cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
amy567
amy567 inside API / CLI Discussion and Samples 12 hours ago
views 114 3

checkpoint API

How to use checkpoint API to create IPv6 host address. Does any special configuration required to enable IPv6 API?

API: install-on does not accept group targets

Hi,I have a customer who's moving from R77 to R80 and due to various reasons we have had to import objects and rules via mgmt_cli. However the API does not permit a group of firewalls as an install-on target; I had to create a dummy gateway object as a placeholder and then replace a number of rules with the group (which we had successfully imported via API).Would it be possible to make this feature work in next API? ThanksJamie 

Developing Web portal using API

Hey Checkmates,I need a help.! i am assigned with the task to develop a web portal which will be provided to my team members.That portal should contain features to add-host , delete-host, make network groups, Allow/deny traffic (in this case ,user-based policies) to a specific website, send only user traffic log (not system logs) on portal.. etc and a little more functionality. However i m not supposed to provide all the firewall details and functionality (such as adding/deleting subnet) to my team members. From my research i found out that it can be done using RESTful APIs via browser.Please suggest me how can i get started ?such asA) Programming language to put in use ?B) IDEs and Frameworks ??C) How to use Firewall APIs ?D) libraries of programming language?Also, for the development purpose initially i will be using Checkpoint firewall in Vmware (virtrual environment) .Thank you. 
JozkoMrkvicka
JozkoMrkvicka inside API / CLI Discussion and Samples a week ago
views 21861 14 4

Manipulate Cluster Object with API

Hello guys,I am wondering if there is any way how to modify Cluster object using API tool. I know, that there are few commands to manipulate with "simple-gateway", but I would like to know if there is posibility to change something within Cluster Object, or even member(s) of Cluster. Lets say I want to add new interface (new VLAN) for cluster with 2 members in "Dashboard". Attaching screenshot what I would like to achieve.Of course I tried to use for example "show-simple-gateway" (see second attached screenshot) for Cluster, but I am getting following error:{ "code": "generic_error", "message": "Runtime error: com.checkpoint.objects.classes.dummy.CpmiGatewayCluster incompatible with com.checkpoint.objects.classes.dummy.CpmiGatewayCkp"}Is something like that posible ?Thank you for your answer.
Employee+

mgmt api failes to start

Hello Guys,   I'm trying to start API on a machine I have and it fails to start  This is the end of api.elg file when I perform "api restart" in the terminal. Any ideas why I can't start the API on this machine?   Regards, Adiel -------------------------------------------------------------------------- 2019-10-04 03:15:27,812 WARN org.eclipse.jetty.webapp.WebAppContext.doStart:503 [main] - Failed startup of context o.e.j.w.WebAppContext{/web_api,file:/var/log/opt/CPsuite-R80/fw1/tmp/jetty-127.0.0.1-50276-web_api.war-_web_api-any-/webapp/},/opt/CPsuite-R80/fw1/api/webapps/web_api.warorg.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from URL [jar:file:/opt/CPsuite-R80/fw1/api/lib/web_api_module_objects.jar!/com/checkpoint/management/web_api/config/web-api-module-objects-bean-config.xml]; nested exception is java.lang.RuntimeException: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:412)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.loadBeanDefinitions(IgnoringDuplicateFilesBeanDefinitionReader.java:51)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:180)at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125)at com.checkpoint.management.web_api.core.spring.WebApiIgnoringDuplicateBeansXmlWebApplicationContext.loadBeanDefinitions(WebApiIgnoringDuplicateBeansXmlWebApplicationContext.java:19)at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:131)at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:522)at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:436)at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:384)at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:283)at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:782)at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:424)at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:774)at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:249)at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1242)at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:717)at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:494)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:39)at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:186)at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:494)at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:141)at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:145)at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:56)at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:615)at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:540)at org.eclipse.jetty.util.Scanner.scan(Scanner.java:403)at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:337)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:121)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:555)at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:230)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.util.component.AggregateLifeCycle.doStart(AggregateLifeCycle.java:81)at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:58)at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:96)at org.eclipse.jetty.server.Server.doStart(Server.java:282)at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1259)at java.security.AccessController.doPrivileged(AccessController.java:594)at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1182)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at org.eclipse.jetty.start.Main.invokeMain(Main.java:473)at org.eclipse.jetty.start.Main.start(Main.java:615)at org.eclipse.jetty.start.Main.main(Main.java:96)Caused by: java.lang.RuntimeException: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.getURL(IgnoringDuplicateFilesBeanDefinitionReader.java:61)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.loadBeanDefinitions(IgnoringDuplicateFilesBeanDefinitionReader.java:43)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:174)at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:209)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.importBeanDefinitionResource(DefaultBeanDefinitionDocumentReader.java:239)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseDefaultElement(DefaultBeanDefinitionDocumentReader.java:196)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:181)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.doRegisterBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:140)at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:111)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:493)at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:390)... 53 moreCaused by: java.io.FileNotFoundException: class path resource [com/checkpoint/management/conf/cdm_web_services_config.xml] cannot be resolved to URL because it does not existat org.springframework.core.io.ClassPathResource.getURL(ClassPathResource.java:179)at com.checkpoint.infrastructure.spring.IgnoringDuplicateFilesBeanDefinitionReader.getURL(IgnoringDuplicateFilesBeanDefinitionReader.java:58)... 63 more2019-10-04 03:15:27,815 INFO org.eclipse.jetty.deploy.DeploymentManager.addApp:132 [main] - Deployable added: /opt/CPsuite-R80/fw1/api/contexts/docs.xml2019-10-04 03:15:27,839 INFO org.eclipse.jetty.server.AbstractConnector.doStart:338 [main] - Started SelectChannelConnector@127.0.0.1:50276 ----------------------------------------------------------------------------------------------------------------------
Marc_Guyard
inside API / CLI Discussion and Samples 2 weeks ago
views 8683 10 4
Employee

