cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Inbar_Moskovich
inside API / CLI Discussion and Samples 8 hours ago
views 12783 54 30
Employee+

Show Package - Tool to visualize a R80 policy package over HTML pages

OverviewCheck Point ShowPolicyPackage tool visualizes the contents of a R80 security policy package (layers, rulebases, objects) over HTML pages.DescriptionThe tool allows the security policy as well as objects in the R80 objects database to be exported into a readable format. This exported information represents a snapshot of the database.The tool generates a compressed file (.tar.gz) containing the following files:• HTML files - The objects and rules presented as html files. The "index.html" acts as a starting point andlists all the available items to display.• JSON files - The objects and rules exported as multiple JSON files.• Log file (e.g. show_package-yyyy-mm-dd_HH-MM-ss.elg) - A log file containing debug information.Instructions This tool is hosted on GitHub repository for public use, containing a stand-alone executable Java JAR file (plug & play) and accompanied source code:https://github.com/CheckPointSW/ShowPolicyPackagePlease follow the usage instructions and examples on this site. It contains valuable information.Any questions, clarifications, improvements and feedback is welcome.P.S. This tool is also delivered along with R80 management server releases. But the GitHub repository is the most updated and maintained source!Tested on versionR80.10, API version 1.1Source Code AvailabilityThe source code is now public on GitHub repository as mentioned above.NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions
JPYDX
JPYDX inside API / CLI Discussion and Samples 12 hours ago
views 62 1

Installing SDK for ExportImport script

Hi, Please can someone help me out?I need to export my R80 policy to move onto another R80 policy.I am going to use the ExportImport packageI need install the SDK first and I think I am missing something simple.I have put both script packages in my home/admin folderTo install the SDK, I am running.../python2.7 /home/admin/cp_mgmt_api_python_sdk-master/opt/CPsuite-R80/fw1/Python/bin/python2.7: can't find '__main__' module in '/home/admin/cp_mgmt_api_python_sdk-master'I am getting lost - and trying to follow the instructions that are listed however it simply says to run this and not pip as pip isnt installed.  I have done export PYTHONPATH=$PYTHONPATH:/home/admin/cp_mgmt_api_python_sdk-master  But this just returned and did nothing which I presume is right?

Edit interfaces of ClusterXL objects via generic object API, changes not visible in SmartConsole

Hello,I understand that there will be an API in R80.40 to manipulate interfaces of cluster objects. Unfortunately, I cannot wait for R80.40 in my project here. So I tried to add interfaces via the generic API described in https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/CloudGuard-Automated-firewall-Cluster-Deployment-with-auto/m-p/60667/highlight/trueRoughly, I added interfaces to the cluster nodes and to the cluster object like this:# set cluster and members with newly created interfacesmgmt_cli set generic-object uid $cluster_uid interfaces.add.create "com.checkpoint.objects.classes.dummy.CpmiClusterInterface" interfaces.add.owned-object.netmask "255.255.255.0" interfaces.add.owned-object.ipaddr $vip_ip interfaces.add.owned-object.memberNetwork.create "com.checkpoint.objects.classes.dummy.CpmiSubnet" interfaces.add.owned-object.memberNetwork.owned-object.netmask "255.255.255.0" interfaces.add.owned-object.memberNetwork.owned-object.ipaddr $cluster_net_ip interfaces.add.owned-object.officialname $interface_name interfaces.add.owned-object.monitoredByCluster true interfaces.add.owned-object.ifindex $if_index --format json --session-file login.txt > cluster_set_response.jsonI created interfaces manually in Smartconsole and checked what entries were  created in the interface table of the member host and cluster objects with guidbedit. I was able to replicate these entries vai the gerneric object api. I also compared the output of get generic-object between the manual created ones and the ones created via the API.I actually can say, that my script is reproducing the manual action 1:1.BUT: There are 2 weired effects that I cannot explain and that block me from making further progress:1. When I create the interfaces via teh API and then go to Smartconsole, I won't find the new interfaces under "Network Management" of the firewall interface, while the new interfaces are definitely there in guidbedit or get generic object.2. When I create an interface manually in Smartconsole and then delete it via dbedit, the interfaces are still there in SmartConsole, while they are definitely gone in guidbedit and get generic-object.I understand that the widget for editing a firewall in R80 smartconsole is still using legacy code from R77, so is there some kind of sync to old style configuration files that needs to be done when the interfaces tables of a cluster is edited via the generic objects API?Any ideas how to solve that?
amy567
amy567 inside API / CLI Discussion and Samples Wednesday
views 168 3

