cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Using the API to map an Access Layer to a Policy Package

Hi friends-I'm looking to use the API  to add a rule to a layer and then install policy on the appropriate package (or packages for a shared layer).  In SmartConsole, when I view layers (Manage policies and layers...), it shows me the package(s) the layer is used on, but I can't seem to find that mapping in the API.  I've tried both show access-layer and show access-layers, but neither give me the packages.  I tried doing a where-used on my layer UID, but that just gives me an error.  I've noticed that showing all my packages lists the layers that are used, but what about the other way around?  How do find which policy(ies) my access layer is a part of?I'm on v1.5.Thanks!
Marcel_M
Marcel_M inside API / CLI Discussion and Samples 15 hours ago
views 154 2

Check Point Ansible Module in Ansible 2.8 Version with MDS

Hello, we are testing ansible automatisation on our MDS . I used this SK, but I can't find any information how to specify a special CMA Domain: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114661&partition=General&product=Security  My Hosts File looks like this: /etc/ansible/hosts[checkpoint]1.1.1.1[checkpoint:vars]ansible_httpapi_use_ssl=Trueansible_httpapi_validate_certs=Falseansible_user=api-useransible_password=passwordansible_network_os=checkpoint My Ansible runbook lookes like that: cat create-host2.yml---- hosts: checkpointconnection: httpapi# domain: "Global"tasks:- name: add-hostcp_mgmt_host:ip_address: "192.0.2.1"name: "New Host 1"state: "present"Does anyone know how to specify a CMA Domani in this Version? In the old Version https://github.com/CheckPointSW/cpAnsible you could do this with the parameter -domain Can anyone help me with that? 
Danieljax88
Danieljax88 inside API / CLI Discussion and Samples 16 hours ago
views 134 1 1

Help Exporting Rulebase Data

Hi, I have what i thought would be a simple requirement to export our rulebase to csv for me to share some information on some specific rules. I have looked around the forum and have struggled to land the best and simplest way of doing this.The export option in R80 smartdashboard GUI does not work for me as i need to understand the nested groups or the objects / subnets inside of the groups as well as the high level group information.Is there anything around that is already pre-written script wise to make this happen? running python directly from my machine will be a challenge and my scripting knowledge is limited. Running R80.20. Any help would be really appreciated.

Script in creating object and add in a object group using CLI

What is the command line script to create object/object group and add object in an object group. Like hundred of objects (IPs).I am using Checkpoint R80.10.

R80.40 API v1.6 Changelog

Changelog What's New in v1.6    This release, API version 1.6, introduces several updates for existing APIs. Deprecated API commands from this version: show data-center command is deprecated, use show data-center-server instead. show data-centers command is deprecated, use show data-center-servers instead.    New APIs (35)  API Key (2) API command Description add api-key Add API key for administrator, to enable login with it. For the key to be valid publish is needed.When using mgmt_cli tool, add –f json to get the key in the command’s output delete api-key Delete the API key. For the key to be invalid publish is needed. Data Center Server (4) API command Description delete data-center-server Delete existing Data Center Server using name or uid. set data-center-server Edit existing Data Center Server using name or uid. Data Center Server represents the connection to a cloud environment. The Data Center Server contains Data Center Objects, these objects can be imported from it using the add-data-center-object command show data-center-server Retrieve existing Data Center Server using name or uid. show data-center-servers Retrieve existing Data Center Servers. LSV Profile (5) API command Description add lsv-profile Add a new Large Scale VPN object. When used inside a VPN Community, the object enables communication between a large amount of externally managed VPN peers. delete lsv-profile Delete existing LSV profile object using object name or uid. set lsv-profile Set LSV Profile object's fields. Set CA by uid or name, change peers limit or restrict encryption domain. show lsv-profile Retrieve existing LSV profile object using object name or uid. show lsv-profiles Retrieve all objects. Migration (4) API command Description backup-domain Back up the Domain database and applicable Check Point configuration. This command can be used in backup and restore operations. This command is available only in a Multi-Domain environment and when logged into the MDS domain. For known limitations see sk146953 migrate-export-domain Export the Domain database and applicable Check Point configuration. This command can be used in export and import operations. This command is available only when logged into the system domain. For known limitations see sk156072 migrate-import-domain Imports the exported Domain database and applicable Check Point configuration. This command can be used in import operations. This command is available only when logged into the system domain. For known limitations see sk156072 restore-domain Restores the backed-up Domain database and applicable Check Point configuration. This command can be used in restore operations. This command is available only in a Multi-Domain environment and when logged into the MDS domain. For known limitations see sk146953   Misc. (1) API command Description install-database Copies the user database and network objects information to specified targets.   Server Certificate (5) API command Description add server-certificate Import server certificates for inbound HTTPS traffic inspection.You can use the imported server certificates in the Certificate column of the HTTPS Inspection Policy. delete server-certificate Delete existing server certificate using name or uid. set server-certificate Edit existing server certificate using name or uid. show server-certificate Show existing server certificate using name or uid. show server-certificates Show existing server certificates. Session Management (2) API command Description revert-to-revision Revert the Management Database to the selected revision. verify-revert Verify the Management Database can revert to the selected revision. Simple Cluster (5) API command Description add simple-cluster Create new object. delete simple-cluster Delete existing object using object name or uid. set simple-cluster Edit existing object using object name or uid. show simple-cluster Retrieve existing object using object name or uid. show simple-clusters Retrieve all objects. SmartTasks (5) API command Description add smart-task Create new object. delete smart-task Delete existing object using object name or uid. set smart-task Edit existing object using object name or uid. show smart-task Retrieve existing object using object name or uid. show smart-tasks Retrieve all objects. Triggers (2) API command Description show smart-task-trigger Retrieve existing object using object name or uid. show smart-task-triggers Retrieve all objects.   Updated APIs (10)Threat Profile (3) API command Added fields Removed fields Updated fields Description set threat-profile 1 0 0 Edit existing object using object name or uid. show threat-profile 2 0 0 Retrieve existing object using object name or uid. add threat-profile 1 0 0 Create new object. Threat Protection (1) API command Added fields Removed fields Updated fields Description show threat-protections 1 0 0 Retrieve all objects. VPN Community Meshed (3) API command Added fields Removed fields Updated fields Description show vpn-community-meshed 1 0 0 Retrieve existing object using object name or uid. set vpn-community-meshed 2 0 0 Edit existing object using object name or uid. add vpn-community-meshed 2 0 0 Create new object. VPN Community Star (3) API command Added fields Removed fields Updated fields Description set vpn-community-star 2 0 0 Edit existing object using object name or uid. show vpn-community-star 1 0 0 Retrieve existing object using object name or uid. add vpn-community-star 2 0 0 Create new object.   Deprecated APIs (2)Data Center Server (2) API command Description show data-center Retrieve existing Data Center Server using name or uid. Starting from version 1.6 of the Check Point Management API, this command is deprecated . Use the show data-center-server command instead show data-centers Retrieve existing Data Center Servers. Starting from version 1.6 of the Check Point Management API, this command is deprecated . Use the show data-center-servers command instead    

