API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Maik inside API / CLI Discussion and Samples 8 hours ago

Show changes from session => from a single session

Hello guys, I want to write a small script that lists all the created, deleted and modified rules and host objects for a given session/revision uid. The management API reference guide includes two possible commands that should do the job:

- show session uid <session_uid>
  This lists all the general details of a session, e.g. the user, the change sum, the description, the application that has been used in order to publish the given session etc. Here everything is working as expected.

- show changes from-session <session_uid> to-session <session_uid>
  This command lists all changes in a given time or session frame... so this means I can use the above mentioned "from-session" => "to-session" arguments or the "from-date" => "to-date" arguments. However, it seems that it is not possible to list all changes from just one single session. The seemingly required arguments have default values if no UIDs for the sessions are specified:

    from-session  string  Default: The session before to-session
    to-session    string  Default: The last published session

But here lies another problem: as from-session defaults to "the session before to-session" while the to-session argument defaults to "the last published session", the command gives you the last two sessions if you do not specify any arguments. Still, it does not allow you to just see the changes from a single session. My idea was to give the from and to argument the same session uid, but this results in the following error:

    > show changes from-session <my_session_uid1> to-session <my_session_uid1>
    ---------------------------------------------
    Time: [15:43:07] 27/3/2019
    ---------------------------------------------
    "Show Changes" failed (100%)
    tasks:
    - task-id: "abcdef01-2345-6789-b58a-3559264bf1dc"
      task-name: "Show Changes"
      status: "failed"
      progress-percentage: 100
      progress-description: "Diff operation failed: Unable to build the diff reply."
      suppressed: false

So the command requires a diff in between both parameters, while a simple "show changes from-uid" or "show changes uid" does not exist. Do I miss something or is there really no possibility to track the changes of a given single session?

Regards,
Maik

API calls to be handled only within one session

Hello all, I am working on some script and I would like to have some questions sorted out about API performance and best practice. I am on R80.30 MDS and using API version 1.5. My idea is to have only 1 session opened (via login), store the session into a variable (or file) and, during the entire script, work only with this one session. This means no other sessions will be opened, as I don't want to have additional load on the machine for login and logout operations.

If I am using "-r true" for any API call (let's say show domains), will it mean that in the background there will be a new login and logout?

At the moment I am struggling with "show packages" for a specific domain and the fact that the -s parameter isn't working. The code looks like this:

    #!/bin/bash
    mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
    mgmt_cli show packages -d "My_Domain" -s sid.txt --format json
    mgmt_cli logout -s sid.txt
    rm sid.txt

And it doesn't give me the desired output, the packages of the domain "My_Domain". In case I use the following syntax, all is working fine (note the -r true parameter instead of -s sid.txt):

    #!/bin/bash
    mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
    mgmt_cli show packages -d "My_Domain" -r true --format json
    mgmt_cli logout -s sid.txt
    rm sid.txt

But the working solution will result in 2 sessions being opened, right? And I want only 1, not more. What am I missing here? Thank you.

Check Point provider on Terraform is officially live!

Hello all! We are glad to announce that the Check Point provider on Terraform is officially live! Terraform is a very well-known solution for building, changing and versioning infrastructure. Terraform is cloud-agnostic and allows a single configuration to be used to manage multiple providers, and even to handle cross-cloud dependencies. This simplifies management and orchestration, and helps to build and provision multi-cloud infrastructures. The Check Point Provider can be used to automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine Security Management configuration tasks, saving time and reducing configuration errors. With the Check Point provider, DevOps teams can automate their security and transform it into DevSecOps workflows. The list of APIs included in the current provider is below; we're now working to extend this list to support the majority of Management and GAiA OS APIs and will have news very soon! This integration follows our integration with Ansible, introduced in 2019. We're looking to accompany customers that use Terraform and Check Point and to build great stuff together. We also encourage you all to check out the provider; please feel free to share use cases and feedback, we'll be glad to assist. You can contact me and Eran Habad

Add sources inside bash scripts

To my understanding, the call for the Check Point shell script (source /etc/profile.d/) needs to be added at the very start of the script, right after the shebang, as per the link below. I couldn't help but notice, however, that in several other scripts, like the health check script, several sources are specified:

    #====================================================================================================
    #  Check Point Sources
    #====================================================================================================
    source /etc/profile.d/ 2> /dev/null
    source /etc/profile.d/ 2> /dev/null
    source $MDSDIR/scripts/ 2> /dev/null
    source $MDS_SYSTEM/shared/ 2> /dev/null
    source $MDS_SYSTEM/shared/ 2> /dev/null

As such, could somebody please explain to me if there are other calls we could use in our scripts apart from source /etc/profile.d/? Thanks in advance.

