API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

SmartConsole CLI - getting all rulebases for all policies in a domain

Using the "show access-rulebase name "<insert_name>" --format json" command provides me the data that I am looking for, but doing so for each and every rulebase in the domain would take a long time. Is there a command that I am not finding, or a parameter in the existing command, that would allow the data to be provided for all rulebases within a domain?

Any help would be appreciated.

problem adding interoperable device via web API

Hello Guys,

I am trying to create an interoperable device via the Python web API (I have v1.1). I have this payload to put into the command 'add-generic-object':

    object = {
        'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain',
        'name': deviceName,
        'ipaddr': deviceIP,
        'thirdPartyEncryption': True,
        'osInfo': {'osName': 'Gaia'},
        'vpn': {
            'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn',
            'owned-object': {
                'vpnClientsSettingsForGateway': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway',
                    'owned-object': {
                        'endpointVpnClientSettings': {
                            'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway',
                            'owned-object': {'endpointVpnEnable': True}
                        }
                    }
                },
                'ike': {'create': 'com.checkpoint.objects.classes.dummy.CpmiIke'},
                'sslNe': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender',
                    'owned-object': {'sslEnable': False, 'gwCertificate': 'defaultCert'}
                },
                'isakmpIpcompSupport': True,
                'isakmpUniversalSupport': True,
            }
        },
        'dataSourceSettings': None,
        'nat': None,
        'encdomain': 'ADDRESSES_BEHIND_GW',
        'ignore-warnings': True,
        'color': color.upper()
    }

After I run the script, the object is visible in Interoperable devices, but I cannot use it. It is NOT visible when I try to add it to VPN communities, and when I try to add a VPN community to this object it ends with the error:

    A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.

The object can be 'fixed' via the GUI by setting IPSec VPN -> Traditional mode configuration -> Select some enc and hash (i.e. 3des sha1) -> OK, but I cannot find the way to set this through set-generic-object. This does not work:

    {'uid': objectUID, 'vpn': {'ike': {'isakmpHashmethods': ['SHA1']}}}

What am I doing wrong? Via dbedit it works, but I would like to use a cleaner way ...

Why query API with feature extraction send response with CP_EXTRACT_RESULT_UNSUPPORTED_FILE ?

Hi Team,

I am trying to download the pdf file for the earlier uploaded file. First, I sent an upload API request with the extraction feature and got the response "UPLOAD_SUCCESS". After that, I sent a query API request with the extract feature and got the response "FOUND", but extract_result was "CP_EXTRACT_RESULT_UNSUPPORTED_FILE". I am getting the same for txt and xml files. I want to get extracted_file_download_id so that I can send a download API request to get the pdf file.

Please let me know how I can get the download file id from the query API response.

Thanks,

Check Point - HEX to IP Converter Tool?

Is there a Check Point tool to easily convert hexadecimal values to IP addresses on the CLI? I use the following lines in scripts:

    hexaddr=$(echo 12cd34ef)
    ipaddr=$(printf "%d." $(echo $hexaddr | sed 's/../0x& /g' | tr ' ' '\n' | tac) | sed 's/\.$/\n/')
    echo $ipaddr

Is there an easier way?

Regards
Heiko Ankenbrand

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.

USAGE

The script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. It doesn't need any credentials. It does everything via the API in read-only mode.

Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch:

    [Bob_Zimmerman@MySmartCenter]# ./ipsToRules.sh -h
    Usage: ./ipsToRules.sh [-d] [-h] [-J file] [-j file] [-c file] [-O]
    Default output is pretty-print JSON to STDOUT, suitable for output redirection.
      -d       Increase debug level, up to twice.
      -h       Print this usage information.
      -J file  Write pretty-print JSON output to file.
      -j file  Write compact JSON output to file. One line per rule.
      -c file  Write quote-delimited CSV output to file.
      -O       Write pretty-print JSON output to STDOUT.
      list     List of IPs to search for, separated by spaces.

As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. It just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.

The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.

KNOWN LIMITATIONS

It currently accepts only IP addresses. I haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.

There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.

I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.

I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.
Ivo_Hrbacek inside API / CLI Discussion and Samples Wednesday

users via API

Hi guys,

I would like to ask if there are plans to include handling users via API in future releases (local account creation, certificate generation, etc.)? Now there is no such possibility via API and I think it could be very handy when migrating from different platforms.