checkpoint API

How to use checkpoint API to create IPv6 host address. Does any special configuration required to enable IPv6 API?

API: install-on does not accept group targets

Hi,I have a customer who's moving from R77 to R80 and due to various reasons we have had to import objects and rules via mgmt_cli. However the API does not permit a group of firewalls as an install-on target; I had to create a dummy gateway object as a placeholder and then replace a number of rules with the group (which we had successfully imported via API).Would it be possible to make this feature work in next API? ThanksJamie 

Developing Web portal using API

Hey Checkmates,I need a help.! i am assigned with the task to develop a web portal which will be provided to my team members.That portal should contain features to add-host , delete-host, make network groups, Allow/deny traffic (in this case ,user-based policies) to a specific website, send only user traffic log (not system logs) on portal.. etc and a little more functionality. However i m not supposed to provide all the firewall details and functionality (such as adding/deleting subnet) to my team members. From my research i found out that it can be done using RESTful APIs via browser.Please suggest me how can i get started ?such asA) Programming language to put in use ?B) IDEs and Frameworks ??C) How to use Firewall APIs ?D) libraries of programming language?Also, for the development purpose initially i will be using Checkpoint firewall in Vmware (virtrual environment) .Thank you. 
JozkoMrkvicka
JozkoMrkvicka inside API / CLI Discussion and Samples 2 weeks ago
views 21869 14 4

Manipulate Cluster Object with API

Hello guys,I am wondering if there is any way how to modify Cluster object using API tool. I know, that there are few commands to manipulate with "simple-gateway", but I would like to know if there is posibility to change something within Cluster Object, or even member(s) of Cluster. Lets say I want to add new interface (new VLAN) for cluster with 2 members in "Dashboard". Attaching screenshot what I would like to achieve.Of course I tried to use for example "show-simple-gateway" (see second attached screenshot) for Cluster, but I am getting following error:{ "code": "generic_error", "message": "Runtime error: com.checkpoint.objects.classes.dummy.CpmiGatewayCluster incompatible with com.checkpoint.objects.classes.dummy.CpmiGatewayCkp"}Is something like that posible ?Thank you for your answer.
Employee+