run-script output

Hi,How can we retreive output for run-script API command ?I can see result on Dashboard but it's possible to have this by API ?Thanks
Tom_Cripps
Tom_Cripps inside API / CLI Discussion and Samples 2 weeks ago
views 225 2 2

Finding a URL in all custom Application/Sites rather than just one

Hi,I have a script currently utilising the mgmt api to open a specific application/site and show all the URL's listed. I then can then grep a saved output to find a single URL. I look to add filtering built into the script but has anyone had any experience with looping over all application/sites to find a single URL?Tom
Employee+

API: How to use args in run-script ?

Hello CheckMates!Could you provide me a hint on how to use args parameter in API (v1.1) call run-script to pass arguments to an OS command or script ? Using args with mgmt._cli, postman, SCconsole returns a failed task.e. g. :mgmt._cli -r true -f json run-script script-name "ping" script "ping" args " -c1 172.17.xxx.2" targets.1 "mgmt._server_itself"returns:"mgmt._server_itself - ping"  failed  (100%){<omitted for brevity>    "task-id" : "e1f9a669-2cf8-4248-bee7-437902810e9b",    "task-name" : "mgmt._server_itself - ping",    "status" : "failed",<omitted>      "statusCode" : "failed",      "statusDescription" : "Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline],  [-p pattern] [-s packetsize] [-t ttl] [-I interface or addressas if arguments in args string value are not passed to bash. Various arguments and escape sequences tried, same result.Passing all arguments in script value works:mgmt._cli -r true -f json run-script script-name "ping" script "ping -c1 172.17.xxx.2" targets.1 "mgmt._server_itself"returns:"mgmt._server_itself - ping"  succeeded  (100%){<omitted>    "task-id" : "0751191e-9fed-4bcf-851f-b97645dcea4c",    "task-name" : "mgmt_server_itself - ping",    "status" : "succeeded",<omitted>      "statusCode" : "succeeded",      "statusDescription" : "PING 172.17.xxx.2 (172.17.xxx.2) 56(84) bytes of data. 64 bytes from 172.17.xx.2: icmp_seq=1 ttl=128 time=0.110 ms,  --- 172.17.xxx.2 ping statistics ---, 1 packets transmitted,  1...",Screened api.elg, cpm.elg, fwm.elg for clues - didn't understand how script string and args string are passed to bash.Environment: R80.10, JHF T112 Thank you for your time,andreip
carlosgeib
carlosgeib inside API / CLI Discussion and Samples 2 weeks ago
views 214 1

Script to delete objects

Hello everybody.I'm doing a script to delete objects and rules. I'm having troubles to define if the object is the last in cell. In the SmartConsole, if I go to 'Where Used' in the object, I can see if it are the Last in Cell, but in the "mgmt_cli where used" there isn't a field with this information. Does anynone have this same problem? Is there another way to do this?Thanks for while.

