cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

ASAtoVSX - Translate your Cisco running config to VSX and more!

Hello everyone,I wanted to share with you a tool that we developed to help us automate a big part of a project.Long story short, we needed to migrate many virtual context from ASA to VSX. As you may know adding static routes and interfaces to a VS can be cumbersome. Especially if you have firewalls with +100 interfaces and +300 routes 😀The tool was developed in Golang and is open source.Keep in mind that this tool was developed for our use case, maybe you need to tinker around a bit regarding interfaces names. For example, you may need to replace "bond" with "eth"Feel free to fork it if you need.Download: ASAtoVSX Parser - Molten Minds Github Current features (Tested with ASA Version 9.4(4)5 and Check Point R80.30)Translates interfaces to vsx_provisioning_tool languageTranslates static routes to vsx_provisioning_tool languageMarks with # when an interface is downGenerates a vsx_provisioning_tool output with interfaces and static routesGenerates a JSON file containing all the interfacesGenerates a JSON file containing all the routes Translation examples ASACheck Point (vsx_provisioning_tool)Interfaceinterface Port-channelY.XXdescription ***nameif IFNAMEsecurity-level 30ip address 172.**.**.** 255.255.128.0!add interface name bondY.XX ip 172.**.**.** netmask 255.255.128.0Interface (Shutdown)Caso interfaz downinterface Port-channelY.XXdescription IFNAMEshutdownnameif IFNAMEsecurity-level 30ip address 10.**.**.** 255.255.255.248!#add interface name bondY.XX ip 10.**.**.** netmask 255.255.255.248Static routeroute IFNAME 10.**.**.** 255.255.255.255 10.**.**.** 1add route destination 10.**.**.** netmask 255.255.255.255 next_hop 10.**.**.**Default routeroute OUTSIDE 0.0.0.0 0.0.0.0 181.**.**.** 1add route destination default next_hop 186.**.**.** UsageUsage is really simple.1) Download the executable file from Github or compile the code yourself2) Extract running config and save it as a text file with UTF-8 format . At the moment the tool only allow inputs in this format.3) Using PowerShell execute the program command with the desired input file.4) Check the output filesvsx_provisioning_tool sample outputInterfaces JSON outputRoutes JSON output5) Add the desired header on the VSX output for vsx_provisioning_tool to create de VS. Example: add vd name VS-Name vsx VSX-FW instances 1 main_ip 172.1.2.36) Put the script in the management server that manages the involved VSX and use vsx_provisioning_tool to execute it7) Verify the new VS and push policy. LabSample VSX Lab prior scriptAfter we move the generated script to the management server we execute it.If any of the commands fail then the transaction will be canceled and reversed.User and passwords are for demonstration purposes only 😀Now check your VS and push policy 
Tomer_Sole
inside API / CLI Discussion and Samples yesterday
views 12295 15 16
Mod

Automate deployment of Indicators of Compromise (IOC) with a new API.

The R80.20.M1 - Management Feature Release gives new API for something that previously we could only do from the SmartConsole GUI - deployment of IOC's.IOC's (Indicators of Compromise) are sources which are known as malicious.Steps to deploy IOC's with the Management API:1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.3. Publish your changes with the publish command.4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server. Examples of indicator command executions:Option A: define the indicators as part of the parameters:mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"Option B: place an indicators file - in CSV or STIX format - and import its raw data:mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"Option 😧 show all indicators or one of the indicators:mgmt_cli show threat-indicatorsmgmt_cli show threat-indicator name "My_Indicator"Option E: delete some indicators:mgmt_cli delete threat-indicator name "My_Indicator"To get to it in SmartConsole:1. Open Security Policies2. Navigate to Threat Prevention-->Policy3. The bottom part changes to "Threat Tools". Click on "Indicators".Let us know your feedback on this.
Maik
Maik inside API / CLI Discussion and Samples yesterday
views 3313 8

