
R80.20 Mgmt API issue

We need help with this issue happening in R80.20. We see the API service stopping randomly, and at that point we need to manually restart the service, but of course we are trying to find out what is causing it to stop running randomly. This is very annoying. Below is the output of the API status when the issue happens:

    [Expert@cglscc4a:0]# api status
    API Settings:
    ---------------------
    Accessibility:       Require all granted
    Automatic Start:     Enabled

    Processes:
    Name      State     PID     More Information
    -------------------------------------------------
    API       Stopped
    CPM       Started   4929    Check Point Security Management Server is running and ready
    FWM       Started   2192
    APACHE    Started   4180

    Port Details:
    -------------------
    JETTY Internal Port: 50276
    APACHE Gaia Port:    4434 (a non-default port)
                         When running mgmt_cli commands add '--port 4434'
                         When using web-services, add port 4434 to the URL

    --------------------------------------------
    Overall API Status: The API Server Is Not Running!
    --------------------------------------------

    Notes:
    ------------
    To collect troubleshooting data, please run 'api status -s <comment>'
Inbar_Moskovich
inside API / CLI Discussion and Samples 4 hours ago
views 22842 290 60
Employee+

Python tool for exporting/importing a policy package or parts of it

Overview

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:

- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version R80.x

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
Nüüül
Nüüül inside API / CLI Discussion and Samples yesterday
views 871 8 10

IPS Update Monitoring

Hi,

I wrote a small script, using the SDK from Checkpoint (GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit) for checking IPS Updates with my Monitoring Server (Centreon, based on Nagios, more or less).

For the login, the SDK is used (I changed one option in the Login part of mgmt_api.py: (unsafe_auto_accept --> true); it should work with the default - false - too, but was easier for me).

After successfully logging in, we are parsing the API output from show-ip-status and comparing it with, e.g., the actual date or "update available".

After some calculating and comparing, the script gives output understandable for Nagios based systems.

UNKNOWN = -1 - OK = 0 - WARNING = 1 - CRITICAL = 2

Good

Bad:

And there is a state WARNING for 1 - 3 Days Delta from IPS Update.

The Thresholds are freely configurable (on a daily base).

What would be good is a possibility to get the current IPS Database version from Checkpoint, so one might want to check the version against Checkpoint, not what the management server found.

I started working on this with the question of Sven Glock (IPS Monitoring) in mind - maybe that kind of helps... and for my own of course.

To use it on a Nagios Server you need:

- python installed (script worked with 2.7 and 3.7)
- in the plugin folder I created an own "checkpoint" folder, containing the SDK and my script.

Feel free to have a look, I'm sure there is space for improvements....

Regards,
Daniel

Sample DLL Secure Authentication API (SAA)

Hello folks,

Is it possible to get a working/sample DLL of Secure Authentication API (SAA)?

Thanks,
GH.
Employee

GAIA REST APIs on demand

Hi All,

As some of you already know, we've recently released GAIA API version 1.2; the version includes new features and several enhancements (link).

Alongside the future I/S changes and fine tuning of our framework we will also target a few new APIs. I would like to use this thread and welcome you to share your opinion and suggest APIs which you'll find useful. We will do our best to approach each of these requirements.

Thanks,
Tal
Employee

Ansible warnings type (dict) to type ( string)

Hi team,

I am trying to use Ansible with Red Hat Enterprise server 8 for a customer. The Playbook created works fine. However, I get warnings like the one shown below. I can log in to the management server and the objects. Any workarounds or solutions for this?
Employee

GAIA API version 1.2 is now GA !

Hi all,

I am happy to announce the release of GAIA API version 1.2. This version includes several stability fixes, fine tuning of the current I/S and new APIs.

Some of the new capabilities of the new version:

- GAIA Groups management
- Show system routes (static and dynamic)
- Monitoring Cluster API
- Controlling password policy
- Show system diagnostics. Currently disk, memory and CPU are being monitored; more capabilities will be available in the future.

