
Management API Reference: Is it written incorrectly?

Hi all~ I have a question about the Management API Reference. There is a parameter related to Group (dereference-group-members). It is supposed to be supported from API version 1.2 according to the Management API Reference. But R80.10 (API 1.2) doesn't support the dereference-group-members parameter. My test result below:

/web-api/show-groups
{"details-level" : "full", "dereference-group-members" : "true"}

Result
{"code": "generic_err_invalid_parameter_name", "message": "Unrecognized parameter [dereference-group-members]"}

I tested it in AWS: Check Point CloudGuard IaaS PAYG NGTP R80.10. Is the reference wrong???
Aathi inside API / CLI Discussion and Samples, yesterday

Is there any API to check the hosts and networks already created in the Check Point Management server?

Hi Team,

We have automated Check Point rule creation through an Ansible playbook. As per the syntax we have to use add-host for any new hosts and set-host for already existing hosts. Most of the hosts are already created in our environment and we are facing difficulties identifying whether a host is new or existing; mostly we have to check manually whether the hosts are already created or not. Please let me know if there is any other way to sort out this issue (any API to sync the already created objects). Kindly help me on the same.

Regards,
Athi
DPB_Point inside API / CLI Discussion and Samples, yesterday

API - Adding network objects with the same IP as others already created

Hi!

I am trying to create network objects in a Check Point due to a migration. As in ASA we could have created objects with the same network range (duplicated objects), I am having several problems migrating it successfully. I am using a csv file in which I have included the objects with the syntax that Check Point allows. I use the following command:

mgmt_cli add network -r true --batch prueba.csv -d IBDL_CALES

I have also added the ignore-warnings field, ignore-errors and set-if-exists fields, but none of them let me create the object that has the same IP or IP range as the ones that are already created in the Check Point. The output I get is the following:

Line 2:
code: "err_validation_failed"
message: "Validation failed with 1 warning"
warnings:
- message: "More than one network have the same IP x.x.x.x/y.y.y.y"

Does any of you know how to suppress that warning and create those duplicated objects? It's important to me to create them because there are a lot of objects (I have the same problem with the hosts), and then we want to migrate the policies too, and we must have the same objects as in the ASA.
Steven_Bade inside API / CLI Discussion and Samples, yesterday

Enabling web api

Probably a really basic question, but I can't seem to find anything. I'm attempting a simple login to R80.10 via the API. I'm using Postman; when I send the POST I get a web page returned instead of JSON.

<!DOCTYPE html>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9,EmulateIE8">
<meta name="others" content="WEBUI LOGIN PAGE" />
<TITLE>Gaia</TITLE>
<link rel="shortcut icon" href="https://community.checkpoint.com/login/fav.ico">
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/ext-all.css" />
<link rel="stylesheet" type="text/css" href="https://community.checkpoint.com/login/login.css" />
<STYLE TYPE="text/css">.ext-ie .webui-login-fld{font-size: 11px;}</STYLE>
<script type="text/javascript" src="/login/ext-base.js"></script>
<script type="text/javascript" src="/login/ext-all.js"></script>
<script type="text/javascript">var errMsgText = "";var bannerMsgText = "";bannerMsgText += "This system is for authorized use only.";var hostname='';var version='R80.10';var formAction="/cgi-bin/home.tcl";</script>
<script type="text/javascript" src="/login/login.js"></script>
</HEAD>
<BODY>
<noscript>
<div style='font-size:20px;position:relative;top:100px;'>For full functionality of this site it is necessary to enable JavaScript.</div>
</noscript>
</BODY>
</HTML>

Any pointers?
Employee

Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:
- OpenBL
- Emerging Threats: Known Compromised Hosts
- TOR exit nodes
- BruteforceBlocker
- Blocklist.de All
- Talos
- Dshield

The feeds are downloaded, sanity checked and then published on cpdbl.net for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course YMMV, so all feedback is appreciated. If you want to try it out go to: https://cpdbl.net

Screenshot of the interface:

Gateway details:

These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticeably.

Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.

VSX is not supported for now.

Workflow:

The server (cpdbl.net) downloads all the lists nightly and
- Validates that all entries are valid IPs.
- Baselines the lists, makes sure a list does not suddenly grow enormously.
- Publishes the lists for the clients to download.

The client:
- Downloads fresh lists every 12 hours.
- Times out entries in the block-table after 12 hours, hence if cpdbl.net is unavailable all entries will be removed at this time.
- Validates that only entries containing numbers and "-" are read into the system (to stop possible code injection).
- Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:
- R77.30: In SmartView Tracker, search for "SecureXL message: Quota violation".
- R80: In SmartLog, search for "blade:Firewall Alert".

Installation targets showing "ALL Gateways in Smartdashboard"

Hi Team,

I have created a new policy and gateway via playbook. While executing, the policy is installing on the correct target which I mentioned in the Ansible playbook. While looking at the managed policies on the dashboard, the installation targets show as all gateways even though I mentioned the particular targets in the playbook. Please find the playbook below.

- name: "Push Access Policy"
  check_point_mgmt:
    command: install-policy
    parameters:
      policy-package: "{{hostname}}_Policy"
      access: "true"
      threat-prevention: "false"
      targets: "{{hostname}}"
    session-data: "{{login_response}}"

Here hostname is nothing but the firewall hostname. After pushing the policy, on the dashboard the target shows ALL gateways, not the hostname of that particular firewall. Kindly help on this.

CheckPoint.NET Class Library for Web API

Hello All,

I have started a new project of creating a .NET class library for talking to the Web API easily. My goal is to make it rather simple to integrate any .NET application with Check Point in a standard way. While I personally have a few custom internal projects that will use it, I will also be looking at migrating the psCheckPoint PowerShell module to it once it is ready.

So while this project is in its early stages, I am interested in any questions, requests or comments anyone may have, as well as if anyone wants to help with the project in any way.

If you are interested you can watch its progress on GitHub: GitHub - tkoopman/CheckPoint.NET

Tim.
Aathi inside API / CLI Discussion and Samples, Thursday

cp_conf sic init 1234 norestart is not working via ansible

Hi Team,

I am trying to reset the SIC without restart by using the below command via Ansible and getting the error. Kindly help on this.

Playbook:

- name: SIC key generation
  command: "{{ item }}"
  with_items:
    - /opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart
    - /opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop"
    - /opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd"

Error in Ansible:

failed: [10.6 (item=/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart) => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cp_conf", "sic", "init", "Infy123+", "norestart"], "delta": "0:00:00.018486", "end": "2019-07-17 07:50:20.309823", "item": "/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.291337", "stderr": "/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: libcpconfca.so: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: libcpconfca.so: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "stop", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd_admin", "-command", "cpd_admin stop"], "delta": "0:00:00.019825", "end": "2019-07-17 07:50:20.956607", "item": "/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path \"/opt/CPshrd-R80/bin/cpd_admin\" -command \"cpd_admin stop\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.936782", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: libcpwd_is.so: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: libcpwd_is.so: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "start", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd", "-command", "cpd"], "delta": "0:00:00.019049", "end": "2019-07-17 07:50:21.613861", "item": "/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path \"/opt/CPshrd-R80/bin/cpd\" -command \"cpd\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:21.594812", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: libcpwd_is.so: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: libcpwd_is.so: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

Kindly help on this.

Regards,
Athimoolam.A
Iain_King inside API / CLI Discussion and Samples, Thursday

Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

Ever want to allow access to "google.com" or "google.com.au" or some large lists of A record hosts (like AWS or Azure hosted front end elastic load balancers, or Akamai hosted stuff etc.)? Domain objects not doing it for you? (Reverse lookups only the first address.) Logical server objects not doing it for you (like they do in AWS/Azure autoscaling)? Not on R80.10 yet?

Create a dynamic object as a destination, then on the command line do the following. The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (SmartConsole).

[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts
Operation completed successfully

To populate the dynamic object run the following:

[Expert@gw-913127:0]# dig +short my.changing.cloud.hostname.com google.com google.com.au|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r
Operation completed successfully
Log update success

Check the object has been updated (shows both in the logs in Tracker as well):

[Expert@gw-913127:0]# dynamic_objects -l
object name : CPDShield
range 0 : 0.0.0.1 0.0.0.1
object name : dynamic_dns_hosts
range 0 : 34.210.127.64 34.210.127.64
range 1 : 34.213.84.59 34.213.84.59
range 2 : 35.160.229.160 35.160.229.160
range 3 : 35.163.99.121 35.163.99.121
range 4 : 54.148.3.136 54.148.3.136
range 5 : 54.186.179.15 54.186.179.15
range 6 : 54.187.44.205 54.187.44.205
range 7 : 54.244.5.167 54.244.5.167
range 8 : 172.217.25.35 172.217.25.35
range 9 : 216.58.203.110 216.58.203.110
Operation completed successfully

It's possible to write this into cron (scheduled_task) or run in a while loop. It's possible also to depopulate the object, delete the object and all the other things too.

If you're interested in doing this in Python, there's some cool tools here (someone at Check Point wrote it): chkp / dynobj — Bitbucket
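As an added example (not from the original post), here is a POSIX shell version of the one-liner above that validates what dig returns as IPv4 addresses before anything is handed to dynamic_objects, and refuses to wipe the object when nothing resolves (the -r flag replaces the existing ranges, so an empty answer would otherwise clear the allowed destinations). The function names are my own; dynamic_objects, its -a/-o/-r flags and the object name come from the post.

```shell
#!/bin/sh
# Resolve hostnames and feed only well-formed IPv4 "start end" pairs to
# dynamic_objects. dig +short prints CNAME targets and other non-address
# lines too, which the one-liner in the post would pass straight through.

# Keep only lines that are four dot-separated decimal octets in 0-255 and
# print each surviving address as the "<ip> <ip>" range dynamic_objects expects.
filter_ipv4() {
    awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($0, o, ".")
            ok = 1
            for (i = 1; i <= n; i++)
                if (o[i] + 0 > 255 || length(o[i]) > 3) ok = 0
            if (ok) print $0 " " $0
        }
    ' | sort -u
}

# Resolve the given names; anything that is not an A record is dropped.
resolve_ipv4() {
    dig +short "$@" | filter_ipv4
}

# Replace the object contents (dynamic_objects -a ... -r, as in the post) but
# only when at least one address survived validation, so a DNS outage or a
# typo in the hostname list leaves the current ranges in place.
populate_dynamic_object() {
    obj="$1"; shift
    ranges=$(resolve_ipv4 "$@")
    if [ -z "$ranges" ]; then
        echo "no valid A records for: $*; leaving $obj unchanged" >&2
        return 1
    fi
    printf '%s\n' "$ranges" | xargs dynamic_objects -a -o "$obj" -r
}

# Usage: ./dynobj_update.sh dynamic_dns_hosts google.com google.com.au
# Only runs when called with an object name and at least one hostname.
if [ $# -ge 2 ]; then
    populate_dynamic_object "$@"
fi
```

Constructed test input in the check below mixes real-looking addresses with a CNAME name, a bad octet and a duplicate; only the two valid addresses come out, deduplicated and sorted.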

Group membership export with IP address

I have a group object that contains close to 600 devices. I can export the group to a csv but it only contains the group information. If I search for a specific device, I can export a csv with hostname, IP address, and description. However, I cannot export a csv with the members of a group with the hostname, IP address, and description. I've looked into some APIs but did not have much luck. Any and all assistance is greatly appreciated.
Danny inside API / CLI Discussion and Samples, 2 weeks ago

Bash - Name and IP of any Gateway?

I'm looking for a way to retrieve the name and IP address of any Check Point gateway locally on the system, exactly as they are shown in the gateway list of SmartConsole, including VS systems. Environment: Expert Mode (Bash). For non-VS systems this could easily be performed via:

grep `hostname` /etc/hosts

However, I need a solution that also works on VSX systems in different VS environments.
Raj_Khatri inside API / CLI Discussion and Samples, 2 weeks ago

Using mgmt_cli without automatic publish

I noticed when using SmartConsole CLI, changes are not automatically published. However, when using mgmt_cli, changes are automatically published. Is there a flag that can be used when using mgmt_cli so you can still review the changes made allowing you to perform a manual publish?
John_Lovinggood inside API / CLI Discussion and Samples, 2 weeks ago

Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider-1 to grab all gateways and their corresponding model/software version. However, it gave a very inconsistent result, meaning that some (active) gateways came back with just host name and IP and then some came back with host name/IP/OS version/model number. Anybody aware of a way to pull gateway info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want an active count for inventory. Any such method/script?
Timothy_Hall inside API / CLI Discussion and Samples, 2 weeks ago

Functionality - API vs. SmartConsole

When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead. I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this.

Some ground rules:
1) Only releases that are GA like R80.30 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R80.40 that doesn't count.
2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations.
3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.
4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post).

So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead. Please feel free to add items to this list or provide corrections:
1) Manipulation of gateway cluster objects
2) Geo Policy
3) HTTPS Inspection
4) Mobile Access Blade
5) Anti-spam & Mail Blade
6) DLP Blade (not Content Awareness)
7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)
8) SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole)
9) QoS Blade/Policies (not APCL/URLF Limits)
10) GUIDBedit operations (performed in a separate GUI from SmartConsole)

Thanks everyone!
Inbar_Moskovich (Employee+) inside API / CLI Discussion and Samples, 2 weeks ago

Python tool for exporting/importing a policy package or parts of it

Overview

The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with a global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported. Workaround: unassign the Global Policy prior to export.
- Gateway/Cluster objects have to be recreated. Placeholder objects will be created.
- UserCheck messages have to be recreated. Placeholder objects will be created.
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied.

Tested on version R80.x

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...