Thanks for the info
PhoneBoy inside API / CLI Discussion and Samples Tuesday

How to Query Global Properties via CLI

There are two ways to achieve this:

R80.10 and earlier, using dbedit (see Editing the objects_5_0.C file via Check Point database editing utilities and the R77 CLI Reference Guide):

    print properties firewall_properties

R80.x, using the API/mgmt_cli (thanks @Uri_Bialik for sharing):

1) Get the UID of the Firewall Properties table:

    mgmt_cli show-generic-objects name "firewall_properties" -r true
    objects:
    - uid: "42b7d2e2-4131-4c7c-8a99-ea3af38509e9"
      name: "firewall_properties"
      type: "CpmiFirewallProperties"
      domain:
        uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
        name: "SMC User"
        domain-type: "domain"
    from: 1
    to: 1
    total: 1

2) Print the details of the object by UID:

    mgmt_cli show generic-object uid "42b7d2e2-4131-4c7c-8a99-ea3af38509e9" -r true -f json

In the future, we plan to have formal API support for querying and setting the various Global Property settings.

Installation speed and verification on installation

Hi,

This is something I noticed when I was doing installation on the firewall. As I would like to push changes more regularly, I embarked on doing various speed tests and found the following results for a policy of size 10000 rules and 15000 objects.

Policy Verification: 2 minutes
Policy Installation (single gateway): 4 minutes

I have been trying to find a way to reduce the overall time taken and after some searching, I realized a few things.

1) Policy verification takes place in Policy installation.
2) Policy installation compiles and sends the entire package to the gateway instead of the delta changes.

Just wondering if it is possible to reduce both timings. Also, if it is possible to do policy installation without verification if the management detects that no new publishes happened after the last verification.

Also, just playing with the thought of whether the verification can be sped up by looking at delta changes and doing verification only on those changes (this would likely speed the verification process up a lot).

JL

GEO Location Objects in Firewall Policy (with Dynamic Objects)

Currently no regional settings can be used in the Firewall Policy. This only works in the "Geo Policy" and has the disadvantage that no special settings are possible. For example, no services like http can be specified.

This solution helps and creates Dynamic Objects with the IP ranges of the individual countries.

In the first step, a Dynamic Object is created on the gateway that contains all IP addresses of the appropriate country. To do this the script is executed on the gateway. If the script is started for the first time, the country file is transferred from the management server to the gateway via scp. All you have to do is enter the IP address, user name and password of the management server. The current country list is displayed. Now only the appropriate country must be selected, for example "WLF". Afterwards a dynamic object is created on the gateway with the name "GEO_<country code>", for example "GEO_WLF".

Now create a Dynamic Object with the same name in the management under "New > More > Network Objects > Dynamic Objects > Dynamic Object", for example "GEO_WLF". Now create a Firewall Policy with the Dynamic Object and install the policy.

Important!
1) On a cluster the script must be executed on both gateways.
2) This is not a supported CheckPoint solution!

Script Version:
- 0.7a final version
- 0.7b bug fix (02.08.2018)

Regards,
Heiko

Python Tool - Export/Import

Hi all, I have used this tool successfully before, but now for some reason it's not working for me. Can anyone point out why I am getting this no matter what when I try to run it?

    Traceback (most recent call last):
      File "import_export_package.py", line 39, in <module>
        payload=payload)
      File "C:\Python27\lib\site-packages\cpapi\mgmt_api.py", line 169, in login
        login_res = self.api_call("login", credentials)
      File "C:\Python27\lib\site-packages\cpapi\mgmt_api.py", line 242, in api_call
        self.check_fingerprint()
      File "C:\Python27\lib\site-packages\cpapi\mgmt_api.py", line 547, in check_fingerprint
        server_fingerprint = self.get_server_fingerprint()
      File "C:\Python27\lib\site-packages\cpapi\mgmt_api.py", line 439, in get_server_fingerprint
        context = ssl.create_default_context()
    AttributeError: 'module' object has no attribute 'create_default_context'

API calls to be handled only within one session

Hello all, I am working on a script and I would like to have some questions sorted out about API performance and best practice. I am on R80.30 MDS and using API version 1.5.

My idea is to have only 1 session opened (via login), store the session in a variable (or file) and, during the entire script, work only with this one session. That means no other sessions will be opened, as I don't want to have additional load on the machine for login and logout operations.

If I am using "-r true" for any API call (let's say show domains), does it mean that in the background there will be a new login and logout?

At the moment I am struggling with "show packages" for a specific domain and the fact that the -s parameter isn't working. The code looks like this:

    #!/bin/bash
    mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
    mgmt_cli show packages -d "My_Domain" -s sid.txt --format json
    mgmt_cli logout -s sid.txt
    rm sid.txt

And it doesn't give me the desired output - packages of the domain "My_Domain".