mgmt api failes to start

Hello Guys,   I'm trying to start API on a machine I have and it fails to start  This is the end of api.elg file when I perform "api restart" in the terminal. Any ideas why I can't start the API on this machine?   Regards, Adiel -------------------------------------------------------------------------- 2019-10-04 03:15:27,812 WARN org.eclipse.jetty.webapp.WebAppContext.doStart:503 [main] - Failed startup of context o.e.j.w.WebAppContext{/web_api,file:/var/log/opt/CPsuite-R80/fw1/tmp/jetty-127.0.0.1-50276-web_api.war-_web_api-any-/webapp/},/opt/CPsuite-R80/fw1/api/webapps/web_api.warorg.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from URL [jar:file:/opt/CPsuite-R80/fw1/api/lib/web_api_module_objects.jar!/com/checkpoint/management/web_api/config/web-api-module-objects-bean-config.xml]; nested exception is java.lang.RuntimeException: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:412)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.loadBeanDefinitions(IgnoringDuplicateFilesBeanDefinitionReader.java:51)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)at com.checkpoint.management.web_api.core.spring.WebApiIgnoringDuplicateBeansXmlWebApplicationContext.loadBeanDefinitions(WebApiIgnoringDuplicateBeansXmlWebApplicationContext.java:19)at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:522)at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:436)at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:384)at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:283)at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:39)at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:186)at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:494)at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:141)at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:145)at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:56)at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:615)at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:540)at org.eclipse.jetty.util.Scanner.scan(Scanner.java:403)at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:337)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:121)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:555)at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:230)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.util.component.AggregateLifeCycle.doStart(AggregateLifeCycle.java:81)at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:58)at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:96)at org.eclipse.jetty.server.Server.doStart(Server.java:282)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1259)at java.security.AccessController.doPrivileged(AccessController.java:594)at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1182)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at org.eclipse.jetty.start.Main.invokeMain(Main.java:473)at org.eclipse.jetty.start.Main.start(Main.java:615)at org.eclipse.jetty.start.Main.main(Main.java:96)Caused by: java.lang.RuntimeException: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.getURL(IgnoringDuplicateFilesBeanDefinitionReader.java:61)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.loadBeanDefinitions(IgnoringDuplicateFilesBeanDefinitionReader.java:43)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.importBeanDefinitionResource(DefaultBeanDefinitionDocumentReader.java:239)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseDefaultElement(DefaultBeanDefinitionDocumentReader.java:196)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:181)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.doRegisterBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:140)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:111)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)... 53 moreCaused by: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat org.springframework.core.io.ClassPathResource.getURL(ClassPathResource.java:179)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.getURL(IgnoringDuplicateFilesBeanDefinitionReader.java:58)... 63 more2019-10-04 03:15:27,815 INFO org.eclipse.jetty.deploy.DeploymentManager.addApp:132 [main] - Deployable added: /opt/CPsuite-R80/fw1/api/contexts/docs.xml2019-10-04 03:15:27,839 INFO org.eclipse.jetty.server.AbstractConnector.doStart:338 [main] - Started SelectChannelConnector@127.0.0.1:50276 ----------------------------------------------------------------------------------------------------------------------
Marc_Guyard
inside API / CLI Discussion and Samples 2 weeks ago
views 8694 10 4
Employee

run-script output

Hi,How can we retreive output for run-script API command ?I can see result on Dashboard but it's possible to have this by API ?Thanks
Tom_Cripps
Tom_Cripps inside API / CLI Discussion and Samples 2 weeks ago
views 228 2 2

Finding a URL in all custom Application/Sites rather than just one

Hi,I have a script currently utilising the mgmt api to open a specific application/site and show all the URL's listed. I then can then grep a saved output to find a single URL. I look to add filtering built into the script but has anyone had any experience with looping over all application/sites to find a single URL?Tom
Employee+

API: How to use args in run-script ?

Hello CheckMates!Could you provide me a hint on how to use args parameter in API (v1.1) call run-script to pass arguments to an OS command or script ? Using args with mgmt._cli, postman, SCconsole returns a failed task.e. g. :mgmt._cli -r true -f json run-script script-name "ping" script "ping" args " -c1 172.17.xxx.2" targets.1 "mgmt._server_itself"returns:"mgmt._server_itself - ping"  failed  (100%){<omitted for brevity>    "task-id" : "e1f9a669-2cf8-4248-bee7-437902810e9b",    "task-name" : "mgmt._server_itself - ping",    "status" : "failed",<omitted>      "statusCode" : "failed",      "statusDescription" : "Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline],  [-p pattern] [-s packetsize] [-t ttl] [-I interface or addressas if arguments in args string value are not passed to bash. Various arguments and escape sequences tried, same result.Passing all arguments in script value works:mgmt._cli -r true -f json run-script script-name "ping" script "ping -c1 172.17.xxx.2" targets.1 "mgmt._server_itself"returns:"mgmt._server_itself - ping"  succeeded  (100%){<omitted>    "task-id" : "0751191e-9fed-4bcf-851f-b97645dcea4c",    "task-name" : "mgmt_server_itself - ping",    "status" : "succeeded",<omitted>      "statusCode" : "succeeded",      "statusDescription" : "PING 172.17.xxx.2 (172.17.xxx.2) 56(84) bytes of data. 64 bytes from 172.17.xx.2: icmp_seq=1 ttl=128 time=0.110 ms,  --- 172.17.xxx.2 ping statistics ---, 1 packets transmitted,  1...",Screened api.elg, cpm.elg, fwm.elg for clues - didn't understand how script string and args string are passed to bash.Environment: R80.10, JHF T112 Thank you for your time,andreip
carlosgeib
carlosgeib inside API / CLI Discussion and Samples 2 weeks ago
views 224 1

