get sid after successful login to authenticate with
    retrieve_policy_data = {'name' : package_name,'details-level' : 'full'} #I made details-level full to retrieve all possible info
    retrieve_policy_result = api_call(host, port,'show-package', retrieve_policy_data ,sid)
    logout_result = api_call(host, port,"logout", {},sid) #logout
    return retrieve_policy_result #all package details returned in json format
israelgl inside API / CLI Discussion and Samples 4 hours ago

adding network object with mgmt_cli batch CSV file

I am trying to add a number of network objects with the CLI tool but I received an error. I followed sk113078 and did exactly the same and received the error:

Line 2: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [name]"
Line 3: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [name]"
Line 4: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [name]"
Executed command failed. Changes are discarded.

The CSV is:

name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

I have R80.20 take: 103

Query API with Feature extraction sends response with extract_result CP_EXTRACT_RESULT_NOT_SCRUBBED

Hi Experts, I am always getting extract result "CP_EXTRACT_RESULT_NOT_SCRUBBED" from the query API. Please find my request below.

Request #1

Upload API request:

{\"request\":{\"file_name\":\"DOCX.docx\",\"file_type\": \"docx\",\"features\":[\"extraction\"],\"extraction\":{\"method\":\"clean\"}}}

Upload API response:

{
  "response": {
    "status": {
      "code": 1002,
      "label": "UPLOAD_SUCCESS",
      "message": "The file was uploaded successfully."
    },
    "sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b",
    "md5": "f78a90963ca8a382da6611eb5cdbe2e3",
    "sha256": "056c1f0d31faa557cdac687b0fcc5103cc4aa0dbf8027499303e182754c981b8",
    "file_type": "docx",
    "file_name": "DOCX.docx",
    "features": [
      "extraction"
    ],
    "extraction": {
      "method": "clean",
      "tex_product": false,
      "status": {
        "code": 1002,
        "label": "UPLOAD_SUCCESS",
        "message": "The file was uploaded successfully."
      }
    }
  }
}

Request #2

Query API request:

{"request": [{"sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b","file_name": "DOCX.docx","file_type": "docx","features": ["extraction"],"extraction": {"method": "clean"}}]}

Query API response:

{
  "response": [
    {
      "status": {
        "code": 1001,
        "label": "FOUND",
        "message": "The request has been fully answered."
      },
      "sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b",
      "file_type": "docx",
      "file_name": "DOCX.docx",
      "features": [
        "extraction"
      ],
      "extraction": {
        "method": "clean",
        "extract_result": "CP_EXTRACT_RESULT_NOT_SCRUBBED",
        "output_file_name": "DOCX.docx",
        "extraction_data": {
          "input_extension": "docx",
          "input_real_extension": "docx",
          "message": "Skipped",
          "output_file_name": "",
          "protection_name": "Potential malicious content extracted",
          "protection_type": "Content Removal",
          "protocol_version": "1.0",
          "risk": 0.0,
          "scrub_activity": "The file doesn't include cleanable parts",
          "scrub_method": "Clean Document",
          "scrub_result": 4.0,
          "scrub_time": "0.04",
          "scrubbed_content": ""
        },
        "tex_product": false,
        "status": {
          "code": 1001,
          "label": "FOUND",
          "message": "The request has been fully answered."
        }
      }
    }
  ]
}

Can someone please help me understand what mistake I am making here? Why is the query API response not sending a download file id?

Scripts in Python

Good afternoon, I would like to know if I can develop scripts in Python. If someone has information about it, I would appreciate your answer. Thanks, BR, Lenin
Employee+

Python scripts to clone objects from local domain to global domain

Overview

These scripts copy objects from a given local domain to the global domain.
These scripts use the Python library for using the management APIs.

Description

To clone a single object whose type is known, run 'local_<object type>_to_global.py' -o <Object id> <Flags>
To clone a single object whose type is unknown, run 'local_object_to_global.py' -o <Object id> <Flags>
To clone more than one object:
- Add a tag with <Tag name> (using SmartConsole or the add-tag command on the command line) to the objects that need to be cloned.
- Run 'local_global_by_tag.py' <Tag name> <Flags>

Flags:

mandatory:
-d <local domain name> : The local domain that contains the object that needs to be cloned.
-n <prefix> : The new global object name will be as follows: prefix_<local_object_name>.

mandatory if running the script not on the management server:
-s <Server IP> : The IP address or name of the Check Point Management Server.
-u <User name>

optional:
-p <port number> : Default value '443'
-g <Global domain name> : Default value 'Global'

Notes:
     1. The script supports only the following object types: host, network, address_range, network group, tcp service, udp service, service group. For objects that are not one of these types, the script will not clone them and will print an error.
     2. In case a group object needs to be cloned, the script will clone the group and all the objects it contains.
     3. Objects that contain the 'nat-settings' field will be cloned without this field.