In case I use the following syntax, all is working fine (note the -r true parameter instead of -s sid.txt):

    #!/bin/bash
    mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
    mgmt_cli show packages -d "My_Domain" -r true --format json
    mgmt_cli logout -s sid.txt
    rm sid.txt

But the working solution will result in 2 sessions being opened, right? And I want only 1, not more. What am I missing here? Thank you.
mbouri inside API / CLI Discussion and Samples a week ago

how I can gather in which rule is defined a group object with ansible cp_mgmt_group_facts

Hello,

I'm using ansible to automate a lot of manual tasks. It works well for the moment, but I'm not able to retrieve the rule name when I use cp_mgmt_group_facts (like "where used" in SmartDashboard). Below is the JSON output:

    ok: [localhost] => {
        "host_facts": {
            "ansible_facts": {
                "host": {
                    "color": "black",
                    "comments": "",
                    "domain": {
                        "domain-type": "domain",
                        "name": "SMC User",
                        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                    },
                    "groups": [
                        {
                            "domain": {
                                "domain-type": "domain",
                                "name": "SMC User",
                                "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde"
                            },
                            "name": "Demo",
                            "type": "group",
                            "uid": "8ab21516-39e7-4507-9312-636631d6c5de"
                        }
                    ],
                    "icon": "Objects/host",
                    "interfaces": [],
                    "ipv4-address": "104.45.16.183",
                    "meta-info": {
                        "creation-time": {
                            "iso-8601": "2019-12-15T07:07+0100",
                            "posix": 1576390077465
                        },
                        "creator": "admin",
                        "last-modifier": "admin",
                        "last-modify-time": {
                            "iso-8601": "2019-12-15T07:07+0100",
                            "posix": 1576390077465
                        },
                        "lock": "unlocked",
                        "validation-state": "ok"
                    },
                    "name": "h-az-104.45.16.183",
                    "nat-settings": {
                        "auto-rule": false
                    },
                    "read-only": false,
                    "tags": [],
                    "type": "host",
                    "uid": "15e386c6-4ef3-4155-903d-579707171494"
                }
            },
            "changed": false,
            "failed": false
        }
    }

I also tested with details_level: full. Is there any simple way to retrieve this information without retrieving the whole rulebase and checking the source and destination of each rule? 😞

Regards

packet_captures.sh - Packet Captures for Dummies

What is packet_captures.sh?

packet_captures.sh is an open-source community tool which simplifies the way to collect:
1) tcpdump captures
2) FW Monitor captures
3) Kernel Debugs *ALWAYS during a maintenance window*

More functionality coming when I stop being lazy!

The main benefits are:
- All captures and/or debugs are taken at the same time.
- All captures and/or debugs are zipped into a single .tgz to be pulled from the device.
- No need to remember tcpdump or FW Monitor syntax.

packet_captures.sh source code - HERE.

How to use it?

Put the script on the GW and run the following commands from expert mode:

    dos2unix packet_captures.sh
    chmod +x packet_captures.sh
    ./packet_captures.sh

Usage:

    ./packet_captures.sh [-s <source IP>] [-d <destination IP>] [-p <port>] [-t] [-f] [-k]

Flag  Description
-s    Used to specify source IP for filtering tcpdump and FW Monitor captures. Multiple source IPs can be entered; each IP must be entered in [-s <source IP>] format.
-d    Used to specify destination IP for filtering tcpdump and FW Monitor captures. Multiple destination IPs can be entered; each IP must be entered in [-d <destination IP>] format.
-p    Used to specify port for filtering tcpdump and FW Monitor captures. Multiple ports can be entered; each port must be entered in [-p <port>] format.
-t    Tells the script to take a tcpdump on all relevant interfaces based on the IPs provided with the -s and -d flags. Tcpdump will be filtered according to the source IP(s), destination IP(s), and port(s) provided to the script.
-f    Tells the script to take a FW Monitor capture. SecureXL will be disabled for captures on versions R80.10 and below. FW Monitor will be filtered according to the source IP(s), destination IP(s), and port(s) provided to the script.
-k    Tells the script to take Kernel Debugs. Entering only the -k flag will default to debugging the fw module with the drop flag (fw ctl debug -m fw + drop). You can select the module and flags that you want to debug by running the -k flag followed by the module and flags in double-quotes like so: -k "-m fw + drop".

*DISCLAIMER - This open source tool is provided "As Is". No representations or warranties are provided with the use of this tool.

MDS - purge older revisions on each domain

The script simply iterates over each domain on the MDS and purges older revisions; by default it keeps only 10 revisions.

Requirements:
- Python 3
- MDS server

How to run:

    python purge_revisions.py -m <management_ip> -u <user> -p <password>

Adjustments:

On the line below you can change how many revisions you want to keep:

    purge = client.api_call("purge-published-sessions", {'number-of-sessions-to-preserve': 10})

Identity Collector Service Account import

Has anyone come up with a way to automate importing a list of Service Accounts into an Identity Collector? I have a client that states they regularly add Service Accounts and would like to automate adding new ones. The problem is they do not have a defined naming scheme for the Service Accounts, so it would not be as easy as creating a regex to find them. User IDs are also not easily written as a regex, so doing a simple include instead of exclude is not an option either. Thoughts?