API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Tomer_Sole
inside API / CLI Discussion and Samples yesterday
views 12383 16 16
Mod

Automate deployment of Indicators of Compromise (IOC) with a new API.

The R80.20.M1 Management Feature Release gives a new API for something that previously we could only do from the SmartConsole GUI: deployment of IOCs. IOCs (Indicators of Compromise) are sources which are known as malicious.

Steps to deploy IOCs with the Management API:

1. Login to the Management Server with the login command. The response contains a session ID. Use it for the next steps.
2. Add, edit or delete indicators. The session ID is a required parameter in the "sid" header.
3. Publish your changes with the publish command.
4. Install the Threat Prevention Policy on the gateways in which you would like to enforce this change, using the install-policy command. Remember, installing just the threat prevention part of the policy separates you from the network objects and access control changes that may have happened at the security management server.

Examples of indicator command executions:

Option A: define the indicators as part of the parameters:

mgmt_cli add threat-indicator name "My_Indicator" observables.1.name "My_Observable" observables.1.mail-to "someone@somewhere.com" observables.1.confidence "medium" observables.1.severity "low" observables.1.product "AV" action "ask" profile-overrides.1.profile "My_Profile" profile-overrides.1.action "detect"

Option B: place an indicators file (in CSV or STIX format) and import its raw data:

mgmt_cli add threat-indicator name "My_Indicator" observables-raw-data ""

Option C: edit the indicator action for a given threat profile. A threat profile is connected to some scope behind a gateway in the threat prevention policy.

mgmt_cli set threat-indicator name "My_Indicator" action "prevent" profile-overrides.remove "My_Profile"

Option D: show all indicators or one of the indicators:

mgmt_cli show threat-indicators
mgmt_cli show threat-indicator name "My_Indicator"

Option E: delete some indicators:

mgmt_cli delete threat-indicator name "My_Indicator"

To get to it in SmartConsole:

1. Open Security Policies
2. Navigate to Threat Prevention --> Policy
3. The bottom part changes to "Threat Tools". Click on "Indicators".

Let us know your feedback on this.
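The four-step sequence above, written against the Web API rather than mgmt_cli, as an added example that is not part of the original post. It logs in, adds the Option A indicator as a JSON body, publishes, installs only the Threat Prevention part of the policy and logs out. The HTTP transport is injectable so the sequence can be exercised offline; the server address, admin credentials, policy package name "Standard" and gateway names are placeholders, not values from the post.

```python
"""Deploy an Indicator of Compromise through the Check Point Management Web API.

Added example (not the post's own code). It performs the post's sequence:
login -> add-threat-indicator -> publish -> install-policy (Threat Prevention
only) -> logout. The HTTP transport is injectable so the sequence can be
exercised offline; server address, credentials, package name and gateway
names below are placeholders.
"""
import json
import ssl
import urllib.request


class MgmtApi:
    """Minimal Web API client: every command is a POST with a JSON body and,
    once logged in, the session id in the X-chkp-sid header."""

    def __init__(self, base_url, post=None):
        self.base_url = base_url.rstrip("/")
        self.sid = None
        # post(url, headers, body) -> dict; urllib is used unless a fake is injected
        self._post = post or self._urllib_post

    @staticmethod
    def _urllib_post(url, headers, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        # Assumption: the management server's certificate is trusted by this host;
        # load a CA bundle into the context otherwise.
        ctx = ssl.create_default_context()
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read().decode())

    def call(self, command, body=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        return self._post(f"{self.base_url}/web_api/{command}", headers, body or {})

    def login(self, user, password, domain=None):
        body = {"user": user, "password": password}
        if domain:
            body["domain"] = domain
        self.sid = self.call("login", body)["sid"]
        return self.sid


def indicator_body(name, mail_to, action="ask", profile=None, profile_action="detect"):
    """JSON equivalent of the post's Option A: one mail-to observable plus an
    optional per-profile override."""
    body = {
        "name": name,
        "observables": [{
            "name": f"{name}_observable",
            "mail-to": mail_to,
            "confidence": "medium",
            "severity": "low",
            "product": "AV",
        }],
        "action": action,
    }
    if profile:
        body["profile-overrides"] = [{"profile": profile, "action": profile_action}]
    return body


def deploy_indicator(api, name, mail_to, gateways, profile=None, package="Standard"):
    """Steps 2-4 of the post on an already logged-in client, then logout.
    Returns the commands issued, in order."""
    issued = []
    api.call("add-threat-indicator", indicator_body(name, mail_to, profile=profile))
    issued.append("add-threat-indicator")
    api.call("publish")
    issued.append("publish")
    # Install only the Threat Prevention part: Access Control changes that are
    # pending on the management server are deliberately not pushed here.
    api.call("install-policy", {"policy-package": package, "targets": gateways,
                                "access": False, "threat-prevention": True})
    issued.append("install-policy")
    api.call("logout")
    issued.append("logout")
    return issued


if __name__ == "__main__":
    # Placeholders: replace with the real server, an API-enabled admin and gateway names.
    api = MgmtApi("https://mgmt.example.net")
    api.login("api_admin", "PLACEHOLDER_PASSWORD")
    print(deploy_indicator(api, "My_Indicator", "someone@somewhere.com", ["gw-1"],
                           profile="My_Profile"))
```

Because the install-policy body sets "access" to false, anything that was changed in Access Control since the last install stays uninstalled; if that is not what you want, install the full package separately.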

Smart Move Error: During converting Fortinet OS to Checkpoint

Hi,

I am trying to convert Fortinet OS to Checkpoint GAIA R80.20 using SmartMove, but I am getting the below error message during this process:

Could not convert configuration file.
Message: Value cannot be null.
Parameter name: key
Module: mscorlib
Class: Directory'2
Method: FindEntry

Please suggest.
Jim_Oqvist
inside API / CLI Discussion and Samples Wednesday
views 2918 7 19
Employee+

Add new user and assign to an existing group using the generic-object API calls

This document explains the steps to create a user in the R80.x Check Point Security Management Server and assign that user to an existing group using the generic-object API.

Disclaimer

These APIs provide direct access to different objects and fields in the database. As a result, if an object's schema changes, scripts that relied on specific schema fields may break. As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields follows the required format for that field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call. When you have the option, always prefer to use the documented API calls and not the generic API calls, as the documented calls:
- do data validation
- are documented
- are future compatible
- are tested
- are supported by the Technical Assistance Center (TAC)

Data flow

The data flow for the generic API calls is the same as when using the documented API: (Login) > (Add) > (Assign) > (Publish) > (Logout)

Login to session: POST https://<mgmt-server>:<port>/web_api/login
Add new user: POST https://<mgmt-server>:<port>/web_api/add-generic-object
Assign newly created user to existing group: POST https://<mgmt-server>:<port>/web_api/set-generic-object
Publish changes: POST https://<mgmt-server>:<port>/web_api/publish
Logout: POST https://<mgmt-server>:<port>/web_api/logout

Format of the API calls

Please refer to the Security Management API reference guide if you need more information about the login, publish and logout API calls:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1

Below is a description of the formatting of the generic-objects API calls used to create a new user and add that user to an existing user group.

Request - 2: Add new user

Note: When adding a new user the following fields are the minimal required fields; all other fields that are omitted will be created with default values.

mgmt_cli:

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:

{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
  "name" : "myvpnuser",
  "userc" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
    "owned-object" : {
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
      }
    }
  }
}

Example 1 - Adding a new user with "Check Point Password" as authentication method.

The password hash in the internalPassword object must be defined using a two character long salt string and a 4-8 character long key that needs to be encrypted with DES. The key is the user password in clear text and cannot contain spaces. You can for example use the following command in order to generate a password hash for the password Mypaswd!

# cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!'

mgmt_cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword "59WtGQ3UiC5lo" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:

HTTP POST
POST https://<mgmt-server>:<port>/web_api/add-generic-object

Headers
Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>

Body
{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
  "name" : "myvpnuser",
  "email" : "myvpn@user.local",
  "phoneNumber" : "00468118118",
  "color" : "BLUE_1",
  "authMethod" : "INTERNAL_PASSWORD",
  "internalPassword" : "59WtGQ3UiC5lo",
  "adminExpirationBaseData" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",
    "owned-object" : {
      "expirationDate" : "10-Apr-2018"
    }
  },
  "userc" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
    "owned-object" : {
      "useGlobalEncryptionValues" : "true",
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
      }
    }
  }
}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group.

Response Body
{
  ...
  "adminExpirationBaseData": {
    "objId": "f871998d-8e2f-4108-b4af-35a144642897",
    "checkPointObjId": null,
    "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "expirationDateVisualNotif": true,
    "expirationDate": "25-Apr-2018",
    "expirationDateMethod": "EXPIRE_AT",
    "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "text": null,
    "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "is_owned": false,
    "ownedName": "myvpnuser"
  },
  "days": 127,
  "email": "myvpnuser@test.local",
  "authMethod": "INTERNAL_PASSWORD",
  "tohour": "23:59",
  "administrator": false,
  "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",
  ...
  "_original_type": "CpmiUser"
  ...
}

Example 2 - Adding a new user with "Radius" as authentication method towards any Radius server defined in the management server.

mgmt_cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:

HTTP POST
POST https://<mgmt-server>:<port>/web_api/add-generic-object

Headers
Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>

Body
{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
  "name" : "myvpnuser",
  "email" : "myvpn@user.local",
  "phoneNumber" : "00468118118",
  "color" : "BLUE_1",
  "authMethod" : "RADIUS",
  "adminExpirationBaseData" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",
    "owned-object" : {
      "expirationDate" : "10-Apr-2018"
    }
  },
  "userc" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
    "owned-object" : {
      "useGlobalEncryptionValues" : "true",
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
      }
    }
  }
}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group.

Response Body
{
  ...
  "adminExpirationBaseData": {
    "objId": "f871998d-8e2f-4108-b4af-35a144642897",
    "checkPointObjId": null,
    "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "expirationDateVisualNotif": true,
    "expirationDate": "25-Apr-2018",
    "expirationDateMethod": "EXPIRE_AT",
    "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "text": null,
    "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "is_owned": false,
    "ownedName": "myvpnuser"
  },
  "days": 127,
  "email": "myvpnuser@test.local",
  "authMethod": "RADIUS",
  "tohour": "23:59",
  "administrator": false,
  "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",
  ...
  "_original_type": "CpmiUser"
  ...
}

Example 3 - Adding a new user with "Radius" as authentication method towards a specific Radius server or Radius group of servers.

To specify the Radius server or group of servers, the object "radiusServer" should contain the uid of the Radius server or group of servers you want to assign to this user.

mgmt_cli:

# mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "RADIUS" radiusServer "0972a020-2915-4a78-8868-135d13b3f7bb" adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"

Web Services:

HTTP POST
POST https://<mgmt-server>:<port>/web_api/add-generic-object

Headers
Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>

Body
{
  "create" : "com.checkpoint.objects.classes.dummy.CpmiUser",
  "name" : "myvpnuser",
  "email" : "myvpn@user.local",
  "phoneNumber" : "00468118118",
  "color" : "BLUE_1",
  "authMethod" : "RADIUS",
  "radiusServer" : "0972a020-2915-4a78-8868-135d13b3f7bb",
  "adminExpirationBaseData" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData",
    "owned-object" : {
      "expirationDate" : "10-Apr-2018"
    }
  },
  "userc" : {
    "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc",
    "owned-object" : {
      "useGlobalEncryptionValues" : "true",
      "ike" : {
        "create" : "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
      }
    }
  }
}

Response - You need to retrieve the UID of the user object you just created in order to be able to add this user to a user group.

Response Body
{
  ...
  "adminExpirationBaseData": {
    "objId": "f871998d-8e2f-4108-b4af-35a144642897",
    "checkPointObjId": null,
    "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "expirationDateVisualNotif": true,
    "expirationDate": "25-Apr-2018",
    "expirationDateMethod": "EXPIRE_AT",
    "folderPath": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "text": null,
    "folder": "1edb57e2-37f3-468f-b613-4a2bcf4e5315",
    "is_owned": false,
    "ownedName": "myvpnuser"
  },
  "days": 127,
  "email": "myvpnuser@test.local",
  "authMethod": "RADIUS",
  "tohour": "23:59",
  "administrator": false,
  "uid": "ac7fba44-6875-45d2-ad04-6c79508b2f30",
  ...
  "_original_type": "CpmiUser"
  ...
}

Request - 3: Assign newly created user to existing group

To assign a user to a group you need to provide the UID of the group you want to change, and you need to add the user UID to that group.

To get the UID of an object you can use:

# mgmt_cli -s id.txt -f json show generic-objects name "name of object" details-level "full"

Or in Web Services:

HTTP POST https://<mgmt-server>:<port>/web_api/show-generic-objects

Headers
Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>

Body
{
  "name" : "Clientless-vpn-user",
  "details-level" : "full"
}

mgmt_cli:

mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "d5654c00-a153-5148-b451-a5c5d9909895" emptyFieldName.add.1 "ac7fba44-6875-45d2-ad04-6c79508b2f30"

Web Services:

HTTP POST
https://<mgmt-server>:<port>/web_api/set-generic-object

Headers
Content-Type: application/json
X-chkp-sid: <The SID retrieved from the Login command>

Body
{
  "uid" : "d5654c00-a153-5148-b451-a5c5d9909895",
  "emptyFieldName" : { "add" : "ac7fba44-6875-45d2-ad04-6c79508b2f30" }
}

Response - will show you the object properties with the new expiration date.

Response Body
{
  ...
  "email" : "",
  "emptyFieldName" : [ "ea511503-86f1-4616-bd04-4c2a4141b059", "ea2fb4e7-8b1e-44c3-b0e6-91178132f529", "fc182f23-40ec-49ab-a11b-86ac8e12259f", "1d1046c8-3863-4cd6-87de-7d723a63a80f", "a0abbf0f-979a-4757-a7f7-3b0023e9c6ab" ],
  "type" : "usrgroup",
  "groups" : [ ],
  ...
}

Full Example:

The following CLI example will create a user with username "myvpnuser" and password "Mypaswd!" and assign that user to the group "Clientless-vpn-user".

mgmt_cli -r true -d "SMC User" -f json login > id.txt
varUidUsr=$(mgmt_cli -s id.txt -d "SMC User" -f json add generic-object create "com.checkpoint.objects.classes.dummy.CpmiUser" name "myvpnuser" email "myvpn@user.local" phoneNumber "00468118118" color "BLUE_1" authMethod "INTERNAL_PASSWORD" internalPassword $(cpopenssl passwd -crypt -salt $(cpopenssl rand -base64 2) 'Mypaswd!') adminExpirationBaseData.create "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData" adminExpirationBaseData.owned-object.expirationDate "10-Apr-2018" userc.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc" userc.owned-object.useGlobalEncryptionValues "true" userc.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke" | /opt/CPshrd-R80/jq/jq -r '.uid')
varUidGrp=$(mgmt_cli -s id.txt -d "SMC User" -f json show generic-objects name "Clientless-vpn-user" | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.["type"] | contains ("CpmiUserGroup")) | .uid')
mgmt_cli -s id.txt -d "SMC User" -f json set generic-object uid "$varUidGrp" emptyFieldName.add.1 "$varUidUsr"
mgmt_cli -s id.txt -d "SMC User" -f json publish
mgmt_cli -s id.txt -d "SMC User" -f json logout
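The three add-generic-object bodies above and the group-assignment step, built in Python with the client-side validation the disclaimer asks for, as an added example that is not the document's own code. The CpmiUser class names, field names and the jq filter (select the CpmiUserGroup object, take its uid) come from the document; the regular expressions, the function names and the sample show-generic-objects reply (with placeholder UIDs) are this example's own assumptions.

```python
"""Build generic-object request bodies for creating a user and adding it to a group.

Added example, not the document's own code. The class names and field names
come from the document; the validation here is the client-side checking the
document says the generic-object API itself does not perform. group_uid()
reproduces the jq filter of the document's full example in Python.
"""
import re

CPMI_USER = "com.checkpoint.objects.classes.dummy.CpmiUser"
CPMI_USERC = "com.checkpoint.objects.classes.dummy.CpmiSpecificUserc"
CPMI_USERC_IKE = "com.checkpoint.objects.classes.dummy.CpmiSpecificUsercIke"
CPMI_EXPIRATION = "com.checkpoint.objects.classes.dummy.CpmiAdminExpirationBaseData"

# Traditional DES crypt(3) hash: 2-char salt + 11 chars, all from [./0-9A-Za-z].
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
_UID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
_DATE = re.compile(r"^\d{2}-[A-Z][a-z]{2}-\d{4}$")   # e.g. 10-Apr-2018, as in the document


def is_des_crypt_hash(value):
    """True when value looks like the output of 'cpopenssl passwd -crypt'."""
    return bool(value) and _DES_CRYPT.match(value) is not None


def user_body(name, auth_method, expiration_date, password_hash=None,
              radius_server_uid=None, email=None, phone=None, color="BLUE_1"):
    """Return the add-generic-object body for a CpmiUser.

    auth_method is "INTERNAL_PASSWORD" (needs password_hash, Example 1) or
    "RADIUS" (Example 2; pass radius_server_uid for Example 3).
    """
    if auth_method not in ("INTERNAL_PASSWORD", "RADIUS"):
        raise ValueError(f"unsupported authMethod {auth_method!r}")
    if not _DATE.match(expiration_date):
        raise ValueError("expirationDate must look like 10-Apr-2018")
    body = {
        "create": CPMI_USER,
        "name": name,
        "color": color,
        "authMethod": auth_method,
        "adminExpirationBaseData": {
            "create": CPMI_EXPIRATION,
            "owned-object": {"expirationDate": expiration_date},
        },
        "userc": {
            "create": CPMI_USERC,
            "owned-object": {
                "useGlobalEncryptionValues": "true",
                "ike": {"create": CPMI_USERC_IKE},
            },
        },
    }
    if email:
        body["email"] = email
    if phone:
        body["phoneNumber"] = phone
    if auth_method == "INTERNAL_PASSWORD":
        if not is_des_crypt_hash(password_hash):
            raise ValueError("internalPassword must be a 13-char DES crypt hash")
        body["internalPassword"] = password_hash
    elif radius_server_uid:
        if not _UID.match(radius_server_uid):
            raise ValueError("radiusServer must be an object UID")
        body["radiusServer"] = radius_server_uid
    return body


def group_uid(show_generic_objects_response, group_name):
    """Pick the user-group UID out of a show-generic-objects reply.

    Same selection as the document's jq (type contains CpmiUserGroup -> .uid),
    plus an exact name match, since a name query can return several objects.
    """
    for obj in show_generic_objects_response.get("objects", []):
        if "CpmiUserGroup" in obj.get("type", "") and obj.get("name") == group_name:
            return obj["uid"]
    raise LookupError(f"no CpmiUserGroup named {group_name!r} in response")


def add_member_body(group_uid_value, user_uid):
    """set-generic-object body that appends the user to the group's member
    list (the 'emptyFieldName' list shown in the document)."""
    for uid in (group_uid_value, user_uid):
        if not _UID.match(uid):
            raise ValueError(f"not a UID: {uid!r}")
    return {"uid": group_uid_value, "emptyFieldName": {"add": user_uid}}


if __name__ == "__main__":
    import json
    # Constructed sample reply with a placeholder UID; not a real object.
    sample = {"objects": [{"uid": "11111111-2222-3333-4444-555555555555",
                           "name": "Clientless-vpn-user", "type": "CpmiUserGroup"}]}
    print(json.dumps(user_body("myvpnuser", "INTERNAL_PASSWORD", "10-Apr-2018",
                               password_hash="59WtGQ3UiC5lo", email="myvpn@user.local"), indent=2))
    print(add_member_body(group_uid(sample, "Clientless-vpn-user"),
                          "ac7fba44-6875-45d2-ad04-6c79508b2f30"))
```

The checks are deliberately strict: a hash that is not 13 crypt characters or a date in the wrong format is refused before anything reaches the management server, because the generic-object call would otherwise store the malformed value without complaint.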

ASAtoVSX - Translate your Cisco running config to VSX and more!

Hello everyone,

I wanted to share with you a tool that we developed to help us automate a big part of a project. Long story short, we needed to migrate many virtual contexts from ASA to VSX. As you may know, adding static routes and interfaces to a VS can be cumbersome, especially if you have firewalls with +100 interfaces and +300 routes 😀

The tool was developed in Golang and is open source. Keep in mind that this tool was developed for our use case; maybe you need to tinker around a bit regarding interface names. For example, you may need to replace "bond" with "eth". Feel free to fork it if you need.

Download: ASAtoVSX Parser - Molten Minds Github

Current features (tested with ASA Version 9.4(4)5 and Check Point R80.30):
- Translates interfaces to vsx_provisioning_tool language
- Translates static routes to vsx_provisioning_tool language
- Marks with # when an interface is down
- Generates a vsx_provisioning_tool output with interfaces and static routes
- Generates a JSON file containing all the interfaces
- Generates a JSON file containing all the routes

Translation examples (ASA -> Check Point vsx_provisioning_tool)

Interface

ASA:
interface Port-channelY.XX
description ***
nameif IFNAME
security-level 30
ip address 172.**.**.** 255.255.128.0
!

Check Point:
add interface name bondY.XX ip 172.**.**.** netmask 255.255.128.0

Interface (shutdown) - case: interface down

ASA:
interface Port-channelY.XX
description IFNAME
shutdown
nameif IFNAME
security-level 30
ip address 10.**.**.** 255.255.255.248
!

Check Point:
#add interface name bondY.XX ip 10.**.**.** netmask 255.255.255.248

Static route

ASA:
route IFNAME 10.**.**.** 255.255.255.255 10.**.**.** 1

Check Point:
add route destination 10.**.**.** netmask 255.255.255.255 next_hop 10.**.**.**

Default route

ASA:
route OUTSIDE 0.0.0.0 0.0.0.0 181.**.**.** 1

Check Point:
add route destination default next_hop 186.**.**.**

Usage

Usage is really simple.
1) Download the executable file from Github or compile the code yourself.
2) Extract the running config and save it as a text file in UTF-8 format. At the moment the tool only allows inputs in this format.
3) Using PowerShell, execute the program command with the desired input file.
4) Check the output files: vsx_provisioning_tool sample output, interfaces JSON output, routes JSON output.
5) Add the desired header on the VSX output for vsx_provisioning_tool to create the VS. Example: add vd name VS-Name vsx VSX-FW instances 1 main_ip 172.1.2.3
6) Put the script in the management server that manages the involved VSX and use vsx_provisioning_tool to execute it.
7) Verify the new VS and push policy.

Lab

Sample VSX lab prior to the script. After we move the generated script to the management server we execute it. If any of the commands fail then the transaction will be canceled and reversed. Users and passwords are for demonstration purposes only 😀 Now check your VS and push policy.
Maik
Maik inside API / CLI Discussion and Samples Tuesday
views 3336 8

Show changes from session => from a single session

Hello guys,

I want to write a small script that lists all the created, deleted and modified rules and host objects for a given session/revision uid. The management API reference guide includes two possible commands that should do the job:

- show session uid <session_uid>
  >> This lists all the general details of a session, e.g. the user, the change sum, the description, the application that has been used in order to publish the given session etc. Here everything is working as expected.

- show changes from-session <session_uid> to-session <session_uid>
  >> This command lists all changes in a given time or session frame... so this means I can use the above mentioned "from-session" => "to-session" arguments or the "from-date" => "to-date" arguments. However, it seems that it is not possible to list all changes from just one single session.

The seemingly required arguments have default values if no UIDs for the sessions are specified:

from-session  string  Default: The session before to-session
to-session    string  Default: The last published session

But here lies another problem: as the from-session defaults to "the session before to-session" while the to-session argument defaults to "the last published session", the command gives you the last two sessions if you do not specify any arguments. Still, it does not allow you to just see the changes from a single session. My idea was to give the from and to arguments the same session uid, but this results in the following error:

> show changes from-session <my_session_uid1> to-session <my_session_uid1>
---------------------------------------------
Time: [15:43:07] 27/3/2019
---------------------------------------------
"Show Changes" failed (100%)
tasks:
- task-id: "abcdef01-2345-6789-b58a-3559264bf1dc"
  task-name: "Show Changes"
  status: "failed"
  progress-percentage: 100
  progress-description: "Diff operation failed: Unable to build the diff reply."
  suppressed: false

So the command requires a diff between both parameters, while a simple "show changes from-uid" or "show changes uid" does not exist. Am I missing something, or is there really no possibility to track the changes of a given single session?

Regards,
Maik

API calls to be handled only within one session

Hello all,

I am working on some script and I would like to have some questions sorted out about API performance and best practice. I am on R80.30 MDS and using API version 1.5. My idea is to have only 1 session opened (via login), store the session into a variable (or file) and, during the entire script, work only with this one session. This means no other sessions will be opened, as I don't want to have additional load on the machine for login and logout operations.

If I am using "-r true" for any API calls (let's say show domains), will it mean that in the background there will be a new login and logout? At the moment I am struggling with "show packages" for a specific domain and the fact that the -s parameter isn't working. The code looks like this:

#!/bin/bash
mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
mgmt_cli show packages -d "My_Domain" -s sid.txt --format json
mgmt_cli logout -s sid.txt
rm sid.txt

And it doesn't give me the desired output: the packages of the domain "My_Domain". In case I use the following syntax, all is working fine (note the -r true parameter instead of -s sid.txt):

#!/bin/bash
mgmt_cli login user "aa" password "aaaa" --format json > sid.txt
mgmt_cli show packages -d "My_Domain" -r true --format json
mgmt_cli logout -s sid.txt
rm sid.txt

But the working solution will result in 2 sessions being opened, right? And I want only 1, not more. What am I missing here? Thank you.
Employee+

Check Point provider on Terraform is officially live!

Hello all! We are glad to announce that the Check Point provider on Terraform is officially live! Terraform is a very well-known solution for building, changing and versioning infrastructure. Terraform is cloud-agnostic and allows a single configuration to be used to manage multiple providers, and even to handle cross-cloud dependencies. This simplifies management and orchestration, and helps to build and provision multi-cloud infrastructures. The Check Point provider can be used to automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine Security Management configuration tasks, saving time and reducing configuration errors. With the Check Point provider, DevOps teams can automate their security and transform it into DevSecOps workflows. The list of APIs included in the current provider is below; we're now working to extend this list to support the majority of Management and GAiA OS APIs and will have news very soon! This integration follows our integration with Ansible, introduced in 2019. We're looking to accompany customers that use Terraform and Check Point and to build great stuff together. We also encourage you all to check out the provider; please feel free to share use cases and feedback, we'll be glad to assist. You can contact myself mailto:dimam@checkpoint.com and Eran Habad mailto:eranh@checkpoint.com

Add sources inside bash scripts

To my understanding, the call for the Check Point shell script (source /etc/profile.d/CP.sh) needs to be added at the very start of the script, right after the sha-bang, as per the link below:
https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/205751

I couldn't help but notice, however, that in several other scripts like the health check script, several sources are specified:

#====================================================================================================
#  Check Point Sources
#====================================================================================================
source /etc/profile.d/CP.sh 2> /dev/null
source /etc/profile.d/vsenv.sh 2> /dev/null
source $MDSDIR/scripts/MDSprofile.sh 2> /dev/null
source $MDS_SYSTEM/shared/sh_utilities.sh 2> /dev/null
source $MDS_SYSTEM/shared/mds_environment_utils.sh 2> /dev/null

As such, could somebody please explain to me if there are other calls we could use in our scripts apart from source /etc/profile.d/CP.sh?

Many thanks in advance.

SmartConsole CLI - getting all rulebases for all policies in a domain

Using the "show access-rulebase name "<insert_name>" --format json" command provides the data that I am looking for, but doing so for each and every rulebase in the domain would take a long time. Is there a command that I am not finding, or a parameter in the existing command, that would allow the data to be provided for all rulebases within a domain?

Any help would be appreciated.
Michael_Nemeth
Michael_Nemeth inside API / CLI Discussion and Samples a week ago
views 1579 15 3

problem adding interoperable device via web API

Hello guys,

I am trying to create an interoperable device via the python web API (I have v1.1). I have this payload to put into the command 'add-generic-object':

object = {
    'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain',
    'name': deviceName,
    'ipaddr': deviceIP,
    'thirdPartyEncryption': True,
    'osInfo': {'osName': 'Gaia'},
    'vpn': {
        'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn',
        'owned-object': {
            'vpnClientsSettingsForGateway': {
                'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway',
                'owned-object': {
                    'endpointVpnClientSettings': {
                        'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway',
                        'owned-object': {'endpointVpnEnable': True}
                    }
                }
            },
            'ike': {'create': 'com.checkpoint.objects.classes.dummy.CpmiIke'},
            'sslNe': {
                'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender',
                'owned-object': {'sslEnable': False, 'gwCertificate': 'defaultCert'}
            },
            'isakmpIpcompSupport': True,
            'isakmpUniversalSupport': True,
        }
    },
    'dataSourceSettings': None,
    'nat': None,
    'encdomain': 'ADDRESSES_BEHIND_GW',
    'ignore-warnings': True,
    'color': color.upper()
}

After I run the script, the object is visible in Interoperable devices, but I cannot use it. It is NOT visible when I try to add it to VPN communities, and also when I try to add a VPN community to this object it ends with the error:

A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.

The object can be 'fixed' via the GUI by setting IPSec VPN -> Traditional mode configuration -> select some enc and hash (i.e. 3des sha1) -> OK, but I cannot find the way to set this through set-generic-object. This does not work:

{'uid': objectUID, 'vpn': {'ike': {'isakmpHashmethods': ['SHA1']}}}

What am I doing wrong? Via dbedit it works, but I would like to use a clearer way ...

Why query API with feature extraction send response with CP_EXTRACT_RESULT_UNSUPPORTED_FILE ?

Hi Team,

I am trying to download the pdf file for an earlier uploaded file. First, I sent the upload API request with the extraction feature and got the response "UPLOAD_SUCCESS". After that, I sent the query API request with the extract feature and got the response "FOUND", but extract_result was "CP_EXTRACT_RESULT_UNSUPPORTED_FILE". I am getting the same for txt and xml files. I want to get extracted_file_download_id so that I can send the download API request to get the pdf file.

Please let me know how I can get the download file id from the query API response.

Thanks,
HeikoAnkenbrand
HeikoAnkenbrand inside API / CLI Discussion and Samples a week ago
views 32820 8 14

Check Point - HEX to IP Converter Tool?

Is there a Check Point tool to easily convert hexadecimal values to IP addresses on the CLI?

I use the following lines in scripts:

hexaddr=$(echo 12cd34ef)
ipaddr=$(printf "%d." $(echo $hexaddr | sed 's/../0x& /g' | tr ' ' '\n' | tac) | sed 's/\.$/\n/')
echo $ipaddr

Is there an easier way?

Regards
Heiko Ankenbrand
Bob_Zimmerman
Bob_Zimmerman inside API / CLI Discussion and Samples 2 weeks ago
views 574 3 1

Export all rules referencing a list of IPs

I recently had the need to build a table out of all of the rules referencing any IP address in a list of addresses. Basically a rule audit for all the rules involved in a given application.

USAGE

The script should be run as root (in expert mode, and with elevated privileges if you use low-privilege users) on the SmartCenter or MDS. It doesn't need any credentials. It does everything via the API in read-only mode.

Usage is given right at the top of the script. It also prints the usage if you run the script with no switches or if you run it with the -h switch:

[Bob_Zimmerman@MySmartCenter]# ./ipsToRules.sh -h
Usage: ./ipsToRules.sh [-d] [-h] [-J file] [-j file] [-c file] [-O]
Default output is pretty-print JSON to STDOUT, suitable for output redirection.
-d       Increase debug level, up to twice.
-h       Print this usage information.
-J file  Write pretty-print JSON output to <file>.
-j file  Write compact JSON output to <file>. One line per rule.
-c file  Write quote-delimited CSV output to <file>.
-O       Write pretty-print JSON output to STDOUT.
list     List of IPs to search for, separated by spaces.

As you can see, it currently has options for compact JSON output, pretty JSON output, and quote-delimited CSV output. It should be pretty clear from the code how to write a new output formatter. It just needs a new variable for the name, a new switch in the getopts case statement, a little output prep work, and a new item in the "masterOutput" function.

The only privileged commands it uses right now are 'cpprod_util FwIsFirewallMgmt' (to detect if it is run on a firewall instead of a management) and 'mdsstat' (to detect if it is a SmartCenter or MDS), within a few lines of each other at the bottom. You can make a version which will work only on a SmartCenter or only on an MDS, and it would work as an unprivileged user.

KNOWN LIMITATIONS

It currently accepts only IP addresses. I haven't yet gotten around to writing logic for spotting CIDR notation, or for looking up networks once I've found them in the input.

There's a big case statement in the middle for dereferencing objects. It includes all the object types I personally needed, but I'm sure there are plenty which are not included.

I'm pretty sure there are error cases I don't handle properly, such as if none of the IP addresses are found.

I don't know if you can build a cycle of groups (as an example, group A contains group B, group B contains group C, group C contains group A), but I don't do any detection for that.
Ivo_Hrbacek
Ivo_Hrbacek inside API / CLI Discussion and Samples 2 weeks ago
views 18511 21 5

users via API

Hi guys,

I would like to ask if there are plans to include handling users via the API in future releases (local account creation, certificate generation, etc.)? Right now there is no such possibility via the API, and I think it could be very handy when migrating from different platforms.

Thanks for the info.
PhoneBoy
inside API / CLI Discussion and Samples 2 weeks ago
views 3269 1 5
Admin

How to Query Global Properties via CLI

There are two ways to achieve this:

R80.10 and earlier, using dbedit (see Editing the objects_5_0.C file via Check Point database editing utilities and the R77 CLI Reference Guide):

print properties firewall_properties

R80.x, using the API/mgmt_cli (thanks @Uri_Bialik for sharing):

Get the UID of the Firewall Properties table:

mgmt_cli show-generic-objects name "firewall_properties" -r true

objects:
- uid: "42b7d2e2-4131-4c7c-8a99-ea3af38509e9"
  name: "firewall_properties"
  type: "CpmiFirewallProperties"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
from: 1
to: 1
total: 1

Print the details of the object by UID:

mgmt_cli show generic-object uid "42b7d2e2-4131-4c7c-8a99-ea3af38509e9" -r true -f json

In the future, we plan to have formal API support for querying and setting the various Global Property settings.