J_Saun inside API / CLI Discussion and Samples 7 hours ago
views 1905 5 1

Checkpoint automation - many questions

Just starting to get into automating configuration tasks on Checkpoint R80. I have installed cpAnsible on a CentOS that has python running and did a simple group and object add which worked fine.
My questions:
- Is Ansible just running built in Checkpoint CLI commands? If so, where do I get a list of those commands?
- Why do I need Ansible?
- Why do I need Python on my local machine if I have Ansible? (sorry - just don't understand the relationship between the 2)
- Why do I need Python on the remote machine (the Checkpoint manager)?
- Is this possible on any Checkpoint version lower than R80? If not, how is similar automation performed on lower versions of Checkpoint (R77, R65)?
- Is it possible to have a front end webform or something that passes request data (source, destination, port) to Python/Ansible/Checkpoint-directly and processes the request automatically?
Thanks!

policyCleanUp.py issue

Hi there,
Pretty new to Checkpoint API/Scripting but was trying to do a policy cleanup and this looks like it could be a huge help.
- Running directly on SMS R80.20 M2
- Check Point API Python SDK added and variable set
Ran policyCleanUp.py multiple ways - but to keep it simple, examples below.
As user:
# python policyCleanUp.py -op plan
[2019-06-25 22:39:10] Failed to login. Error: APIResponse received a response which is not a valid JSON.
User has access to management api in user settings, API is set to accept from all IP addresses.
Using the root flag:
# python policyCleanUp.py -op plan -r true
Traceback (most recent call last):
  File "policyCleanUp.py", line 1118, in <module>
    main()
  File "policyCleanUp.py", line 989, in main
    check_validation_for_mds(client, user_args.domain)
  File "policyCleanUp.py", line 935, in check_validation_for_mds
    if int(api_res.data.get('total')) != 0:
AttributeError: 'NoneType' object has no attribute 'get'
Any ideas? This seemed like it would be really helpful to run for me.
Thanks!

Integrating Ansible with checkpoint R80.10 Take 479 throws error.

Hi All,
We have Management server running on R80.10 take 479. I am integrating it with Ansible. I followed the Ansible deployment guide. But when I run ansible-playbook ansible-cp-test.yml, I get errors:
TASK [login] ***********************************************************************************************************************************************************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/ankur/.ansible/tmp/ansible-tmp-1561117201.56-117286171471423/AnsiballZ_check_point_mgmt.py\", line 114, in \r\n _ansiballz_main()\r\n File \"/home/ankur/.ansible/tmp/ansible-tmp-1561117201.56-117286171471423/AnsiballZ_check_point_mgmt.py\", line 106, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/ankur/.ansible/tmp/ansible-tmp-1561117201.56-117286171471423/AnsiballZ_check_point_mgmt.py\", line 49, in invoke_module\r\n imp.load_module('__main__', mod, module, MOD_DESC)\r\n File \"/tmp/ansible_check_point_mgmt_payload_93Ts0A/__main__.py\", line 8, in \r\nImportError: No module named cpapi\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP *************************************************************************************************************************************************************************************************
127.0.0.1 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Ansible is installed on Ubuntu OS. Kindly guide.

Sample DLL Secure Authentication API (SAA)

Hello folks,
Is it possible to get a working/sample DLL of Secure Authentication API (SAA)?
Thanks, GH.

Script or API (Configurations)

Hello, Experts,
I would like to create one script to get a lot of information:
- Global Properties \ Stateful Inspection
- Global Properties \ Hit count
- Configuration of Threat Prevention Profile, etc.
I can't find this information in the API Reference Guide. Do you know how I can get this information by script or API?
Best Regards

fwm -d load with mgmt_cli

Hello!
Now that API reference was published I learned that mgmt_cli install-policy could be used instead of deprecated fwm load. With mgmt_cli build 991000021 (EA hero2) and fwm build 921000002 it didn't work (not even login).
How about the fwm debug flag, used to troubleshoot policy compilation and installation - is there an equivalent with mgmt_cli? Where are mgmt_cli logs (if any) stored?
Thank you!
andreip

R80.20 Mgmt API issue

We need help with this issue happening in R80.20. We see the API service stopping randomly and at that point we need to manually restart the service, but of course we are trying to find out what is causing it to stop running randomly; this is very annoying. Below is the output of the API status when the issue happens:
[Expert@cglscc4a:0]# api status
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name      State     PID     More Information
-------------------------------------------------
API       Stopped
CPM       Started   4929    Check Point Security Management Server is running and ready
FWM       Started   2192
APACHE    Started   4180
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL
--------------------------------------------
Overall API Status: The API Server Is Not Running!
--------------------------------------------
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
Employee

GAIA API version 1.2 is now GA !