SmartConsole CLI - getting all rulebases for all policies in a domain

Using the "show access-rulebase name "<insert_name>" --format json" command provides me the data that I am looking for, but doing so for each and every rulebase in the domain would take a long time. Is there a command that I am not finding, or a parameter in the existing command, that would allow the data to be provided for all rulebases within a domain? Any help would be appreciated.

problem adding interoperable device via web API

Hello Guys,

I am trying to create an interoperable device via the Python web API (I have v1.1). I have this payload to put into the command 'add-generic-object':

    object = {
        'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain',
        'name': deviceName,
        'ipaddr': deviceIP,
        'thirdPartyEncryption': True,
        'osInfo': {'osName': 'Gaia'},
        'vpn': {
            'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn',
            'owned-object': {
                'vpnClientsSettingsForGateway': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway',
                    'owned-object': {
                        'endpointVpnClientSettings': {
                            'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway',
                            'owned-object': {'endpointVpnEnable': True}
                        }
                    }
                },
                'ike': {'create': 'com.checkpoint.objects.classes.dummy.CpmiIke'},
                'sslNe': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender',
                    'owned-object': {'sslEnable': False, 'gwCertificate': 'defaultCert'}
                },
                'isakmpIpcompSupport': True,
                'isakmpUniversalSupport': True,
            }
        },
        'dataSourceSettings': None,
        'nat': None,
        'encdomain': 'ADDRESSES_BEHIND_GW',
        'ignore-warnings': True,
        'color': color.upper()
    }

After I run the script, the object is visible in Interoperable devices, but I cannot use it. It is NOT visible when I try to add it to VPN communities, and also when I try to add a VPN community to this object it ends with the error:

    A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.

The object can be 'fixed' via the GUI by setting IPSec VPN -> Traditional mode configuration -> select some enc and hash (i.e. 3des sha1) -> OK, but I cannot find the way to set this through set-generic-object. This does not work:

    {'uid': objectUID, 'vpn': {'ike': {'isakmpHashmethods': ['SHA1']}}}

What am I doing wrong? Via dbedit it works, but I would like to use a cleaner way ...

Why does the query API with the extraction feature send a response with CP_EXTRACT_RESULT_UNSUPPORTED_FILE?

Hi Team,

I am trying to download the pdf file for an earlier uploaded file. First, I sent an upload API request with the extraction feature and got the response "UPLOAD_SUCCESS". After that, I sent a query API request with the extract feature and got the response "FOUND", but extract_result was "CP_EXTRACT_RESULT_UNSUPPORTED_FILE". I am getting the same for txt and xml files. I want to get extracted_file_download_id so that I can send a download API request to get the pdf file. Please let me know how I can get the download file id from the query API response.

Thanks,

Check Point - HEX to IP Converter Tool?

Is there a Check Point tool to easily convert hexadecimal values to IP addresses on the CLI? I use the following lines in scripts:

    hexaddr=$(echo 12cd34ef)
    ipaddr=$(printf "%d." $(echo $hexaddr | sed 's/../0x& /g' | tr ' ' '\n' | tac) | sed 's/\.$/\n/')
    echo $ipaddr

Is there an easier way?

Regards
Heiko Ankenbrand

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.

USAGE

The script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. It doesn't need any credentials. It does everything via the API in read-only mode. Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch:

    [Bob_Zimmerman@MySmartCenter]# ./ -h
    Usage: ./ [-d] [-h] [-J file] [-j file] [-c file] [-O]
    Default output is pretty-print JSON to STDOUT, suitable for output redirection.
      -d       Increase debug level, up to twice.
      -h       Print this usage information.
      -J file  Write pretty-print JSON output to .
      -j file  Write compact JSON output to . One line per rule.
      -c file  Write quote-delimited CSV output to .
      -O       Write pretty-print JSON output to STDOUT.
      list     List of IPs to search for, separated by spaces.

As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. It just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.

The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.

KNOWN LIMITATIONS

- It currently accepts only IP addresses. I haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.
- There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.
- I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.
- I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.
Ivo_Hrbacek inside API / CLI Discussion and Samples Wednesday

users via API

Hi guys,

I would like to ask if there are plans to include handling users via the API in future releases (local account creation, certificate generation, etc.)? Currently there is no such possibility via the API, and I think it could be very handy when migrating from different platforms.

Thanks for the info
inside API / CLI Discussion and Samples Tuesday

How to Query Global Properties via CLI

There are two ways to achieve this:

R80.10 and earlier, using dbedit (see Editing the objects_5_0.C file via Check Point database editing utilities and the R77 CLI Reference Guide):

    print properties firewall_properties

R80.x, using the API/mgmt_cli (thanks @Uri_Bialik for sharing):

Get the UID of the Firewall Properties table:

    mgmt_cli show-generic-objects name "firewall_properties" -r true
    objects:
    - uid: "42b7d2e2-4131-4c7c-8a99-ea3af38509e9"
      name: "firewall_properties"
      type: "CpmiFirewallProperties"
      domain:
        uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
        name: "SMC User"
        domain-type: "domain"
    from: 1
    to: 1
    total: 1

Print the details of the object by UID:

    mgmt_cli show generic-object uid "42b7d2e2-4131-4c7c-8a99-ea3af38509e9" -r true -f json

In the future, we plan to have formal API support for querying and setting the various Global Property settings.