Show changes from session => from a single session

Hello guys, I want to write a small script that lists all the created, deleted and modified rules and host objects for a given session/revision uid. The management API reference guide includes two possible commands that should do the job: - show session uid <session_uid>>> This lists all the general details of a session like e.g. the user, the change sum, the description, the application that has been used in order to publish the given session etc. Here everything is working as expected - show changes from-session <session_uid> to-session <session_uid>>> This command lists all changes in a given time or session frame... so this means I can use the above mentioned "from-session" => "two-sessions" arguments or the "from-date" => "to-date" arguments. However it seems like that it is not possible to list all changes from just one single session. The seemingly required arguments have default values if no UIDs for the sessions are specified:from-sessionstringDefault: The session before to-session to-sessionstringDefault: The last published session But here lays another problem - as the from-session defaults to "the session before to-session" while the to-session argument defaults to "the last published session", this leads to the result that the command gives you the last two sessions if you do not specify any arguments. Still, it does not allow you to just see the changes from a single session. My idea was to give the from and to argument the same session uid, but this results in the following error: > show changes from-session <my_session_uid1> to-session <my_session_uid1> --------------------------------------------- Time: [15:43:07] 27/3/2019 --------------------------------------------- "Show Changes" failed (100%) tasks: - task-id: "abcdef01-2345-6789-b58a-3559264bf1dc" task-name: "Show Changes" status: "failed" progress-percentage: 100 progress-description: "Diff operation failed: Unable to build the diff reply." suppressed: falseSo the command requires a diff in between both parameters while a simple "show changes from-uid" or "show changes uid" does not exist. Do I miss something or is there really no possibility to track the changes of a given single session? Regards,Maik

API calls to be handled only within one session

Hello all, I am working on some script and I would like to have some questions sorted out about API performance and best practise. I am on R80.30 MDS and using API version 1.5. My idea is to have opened only 1 session (via login), store session into a variable (or file) and during the entire script, working only with this one session. Means, no other sessions will be opened as I don't want to have an additional load on the machine for login and logout operations.If I am using "-r true" for any API calls (let's say show domains), will it mean that in the background there will be a new login and logout ? At the moment I am struggling with "show packages" for a specific domain and the fact that -s parameter isn't working.The code looks like that: #!/bin/bash mgmt_cli login user "aa" password "aaaa" --format json > sid.txt mgmt_cli show packages -d "My_Domain" -s sid.txt --format json mgmt_cli logout -s sid.txt rm sid.txt   And it doesn't give me the desired output - packages of the domain "My_Domain".In case I use the following syntax, all is working fine (note -r true parameter instead of -s sid.txt): #!/bin/bash mgmt_cli login user "aa" password "aaaa" --format json > sid.txt mgmt_cli show packages -d "My_Domain" -r true --format json mgmt_cli logout -s sid.txt rm sid.txt​ But the working solution will result that I will have 2 sessions opened, right ? And I want only 1, not more. What I am missing here ? Thank you.
Employee+

Check Point provider on Terraform is officially live!

      Hello all! We are glad to announce that Check Point provider on Terraform is officially live! Terraform is a very well-known solution for building, changing and versioning infrastructure. Terraform is cloud-agnostic and allows a single configuration to be used to manage multiple providers, and to even handle cross-cloud dependencies. This simplifies management and orchestration, helps to build and provision multi-cloud infrastructures. Check Point Provider can be used to automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine Security Management configuration tasks, saving time and reducing configuration errors.With the Check Point provider, DevOps teams can automate their security and transform it into DevSecOps workflows. List of API included in current provider is below, we’re now working to extend this list to support majority of Management and GAiA OS APIs and will have news very soon! This integration follows our integration with Ansible, introduced in 2019. We’re looking to accompany customers that use Terraform and Check Point and to build great stuff together. We also encourage you all to check out the provider, please feel free to share use cases and feedback, we’ll be glad to assist. You can contact myself mailto:dimam@checkpoint.com  and Eran Habad mailto:eranh@checkpoint.com 

