inside API / CLI Discussion and Samples yesterday

CloudGuard: Automated firewall Cluster Deployment with auto-scaling option

If you are playing with the APIs, you will realise there is no API call yet available for cluster deployment. In the meantime, with a little help from R&D, we've created this automation script: "" The script runs from the management server and has many functions available. We leverage DBEDIT code and API calls to help automate the cluster deployment and auto-scaling. Here are the functions available:

# createClusterObject (4 variables needed): this will create the cluster object:
createClusterObject Cluster_Name Cluster_IP SYNC_Network SYNC_Netmask
EX: ./ createClusterObject vSECCluster

# Adding Member 1:
# createMemberObject (8 variables): this will add member 1 into the cluster object
createMemberObject Cluster_Name Member_Name Management_IP Management_Netmask Sync_IP Sync_Mask External_IP External_Netmask
EX:
./ createMemberObject vSECCluster member1
./ createSICWithObject vSECCluster member1 MXEydzNlNHI=

# Adding Member 2: this will add member 2 into the cluster object
./ createMemberObject vSECCluster member2
createSICWithObject vSECCluster member2 MXEydzNlNHI=

# createSICWithObject: this function creates the SIC with the previously defined cluster member.
IMPORTANT NOTE: the SIC password needs to be encoded in base64.

Once the members are added into the cluster object, we need to define the virtual IP (VIP). This second script does the job:
Cluster_Name VIP Interface_Name
EX: for a cluster with 3 interfaces, we call the script 3 times:
./ vSECCluster eth0
./ vSECCluster eth1 # NEED VIP ON SYNC INTERFACE FOR AUTOSCALEUP AND DOWN option
./ vSECCluster eth2

Now it's time to push the policy:
# pushing Policy:
installPolicyOnObject Cluster_Name Policy_Package_Name
./ installPolicyOnObject vSECCluster AutomationTest

Now we have a cluster with two members auto-deployed. This opens up the door for auto-scaling. Since we have an HA cluster deployed, we can add a cluster member and switch the cluster mode to LoadSharing.
This part of the script does this function:

#!/bin/bash
## First, we need to add cluster member 3:
echo "=========================="
echo "Adding member3 to cluster "
echo "=========================="
./ createMemberObject vSECCluster member3
createSICWithObject vSECCluster member3 MXEydzNlNHI=
./ installPolicyOnObject vSECCluster AutomationTest
echo "=========================="
echo "=========================="
echo "set cluster in LoadSharingMode"
./ setHAMode vSECCluster LoadSharing
echo "=========================="
# 5
# pushing Policy:
echo "=========================="
echo "Installing policy..."
echo "=========================="
./ installPolicyOnObject vSECCluster AutomationTest

We now have a cluster of 3 members in LoadSharing mode. To scale down, we just need to delete member3 and switch back to HA mode:

#!/bin/bash
echo "=========================="
echo "Scaling down..."
echo "=========================="
./ setHAMode vSECCluster HighAvailability
./ deleteMemberObject member3 vSECCluster
echo "=========================="
echo "Installing policy..."
echo "=========================="
./ installPolicyOnObject vSECCluster AutomationTest

One way to orchestrate this is by using Ansible and calling those scripts with an SSH command on the management server. See the attached Ansible document for a how-to.
For a quick test, here is a bash script example to call all those functions:

#!/bin/bash
# 1
# Creating cluster Object:
echo "=========================="
echo "Creating cluster object..."
echo "=========================="
./ createClusterObject vSECCluster
echo "=========================="
# 2
# Adding Member 1:
echo "=========================="
echo "Adding member1 to cluster "
echo "=========================="
./ createMemberObject vSECCluster member1
createSICWithObject vSECCluster member1 MXEydzNlNHI=
echo "=========================="
# 3
# Adding Member 2:
echo "=========================="
echo "Adding member2 to cluster "
echo "=========================="
./ createMemberObject vSECCluster member2
createSICWithObject vSECCluster member2 MXEydzNlNHI=
echo "=========================="
# 4
# Creating Cluster Virtual IP:
echo "==========================="
echo "Creating cluster virtual IP"
echo "==========================="
mgmt_cli login --root true > login.txt
./ vSECCluster eth0
./ vSECCluster eth1 # NEED VIP ON SYNC INTERFACE FOR AUTOSCALEUP AND DOWN
./ vSECCluster eth2
mgmt_cli publish -s login.txt
mgmt_cli logout -s login.txt
rm login.txt
echo "=========================="
# 5
# pushing Policy:
echo "=========================="
echo "Installing policy..."
echo "=========================="
./ installPolicyOnObject vSECCluster AutomationTest

I hope you enjoy, and happy scripting! 🙂 For the full list of White Papers, go here.
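The scripts above open one API session, run a sequence of changes and publish at the end, but nothing handles a failing step: a half-built cluster definition can be published, and the session file is left behind if the script aborts. The following Python is an added example (not the author's script and not a Check Point tool) of the publish-or-discard pattern that wrapper should implement. It assumes the standard R80.x Management API endpoint at https://<host>/web_api/<command>, the hyphenated web_api command names (add-host, add-network, publish, discard, logout), and that the server certificate is verified against a CA file rather than verification being switched off, since the session token and every credential cross that channel. The offline transport and the sample commands are constructed for the demo. Note also that the base64 SIC password in the posts is encoding, not protection: it sits in clear text in the scripts and in shell history.

```python
import json
import ssl
import urllib.error
import urllib.request

# Added example; not the post's script. Assumptions: Management API reachable at
# https://<host>/web_api/<command>; commands use the web_api names; the server
# certificate is verified against ca_file (keep verification on).


def https_transport(host, ca_file=None):
    """Return call(command, payload, sid) -> (http_status, json_body)."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def call(command, payload, sid=None):
        req = urllib.request.Request(
            "https://%s/web_api/%s" % (host, command),
            data=json.dumps(payload).encode("utf-8"),
            method="POST",
            headers={"Content-Type": "application/json"},
        )
        if sid:
            req.add_header("X-chkp-sid", sid)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # API errors arrive as 4xx/5xx with a JSON body
            return err.code, json.load(err)

    return call


def recording_transport(fail_on=None):
    """Offline stand-in for https_transport: records the command sequence.

    Every command succeeds except `fail_on`, which returns a 400 the way the
    real API does for a bad request. Constructed for the demo and the test.
    """
    calls = []

    def call(command, payload, sid=None):
        calls.append(command)
        if command == "login":
            return 200, {"sid": "demo-sid"}
        if command == fail_on:
            return 400, {"code": "generic_error", "message": "constructed failure"}
        return 200, {}

    return call, calls


def apply_batch(transport, user, password, commands, domain=None):
    """Run `commands` ([(name, payload), ...]) inside one API session.

    Nothing reaches the database until `publish`, so on the first error the
    whole batch is discarded instead of leaving half of a cluster definition
    behind. Returns (published, results); results holds (command, status, body)
    for every command that ran.
    """
    login = {"user": user, "password": password}
    if domain:  # MDS: operate on one domain (CMA)
        login["domain"] = domain
    status, body = transport("login", login)
    if status != 200:
        raise RuntimeError("login failed: %s" % body.get("message", body))
    sid = body["sid"]

    results = []
    ok = True
    try:
        for name, payload in commands:
            status, body = transport(name, payload, sid)
            results.append((name, status, body))
            if status != 200:
                ok = False  # stop at the first error; nothing is committed yet
                break
        if ok:
            status, body = transport("publish", {}, sid)
            ok = status == 200
        if not ok:
            transport("discard", {}, sid)
    finally:
        transport("logout", {}, sid)  # never leave the session (and its lock) behind
    return ok, results


if __name__ == "__main__":
    # Offline demo. Against a real server: https_transport("mgmt.example.net", "/path/ca.pem")
    transport, calls = recording_transport(fail_on="add-network")
    published, _ = apply_batch(transport, "admin", "secret", [
        ("add-host", {"name": "member1-mgmt", "ip-address": "10.0.0.11"}),
        ("add-network", {"name": "sync-net", "subnet": "10.0.1.0", "mask-length": 24}),
    ])
    print("published:", published, "sequence:", calls)
```

Running the demo shows the sequence login, add-host, add-network, discard, logout and `published: False`; with `fail_on=None` it ends in publish, logout. Policy installation is a separate step after a successful publish, which is why it is not part of the batch.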

API Cluster build

Hello All,
Can somebody tell me if there is any possibility to add a Cluster to the Mgmt (CMA) over the API? I found only the "add-simple-gateway" but nothing else?
Thanks for the info,
Radek
rkalidh inside API / CLI Discussion and Samples yesterday

Export Policy using python

Hi all, Good day!! I am new to Check Point and am trying to automate a few tasks in Check Point. As a part of it, I would like to automate the policy export of all Check Point firewalls and send it by mail for monthly review. : The Export/Import package will help to export policies, but when I run it in Python, I get an error as in the attached screenshot. I am sure that something is missing. Please guide me if I am not on the right path.

Functionality - API vs. SmartConsole

When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead. I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this.

Some ground rules:
1) Only releases that are GA like R80.30 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R80.40 that doesn't count
2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations
3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.
4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post)

So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead; please feel free to add items to this list or provide corrections:
1) Manipulation of gateway cluster objects
2) Geo Policy
3) HTTPS Inspection
4) Mobile Access Blade
5) Anti-spam & Mail Blade
6) DLP Blade (not Content Awareness)
7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)
8) SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole)
9) QoS Blade/Policies (not APCL/URLF Limits)
10) GUIDBedit operations (performed in a separate GUI from SmartConsole)

Thanks everyone!

Add users to existing access-role

Hello,
I am trying to add an AD user to an existing group. Code I tried:

set access-role name "Test_Access_Role" users "test1" machines "any" networks "any" remote-access-clients "any"

Every command I enter returns an error message. What am I missing?
Ed_Eades inside API / CLI Discussion and Samples Friday

Bulk Add Network Objects

I am looking for advice on how to bulk add network objects. I need to add around 550 networks and we are on Gaia R80.10. I have read some about dbedit, Using a dbedit script to create new network objects and network object groups, but I am not sure if that would still be the best method. I will also mention I have never used dbedit. When adding these network objects I would also like to add a description on each network object. The dbedit link does not include the syntax for the description. I came across a thread on CPUG that if R80, there are more robust CLI for these things. You can find documentation and several examples at in advance!

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.

USAGE
The script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. Doesn't need any credentials. It does everything via the API in read-only mode. Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch:

[Bob_Zimmerman@MySmartCenter]# ./ -h
Usage: ./ [-d] [-h] [-J file] [-j file] [-c file] [-O]
Default output is pretty-print JSON to STDOUT, suitable for output redirection.
  -d        Increase debug level, up to twice.
  -h        Print this usage information.
  -J file   Write pretty-print JSON output to .
  -j file   Write compact JSON output to . One line per rule.
  -c file   Write quote-delimited CSV output to .
  -O        Write pretty-print JSON output to STDOUT.
  list      List of IPs to search for, separated by spaces.

As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. Just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.

The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.

KNOWN LIMITATIONS
It currently accepts only IP addresses. Haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.
There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.
I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.
I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.
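The three open points in Bob's limitations list (CIDR input, dereferencing more object types, and group cycles) are all in the object-matching step. The following is an added Python example of that step, not Bob's bash script and not a Check Point tool; the language is swapped because the overlap test is one call with the standard library's ipaddress module. It assumes the object dictionary is keyed by uid in the shape of the objects-dictionary that show-access-rulebase returns, extended with the "members" list that show group returns for each group; rule source and destination are uid lists and sections nest their rules under "rulebase". The sample objects and rules are constructed, not exported from a real database.

```python
import ipaddress

# Added example; not Bob's script. Assumption: `objects` is keyed by uid, in the
# shape of the API objects-dictionary plus each group's "members" list.


def object_networks(obj):
    """Yield the IPv4 networks an object covers (a host becomes a /32)."""
    kind = obj.get("type")
    if kind == "host":
        yield ipaddress.ip_network(obj["ipv4-address"])
    elif kind == "network":
        yield ipaddress.ip_network("%s/%s" % (obj["subnet4"], obj["mask-length4"]))
    elif kind == "address-range":
        first = ipaddress.ip_address(obj["ipv4-address-first"])
        last = ipaddress.ip_address(obj["ipv4-address-last"])
        for net in ipaddress.summarize_address_range(first, last):
            yield net
    # groups are expanded in object_matches; Any, domains, dynamic objects yield nothing


def object_matches(uid, objects, targets, seen=None):
    """True if the object, or any group member recursively, overlaps a target.

    `seen` breaks cycles such as A -> B -> C -> A; the API does not stop you
    from nesting groups that way, so an audit must not recurse forever.
    """
    seen = set() if seen is None else seen
    if uid in seen:
        return False
    seen.add(uid)
    obj = objects.get(uid)
    if obj is None:
        return False
    if obj.get("type") in ("group", "group-with-exclusion"):
        return any(object_matches(m, objects, targets, seen) for m in obj.get("members", []))
    return any(net.overlaps(t) for net in object_networks(obj) for t in targets)


def iter_rules(rulebase):
    """Flatten section headers and yield rules in display order."""
    for entry in rulebase:
        if entry.get("type") == "access-section":
            for rule in iter_rules(entry.get("rulebase", [])):
                yield rule
        else:
            yield entry


def parse_targets(items):
    """Accept plain IPs and CIDR notation; a bare IP becomes a /32."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def rules_referencing(rulebase, objects, targets):
    """(rule-number, name, field) for every rule whose source or destination touches a target."""
    hits = []
    for rule in iter_rules(rulebase):
        for field in ("source", "destination"):
            if any(object_matches(u, objects, targets) for u in rule.get(field, [])):
                hits.append((rule["rule-number"], rule.get("name", ""), field))
    return hits


# Constructed sample data in the API's shape (not a real export).
SAMPLE_OBJECTS = {
    "u-host": {"type": "host", "name": "app01", "ipv4-address": "10.10.5.20"},
    "u-net": {"type": "network", "name": "dmz", "subnet4": "192.168.50.0", "mask-length4": 24},
    "u-range": {"type": "address-range", "name": "pool",
                "ipv4-address-first": "172.16.0.10", "ipv4-address-last": "172.16.0.20"},
    "u-grpA": {"type": "group", "name": "A", "members": ["u-grpB"]},
    "u-grpB": {"type": "group", "name": "B", "members": ["u-grpA", "u-host"]},  # A <-> B cycle
    "u-any": {"type": "CpmiAnyObject", "name": "Any"},
}
SAMPLE_RULEBASE = [
    {"type": "access-rule", "rule-number": 1, "name": "app in", "source": ["u-any"], "destination": ["u-grpA"]},
    {"type": "access-section", "name": "DMZ", "rulebase": [
        {"type": "access-rule", "rule-number": 2, "name": "dmz out", "source": ["u-net"], "destination": ["u-any"]},
        {"type": "access-rule", "rule-number": 3, "name": "pool", "source": ["u-range"], "destination": ["u-any"]},
    ]},
]

if __name__ == "__main__":
    for hit in rules_referencing(SAMPLE_RULEBASE, SAMPLE_OBJECTS,
                                 parse_targets(["10.10.5.20", "172.16.0.0/28"])):
        print(hit)
```

The same overlaps() test serves both directions of Bob's second limitation: a /16 in the input finds the /24 network objects inside it, and a single host IP finds the network object that contains it. Objects of types the function does not know simply contribute no networks, so unknown types produce a miss rather than a crash.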

Updatable objects logos?

Hi community,
We are using updatable objects within our security policies and they are working fine. Despite it being a trivial thing, the logos for the objects, e.g. Amazon Services or S3 Services, are not displayed next to the object name; it just shows a horizontal line. It would be nice if it showed the correct logo. Has anyone seen this before?
Thanks,
Paul
Danny inside API / CLI Discussion and Samples a week ago

FW Monitor SuperTool

One-liner (Bash, shown here with line breaks for readability) to assist running fw monitor on Check Point firewall gateways. In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then
    echo; tput bold; echo ' Not a firewall gateway!'; tput sgr0; echo
else
    echo; printf '%.s-' {1..60}; echo
    echo ' FW Monitor SuperTool'
    printf '%.s-' {1..60}; echo; echo

    # Hosts: accept a separated list, keep only syntactically valid IPv4 addresses
    tput bold; echo -n ' Add host IPs '; tput sgr0; echo -n '(leave empty for any): '
    read _hosts; h='0'
    case $_hosts in
        '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
        *)  _hosts=($(echo $_hosts | tr ',;:|()#<>' ' ' | tr -s ' '))
            for i in ${_hosts[@]}; do
                if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then
                    echo -n ' '$i' '; tput setaf 2; echo 'OK'; h='1'; tput sgr0
                else
                    echo -n ' '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0
                fi
            done;;
    esac
    echo

    # Ports: digits only
    tput bold; echo -n ' Add ports '; tput sgr0; echo -n '(leave empty for any): '
    read _ports; p='0'
    case $_ports in
        '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
        *)  _ports=($(echo $_ports | tr ',;:|()#<>' ' ' | tr -s ' '))
            for i in ${_ports[@]}; do
                if [[ $i != *[^0-9]* ]]; then
                    echo -n ' '$i' '; tput setaf 2; echo 'OK'; p='1'; tput sgr0
                else
                    echo -n ' '$i' '; tput setaf 1; echo 'Bad syntax!'; tput sgr0
                fi
            done;;
    esac
    echo

    # Protocols: tcp, udp, icmp
    tput bold; echo -n ' Add protocol '; tput sgr0; echo -n '(tcp, udp, icmp): '
    read _prot; c='0'
    case $_prot in
        '') echo -n ' any '; tput setaf 2; echo 'OK'; tput sgr0;;
        *)  _prot=($(echo $_prot | tr ',;:|()#<>' ' ' | tr -s ' '))
            for i in ${_prot[@]}; do
                case $i in
                    tcp|udp|icmp) echo -n ' '$i' '; tput setaf 2; echo 'OK'; c='1'; tput sgr0;;
                    *) echo -n ' '$i' '; tput setaf 1; echo 'Unknown protocol!'; tput sgr0;;
                esac
            done;;
    esac
    echo

    # Output file (written under /var/log)
    tput bold; echo -n ' Capture to file '; tput sgr0
    read -p '(leave empty for stdout): ' _file
    if [[ -n $_file ]]; then
        tput setaf 2; echo -n ' Saving output to: '; tput sgr0; echo $_file
    else
        tput setaf 2; echo ' Output to CLI'; tput sgr0
    fi
    echo; printf '%.s-' {1..60}; echo
    _sxl='0'
    echo -n ' [Executing:]# '

    # Gateways without the -F syntax need SecureXL off so fw monitor sees accelerated traffic
    if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then
        case `fwaccel stat | grep 'Accelerator Status :' | cut -c 22-` in
            on) _sxl='1';;
        esac
    fi
    if [[ $_sxl == '1' ]]; then _run='fwaccel off; fw monitor'; else _run='fw monitor'; fi

    if [[ `fw monitor -h 2>&1` != *'-F'* ]]; then
        # Classic INSPECT filter: (hosts AND-ed) and (ports OR-ed) and (protocols OR-ed), accept;
        _run+=' -e "'
        if [[ $h == '1' && $p == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+='('; fi
        for i in ${_hosts[@]}; do
            if [[ `ipcalc -ms $i` == *'='* ]] && [[ $i == *'.'* ]]; then _run+='host('$i') and '; fi
        done
        if [[ $h == '1' && $p == '1' ]]; then _run=${_run%?????}; _run+=')'; elif [[ $h == '1' && $c == '1' ]]; then _run=${_run%?????}; _run+=')'; fi
        if [[ $h == '1' && $p == '1' ]]; then _run+=' and ('; elif [[ $p == '1' && $c == '1' ]]; then _run+='('; elif [[ $h == '1' && $c == '1' ]]; then _run+=' and ('; fi
        for i in ${_ports[@]}; do
            if [[ $i != *[^0-9]* ]]; then _run+='port('$i') or '; fi
        done
        if [[ $h == '1' && $p == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $p == '1' && $c == '1' ]]; then _run=${_run%????}; _run+=')'; elif [[ $h == '0' && $p == '1' ]]; then _run=${_run%????}; elif [[ $h == '1' && $p == '0' ]]; then _run=${_run%?????}; fi
        if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run+=' and ('; fi; fi
        for i in ${_prot[@]}; do
            case $i in
                tcp) _run+='ip_p=6 or ';;
                udp) _run+='ip_p=17 or ';;   # UDP is IP protocol number 17
                icmp) _run+='ip_p=1 or ';;
            esac
        done
        if [[ $h == '1' || $p == '1' ]]; then if [[ $c == '1' ]]; then _run=${_run%????}; _run+=')'; fi; elif [[ $h == '1' && $p == '0' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '1' && $c == '0' ]]; then _run=${_run%?????}; elif [[ $h == '0' && $p == '0' && $c == '1' ]]; then _run=${_run%????}; fi
        if [[ $h == '1' || $p == '1' || $c == '1' ]]; then _run+=', '; fi
        _run+='accept;"'
    else
        # New -F syntax: currently captures all traffic
        _run+=' -F "0,0,0,0,0"'
    fi
    if [[ -n $_file ]]; then _run+=' -o /var/log/'$_file; fi
    if [[ $_sxl == '1' ]]; then _run+='; fwaccel on'; fi
    tput bold; echo $_run; tput sgr0

    # Enter runs the command shown above; any other key aborts
    read -sn1
    case $REPLY in
        '') eval $_run;;
        *) echo 'Abort!';;
    esac
    echo
    unset _hosts _ports _prot _file _sxl _run i h p c
fi

SuperTool interactively asks for all data to build up the correct syntax to run fw monitor. If gateways require the new -F syntax (R80.20 JHF 73+, R80.30 JHF?+), SuperTool adjusts the syntax accordingly. It also checks and deactivates SecureXL during fw monitor execution if necessary. SuperTool will be integrated soon within our ccc script.

Attention! *Work in progress* SuperTool will be further improved in the upcoming days to support:
- full -F syntax (currently just filters all traffic)
- VSX controls
- decide between AND/OR for hosts
- NOT controls

Kudos to the entire CheckMates community. Special greetings to: @Moti , @Timothy_Hall , @Kaspars_Zibarts , @Vladimir , @HeikoAnkenbrand , @PhoneBoy , @Valeri_Loukine , @Amit_Sharon , @Niran , @Yasushi_Kono1 and the entire Check Point Support and R&D Team.

-- More one-liners --
One-liner for Address Spoofing Troubleshooting
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
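The part of SuperTool that is hardest to get right is the filter builder, and it is also where the "full -F syntax" item on the to-do list lands. The following Python is an added example, not part of SuperTool and not a Check Point tool, that builds both filter forms from validated input. It assumes the classic form is the INSPECT expression that fw monitor -e accepts ("host(a) and port(b), accept;", as SuperTool itself emits), and that the newer -F form takes "src,sport,dst,dport,proto" with 0 as wildcard and several -F flags combined by OR; verify both against `fw monitor -h` on your own gateway, and keep the host x port x protocol product small because the number of -F filters per run is limited. Hosts are OR-ed here, whereas SuperTool AND-s them; that is the AND/OR choice on its list. Validation happens before anything is interpolated, because SuperTool hands the finished string to eval.

```python
import ipaddress
import shlex

# Added example; not SuperTool. Assumptions: -e takes the INSPECT form
# "<expr>, accept;" and -F takes "src,sport,dst,dport,proto" with 0 = any,
# multiple -F flags OR-ed (check `fw monitor -h` on the gateway).

PROTO = {"tcp": 6, "udp": 17, "icmp": 1}  # IANA protocol numbers; UDP is 17


def validate(hosts, ports, protos):
    """Reject anything that is not an IPv4 address, a port number or a known
    protocol before it is interpolated into a command line that will be eval'd."""
    for h in hosts:
        ipaddress.IPv4Address(h)  # raises ValueError on bad input
    for p in ports:
        if not (str(p).isdigit() and 0 < int(p) < 65536):
            raise ValueError("bad port: %r" % p)
    for pr in protos:
        if pr not in PROTO:
            raise ValueError("unknown protocol: %r" % pr)


def classic_filter(hosts, ports, protos):
    """INSPECT expression for fw monitor -e (gateways without -F).
    OR inside a category, AND between categories; an empty category means any."""
    parts = []
    if hosts:
        parts.append(" or ".join("host(%s)" % h for h in hosts))
    if ports:
        parts.append(" or ".join("port(%s)" % p for p in ports))
    if protos:
        parts.append(" or ".join("ip_p=%d" % PROTO[p] for p in protos))
    if not parts:
        return "accept;"
    expr = " and ".join("(%s)" % p if " or " in p else p for p in parts)
    return "%s, accept;" % expr


def f_filters(hosts, ports, protos):
    """-F 5-tuples, one per direction, so replies are captured too.
    The port is taken as belonging to the named host's side."""
    hosts = list(hosts) or ["0"]
    ports = [str(p) for p in ports] or ["0"]
    nums = [str(PROTO[p]) for p in protos] or ["0"]
    tuples = []
    for h in hosts:
        for p in ports:
            for n in nums:
                for t in ("%s,%s,0,0,%s" % (h, p, n), "0,0,%s,%s,%s" % (h, p, n)):
                    if t not in tuples:  # "0,0,0,0,0" would otherwise appear twice
                        tuples.append(t)
    return tuples


def fwmon_command(hosts, ports, protos, new_syntax, outfile=None):
    """Full fw monitor command line for either syntax, shell-quoted."""
    validate(hosts, ports, protos)
    cmd = ["fw", "monitor"]
    if new_syntax:
        for t in f_filters(hosts, ports, protos):
            cmd += ["-F", t]
    else:
        cmd += ["-e", classic_filter(hosts, ports, protos)]
    if outfile:
        cmd += ["-o", "/var/log/" + outfile]
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    for new in (False, True):
        print(fwmon_command(["10.1.1.1"], ["443"], ["tcp"], new, "cap.out"))
```

Running it prints the -e form and the equivalent pair of -F filters for the same host, port and protocol; `fwmon_command(["10.1.1.999"], [], [], True)` raises instead of producing a command.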
inside API / CLI Discussion and Samples a week ago

Disable/Delete Rules with a Zero Hit Count (MDS or SMS)

**v3 and above now allows you to pick a specific access layer**
**v4 added new functions thanks to user feedback. Now has the ability to navigate around section title headers and to handle of any size**
**v5 with a lot of work by Vincent Bacher, who determined that some larger policies need a time specified to search. This version added in a 6 month limit on hits prior to the day you run it (Today - 6 Months).**
**v6 combined MDS & SMS into a single script. Added the ability to disable or delete rules based on UID or NAME. The disable script will add a comment 'Disabled by Zero Hits'**

This is a simple shell script that will allow you to parse a specific rulebase for rules with a ZERO hit count. The results will be output into a single file of mgmt_cli commands to disable or delete those rules. The script is set up to run on the Mgmt station itself and uses the 'mgmt_cli -r true' function, and uses the -d DOMAIN flag to support SMS and MDS in a single script. It is highly recommended to run the 'DISABLE' version prior to running a 'DELETE'; treat it as a staging for full deletion.

How to Use
Move the script to the management station.
./cleanup-zero-hits.sh
Enter the IP address of the SMS or CMA you wish to check.
Follow the remaining prompts for options.

uid or name
The script will ask if you want to export with uid or name. UID is more accurate as it does not change with position. This will prevent a situation where another admin is adding/removing rules from the rulebase before you are able to run the output file.

You can take the delete/disable command file and run it:
chmod 755 Output-Filename.txt
./Output-Filename.txt

Original files on GitHub: GitHub - cpmidsouth/Delete-or-Disable-Zero-Hit-Rules: This script is designed to search a specified rule base with ZERO h…

NOTE: If you use inline layers within the rulebase you will need to search those as a separate layer. This script is not effective in a rulebase where there are multiple targets within the same rulebase. I am working on that one.

Thanks to Vincent Bacher for being my QA and spending way too much time testing with me. Feedback welcome; this was a simple project that came out of a client request.
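The post describes the pipeline (read the rulebase with hit counts over a time window, walk through section headers, emit a disable file first and a delete file later, address rules by uid) without showing the parsing step. The following Python is an added example of that step, not cpmidsouth's script and not a Check Point tool. It assumes the input is the JSON that `mgmt_cli show access-rulebase ... show-hits true --format json` returns (rulebase entries carrying "hits": {"value": n}, sections nesting their rules under "rulebase", an "inline-layer" field on rules that open an inline layer), that hits-settings.from-date is how the window is passed, and that rules are addressed in set/delete access-rule by layer and uid. The sample rulebase is constructed.

```python
from datetime import date, timedelta

# Added example; not the post's script. Assumptions: input is the JSON of
# `show access-rulebase ... show-hits true`; the hit window is passed as
# hits-settings.from-date; rules are addressed by layer + uid.


def show_command(layer, from_date=None, domain=None):
    """The mgmt_cli call whose JSON output feeds zero_hit_rules.
    The API pages results (limit at most 500): loop over offset for big layers."""
    cmd = ('mgmt_cli -r true show access-rulebase name "%s" show-hits true '
           'limit 500 offset 0 --format json' % layer)
    if from_date:  # ISO date, e.g. today minus six months as in the post's v5
        cmd += ' hits-settings.from-date "%s"' % from_date
    if domain:     # MDS: pick the CMA, as the post's -d DOMAIN flag does
        cmd += ' -d "%s"' % domain
    return cmd


def iter_rules(rulebase):
    """Walk past section title headers and yield the rules in order."""
    for entry in rulebase:
        if entry.get("type") == "access-section":
            for rule in iter_rules(entry.get("rulebase", [])):
                yield rule
        elif entry.get("type") == "access-rule":
            yield entry


def zero_hit_rules(show_output):
    """Rules whose hit counter is 0 in the requested window."""
    found = []
    for rule in iter_rules(show_output.get("rulebase", [])):
        if rule.get("hits", {}).get("value", 0) != 0:
            continue
        found.append({
            "uid": rule["uid"],
            "name": rule.get("name", ""),
            "enabled": rule.get("enabled", True),
            "inline-layer": rule.get("inline-layer"),  # scan that layer separately
        })
    return found


def render_commands(layer, rules, action="disable"):
    """mgmt_cli lines for the disable (staging) or the delete pass.
    Rules are addressed by uid, which does not shift when another admin inserts
    rules above them before the file is executed."""
    if action not in ("disable", "delete"):
        raise ValueError(action)
    lines = ["#!/bin/bash", "mgmt_cli login --root true > id.txt"]
    for r in rules:
        if action == "disable":
            if not r["enabled"]:
                continue  # already disabled, nothing to stage
            lines.append('mgmt_cli set access-rule layer "%s" uid "%s" enabled false '
                         'comments "Disabled by Zero Hits" -s id.txt' % (layer, r["uid"]))
        else:
            lines.append('mgmt_cli delete access-rule layer "%s" uid "%s" -s id.txt'
                         % (layer, r["uid"]))
    lines += ["mgmt_cli publish -s id.txt", "mgmt_cli logout -s id.txt", "rm -f id.txt"]
    return lines


# Constructed sample in the API's shape (not a real rulebase).
SAMPLE_SHOW_OUTPUT = {"rulebase": [
    {"type": "access-rule", "uid": "a1", "name": "mgmt access", "enabled": True, "hits": {"value": 5321}},
    {"type": "access-section", "name": "Legacy", "rulebase": [
        {"type": "access-rule", "uid": "b2", "name": "old vpn", "enabled": True, "hits": {"value": 0}},
        {"type": "access-rule", "uid": "c3", "name": "parked", "enabled": False, "hits": {"value": 0}},
    ]},
    {"type": "access-rule", "uid": "d4", "name": "to dmz", "enabled": True,
     "inline-layer": "dmz-layer-uid", "hits": {"value": 0}},
]}

if __name__ == "__main__":
    print(show_command("Network", (date.today() - timedelta(days=182)).isoformat()))
    zero = zero_hit_rules(SAMPLE_SHOW_OUTPUT)
    print("\n".join(render_commands("Network", zero, "disable")))
```

Rule d4 in the sample opens an inline layer; it is reported like any other zero-hit rule, but its child rules are not in this output and need a separate run with that layer, exactly as the post's NOTE says.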
inside API / CLI Discussion and Samples a week ago

Python tool for exporting/importing a policy package or parts of it

Overview
The ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with a global policy assigned!

Description
This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice
There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions
Download the latest version from our GitHub repository:
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations
This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported. Workaround: unassign the Global Policy prior to export.
- Gateway/Cluster objects have to be recreated. Placeholder objects will be created.
- UserCheck messages have to be recreated. Placeholder objects will be created.
- The Internal Certificate Authority will not be copied. This means: re-establishing SIC with the appropriate gateways; re-generating VPN certificates; manually recreating HTTPS Inspection and DLP rules.
- Other objects not currently readable/writable via the R80.x API will not be copied.

Tested on version
R80.x

Source Code Availability
The source code is available through GitHub:
NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...

Script that collects specific rules and exports them into csv/xml (R80.20)

I'm trying to make a script that collects rules with time objects and outputs them into an xml/csv file. The file must contain: the access policy package name the rules are behind, and the rules that have a time object. The rules with time objects will be listed if the rules are going to expire in 1 to 7 days (if a temporal rule expires in 8 days then it won't be listed; if it's 7 or fewer days then it will). What kind of info is shown about the rule when it's being exported? Number, Name, Source, Destination, VPN, Services & Applications, Time and Comments.
Raymondn inside API / CLI Discussion and Samples 2 weeks ago

R80.10 API - Create Network with Tag and Associate to Group

Hi there,
I have been using this doc as my "menu" to explore various API use cases. ( I am able to create and delete network objects. However, I am not able to find examples of how to assign an existing Tag to the network object, and how to associate the network object with an existing group. Any suggestions where I can find more info or examples? I have been playing with this via Postman as well as the Gaia "mgmt" interface. Thanks.

Unable to activate firewall blade

Hi everyone,
I have installed an evaluation version of the All-in-one R80.10 Check Point firewall in a VM. While opening the WebGUI, I can see the Firewall blade is greyed out. I tried to create a firewall policy from the Gaia CLI using the following commands:

> mgmt add access-rule layer "Network" name "Rule1" service "Any" position 1 action "Accept" install-on "Policy Targets"
> mgmt publish

But still traffic is getting dropped by the Default Cleanup rule (which got installed during initial configuration time, I think). The output of the "cpstat fw" command also shows only the Initial Policy and not the new rule created. In our setup, I have to install/configure everything using the Gaia CLI only. Can anyone suggest what I need to do to get it working? Thanks in advance.
inside API / CLI Discussion and Samples 2 weeks ago

Create objects for Azure Data-Center IP ranges - Python script

Overview
This script generates group objects with the IP addresses of Microsoft Azure.

Note: R80.20 has built-in functionality for addressing Azure's public IP addresses. This new functionality allows you to use Azure, AWS and Office365 objects in your security policy using the GUI. There's no need to use scripts like this one, and the updates happen automatically (no need to publish policy).

Description
Download Microsoft's Azure Datacenter IP ranges from:
Run the attached Python script (the script does not have to run on the management server). Provide the script with: the management server's IP address, username, password, and the path for the downloaded file from Microsoft.
The script will now generate:
- over 3000 networks (for example: azure_network_104.208.0.0/19)
- about 30 group objects, one for each Azure region (for example: azure_region_useast)
- a group object called azure_region_all, a group object that contains all the group region objects.
When you get an updated file from Microsoft, you can run the tool again. When running for the second time the script will work much faster: instead of creating thousands of objects, it will only process the changes.

Instructions
Download the attached zip and extract it on any machine with Python, then run azure.py

Code Version
Code version 1.2

Tested on version
R80.10, API version 1.1

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions...
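What makes the second run fast is the change computation: compare the regions in Microsoft's file with the objects already in the database and issue only the adds, group member changes and deletes that differ. The following Python is an added example of that planning step, not the attached azure.py and not a Check Point tool. It assumes the input is Microsoft's legacy PublicIPs XML (Region elements with IpRange children carrying a Subnet attribute), the naming convention from the post (azure_network_<cidr>, azure_region_<name>, azure_region_all), that the existing state is what show networks and show groups return, and that set-group accepts members as {"add": [...], "remove": [...]}. The XML and the existing state are constructed samples. The ordering matters for the API: networks are created before groups reference them, and stale networks are removed from their groups before they are deleted.

```python
import xml.etree.ElementTree as ET

# Added example; not azure.py. Assumptions: legacy PublicIPs XML layout, the
# post's naming convention, set-group taking members {"add": [...], "remove": [...]}.
# The stdlib parser is fine for a file fetched from Microsoft over HTTPS; use
# defusedxml if the XML ever comes from an untrusted source.

NET_PREFIX = "azure_network_"
REGION_PREFIX = "azure_region_"
ALL_GROUP = "azure_region_all"

SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Region Name="useast">
    <IpRange Subnet="104.208.0.0/19" />
    <IpRange Subnet="13.82.0.0/16" />
  </Region>
  <Region Name="uswest">
    <IpRange Subnet="13.64.0.0/16" />
  </Region>
</AzurePublicIpAddresses>"""  # constructed sample, not the real file

# Constructed "current database" state: one region already exists with one
# stale range, the umbrella group knows only that region.
EXISTING_NETWORKS = {NET_PREFIX + "104.208.0.0/19", NET_PREFIX + "40.0.0.0/16"}
EXISTING_GROUPS = {
    REGION_PREFIX + "useast": {NET_PREFIX + "104.208.0.0/19", NET_PREFIX + "40.0.0.0/16"},
    ALL_GROUP: {REGION_PREFIX + "useast"},
}


def parse_regions(xml_text):
    """{region name: {cidr, ...}} from the PublicIPs XML."""
    root = ET.fromstring(xml_text)
    return {r.get("Name"): {ip.get("Subnet") for ip in r.findall("IpRange")}
            for r in root.findall("Region")}


def group_delta(name, wanted, current):
    """One add-group or set-group call (or None when nothing changed)."""
    if current is None:
        return ("add-group", {"name": name, "members": sorted(wanted)})
    add, remove = sorted(wanted - current), sorted(current - wanted)
    if not add and not remove:
        return None
    members = {}
    if add:
        members["add"] = add
    if remove:
        members["remove"] = remove
    return ("set-group", {"name": name, "members": members})


def plan(desired, existing_networks, existing_groups):
    """Ordered (command, payload) list turning the existing state into `desired`."""
    calls = []
    wanted_nets = {NET_PREFIX + c for cidrs in desired.values() for c in cidrs}
    # 1. new networks first, so the groups below can reference them
    for name in sorted(wanted_nets - existing_networks):
        subnet, mask = name[len(NET_PREFIX):].split("/")
        calls.append(("add-network", {"name": name, "subnet": subnet, "mask-length": int(mask)}))
    # 2. per-region groups, then the umbrella group
    for region, cidrs in sorted(desired.items()):
        delta = group_delta(REGION_PREFIX + region, {NET_PREFIX + c for c in cidrs},
                            existing_groups.get(REGION_PREFIX + region))
        if delta:
            calls.append(delta)
    delta = group_delta(ALL_GROUP, {REGION_PREFIX + r for r in desired}, existing_groups.get(ALL_GROUP))
    if delta:
        calls.append(delta)
    # 3. ranges Microsoft no longer publishes: already removed from groups above,
    #    and only objects carrying our prefix are ever deleted
    for name in sorted(n for n in existing_networks - wanted_nets if n.startswith(NET_PREFIX)):
        calls.append(("delete-network", {"name": name}))
    return calls


if __name__ == "__main__":
    for call in plan(parse_regions(SAMPLE_XML), EXISTING_NETWORKS, EXISTING_GROUPS):
        print(call)
```

Each (command, payload) pair maps directly onto one Management API call (add-network, add-group, set-group, delete-network) issued in the listed order inside one session, followed by a single publish. Feeding the resulting state back into plan() yields an empty list, which is the property that keeps the second run cheap.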