Documentation:

- Examples per API
- Fine description of each API (default values per field and many more)

I/S:

- Local login: Use the current SSH session to login to GAIA API and get a REST session (> gaia_api login)! Very useful when it comes to scripting or running remote scripts via the mgmt. (run script feature)

Info:

- Use this link to check the recent APIs documentation
- Use this link to download the recent API engine and see the latest change-log

Regards,
Tal Martsiano
Employee

Get early access to our new Threat Prevention APIs

Take control of new Threat Prevention APIs powered by the largest Threat Cloud in the industry:

- URL Reputation – for a domain/URL returns the classification and risk in accessing the resource
- File Reputation – for a file digest (md5/sha1/sha256/sha512) returns the risk in downloading the file without the need to scan it
- IP Reputation – for an IP address returns its classification and risk in accessing a resource hosted on it
- Mail Security – upload an email for scanning against malware and phishing attacks, based on award winning Sandblast engines

All APIs are RESTful, simple to use and can be integrated as part of a SOAR application, home-made application and more!

If you're a Check Point customer interested in participating in the early availability stage, drop me a mail at yoav@checkpoint.com
rkalidh
rkalidh inside API / CLI Discussion and Samples Thursday
views 2492 11

Export Policy using python

Hi all,

Good day!! Am new to Check Point and am trying to automate a few tasks in Check Point. As a part of it, would like to automate policy export of all Check Point firewalls and send it in mail for monthly review.

https://github.com/CheckPointSW/ExportImportPolicyPackage : The export import package will help to export policies, but when I run it in Python, am getting an error as in the attached screenshot. Am sure that something is missed. Please guide me if am not on the right path.

Export rules.

Dear all,

We want to export the rules as per the following format from our firewall to carry out verification at our end. Currently we are not able to get any inbuilt function of the API to do the work.

Data required in the following format: 1. Source 2. Destination 3. Port.

We have groups in our firewall and rules may be given on the basis of a group, i.e. at the destination end or at the source end there may be a group of IPs. The aforementioned data should contain actual IPs and not the names of the groups.
Employee

Smartmove ASA services group

I use Smartmove to convert an ASA configuration to R80.10. The Json or sh script created the service groups from the ASA configuration, but the Json or sh script does not use those service groups when creating rules; it simply adds all members inside a service group into the "Services & Application" column. How to use a service group in a rule instead of putting all group members in the rule?

Sunny

Could not establish secure channel for SSL/TLS over web service (R80.10)

I am trying to connect over PowerShell (invoke-webrequest) but got this error:

Could not establish secure channel for SSL/TLS over web service

This instruction is not helping: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121353

Windows 10 1809 x64

How to use the web API?

API Cluster build

Hello All,

Can somebody tell me if there is any possibility to add a Cluster to the Mgmt (CMA) over the API? I found only the "add-simple-gateway" but nothing else.

Thanks for info,
Radek

How to remove a domain from an MDS admin via API

Hi all,

I'm trying to automate the admin deployment to an existing MDS via API. I can easily add a domain to an administrator:

    # mgmt_cli -r true set administrator name admin123 permissions-profile.add.1.domain SGFRTDMBOQ001_domain permissions-profile.add.1.profile "Read Write All"
    ---------------------------------------------
    Time: [16:45:45] 11/6/2019
    ---------------------------------------------
    "Publish operation" in progress (60%)
    ---------------------------------------------
    Time: [16:45:55] 11/6/2019
    ---------------------------------------------
    "Publish operation" succeeded (100%)

But I'm not able to remove it:

    # mgmt_cli -r true set administrator name admin123 permissions-profile.remove.domain SGFRTDMBOQ001_domain
    code: "generic_err_invalid_parameter"
    message: "Invalid parameter for [permissions-profile]. Invalid value"
    Executed command failed. Changes are discarded.

    # mgmt_cli -r true set administrator name admin123 permissions-profile.remove.1.domain SGFRTDMBOQ001_domain
    code: "generic_err_invalid_parameter"
    message: "Invalid parameter for [permissions-profile]. Invalid value"
    Executed command failed. Changes are discarded.

    # mgmt_cli -r true set administrator name admin123 permissions-profile.remove.domain SGFRTDMBOQ001_domain permissions-profile.remove.profile "Read Write All"
    code: "generic_err_invalid_parameter"
    message: "Invalid parameter for [permissions-profile]. Invalid value"
    Executed command failed. Changes are discarded.
    #

Any ideas?

Cheers,
Martin

Adding a Server object from mgmt_cli

I am working through automating Site-to-Site VPN creation, specifically cert-based Site-to-Site VPN.

Have been unable to find a way to create a Trusted CA Server object via mgmt_cli. Is this something that should be possible? Are there generic-object workarounds that could serve this purpose?

Any insight is appreciated.