Hi all,
I am happy to announce the release of GAIA API version 1.2.
This version includes several stability fixes, fine tuning of the current I/S and new APIs.
Some of the new capabilities of the new version:
- GAIA Groups management
- Show system routes (static and dynamic)
- Monitoring Cluster API
- Controlling password policy
- Show system diagnostics. Currently disk, memory and CPU are being monitored; more capabilities will be available in the future.
Documentation:
- Examples per API
- Fine description of each API (default values per field and many more)
I/S:
- Local login: use the current SSH session to login to GAIA API and get a REST session (> gaia_api login)! Very useful when it comes to scripting or running remote scripts via the mgmt. (run script feature)
Info:
- Use this link to check the recent APIs documentation
- Use this link to download the recent API engine and see the latest change-log
Regards, Tal Martsiano
Inbar_Moskovich
inside API / CLI Discussion and Samples a week ago
views 23164 290 60
Employee+

Python tool for exporting/importing a policy package or parts of it

Overview
ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!
Description
This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.
Notice
There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.
Instructions
Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.
Limitations
This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied
Tested on version
R80.x
Source Code Availability
The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage
NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
makhonin inside API / CLI Discussion and Samples a week ago
views 317 10

Could not establish secure channel for SSL/TLS over web service (R80.10)

I am trying to connect over PowerShell (invoke-webrequest) but got that error:
Could not establish secure channel for SSL/TLS over web service
That instruction is not helping: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk121353
Windows 10 1809 x64
How to use web api?
Nüüül inside API / CLI Discussion and Samples a week ago
views 927 8 10

IPS Update Monitoring

Hi,
I wrote a small script, using the SDK from Checkpoint (GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit) for checking IPS Updates with my Monitoring Server (Centreon, based on Nagios, more or less).
For the login, the SDK is used (I changed one option in the Login part of mgmt_api.py: unsafe_auto_accept --> true; should work with the default - false - too, but was easier for me).
After successfully logging in, we are parsing the API output from show-ip-status and comparing it with, e.g., the actual date or "update available".
After some calculating and comparing, the script gives output understandable for Nagios based systems.
UNKNOWN = -1 - OK = 0 - WARNING = 1 - CRITICAL = 2
Good:
Bad:
And there is a state WARNING for 1 - 3 Days Delta from IPS Update.
The Thresholds are freely configurable (on daily base).
What would be good is a possibility to get the current IPS Database version from Checkpoint, so one might want to check the version against Checkpoint, not what the management server found.
I started working on this with the question of Sven Glock (IPS Monitoring) in mind - maybe that kind of helps... and for my own of course.
To use it on Nagios Server you need:
- python installed (script worked with 2.7 and 3.7)
- in the plugin folder I created an own "checkpoint" folder, containing the SDK and my script.
Feel free to have a look, I'm sure there is space for improvements...
Regards, Daniel
Employee

GAIA REST APIs on demand

Hi All,
As some of you already know, we've recently released GAIA API version 1.2; the version includes new features and several enhancements (link).
Alongside the future I/S changes and fine tuning of our framework we will also target a few new APIs. I would like to use this thread and welcome you to share your opinion and suggest APIs which you'll find useful. We will do our best to approach each of these requirements.
Thanks, Tal
Employee

Ansible warnings type (dict) to type ( string)

Hi team,
I am trying to use Ansible with Red Hat Enterprise server 8 for a customer. The Playbook created works fine, however I get warnings like the one shown below. I can login to the management server and the objects. Any workarounds or solutions for this?
Employee

Get early access to our new Threat Prevention APIs

Take control of new Threat Prevention APIs powered by the largest Threat Cloud in the industry:
- URL Reputation – for a domain/URL returns the classification and risk in accessing the resource
- File Reputation – for a file digest (md5/sha1/sha256/sha512) returns the risk in downloading the file without the need to scan it
- IP Reputation – for an IP address returns its classification and risk in accessing a resource hosted on it
- Mail Security – upload an email for scanning against malware and phishing attacks, based on award winning Sandblast engines
All APIs are RESTful, simple to use and can be integrated as part of a SOAR application, home-made application and more!
If you're a Check Point customer interested in participating in the early availability stage, drop me a mail at yoav@checkpoint.com
rkalidh inside API / CLI Discussion and Samples 2 weeks ago
views 2557 11

Export Policy using python

Hi all,
Good day!! Am new to Check Point and am trying to automate a few tasks in Check Point. As a part of it, would like to automate policy export of all Check Point firewalls and send in mail for monthly review.
https://github.com/CheckPointSW/ExportImportPolicyPackage : Export import package will help to export policies, but when I run in python, am getting error as in attached screen shot. Am sure that something is missed.
Please guide me if am not in right path.