Installation speed and verification on installation

Hi,

This is something I noticed when I was doing installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed tests and found the following results for a policy of size 10000 rules and 15000 objects:

Policy Verification: 2 minutes
Policy Installation (single gateway): 4 minutes

I have been trying to find a way to reduce the overall time taken and, after some searching, I realized a few things:
1) Policy verification takes place in Policy installation.
2) Policy installation compiles and sends the entire package to the gateway instead of the delta changes.

Just wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management gateway detects that no new publishes happened after the last verification. Also, just playing with the thought if the verification can be sped up by looking at delta changes and doing verifications only on those changes (this will likely speed the verification process up a lot).

JL
HeikoAnkenbrand inside API / CLI Discussion and Samples a week ago

GEO Location Objects in Firewall Policy (with Dynamic Objects)

Currently no regional settings can be used in the Firewall Policy. This only works in the „Geo Policy“ and has the disadvantage that no special settings are possible. For example, no services like http can be specified.

This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.

In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway. If the script is started for the first time, the country file is transferred from the management server to the gateway via scp. All you have to do is enter the IP address, user name and password of the management server. The current country list is displayed. Now only the appropriate country must be selected, for example "WLF". Afterwards a dynamic object is created on the gateway with the name „GEO_<country code>“, for example "GEO_WLF".

Now create a Dynamic Object with the same name in the management under „New > More > Network Objects > Dynamic Objects > Dynamic Object“, for example "GEO_WLF". Now create a Firewall Policy with the Dynamic Object. Install Policy.

Important!
1) On a cluster the script must be executed on both gateways.
2) This is not a supported Check Point solution!

Script Version:
- 0.7a final version
- 0.7b bug fix (02.08.2018)

Regards,
Heiko

Python Tool - Export/Import

Hi all, I have used this tool successfully before, but now for some reason it's not working for me. Can anyone point out why I am getting this no matter what when I try to run it?

    Traceback (most recent call last):
      File "", line 39, in <module>
        payload=payload)
      File "C:\Python27\lib\site-packages\cpapi\", line 169, in login
        login_res = self.api_call("login", credentials)
      File "C:\Python27\lib\site-packages\cpapi\", line 242, in api_call
        self.check_fingerprint()
      File "C:\Python27\lib\site-packages\cpapi\", line 547, in check_fingerprint
        server_fingerprint = self.get_server_fingerprint()
      File "C:\Python27\lib\site-packages\cpapi\", line 439, in get_server_fingerprint
        context = ssl.create_default_context()
    AttributeError: 'module' object has no attribute 'create_default_context'
mbouri inside API / CLI Discussion and Samples 2 weeks ago

How can I find in which rule a group object is used with Ansible cp_mgmt_group_facts?

Hello,

I'm using Ansible to automate a lot of manual tasks. It works well for the moment, but I'm not able to retrieve the rule name when I use cp_mgmt_group_facts (like "where used" in SmartDashboard). Below is the JSON output:

    ok: [localhost] => {
        "host_facts": {
            "ansible_facts": {
                "host": {
                    "color": "black",
                    "comments": "",
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "groups": [
                        {
                            "domain": {
                                "domain-type": "domain",
                                "name": "SMC User",
                                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                            },
                            "name": "Demo",
                            "type": "group",
                            "uid": "8ab21516-39e7-4507-9312-636631d6c5de"
                        }
                    ],
                    "icon": "Objects/host",
                    "interfaces": [],
                    "ipv4-address": "",
                    "meta-info": {
                        "creation-time": {
                            "iso-8601": "2019-12-15T07:07+0100",
                            "posix": 1576390077465
                        },
                        "creator": "admin",
                        "last-modifier": "admin",
                        "last-modify-time": {
                            "iso-8601": "2019-12-15T07:07+0100",
                            "posix": 1576390077465
                        },
                        "lock": "unlocked",
                        "validation-state": "ok"
                    },
                    "name": "h-az-",
                    "nat-settings": {
                        "auto-rule": false
                    },
                    "read-only": false,
                    "tags": [],
                    "type": "host",
                    "uid": "15e386c6-4ef3-4155-903d-579707171494"
                }
            },
            "changed": false,
            "failed": false
        }
    }

I also tested with details_level: full. Is there any simple way to retrieve this information without retrieving the whole rule base and checking the source and destination of each rule? 😞

Regards