The scripts create:
     1. logfile.txt
     2. json_objects.json contains a list of {<original object uid> : <cloned global object uid>}
     3. csv_file.csv contains {<original object uid>, <original object name>, <cloned global object name> <cloned global object uid>}. In case the global object wasn't created, the <cloned global object name> <cloned global object uid> will remain empty.

Instructions

Follow the steps below:
     1. Unzip the attached zip file.
     2. Download the Python library from the link above.
     3. Extract the Python library folder to the folder containing the script.
     4. Use the html guide (localToGlobal.html) to run the relevant script.

Tested on version

R80, API version 1.0

Source Code Availability

The source code is now public on GitHub repository: GitHub - CheckPoint-APIs-Team/LocalToGlobal: Check Point LocalToGlobal tool enables you to copy objects from a local dom…

NOTICE: By using this sample code you agree to terms and conditions in this Not authorized to view the specified document 1042...

Is there a way to make API calls using other methods for authentication?

We are exploring the vast wonders of the R80.30 API commands and would like to expand further but have some security concerns. What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Is there some type of API key that can be used for this type of work or some other method we can use to encrypt this? A fear is that if the box is compromised, then a bad actor could just crack open the content and have some real fun, or possibly even sniff the credentials while we are making a call.

Thanks,
Patrick
Admin

mgmt_cli to delete all objects matching a pattern

This came across my mail from an internal source and it's too good not to share. A small bit of scripting with show-objects and delete-batch-objects can remove all objects (up to the 500 object limit of show-objects) based on a pattern.

mgmt_cli login -u aa -p aaaa > /tmp/sid.txt.$$
mgmt_cli -s /tmp/sid.txt.$$ delete objects-batch objects.1.type group $(mgmt_cli -s /tmp/sid.txt.$$ -f json show objects filter test-group- limit 500 | jq '.objects[].name' | cat -n | sed -r 's/^\s+([0-9]+)/objects.1.list.\1.name/' | tr '\n' ' ')
mgmt_cli -s /tmp/sid.txt.$$ publish

Explanation of commands:

mgmt_cli -s /tmp/sid.txt.$$ delete objects-batch objects.1.type host
    Perform batch delete on the results of the next rows
$(…)
    Treat the output of the command in parenthesis as command line arguments
mgmt_cli -s /tmp/sid.txt.$$ -f json show-objects filter test-host- limit 500
    Get objects containing test-host-
jq '.objects[].name'
    Get the object names
cat -n
    Add a line number to each name
sed -r 's/^\s+([0-9]+)/objects.1.list.\1.name/'
    Replace each line number n with objects.1.list.n.name
tr '\n' ' '
    Put all the separate lines together on the same line as input to the delete-objects-batch command

Enabling CORS

Hi Checkmates,

Project: Developing a customized web portal using the Check Point API for different users via C#.

Problem: I made an add-host API call to the Check Point FW and am getting the error in Browser >> Console.

Error:
OPTIONS https://<FW_management_ip>/web_api/add-host 401(Unauthorized)
Access to XMLHttpRequest at 'https://<FW_management_ip>/web_api/add-host' from origin 'http://localhost:53352' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Conclusion: Some CORS policy has to be enabled or 'Access-Control-Allow-Origin' has to be included.

How to do this? 🤔

Check Point Visio Stencils

Is there any available file with Check Point Visio stencils? I cannot find any file in PartnerMAP and it would be very helpful for Check Point partners for making network diagrams.

Is it possible to use the API to batch create users?