Add sources inside bash scripts

To my understanding, the call for Check Point shell script (source /etc/profile.d/CP.sh) needs to be added at the very start of the script right after the sha-bang as per link below:https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/205751I couldn't help but notice however that in several other scripts like the health check script that several sources are specified: #====================================================================================================#  Check Point Sources#====================================================================================================source /etc/profile.d/CP.sh 2> /dev/nullsource /etc/profile.d/vsenv.sh 2> /dev/nullsource $MDSDIR/scripts/MDSprofile.sh 2> /dev/nullsource $MDS_SYSTEM/shared/sh_utilities.sh 2> /dev/nullsource $MDS_SYSTEM/shared/mds_environment_utils.sh 2> /dev/null As such, could somebody please explain to me if there are other calls we could use in our scripts apart from source /etc/profile.d/CP.sh?Many thanks in advance.

SmartConsole CLI - getting all rulebases for all policies in a domani

Using the "show access-rulebase name "<insert_name>" --format json" command provides me data that I am looking for, but doing so for each and every rulebase in the domain would take a long time.  Is there a command that I am not finding, or a parameter in the existing command, that would allow for the data to be provided for all rulebases within a domain?Any help would be appreciated.  

problem adding interoperable device via web API

Hello GuysI am trying to create interoperable device via python web API (I have v1.1)I have this payload to put into commend 'add-generic-object'object = { 'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain', 'name': deviceName, 'ipaddr': deviceIP, 'thirdPartyEncryption': True, 'osInfo': { 'osName': 'Gaia' }, 'vpn': { 'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn', 'owned-object': { 'vpnClientsSettingsForGateway': { 'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway', 'owned-object': { 'endpointVpnClientSettings': { 'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway', 'owned-object': { 'endpointVpnEnable': True } } } }, 'ike': { 'create': 'com.checkpoint.objects.classes.dummy.CpmiIke', }, 'sslNe': { 'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender', 'owned-object': { 'sslEnable': False, 'gwCertificate': 'defaultCert' } }, 'isakmpIpcompSupport': True, 'isakmpUniversalSupport': True, } }, 'dataSourceSettings': None, 'nat': None, 'encdomain': 'ADDRESSES_BEHIND_GW', 'ignore-warnings': True, 'color': color.upper()}After I run script, object is visible in Interoperable devices, but I cannot use is. It is NOT visible when I try it add to VPN communities and also when I try add VPN community to this object it ends with error: A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.Object can be 'fixed' via GUI by setting IPSec VPN -> Traditional mode configuration -> Select some enc and hash  (i.e. 3des sha1) -> OK, But I cannot find the way set this through set-gneric-objectthis does not work:{'uid': objectUID, 'vpn' : {'ike' : {'isakmpHashmethods': ['SHA1']}}}what am I doing wrong? Via dbedit it works, but I would like to use clearer way ...

Why query API with feature extraction send response with CP_EXTRACT_RESULT_UNSUPPORTED_FILE ?

Hi Team,I am trying to download pdf file for the earlier uploaded file. First, I sent upload api request with extraction feature and got response "UPLOAD_SUCCESS". Post that, I sent query api request with extract feature and got response "FOUND" but extract_result was "CP_EXTRACT_RESULT_UNSUPPORTED_FILE". I am getting same for txt and xml files. I want to get extracted_file_download_id so that I can send download api request to get pdf file.Please let me know how can I get download file id from query api response.Thanks,

Check Point - HEX to IP Converter Tool?

