API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Marcel_M
Marcel_M inside API / CLI Discussion and Samples 7 hours ago
views 217 4

Check Point Ansible Module in Ansible 2.8 Version with MDS

Hello, we are testing Ansible automation on our MDS. I used this SK, but I can't find any information on how to specify a special CMA Domain: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114661&partition=General&product=Security

My hosts file looks like this:

    # /etc/ansible/hosts
    [checkpoint]
    1.1.1.1

    [checkpoint:vars]
    ansible_httpapi_use_ssl=True
    ansible_httpapi_validate_certs=False
    ansible_user=api-user
    ansible_password=password
    ansible_network_os=checkpoint

My Ansible runbook looks like this:

    # cat create-host2.yml
    ---
    - hosts: checkpoint
      connection: httpapi
      # domain: "Global"
      tasks:
        - name: add-host
          cp_mgmt_host:
            ip_address: "192.0.2.1"
            name: "New Host 1"
            state: "present"

Does anyone know how to specify a CMA Domain in this version? In the old version, https://github.com/CheckPointSW/cpAnsible, you could do this with the parameter -domain. Can anyone help me with that?
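An added example, not part of Marcel_M's post: the inventory above sets ansible_httpapi_validate_certs=False and keeps the API password in clear text, and this bash check flags both settings in an INI-style inventory. The names lint_inventory and sample_inventory are assumptions made for illustration, and the simple whitespace splitting does not handle quoted values that contain spaces.

```bash
#!/usr/bin/env bash
# Added example (not from the post): flag risky httpapi settings in an
# INI-style Ansible inventory. lint_inventory and sample_inventory are
# hypothetical helper names, not Ansible commands.

# Constructed sample: the inventory shown in the post above.
sample_inventory() {
    cat <<'EOF'
[checkpoint]
1.1.1.1

[checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=api-user
ansible_password=password
ansible_network_os=checkpoint
EOF
}

# Usage: lint_inventory [file]   (reads stdin when no file is given)
# Prints "<line> <section> <key>: <finding>" and returns 1 if anything is found.
# The secret value itself is never printed.
lint_inventory() {
    awk '
        function is_false(v) {
            v = tolower(v)
            return (v == "false" || v == "no" || v == "off" || v == "0")
        }
        function report(key, msg) {
            printf "%d %s %s: %s\n", NR, section, key, msg
            found = 1
        }

        BEGIN { section = "[ungrouped]" }

        /^[ \t]*([#;]|$)/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                       # [group] or [group:vars] header
            section = $0
            sub(/^[ \t]*/, "", section)
            sub(/\].*$/, "]", section)
            next
        }
        {
            # Host lines may carry inline key=value pairs, so check every token.
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                eq = index(tok[i], "=")
                if (eq == 0) continue
                key = substr(tok[i], 1, eq - 1)
                val = substr(tok[i], eq + 1)
                gsub(/^"|"$/, "", val)

                if (key == "ansible_httpapi_validate_certs" && is_false(val))
                    report(key, "TLS certificate validation is disabled")
                else if (key == "ansible_httpapi_use_ssl" && is_false(val))
                    report(key, "API traffic is sent without TLS")
                else if (key ~ /^ansible_(password|httpapi_pass|httpapi_password)$/ \
                         && substr(val, 1, 2) != "{{")
                    report(key, "credential stored in clear text")
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Demo on the constructed sample; "|| true" keeps the demo from failing the shell.
sample_inventory | lint_inventory || true
```

A value that starts with "{{" is treated as a template reference (for example a vaulted variable) and is not reported.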

Need To Perform Mass Modification Of All User Accounts Expiration Dates

It came to my attention today that I have a large number of user accounts expiring on 1/1/2020. Given the number, it would be best to update these en masse. I have seen a couple other posts where some folks were accomplishing this using a series of API requests / changes. However, I also came across this older sk article: sk522 Can anyone comment whether this is still a valid method on an R80.30 SMS? I'm not opposed to going the API route if necessary, but this method seems to accomplish the same thing in a single command. Thanks! Dan 
Eric_Beasley
inside API / CLI Discussion and Samples yesterday
views 17262 22 33
Employee+

CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.33.00 and later)

Overview

The export, import, delete using CSV files scripts in this post, currently version 00.33.00 and later, dated 2019-01-19 and later, are intended to allow operations on an existing R80, R80.10, R80.20[.Mx], R80.30[.Mx] Check Point management server (SMS or MDM) from bash on the management server or a management server able to authenticate and reach the target management server.

These scripts show examples of:

- an export of objects and services with full and standard json output
- an export of hosts, networks, groups, groups-with-exclusion, address-ranges, dns-domains, host interfaces, and group members to csv output [future services and other object dumps to csv is pending further research]
- an import of hosts, networks, groups, groups-with-exclusion, address-ranges, dns-domains, host interfaces, and group members from csv output generated by the export to csv operations above or custom csv files with valid objects.
- a set operation (change existing objects) for hosts, networks, groups, groups-with-exclusion, address-ranges, dns-domains, host interfaces, and group members from csv output generated by the export to csv operations above or custom csv files with valid objects. (As of version 00.24.00). Script added to specifically set values using CSV file for all objects for which a CSV file is found, specifically the: "cli_api_set-update_objects_from_csv.sh"
- a script to delete groups-with-exclusion, groups, address-ranges, dns-domains, networks, hosts, using csv files created by an object name export to csv for the respective items deleted. NOTE: DANGER!, DANGER!, DANGER! Use at own risk with extreme care!
- scripts provided to just count the objects the script could find in the environment (as of version 00.23.00), specifically the: "cli_api_get_object_totals.sh" and "cli_api_get_object_totals_w_group_member_count.sh".
- script operations for export of more than 500 objects of a specific type.
- export complex object elements, like Group Members and Host Interfaces to CSV files for import via the --batch option.
- export of full JSON and CSV for only objects that are not created by "System", so exporting only custom added or administrator modified objects.
- MDM tool to export domains to domains_list.txt file for reference in other script calls

NOTE: As of version 00.29.00 all cli_api*.sh scripts require "common" script folder to handle command line parameters! Don't forget to copy this folder also.

EXPORT SCRIPTS NOW HANDLE > 500 OBJECTS FOR ALL CSV AND JSON EXPORTS (version 00.24.00)

EXPORT SCRIPTS NOW DEFAULT TO EXPORTING ALL OBJECTS INSTEAD OF NON-SYSTEM OBJECTS FOR FULL JSON AND CSV OPERATION. CLI COMMANDS ENABLE FULL DUMP OF ALL OBJECTS INSTEAD OF THOSE CREATED BY "System": --SO and --NSO for show System Objects and No Show System Objects. (version 00.29.02)

AS OF VERSION 00.33.00, THE PORT FOR MANAGEMENT WEB SSL PORT IS IDENTIFIED AUTOMATICALLY IF EXECUTING AGAINST THE LOCAL MANAGEMENT HOST.

Where to Find, Contact, Support, and Terms of Service

- Scripts are provided as-is without express or implied warranty, guarantee, assumption of liability, or SLA for resolution as they are examples of how to use the API and may not always apply to the situation they are used in and are subject to limitations of the API engine or utilized Check Point management version.
- At no time is this post an implied assumption of duty to change the example scripts IAW requests.
- If you need an API script developed, contact Check Point Professional Services or a qualified Check Point Channel Partner with DevOps capabilities.
- CLI API Script approach may change at any time, which may require accessing older GitHub branches or releases.
- CLI API Scripts are provided with stipulation that the implementor is capable of using CLI and understands API operations.
- Check out GITHUB for latest versions: GitHub - mybasementcloud/R8x-export-import-api-scripts: Check Point R8x Export, Import, [and more] API scripts for bash … (version 00.33.00 as of 2019-01-19)
- For direct questions, you can hit me up at ericb@checkpoint.com. Response time may vary based on schedule, availability, and issue presented.
- For questions about issues with scripts please provide the information identified in the FEEDBACK section at the bottom of this article.

Description

This post includes a set of scripts in two (2) packages, a Development Branch which may be an advanced version still under construction and an Operations Branch that should work as expected. All script files end with .sh for shell and are intended for Check Point bash implementation on R80, R80.10, R80.20[.Mx], and R80.30[Mx] or later. Scripts in the packages have specific purposes and scripts call sub-scripts for extensive repeated operations and basic actions (e.g. handling CLI parameters). The packages also include specific expected default directory folders that are not created by the script action.

General Information:

<yyyy-mm-dd-hhmm-tz> is a date time group (DTG) generated at time of execution and used for the full operation of the respective script, providing consistent information for a specific script run. Example: 2017-01-05-1346CST for January 5, 2017, at 13:46 hrs CST.

Output Generated by Scripts:

Output from the scripts is directed to a sub-folder (default is a dump folder with DTG sub-folder, e.g. ./dump/<yyyy-mm-dd-hhmm-tz>) and further placed in sub-folders based on script: csv, full, standard, import, delete.

Example:

Multi-Domain Management operations scripts that handle multiple domains in their operation will create a sub-folder for the domain and then create the specific output based on that domain in the domain specific folder. Note that the scripts automatically handle the default "System Data" and "Global" domains. When executing the scripts with specific domain selected, that domain is the folder name between the DTG folder and the output folders.

Example:

NOTE: Current CSV output includes additional files used in the process that are raw data in a WIP folder, sorted raw data, csv header, and the original data with header.

NOTE: When operating on MDM, the stated domain in the -d parameter is used as a subfolder to collect the specific data for that dumped domain.

Scripts

Scripts are provided in an Operations and Development branch folder structure. Operations branch implies that these are stable operational scripts for their stated purpose, and expected to work as such under the tested versions where applicable.
Development branch may include advanced, early availability version of the scripts where development is not yet complete for migration to Operations branch.

Main script types provided are MDM scripts, Session Cleanup scripts, common scripts used by other scripts, Export Import scripts, and script Templates.

| Script Type (main folder) | Script Name | Script Purpose | Output format |
|---|---|---|---|
| _templates | | Templates for developing scripts with the basic capabilities of the provided version level of the template. | |
| | api_mgmt_cli_shell_template_with_cmd_line_parameters.template.<version>.sh | Template for scripts using provided approach that includes built-in command line parameter handler operations. | Text log file; Output dependent on chosen template implementation |
| | api_mgmt_cli_shell_template_with_cmd_line_parameters_script.template.<versions>.sh | Template for scripts using common scripts approach for handling command line parameters | Text log file; Output dependent on chosen template implementation |
| | api_mgmt_cli_shell_template_action_handler.template.<version>.sh | Template for action sub-script called by another script, with basic handling for version mismatch | log to originating script based on verbose level setting |
| | test._templates.<version>.sh | Rough testing script for validating if templates function | Text log file; Output dependent on chosen template implementation |
| common | | Common scripts called by the scripts and utilized by the templates in the _template folder. This folder and expected scripts are replicated to the utilizing script folder for direct access, so will be found under _templates, export_import, and Session_Cleanup | |
| | cmd_line_parameters_handler.action.common.<level>.<version>.sh | Action sub-script called to execute operations to handle command line parameters standard to all scripts in that version | log to originating script based on verbose level setting |
| | identify_gaia_and_installation.action.common.<level>.<version>.sh | Action sub-script called to execute operations to identify version of Gaia of host and Check Point installation type | log to originating script based on verbose level setting |
| export_import | | Scripts for export, import, set, and delete operations | |
| | cli_api_export_objects.sh | Script to export all supported objects to JSON (full and standard) and CSV | JSON Full, JSON Standard, CSV; Text log file |
| | cli_api_export_objects_to_json_full.sh | Script to export all supported objects to JSON full | JSON Full, JSON Standard, CSV; Text log file |
| | cli_api_export_objects_to_json_standard.sh | Script to export all supported objects to JSON standard | JSON Full, JSON Standard, CSV; Text log file |
| | cli_api_export_objects_actions.sh | Action sub-script to execute export of objects to JSON (full or standard) for calling script. | log to originating script based on verbose level setting |
| | cli_api_export_objects_actions_to_csv.sh | Action sub-script to execute export of objects to CSV (full or standard) for calling script. | log to originating script based on verbose level setting |
| | cli_api_export_objects_to_csv.sh | Script to export all supported objects to CSV | CSV; Text log file |
| | cli_api_export_all_domains_objects.sh | Script to export all supported objects in all domains on an MDS to JSON (full and standard) and CSV | JSON Full, JSON Standard, CSV; Text log file |
| | cli_api_export_all_domains_objects_to_csv.sh | Script to export all supported objects in all domains on an MDS to CSV | CSV; Text log file |
| | cli_api_import_objects_from_csv.sh | Script to import all supported objects from supplied CSV files (only supplied files are processed) | JSON results; Text log file |
| | cli_api_set-update_objects_from_csv.sh | Script to set (updated) all supported objects from supplied CSV files (only supplied files are processed) | JSON results; Text log file |
| | cli_api_delete_objects_using_csv.sh | Script to delete all supported objects from supplied CSV files by name (only supplied files are processed) | JSON results; Text log file |
| | cli_api_get_object_totals.sh | Dump the number of each object from all supported objects. | Text log file |
| | cli_api_get_object_totals_w_group_member_count.sh | Dump the number of each object from all supported objects, including count of group members per group. | Text log file |
| | api_add_csv_error_handling_to_csv_file.sh | For versions (e.g. R80.10) where CSV import and set operations require that ignore error, ignore warning, and set-if-exists are in the actual CSV file. Adds necessary columns to front of existing CSV file rows with headers. | CSV; Text log file |
| | api_subpend_csv_error_handling_to_csv_files.sh | For versions (e.g. R80.10) where CSV import and set operations require that ignore error, ignore warning, and set-if-exists are in the actual CSV file. Adds necessary columns to end (back) of existing CSV file rows with headers. | CSV; Text log file |
| MDM | | Multi-Domain Management general scripts | |
| | MDM_Get_Domains_List_<version>.sh | Script will generate a list of current domains on an MDS for manual re-use later | Text |
| Session_Cleanup | | Session Cleanup scripts to first list the current sessions open on a management server and also provide options to clean-up (delete) session that are not locked or pending publish operations (zero locks). | |
| | remove_zerolocks_sessions.<version>.sh | Identify and delete zero lock sessions | Text result of operation |
| | remove_zerolocks_web_api_sessions.<version>.sh | Identify and delete zero lock sessions with user web_api | Text result of operation |
| | show_zerolocks_sessions.<version>.sh | Identify zero lock sessions | Text result of operation |
| | show_zerolocks_web_api_sessions.<version>.sh | Identify zero lock sessions with user web_api | Text result of operation |

Instructions

To utilize the scripts, download the scripts from this repository post, extract the script files and directory folders [import and delete actions], then upload those files and directory folders to a working target folder location (e.g. /var/tmp/api-scripts) on the target management server where the scripts will execute from. Once uploaded to a working folder the relevant scripts are executed like any other bash script. If executing directly from the folder where the script is located use "./<script>.sh" for execution.
If script modifications are made outside of Check Point Linux, it is recommended to first run "dos2unix <script>.sh" to ensure compatibility with bash shell.

Each script accepts command line parameters to control important inputs that have some defined defaults.

If the "-p <password>" parameter is not used, the user is prompted for the console user/administrators password, as in this example:

If the "-r" or "--root" parameter is used then the above prompt should be skipped as in standard mgmt_cli execution.

Command Line Parameters

The scripts all (except actions sub-scripts) can take Command Line Parameters (CLI parameters). To get a dump of the active CLI parameters for a specific script run it with "--help" or "-?". Example (version 00.23.00):

Command line parameters support multiple input formats as displayed, and can be mixed and matched as needed.

This is the standard help output for cli_api_export_objects.sh script, which is the standard baseline for all scripts in this package release:

    [Expert@X:0]# ./cli_api_get_object_totals.sh --help

    Script:  cli_api_get_object_totals  Script Version: v00x23x00
    API version = 1.1

    ./cli_api_get_object_totals.sh [-?][-v]|[-r]|[-u <admin_name>] [-p <password>]]|[-P <web ssl port>] [-m <server_IP>] [-d <domain>] [-s <session_file_filepath>]|[-x <export_path>] [-i <import_path>] [-k <delete_path>] [-l <log_path>]

     Script Version:  00.23.00  Date:  2017-07-22

     Standard Command Line Parameters:

      Show Help                  -? | --help
      Verbose mode               -v | --verbose
      Authenticate as root       -r | --root
      Set Console User Name      -u <admin_name> | --user <admin_name> |
                                 -u=<admin_name> | --user=<admin_name>
      Set Console User password  -p <password> | --password <password> |
                                 -p=<password> | --password=<password>
      Set [web ssl] Port         -P <web-ssl-port> | --port <web-ssl-port> |
                                 -P=<web-ssl-port> | --port=<web-ssl-port>
      Set Management Server IP   -m <server_IP> | --management <server_IP> |
                                 -m=<server_IP> | --management=<server_IP>
      Set Management Domain      -d <domain> | --domain <domain> |
                                 -d=<domain> | --domain=<domain>
      Set session file path      -s <session_file_filepath> |
                                 --session-file <session_file_filepath> |
                                 -s=<session_file_filepath> |
                                 --session-file=<session_file_filepath>
      Set log file path          -l <log_path> | --log-path <log_path> |
                                 -l=<log_path> | --log-path=<log_path>
      Set export file path       -x <export_path> | --export <export_path> |
                                 -x=<export_path> | --export=<export_path>

      session_file_filepath = fully qualified file path for session file
      log_path = fully qualified folder path for log files
      export_path = fully qualified folder path for export file

     NOTE:  Only use Management Server IP (-m) parameter if operating from a
            different host than the management host itself.

     Example: General :

     ]# cli_api_get_object_totals -u fooAdmin -p voodoo -P 4434 -m 192.168.1.1 -d fooville -s "/var/tmp/id.txt" -l "/var/tmp/script_dump/"

     Example: Export:

     ]# cli_api_get_object_totals -u fooAdmin -p voodoo -P 4434 -m 192.168.1.1 -d fooville -s "/var/tmp/id.txt" -l "/var/tmp/script_dump/" -x "/var/tmp/script_dump/export/"

Standard Command Line Parameters:

Show Help
    Parameter value and options: -? | --help
    Default Value: n/a
    Description: Show help for script

Verbose Mode
    Parameter value and options: -v | --verbose
    Default Value: n/a (not set)
    Description: Show details of operations and values during execution. bash environment variable APISCRIPTVERBOSE can be set to TRUE to run in verbose mode from start without Command Line Parameter. Example: export APISCRIPTVERBOSE=TRUE

Authenticate as root
    Parameter value and options: -r | --root
    Default Value: n/a
    Description: Instead of using administrator user name and password operate as root

Set Console User Name
    Parameter value and options: -u <admin_name>, --user <admin_name>, -u=<admin_name>, --user=<admin_name>
    Default Value: administrator
    Description: Set the username of console user/administrator executing the script. <admin_name> username for console/administrator, e.g. admin

Set Console User password
    Parameter value and options: -p <password>, --password <password>, -p=<password>, --password=<password>
    Default Value: n/a
    Description: Set the password to be used for console user/administrator authentication. If not used the default operation will prompt for the console user/administrator password. <password> password to use for console user/administrator. NOTE: Entry is visible when used.

Set Management Server IP
    Parameter value and options: -m <server_IP>, --management <server_IP>, -m=<server_IP>, --management=<server_IP>
    Default Value: localhost
    Description: Set the IP address of the management server to use for this operation. <server_IP> is the TCP/IP address of the target management server, e.g. 10.10.100.66 NOTE: DO NOT USE THIS PARAMETER IF OPERATING THE SCRIPT FROM THE HOSTING MDS OR SMS, SINCE AUTHENTICATION WILL FAIL.

Set Management Domain
    Parameter value and options: -d <domain>, --domain <domain>, -d=<domain>, --domain=<domain>
    Default Value: not set
    Description: Set the management domain to use for this operation on a Multi-Domain Management Server. <domain> is the domain to use for the operation, e.g. fooville

Set session file path
    Parameter value and options: -s <session_file_filepath>, -session-file <session_file_filepath>, -s=<session_file_filepath>, -session-file=<session_file_filepath>
    Default Value: ./id.txt
    Description: Set the full path and file name to the session ID file. <session_file_filepath> full path to the session ID file, e.g. /var/tmp/id.txt

Web SSL Port (NEW)
    Parameter value and options: -P <web_ssl_port> | --port <web_ssl_port> | -P=<web_ssl_port> | --port=<web_ssl_port>
    Default Value: 443
    Description: Web SSL Port of the Management server, default is 443, but can be set explicitly to address changes to multiportal, thus change to API web port.

Session Timeout
    Parameter value and options: --session-timeout <session_time_out>, 10 - 3600
    Default Value: 600 default (seconds)
    Description: Configure session timeout value for login operation executed

System Object Export
    Parameter value and options: --NSO | --no-system-objects, --SO | --system-objects
    Default Value: --NSO
    Description: Configure export of System Objects created by "System". By Default this value is set to --NSO or --no-system-objects and objects created by "System" are ignored during the export of full JSON or CSV information. Standard JSON export always will do all objects found since the search for "System" objects is not possible with the supplied JSON stream. To enable export of "System" created objects, utilise the --SO or --system-objects parameter. For JSON output --NSO will generate zero length files as the dump.

Log File path
    Parameter value and options: -l <log_path>, --log-path <log_path>, -l=<log_path>, --log-path =<log_path>
    Default Value: folder path
    Description: Set the path for log files generated by the script. <log_path> path (no following "/"), e.g. "./var/tmp/script/logs"

Output File path
    Parameter value and options: -o <output_path>, --output <output_path>, -o=<output_path>, --output =<output_path>
    Default Value: folder path
    Description: Set the path for output files generated by the script. <export_path> path (no following "/"), e.g. "./var/tmp/script"

Set export file path (CHANGED)
    Parameter value and options: -x <export_path>, --export <export_path>, -x=<export_path>, --export =<export_path>
    Default Value: ./dump/<yyyy-mm-dd-hhmm-tz>
    Description: Set the path for export files generated by the script. <export_path> path (no following "/"), e.g. "./var/tmp/script"

Set import file path
    Parameter value and options: -i <import_path>, --import-path <import_path>, -i=<import_path>, --import-path=<import_path>
    Default Value: ./import.csv
    Description: Set the path for input files required by the script. <import_path> path (no following "/"), e.g. "./var/tmp/script/input"

Set delete file path
    Parameter value and options: -k <delete_path>, --delete-path <delete_path>, -k=<delete_path>, --delete-path=<delete_path>
    Default Value: ./delete.csv
    Description: Set the path for input files required by the script to identify what to delete. <delete_path> path (no following "/"), e.g. "./var/tmp/script/input"

--NOWAIT
    Description: Skip waiting for key input on some operations or when running in verbose mode

--CLEANUPWIP
    Description: Remove the WIP folder created under some operational output operations (e.g. CSV exports) - PENDING IMPLEMENTATION

--NODOMAINFOLDERS
    Description: Don't generate the domain specific folders, files are domain specific so all collected - PENDING IMPLEMENTATION

--CSVEXPORTADDIGNOREERR
    Description: Automatically modify the CSV file to include the presumed ignore error, warning, or set-if-exist values - PENDING IMPLEMENTATION

Configuration Parameters in the Script [this section needs more work]

NOTE: This predicates some scripting ability and capability to use a text editor. I recommend using the dos2unix command on any updated scripts once uploaded to the target management server host to ensure compatibility.

These script examples attempt to provide some detail tailoring and configuration via variables set for the specific script.
Some of these configuration values are influenced by the Command Line Parameters that can be passed to the script. This version does not make the approach overly generic (e.g. name of exported CSV file is hardcoded in the import), and future versions of this example set may clearly abstract and configure command line input variables.

Key values to configure for:

Export, Import, and Delete scripts

| Variable | Definition |
|---|---|
| APICLIadmin | SmartConsole administrator name to use for operations |
| APICLIsessionfile | filename and path to mgmt_cli session ID file generated by login and used for all subsequent mgmt_cli operations |

Export Scripts

| Variable | Definition |
|---|---|
| APICLIpathroot | root of path for output files |
| APICLIpathbase | base path for output files, generally uses $APICLIpathroot and for operations time delineation can utilize the $DATE variable |
| APICLIfileoutputpre | General prefix for the output file, prefixes the filename in the full output file path |
| APICLIfileoutputext | File extension for operational output file, default is .txt |
| APICLIfileoutputsufix | File suffix for the operational output file, default is $DATE.$APICLIfileoutputext so generally <date_time_group>.txt |
| APICLIJSONfileoutputext | File extension for mgmt_cli json output file, default is .json. NOTE: this is not used in this example |
| APICLIJSONfileoutputsufix | File suffix for the mgmt_cli json output file, default is $DATE.$APICLIJSONfileoutputext so generally <date_time_group>.json. NOTE: this is not used in this example |
| APICLICSVfileoutputext | File extension for generated CSV file, default is .csv |
| APICLICSVfileoutputsufix | File suffix for the operational output file, default is $DATE.$APICLICSVfileoutputext so generally <date_time_group>.csv. NOTE: this was purposely done for the work utilizing this example, which stipulates a defined state of CSV output to export based on the time of execution. For those wanting a generic approach, the value can be set to be more static and not include the $DATE value element. |
| APICLIObjectLimit (DO NOT MODIFY THIS VALUE) | This is the maximum number of groups to export, providing the limit value for the mgmt_cli show groups command to populate the array of groups to export members from. The API supports a "limit" value of 0 to 500, and the default is set to 500 to ensure the maximum number of objects is collected. |
| APICLIoutput | full file path to operational output file for later review of actions |

Import Scripts

| Variable | Definition |
|---|---|
| APICLIfileoutputpre | General prefix for the output file, prefixes the filename in the full output file path |
| APICLIfileoutputext | File extension for mgmt_cli json output file, default is .json |
| APICLIfileoutputsufix | File suffix for the mgmt_cli json output file, default is $DATE.$APICLIfileoutputext so generally <date_time_group>.json |
| OutputPathRoot | root of path for output files |
| OutputPathBase | base path for output files, generally uses $OutputPathRoot and for operations time delineation can utilize the $DATE variable |
| CSVImportType | mgmt_cli type for import operation, in this example it is group |
| CSVImportPathRoot | This is the path root for the location of the CSV file to import, in the example it is a sub-directory relative to the location of the script |
| CSVImportPathFile | This is the file name of the CSV file to import, in this case hard-coded based the CSV output generated by the export operation. NOTE: this was purposely done for the work utilizing this example, which stipulates a defined state of CSV output to import. For those wanting a generic approach, the value can be set to be more static and not include the $DATE value element. |
| CSVImportPath | This is the path to the CSV file to import based on the $CSVImportPathRoot and $CSVImportPathFile variables. |
| OutputPath | full file path to operational output file for later review of actions |

Delete Scripts

| Variable | Definition |
|---|---|
| APICLIfileoutputpre | General prefix for the output file, prefixes the filename in the full output file path |
| APICLIfileoutputext | File extension for mgmt_cli json output file, default is .json |
| APICLIfileoutputsufix | File suffix for the mgmt_cli json output file, default is $DATE.$APICLIfileoutputext so generally <date_time_group>.json |
| OutputPathRoot | root of path for output files |
| OutputPathBase | base path for output files, generally uses $OutputPathRoot and for operations time delineation can utilize the $DATE variable |
| CSVImportType | mgmt_cli type for import operation, in this example it is group |
| CSVImportPathRoot | This is the path root for the location of the CSV file to import, in the example it is a sub-directory relative to the location of the script |
| CSVImportPathFile | This is the file name of the CSV file to import, in this case hard-coded based the CSV output generated by the export operation. NOTE: this was purposely done for the work utilizing this example, which stipulates a defined state of CSV output to import. For those wanting a generic approach, the value can be set to be more static and not include the $DATE value element. |
| CSVImportPath | This is the path to the CSV file to import based on the $CSVImportPathRoot and $CSVImportPathFile variables. |
| OutputPath | full file path to operational output file for later review of actions |

Modification of the script sections to suit personal preference and requirements is strongly encouraged via the copy-paste operation.

I may be updating these later, with some harmonization of common variables required and some abstraction options via command line parameters.

Why and What for...

These scripts were developed to address a pressing need in my own basement cloud laboratory, after some issues cropped up with my migrated management server, which has an original data base starting from R70 and migrated, upgraded, imported to Multi-Domain Management, and now exported from Multi-Domain Management, which has left the system a bit wonky and questionable. By creating scripts to handle the output of objects from my existing management server, I can then use the CSV data to import to a clean, new installation, where I can start fresh, with all my objects, but probably none of the baggage or garbage from almost 9 years of lab/home use operations. It is an excellent learning opportunity and mentors like Uri Bialik help with this very much.

However, these scripts can also help with some other operations that may be necessary, probably requiring some tweaks, but the example can help a bunch for starting out, operations like:

- Duplicating group members after group import for laboratory environments, when building a from-scratch test environment, but wanting to use familiar objects
- Duplicating group members after group import to a different Domain in Multi-Domain Management, when not wanting to use global objects.
  This will require some adjustments to handle the Domain specification variables, but should not be rocket magic to make happen.
- Operations in Professional Services for either recovering from an exported baseline, or assisting with pre-migration testing operations, and rebuild operations
- Having a backup of objects on hand to utilize for bare-metal rebuild where an import or restore is not plausible or advisable.

Future Improvements and Extensions:

- PARTIALLY Implemented - Implementing and improving error handling, currently omitted due to time constraint and for actual mgmt_cli operations a concept for approach
- JSON Implemented - Export, Import, and [yes also] Delete of Services, but very much focused on those created by the user, not the native Services delivered in the installation
- Configuration of exported fields to CSV for more control at import
- Interactive selection of what items to export, import, or delete depending on script
- Port to Windows Power Shell scripting, once I figure out how to handle date-time-group values and jq in Windows Power Shell.
- Configuration of system objects creators to exclude, and parameter control to select specific creator objects.
- PARTIALLY Implemented - Common bash script element framework to simplify script development, which may mean more detailed script installation requirements. Later with Power Shell port also for Power Shell.
- Addition of a global [or any use] naming pre-fix to each object exported to CSV to allow alternative import, e.g. to move objects from local domain to global domain on Multi Domain Management implementation.
- Addition of specific information fields for CSV export to help identify objects for other operations (e.g. not direct import), like uid, creator, state, etc. These dumps may require more work to prepare if import is desired

Now on GITHUB

GitHub - mybasementcloud/R8x-export-import-api-scripts: Check Point R8x Export, Import, [and more] API scripts for bash …

FEEDBACK

If you need help with a problem using the script, please provide the following in any communication:

- R80.x version being used and management type (SMS or MDM)
- CLI level text capture (copy/paste of terminal window for execution) with the script run in "-v" (verbose mode) to ensure we see all comments and information from the execution
  - Do not use the "--password" option to ensure that your password is not provided, I don't want to know
  - Ensure all command line parameters passed are correct
- any CSV or JSON output generated for the problem object(s), this can be compressed to save e-mail space
- if importing, setting, or deleting values the utilized CSV file(s)
- a short explanation of what you are trying to accomplish and what is not being met, since we may be operating on different assumptions

Code Version

Code version 0.29.02 and later

Tested on version

- R80, API version 1.0
- R80.10 EA, API version 1.? [2016-12 EA package]
- R80.10 GA, API version 1.1
- R80.10 New Kernel EA, API version 1.1
- R80.10 GA for Smart-1 525, 5050, 5150, API version 1.1
- R80.20 EA T354, EA T395 MDM and SMS, R80.20 GoGo EA 3.10 kernel gateways
- R80.20 GA T101
- R80.30 EA (Public)

Known Limitations

- Code version: All up to current (RESOLVED with v00.29.02 release)
  Limitation Identified: Using the -r or --root command line operation fails to execute authentication due to a limitation in approach with parametrized command line parameters for the mgmt_cli command. This issue is being escalated for technical clarification since the same values entered directly (instead of by evaluation parameter) works.
- Code version: All
  Limitation Identified: Using the -m or --management command line parameter is only supported when script is not executed on the actual management server host that is the target.
When executing the script on the actual management server host, DO NOT use the -m or --management command line parameter with management IP address.Change LogCode versionKey Changes0.17.25Updated scripts to include comprehensive Command Line parameter handling (CLI parameters)Added specific scripts for explicit object export to csv.Added delete objects package for clean-up opererationsRefined operation of scripts to leverage sub routines for repeated operations with extensive parameterization to simplify adding more objects and servicesSolved the way to pass variable to JQ element in export operationThink I've solved the MDS JQ location problem with older scripts.Providing packaged sets for export, export of specific objects, import, delete, and template shell version 0.5.00.21.00Updated to correct issues with assumptions around how command line parameters for management, domain, and port work.Now able to handle domain, management server0.22.00Corrected issue with changes to file naming that caused action scripts to fail0.23.00New scripts provided to just count the objects the script could find in the environment (as of version 00.23.00), specifically the "cli_api_get_object_totals.sh" and "cli_api_get_object_totals_w_group_member_count.sh".  Which is useful to determine if what the api sees given the input parameters and user rights is what the admin expects or should see, specifically to help with Multi-Domain operations, which may still need some more tweaking.-P | --port <web ssl port> parameter added to support other than port 443 for management hosts-o | --output CLI parameter renamed to -x | --export to conform with actual purposeCheck for zero size groups added to export operations for group membersExport scripts now handled > 500 objects (current maximum api limit value) and will iterate in 500 chunk steps to process object sets larger than 500 objects.  
json files will be broken out in 500 object sets with the name adding an increment value in sets of 500.  CSV files are still single, since they are built differently.For import added version 1.1 api support for "set-if-exists" option, with api version checking.Added more dependency checking before start and overhauled some operations to enable easier changes.0.24.00New script added to set values of existing objects (as of version 00.24.00), specifically the "cli_api_set-update_objects_from_csv.sh" in the Import Objects set.  It will process all expected input files, and skip operations where it does not find a file.Added handling for export, import, and set for host's interface objects.  NOTE:  The .interfaces[].subnet-mask value is not utilized, instead explict .interfaces[].mask-length4 and .interfaces[].mask-length6 are utilized.Export scripts not handle > 500 objects on all exported object types and formats (both CSV and JSON), this now includes the handling of group members and host interfaces, which required more programming thought to identify the approach.Reduced the default wait time in "read -t <waittime>" from 600 to 15 and added the value $WAITTIME that can be set higher if desired.  Future addition of --waittime <wait-time> and --nowait options are under consideration.0.25.00Corrected semantic issue with detecting empty object types (i.e. 
no objects of that type), now the CSV export will not exit the whole script if no objects are foundExtracted the Command Line Parameter Handler to a dedicated subscript to simplify editing the other scripts.Addressed a semantic issue with web ssl-port not available before identifing the API version and not having the jq location available on MDM versus SMS installationsPrepared some main export files for future object handling expansionNOTE:  This is the last version that will have dedicated specific object handling scripts, the next script set will have an option to configure which objects to handle interactively0.25.01Correct spelling mistakes for output [an ongoing process--always]0.27.05Major overhaul of script operational approach in some functions with logical fixes to semantic approach.Updated command line parameter handler to varriant 003.  As of version 00.27.05 all cli_api*.sh scripts require "cmd_line_parameters_handler.action.common.003.sh" script to handle command line parameters!  Don't forget to copy this file also.Added ability to configure export of objects created by "System" to remove potential for import of system objects and reduce size of output.  By Default this value is set to --NSO or --no-system-objects and objects created by "System" are ignored during the export of full JSON or CSV information.  Standard JSON export always will do all objects found since the search for "System" objects is not possible with the supplied JSON stream.  To enable export of "System" created objects, utilise the --SO or --system-objects parameter.  For JSON output --NSO will generate zero length files as the dump.Templates were also updated to reflect changes in command line handler and approach.0.29.02Resolved issues blocking use of -r parameter for local administrator authentication.  
Only usable on the actual host and will not work with -m option (will indicate if identified).Corrected approach to selection of Check Point Data objects, since System creator is set by upgrade for all objects when upgrading from R77.30 and prior versions of management.Implemented "common" folder for common operations, where future common code elements will live their own version lives, like the CLI parameter handler in the current release.Restructured much of the internal code to fix issues and simplify future updates.Release folder structure and pressed files shared now reflects actual approach used in operation and provides total package, not just specifics.0.29.05Moved to providing Operations and Development branches for scripts in GitHub.General corrections and reworking operations.  Last release to include development of individual scripts for import and export of explicit objects.0.31.00Removed explicit objects import and export scripts from development operations and updates, and now legacy (version 00.29.05) variants of those scripts are provided under the Development branch under ../export_import.wip/_Deprecated_Scripts.Continued corrections and refactoring.  First release of the cli_api_export_all_domains_objects.sh and cli_api_export_all_domains_objects_to_csv_files.sh scripts to handle all objects in all domains on an MDS the user has rights to.0.33.00Production release with updates and working identification of local management host web ssl port for API login configuration.  Operational improvements and template corrections in preparation to adding more objects supported for CSV export and future changes to allow selection of operations.

Remove bad nat cli

Hello. Can I remove a bad NAT from the CLI? Thanks

Using the API to map an Access Layer to a Policy Package

Hi friends - I'm looking to use the API to add a rule to a layer and then install policy on the appropriate package (or packages for a shared layer). In SmartConsole, when I view layers (Manage policies and layers...), it shows me the package(s) the layer is used on, but I can't seem to find that mapping in the API. I've tried both show access-layer and show access-layers, but neither gives me the packages. I tried doing a where-used on my layer UID, but that just gives me an error. I've noticed that showing all my packages lists the layers that are used, but what about the other way around? How do I find which policy(ies) my access layer is a part of?

I'm on v1.5.

Thanks!

Help Exporting Rulebase Data

Hi, I have what I thought would be a simple requirement to export our rulebase to CSV for me to share some information on some specific rules. I have looked around the forum and have struggled to land the best and simplest way of doing this.

The export option in the R80 SmartDashboard GUI does not work for me, as I need to understand the nested groups or the objects / subnets inside of the groups as well as the high level group information.

Is there anything around that is already pre-written script wise to make this happen? Running Python directly from my machine will be a challenge and my scripting knowledge is limited. Running R80.20. Any help would be really appreciated.

Script in creating object and add in an object group using CLI

What is the command line script to create an object/object group and add an object to an object group? Like hundreds of objects (IPs).

I am using Checkpoint R80.10.

R80.40 API v1.6 Changelog

Changelog

What's New in v1.6

This release, API version 1.6, introduces several updates for existing APIs.

Deprecated API commands from this version:
- show data-center command is deprecated, use show data-center-server instead.
- show data-centers command is deprecated, use show data-center-servers instead.

New APIs (35)

API Key (2)

| API command | Description |
|---|---|
| add api-key | Add API key for administrator, to enable login with it. For the key to be valid publish is needed. When using mgmt_cli tool, add -f json to get the key in the command's output |
| delete api-key | Delete the API key. For the key to be invalid publish is needed. |

Data Center Server (4)

| API command | Description |
|---|---|
| delete data-center-server | Delete existing Data Center Server using name or uid. |
| set data-center-server | Edit existing Data Center Server using name or uid. Data Center Server represents the connection to a cloud environment. The Data Center Server contains Data Center Objects, these objects can be imported from it using the add-data-center-object command |
| show data-center-server | Retrieve existing Data Center Server using name or uid. |
| show data-center-servers | Retrieve existing Data Center Servers. |

LSV Profile (5)

| API command | Description |
|---|---|
| add lsv-profile | Add a new Large Scale VPN object. When used inside a VPN Community, the object enables communication between a large amount of externally managed VPN peers. |
| delete lsv-profile | Delete existing LSV profile object using object name or uid. |
| set lsv-profile | Set LSV Profile object's fields. Set CA by uid or name, change peers limit or restrict encryption domain. |
| show lsv-profile | Retrieve existing LSV profile object using object name or uid. |
| show lsv-profiles | Retrieve all objects. |

Migration (4)

| API command | Description |
|---|---|
| backup-domain | Back up the Domain database and applicable Check Point configuration. This command can be used in backup and restore operations. This command is available only in a Multi-Domain environment and when logged into the MDS domain. For known limitations see sk146953 |
| migrate-export-domain | Export the Domain database and applicable Check Point configuration. This command can be used in export and import operations. This command is available only when logged into the system domain. For known limitations see sk156072 |
| migrate-import-domain | Imports the exported Domain database and applicable Check Point configuration. This command can be used in import operations. This command is available only when logged into the system domain. For known limitations see sk156072 |
| restore-domain | Restores the backed-up Domain database and applicable Check Point configuration. This command can be used in restore operations. This command is available only in a Multi-Domain environment and when logged into the MDS domain. For known limitations see sk146953 |

Misc. (1)

| API command | Description |
|---|---|
| install-database | Copies the user database and network objects information to specified targets. |

Server Certificate (5)

| API command | Description |
|---|---|
| add server-certificate | Import server certificates for inbound HTTPS traffic inspection. You can use the imported server certificates in the Certificate column of the HTTPS Inspection Policy. |
| delete server-certificate | Delete existing server certificate using name or uid. |
| set server-certificate | Edit existing server certificate using name or uid. |
| show server-certificate | Show existing server certificate using name or uid. |
| show server-certificates | Show existing server certificates. |

Session Management (2)

| API command | Description |
|---|---|
| revert-to-revision | Revert the Management Database to the selected revision. |
| verify-revert | Verify the Management Database can revert to the selected revision. |

Simple Cluster (5)

| API command | Description |
|---|---|
| add simple-cluster | Create new object. |
| delete simple-cluster | Delete existing object using object name or uid. |
| set simple-cluster | Edit existing object using object name or uid. |
| show simple-cluster | Retrieve existing object using object name or uid. |
| show simple-clusters | Retrieve all objects. |

SmartTasks (5)

| API command | Description |
|---|---|
| add smart-task | Create new object. |
| delete smart-task | Delete existing object using object name or uid. |
| set smart-task | Edit existing object using object name or uid. |
| show smart-task | Retrieve existing object using object name or uid. |
| show smart-tasks | Retrieve all objects. |

Triggers (2)

| API command | Description |
|---|---|
| show smart-task-trigger | Retrieve existing object using object name or uid. |
| show smart-task-triggers | Retrieve all objects. |

Updated APIs (10)

Threat Profile (3)

| API command | Added fields | Removed fields | Updated fields | Description |
|---|---|---|---|---|
| set threat-profile | 1 | 0 | 0 | Edit existing object using object name or uid. |
| show threat-profile | 2 | 0 | 0 | Retrieve existing object using object name or uid. |
| add threat-profile | 1 | 0 | 0 | Create new object. |

Threat Protection (1)

| API command | Added fields | Removed fields | Updated fields | Description |
|---|---|---|---|---|
| show threat-protections | 1 | 0 | 0 | Retrieve all objects. |

VPN Community Meshed (3)

| API command | Added fields | Removed fields | Updated fields | Description |
|---|---|---|---|---|
| show vpn-community-meshed | 1 | 0 | 0 | Retrieve existing object using object name or uid. |
| set vpn-community-meshed | 2 | 0 | 0 | Edit existing object using object name or uid. |
| add vpn-community-meshed | 2 | 0 | 0 | Create new object. |

VPN Community Star (3)

| API command | Added fields | Removed fields | Updated fields | Description |
|---|---|---|---|---|
| set vpn-community-star | 2 | 0 | 0 | Edit existing object using object name or uid. |
| show vpn-community-star | 1 | 0 | 0 | Retrieve existing object using object name or uid. |
| add vpn-community-star | 2 | 0 | 0 | Create new object. |

Deprecated APIs (2)

Data Center Server (2)

| API command | Description |
|---|---|
| show data-center | Retrieve existing Data Center Server using name or uid. Starting from version 1.6 of the Check Point Management API, this command is deprecated. Use the show data-center-server command instead |
| show data-centers | Retrieve existing Data Center Servers. Starting from version 1.6 of the Check Point Management API, this command is deprecated. Use the show data-center-servers command instead |

Search multiple CMA

In R77.30 one had the possibility to search all CMAs for object usage. I cannot find this feature in R80.10 MDS. There is no mention of the Cross-Domain Management Server Search function in the CP_R80.10_Multi-DomainSecurityManagement_AdminGuide.

This was especially useful to find global object use, to limit the number of policies one had to push after updating a single object.

Any suggestions for a replacement?

Best regards,
Harald

Having issues with publishing policy via web API

Hi,

I have a PowerShell script that is meant to do the following but is failing on publishing policy. The API gives me the following error but not sure why as I don't have any unpublished changes. Below are the steps.

- Add Host (Success)
- Add Host to Group (Success)
- Publish Policy (Fail)
- Install Policy (Fail)

2019-11-13 09:43:11,233 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp2049910860-30] - Inbound Message
----------------------------
ID: 76
Address: http://127.0.0.1:50276/web_api/add-host
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[text/plain], connection=[keep-alive], Content-Length=[92], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[mgmt_cli_gui], X-chkp-debug=[GUI], X-chkp-sid=[aM8KIGMuWuP8rNWBhDI8LzLVXZtR6-z9kIVee-EFYmc], X-Forwarded-For=[127.0.0.1], X-Forwarded-Host=[127.0.0.1], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.130.181.25]}
Payload: {"groups":"AttackersList","ip-address":"144.139.158.155","name":"attacker-144.139.158.155"}
--------------------------------------
2019-11-13 09:43:11,238 INFO [GUI] com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp2049910860-30] - Cache created and initialized
2019-11-13 09:43:11,239 INFO [GUI] com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp2049910860-30] - Executing [add-host] of version 1.3 (references 1)
2019-11-13 09:43:11,834 ERROR [GUI] com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp2049910860-30] -
com.checkpoint.web_services.faults.ValidationRemoteFault: 2 Blocking validation errors were found.
at sun.reflect.GeneratedConstructorAccessor264.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
Tom_Cripps inside API / CLI Discussion and Samples a week ago
views 394 5 2

Finding a URL in all custom Application/Sites rather than just one

Hi,

I have a script currently utilising the mgmt api to open a specific application/site and show all the URLs listed. I can then grep a saved output to find a single URL. I look to add filtering built into the script, but has anyone had any experience with looping over all application/sites to find a single URL?

Tom
Jin_Zhou inside API / CLI Discussion and Samples 2 weeks ago
views 209 2

How to use run-script to get IPS information on a VS of VSX?

I am trying to use run-script to get IPS information on a VS of VSX. Say VS 3 on cli I could do following:

vsenv 3
ips stat

But if I put it in run-script as follows, api could not find vsenv command.

mgmt_cli -r true -d Mydomain -VSX run-script script-name test script "vsenv3; ips stat" targets.1 vsx1 -f json

Also tried to put the two commands in a script, test.sh:

#!/bin/bash
vsenv 3
ips stat

then run

mgmt_cli -r true -d Mydomain -VSX run-script script-name test script "/mydir/test.sh" targets.1 vsx1 -f json

it does not work either. Any idea how to get this to work or any way that can get IPS info on VS?
Ed_Eades inside API / CLI Discussion and Samples 2 weeks ago
views 16698 15 6

Bulk Add Network Objects

I am looking for advice on how to bulk add network objects. I need to add around 550 networks and we are on GAIA R80.10. I have read some about dbedit, Using a dbedit script to create new network objects and network object groups, but I am not sure if that would still be the best method. I will also mention I have never used dbedit. When adding these network objects I would also like to add a description on each network object. The dbedit link does not include the syntax for the description. I came across a thread on cpug that If R80, there are more robust CLI for these things. You can find documentation and several examples at https://community.checkpoint.com.

Thanks in advance!
Charles_Currier
inside API / CLI Discussion and Samples 2 weeks ago
views 1507 9 12
Employee+

o365 dynamic objects script

This script pulls the current list of Office 365 IP addresses referenced from Office 365 IP Address and URL Web service | Microsoft Docs to https://endpoints.office.com/endpoints/worldwide. It then creates dynamic objects for each set of Service Areas that have ipv4network ranges defined in the json document. Once run once, an administrator should pull the resulting objects to populate the policy and then rerun once policy is pushed.

This does not have scheduling at this time.

This has been updated to version 3.
Employee

Create list of IPS protections set for packet capture in a specific profile

Used mgmt_cli to generate a json formatted file (ips.json) of all IPS protections (mgmt_cli show threat-protections details-level full) but cannot figure out how to parse out only the profiles with packet capture enabled.

cat ips.json | jq ".protections [] | [.name, .profiles]"