We want to add a lot of users at the same time (they will be used for remote VPN logins, i.e., we are not talking about Gaia or admin users). The API has great support for adding network objects and the like, but we have not found a way to easily add users. Unfortunately, we do not have an easy way to use templates or AD groups either, so at this time we would really like to have a way to batch add a lot of users.
Yoav_Lasman
inside API / CLI Discussion and Samples Wednesday
Employee+

Get early access to our new Threat Prevention APIs

Take control of new Threat Prevention APIs powered by the largest Threat Cloud in the industry:

- URL Reputation – for a domain/URL returns the classification and risk in accessing the resource
- File Reputation – for a file digest (md5/sha1/sha256/sha512) returns the risk in downloading the file without the need to scan it
- IP Reputation - for an IP address returns its classification and risk in accessing a resource hosted on it
- Mail Security – upload an email for scanning against malware and phishing attacks, based on award winning Sandblast engines

All APIs are RESTful, simple to use and can be integrated as part of a SOAR application, home-made application and more! If you’re a Check Point customer interested in participating in the early availability stage, drop me a mail at yoav@checkpoint.com
Eric_Speake inside API / CLI Discussion and Samples Wednesday

Listing the members of a network group

We are doing audits and cleanup of the network objects in our policy rules. I need to provide a list of servers in a specific network group. I have tried "$MDS_FWDIR/scripts/web_api_show_package.sh -k <policy_name>" but that seems to work only with the VS packages. I am running R80.10 on the management server.

Thanks,
Eric
Senior Systems Administrator

problem adding interoperable device via web API

Hello Guys,

I am trying to create an interoperable device via the Python web API (I have v1.1). I have this payload to put into the command 'add-generic-object':

object = {
    'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain',
    'name': deviceName,
    'ipaddr': deviceIP,
    'thirdPartyEncryption': True,
    'osInfo': {
        'osName': 'Gaia'
    },
    'vpn': {
        'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn',
        'owned-object': {
            'vpnClientsSettingsForGateway': {
                'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway',
                'owned-object': {
                    'endpointVpnClientSettings': {
                        'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway',
                        'owned-object': {
                            'endpointVpnEnable': True
                        }
                    }
                }
            },
            'ike': {
                'create': 'com.checkpoint.objects.classes.dummy.CpmiIke',
            },
            'sslNe': {
                'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender',
                'owned-object': {
                    'sslEnable': False,
                    'gwCertificate': 'defaultCert'
                }
            },
            'isakmpIpcompSupport': True,
            'isakmpUniversalSupport': True,
        }
    },
    'dataSourceSettings': None,
    'nat': None,
    'encdomain': 'ADDRESSES_BEHIND_GW',
    'ignore-warnings': True,
    'color': color.upper()
}

After I run the script, the object is visible in Interoperable devices, but I cannot use it. It is NOT visible when I try to add it to VPN communities, and when I try to add a VPN community to this object it ends with the error:

A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.

The object can be 'fixed' via the GUI by setting IPSec VPN -> Traditional mode configuration -> Select some enc and hash (i.e. 3des sha1) -> OK, but I cannot find the way to set this through set-generic-object. This does not work:

{'uid': objectUID, 'vpn' : {'ike' : {'isakmpHashmethods': ['SHA1']}}}

What am I doing wrong? Via dbedit it works, but I would like to use a clearer way ...

IP Reputation API and Client_Key

Hi guys,

I am trying to use the IP Reputation API. I found this: https://github.com/CheckPointSW/reputation-service-api but I can't get any working token.

Error:
Invalid Client-Key header

Where can I find the right Client_Key? I tried with api_key from /opt/CPUserCheckPortal/phpincs/conf/TPAPI.ini without success.

Thanks for your help.
Employee

Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:
- OpenBL
- Emerging Threats: Known Compromised Hosts
- TOR exit nodes
- BruteforceBlocker
- Blocklist.de All
- Talos
- Dshield

The feeds are downloaded, sanity checked and then published on cpdbl.net for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv so all feedback is appreciated. If you want to try it out go to: https://cpdbl.net

[Screenshot of the interface]

Gateway details:
- These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticeably.
- Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.
- VSX is not supported for now.

Workflow:

The server (cpdbl.net) downloads all the lists nightly and:
- Validates that all entries are valid IPs.
- Baselines the lists, makes sure a list does not suddenly grow enormously.
- Publishes the lists for the clients to download.

The client:
- Downloads fresh lists every 12 hours.
- Times out entries in the block-table after 12 hours, hence if cpdbl.net is unavailable all entries will be removed at this time.
- Validates that only entries containing numbers and "-" are read into the system (to stop possible code injection).
- Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:
- R77.30: In SmartView Tracker, search for "SecureXL message: Quota violation".
- R80: In SmartLog, search for "blade:Firewall Alert".