Sandblast - Threat Prevention API - Upload a file via an Webinterface

Hi there,I'm currently playing around with the Threat Prevention API and my goal is to create a web interface to upload a suspicious file to the (on premise) Sandblast appliance.This is my current partly working Python(Flask) code:@app.route('/upload', methods=['GET', 'POST'])def upload():    if request.method == 'POST':        file = request.files['file']        resp=do_upload(file)        return render_template('index.html', msg='success', json=resp)    else:        return render_template('upload.html')def do_upload(file):    filestream = file.stream    hostname='https://LOCALSANDBLAST:18194/tecloud/api/v1/file/upload'    payload={"request":{"file_name":file.filename}}    files = {        'request': (None, json.dumps(payload), 'application/json'),        'file': (file.filename, filestream)    }    response=requests.post(hostname, files=files)    return response.text    print response.textHowever the response I get from the Threat Prevention API contains the code '1006' which according to the documentation is 'PARTIALLY_FOUND: Part of the request found. If the missing data is required, upload the file.'The complete response is attached to this post.What am I doing wrong? Am I not uploading the whole file?Can you maybe provide a working example for uploading and successfully querying a threat emulation via HASH afterwards?Would be very happy to hear your ideas / approaches.Thanks in advance,Johanna
Brambo
Brambo inside API / CLI Discussion and Samples 2 weeks ago
views 224 2

Delete and set multiple routes in VSX mode

Hi all, Until now all my questions have been answered by the various Checkmate Posts.This week I will be migrating a VSX R80.20 system from dedicated  physical interfaces, as internal and external to a combined internal bond, and a combined external bond interface for all the virtual systems to share. In order to do this, I have to delete the VLAN interfaces from the current physical interfaces. I have created a little script to do this. No problems there, but I also have to delete the static routes before I can delete the VLAN from the interface. The routes are visible in the routedx.conf files at OS level. But this file is created by a Checkpoint process that probably will overwrite the file when I change it.  SO - NO GO. The clish config also displays the routes.Adding a route here displays an error telling me that routes need to be added in the GUI. During the migration I have to delete and add about 50 routes since the interfaces will change. Is there a way to prepare this so I can do this using the CLI?I have read about the "run-script" option but that only looks useful to show information from the system.I don't want to use the GUI for this task because it takes a lot of time and a lot of mouse clicks.  Currently, I can't add images because its a sunday and somebody killed my management VM.Hope you can help me on this one.

Mgmt API - feature to update Gateway's MTA settings

Hi guys ,I am looking for the script/command needed to be run which takes care of MTA config ( adding mail domain , next hop  ) on gateway automatically everytime a new Gateway spins up .  Is there any know script/ cmd syntax I can use to do this in the below auto-provision of VMSS ??  I didn’t find any mgmt_cli command …
Ram1
Ram1 inside API / CLI Discussion and Samples 3 weeks ago
views 224 1

Exporting IP dumps from management server

Hi all, I need to export all the IPs Which are present in the security policies of management server to an CSV file and send to an email address...how do i do it?..

Exact match for object lookup in the rulebase

Hi all,simple question: Is there any way to search in the rulebase an object by its exact name via api?When i search an object in the rulebase with its name i.e. "MyName", the output reports also rules with objects like "Old_myname_checkpoint".Case-insensitve mechanism is not a problem, but in my case i prefer to have an exact match just for the pattern that i'm looking for.I also tried in ignorant fashion: "^MyName$" 🙂I think that this could by tied to this note:"Note - Typing the token name into the search box does not always produce the same results as selecting from the list." as reported in the guide Thanks
Mike_A
Mike_A inside API / CLI Discussion and Samples 3 weeks ago
views 208 1 1

SmartConsole CLI - Validation Failed

I'm working on adding ~85 networks into an group. Some of the networks may already exist, and I'm OK with the duplicate for this process. If I use SmartConsole CLI to add the group and networks below, some fail when they are already present with the same subnet/mask. In SmartConsole if I manually create the same network I am able to accept the use of more than one network with the same network/mask combination and move forward.My question is, how can we accept the use of another network/subnet with a different name to be created and accepted, just like we would in SmartConsole by manually creating the network? Basically when the validation fails with the 1 warning, the network object never gets created or added to the group. I'm looking for some sort of an "accept warning" flag to create the new network in the script even if one exists already with a different name. > add group name CORE_NETWORKS> add network name network_10.2.15.0_b27 subnet 10.2.15.0 mask-length 27 groups CORE_NETWORKS> add network name network_10.2.1.0_b24 subnet 10.2.1.0 mask-length 24 groups CORE_NETWORKScode: "err_validation_failed"message: "Validation failed with 1 warning"warnings: - message: "More than one network have the same IP 10.2.1.0/255.255.255.0"> add network name network_10.2.6.0_b24 subnet 10.2.6.0 mask-length 24 groups CORE_NETWORKScode: "err_validation_failed"message: "Validation failed with 1 warning"warnings: - message: "More than one network have the same IP 10.2.6.0/255.255.255.0"> add network name network_10.2.7.0_b24 subnet 10.2.7.0 mask-length 24 groups CORE_NETWORKSFrom the commands above, just for testing and to articulate this in a post, the group is created. Out of the 4x networks attempted to be created only 2x are and added to the group.