Is there a Check Point tool to easily convert hexadecimal values to IP addresses on the CLI?   I use the following lines in scripts:   hexaddr=$(echo 12cd34ef)ipaddr=$(printf "%d." $(echo $hexaddr | sed 's/../0x& /g' | tr ' ' '\n' | tac) | sed 's/\.$/\n/')echo $ipaddr   Is there an easier way?   Regards Heiko Ankenbrand

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.USAGEThe script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. Doesn't need any credentials. It does everything via the API in read-only mode.Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch: [Bob_Zimmerman@MySmartCenter]# ./ipsToRules.sh -h Usage: ./ipsToRules.sh [-d] [-h] [-J file] [-j file] [-c file] [-O] Default output is pretty-print JSON to STDOUT, suitable for output redirection. -d Increase debug level, up to twice. -h Print this usage information. -J file Write pretty-print JSON output to . -j file Write compact JSON output to . One line per rule. -c file Write quote-delimited CSV output to . -O Write pretty-print JSON output to STDOUT. list List of IPs to search for, separated by spaces.  As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. Just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.KNOWN LIMITATIONSIt currently accepts only IP addresses. Haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.
Ivo_Hrbacek
Ivo_Hrbacek inside API / CLI Discussion and Samples a week ago
views 18482 21 5

users via API

Hi guys,I would like to ask if there are some plans to include handling users via API in future releases (local account creation, certificate generation, etc.)? Now there is no such possibility via API and I think it could be very handy when migrating from different platformsthx for info
PhoneBoy
inside API / CLI Discussion and Samples a week ago
views 3260 1 5
Admin

How to Query Global Properties via CLI

There are two ways to achieve this:   R80.10 and earlier using dbedit: (see Editing the objects_5_0.C file via Check Point database editing utilities and the R77 CLI Reference Guide) print properties firewall_properties R80.x using the API/mgmt_cli (thanks @Uri_Bialik ‌for sharing): Get the UID of the Firewall Properties table mgmt_cli show-generic-objects name "firewall_properties" -r true objects: - uid: "42b7d2e2-4131-4c7c-8a99-ea3af38509e9"   name: "firewall_properties"   type: "CpmiFirewallProperties"   domain:     uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"     name: "SMC User"     domain-type: "domain" from: 1 to: 1 total: 1 Print the details of the object by UID: mgmt_cli show generic-object uid "42b7d2e2-4131-4c7c-8a99-ea3af38509e9" -r true -f json   In the future, we plan to have formal API support for querying and setting the various Global Property settings.

Installation speed and verification on installation

Hi,This is something I notice when I was doing installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed test and found the results for a policy of size 10000 rules and 15000 objects.Policy Verification: 2 minutesPolicy Installation (single gateway): 4 minutesI have been trying to find a way to reduce the overall time taken and after some searching, I realize a few things. 1) Policy verification takes place in Policy installation.2) Policy installation compiles and sends entire package to gateway instead of the delta changesJust wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management gateway detects that no new publishes happened after the last verification.Also, just playing with the thought if the verification can be sped up by looking at delta changes and doing verifications only on those changes (this will likely speed verification process up a lot)JL
HeikoAnkenbrand
HeikoAnkenbrand inside API / CLI Discussion and Samples a week ago
views 15487 21 66

GEO Location Objects in Firewall Policy (with Dynamic Objects)

Currently no regional settings can be used in the Firewall Policy.This only works in the „Geo Policy“ and has the disadvantage that no special settings are possible. For example, no services like http can be specified.   This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.   In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway.   If the script is started the first time the country file is transferred from the management server to the gateway via scp.   All you have to do is enter the IP address, user name and password of the management server. The current country list is displayed. Now only the appropriate country must be selected.  For example "WLF". Afterwards dynamic object is created on the gateway with the following name „GEO_<country code>“. For example "GEO_WLF".   Now create a Dynamic Object with the same name in the management under „New>More>Network Objekts>Dynamic Objects >Dynamic Objekt“. For example "GEO_WLF" Now create a Firewall Policy with the Dynamic Objekt. Install Policy   Important! 1) On a cluster the script must be executed on both gateways. 2) This is not a supported CheckPoint solution!Script Version: - 0.7a final version - 0.7b bug fix (02.08.2018)   Regards, Heiko