Script to delete objects

Hello everybody.I'm doing a script to delete objects and rules. I'm having troubles to define if the object is the last in cell. In the SmartConsole, if I go to 'Where Used' in the object, I can see if it are the Last in Cell, but in the "mgmt_cli where used" there isn't a field with this information. Does anynone have this same problem? Is there another way to do this?Thanks for while.

Sandblast - Threat Prevention API - Upload a file via an Webinterface

Hi there,I'm currently playing around with the Threat Prevention API and my goal is to create a web interface to upload a suspicious file to the (on premise) Sandblast appliance.This is my current partly working Python(Flask) code:@app.route('/upload', methods=['GET', 'POST'])def upload():    if request.method == 'POST':        file = request.files['file']        resp=do_upload(file)        return render_template('index.html', msg='success', json=resp)    else:        return render_template('upload.html')def do_upload(file):    filestream = file.stream    hostname='https://LOCALSANDBLAST:18194/tecloud/api/v1/file/upload'    payload={"request":{"file_name":file.filename}}    files = {        'request': (None, json.dumps(payload), 'application/json'),        'file': (file.filename, filestream)    }    response=requests.post(hostname, files=files)    return response.text    print response.textHowever the response I get from the Threat Prevention API contains the code '1006' which according to the documentation is 'PARTIALLY_FOUND: Part of the request found. If the missing data is required, upload the file.'The complete response is attached to this post.What am I doing wrong? Am I not uploading the whole file?Can you maybe provide a working example for uploading and successfully querying a threat emulation via HASH afterwards?Would be very happy to hear your ideas / approaches.Thanks in advance,Johanna
Brambo
Brambo inside API / CLI Discussion and Samples 3 weeks ago
views 228 2

Delete and set multiple routes in VSX mode

Hi all, Until now all my questions have been answered by the various Checkmate Posts.This week I will be migrating a VSX R80.20 system from dedicated  physical interfaces, as internal and external to a combined internal bond, and a combined external bond interface for all the virtual systems to share. In order to do this, I have to delete the VLAN interfaces from the current physical interfaces. I have created a little script to do this. No problems there, but I also have to delete the static routes before I can delete the VLAN from the interface. The routes are visible in the routedx.conf files at OS level. But this file is created by a Checkpoint process that probably will overwrite the file when I change it.  SO - NO GO. The clish config also displays the routes.Adding a route here displays an error telling me that routes need to be added in the GUI. During the migration I have to delete and add about 50 routes since the interfaces will change. Is there a way to prepare this so I can do this using the CLI?I have read about the "run-script" option but that only looks useful to show information from the system.I don't want to use the GUI for this task because it takes a lot of time and a lot of mouse clicks.  Currently, I can't add images because its a sunday and somebody killed my management VM.Hope you can help me on this one.

Mgmt API - feature to update Gateway's MTA settings

Hi guys ,I am looking for the script/command needed to be run which takes care of MTA config ( adding mail domain , next hop  ) on gateway automatically everytime a new Gateway spins up .  Is there any know script/ cmd syntax I can use to do this in the below auto-provision of VMSS ??  I didn’t find any mgmt_cli command …