Search multiple CMA

In R77.30 one had the possibility to search all CMAs for object usage. I cannot find this feature in R80.10 MDS. There is no mention of the Cross-Domain Management Server Search function in the CP_R80.10_Multi-DomainSecurityManagement_AdminGuide.This was especially useful to find global object use, to limit the number of policies one had to push after updating a single object.Any suggestions for a replacement?Best regards,Harald

Having issues with publishing policy via web API

Hi,I have a powershell script that is meant to do the following but is failing on publishing policy.  The API gives me the following error but not sure why as I don't have any unpublished changes.  Below are the steps.-Add Host (Sucess)-Add Host to Group (Sucess)-Publish Policy (Fail)-Install Policy (Fail)2019-11-13 09:43:11,233 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp2049910860-30] - Inbound Message----------------------------ID: 76Address: http://127.0.0.1:50276/web_api/add-hostEncoding: ISO-8859-1Http-Method: POSTContent-Type: application/jsonHeaders: {Accept=[text/plain], connection=[keep-alive], Content-Length=[92], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[mgmt_cli_gui], X-chkp-debug=[GUI], X-chkp-sid=[aM8KIGMuWuP8rNWBhDI8LzLVXZtR6-z9kIVee-EFYmc], X-Forwarded-For=[127.0.0.1], X-Forwarded-Host=[127.0.0.1], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.130.181.25]}Payload: {"groups":"AttackersList","ip-address":"144.139.158.155","name":"attacker-144.139.158.155"}--------------------------------------2019-11-13 09:43:11,238 INFO [GUI] com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp2049910860-30] - Cache created and initialized2019-11-13 09:43:11,239 INFO [GUI] com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp2049910860-30] - Executing [add-host] of version 1.3 (references 1)2019-11-13 09:43:11,834 ERROR [GUI] com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp2049910860-30] -com.checkpoint.web_services.faults.ValidationRemoteFault: 2 Blocking validation errors were found.at sun.reflect.GeneratedConstructorAccessor264.newInstance(Unknown Source)at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)at java.lang.reflect.Constructor.newInstance(Constructor.java:437)at org.apache.cxf.interceptor.ClientFaultConverter.processFaultDetail(ClientFaultConverter.java:182)at org.apache.cxf.interceptor.ClientFaultConverter.handleMessage(ClientFaultConverter.java:82)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1642)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)at com.sun.proxy.$Proxy244.updateObjectWithReturnControlErrorLevel(Unknown Source)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager.updateObjectWithReturn_aroundBody30(RemoteObjectCrudManager.java:24)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager$AjcClosure31.run(RemoteObjectCrudManager.java:1)at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)at com.checkpoint.management.web_api_is.aspects.logging.WebApiMethodLoggerAspect.aroundMethodLoggerTest(WebApiMethodLoggerAspect.java:13)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager.updateObjectWithReturn(RemoteObjectCrudManager.java:72)at com.checkpoint.management.web_api_is.core.handler.base.ApiObjectRequestHandler.doUpdateObjectForAdd(ApiObjectRequestHandler.java:34)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler.add_aroundBody0(ApiCrudRequestHandler.java:19)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler$AjcClosure1.run(ApiCrudRequestHandler.java:1)at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)at com.checkpoint.management.web_api_is.aspects.logging.WebApiMethodLoggerAspect.aroundMethodLoggerTest(WebApiMethodLoggerAspect.java:13)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler.add(ApiCrudRequestHandler.java:52)at com.checkpoint.management.web_api.core.handler.objects.network_objects.host.HostRequestHandler.add(HostRequestHandler.java:11)at sun.reflect.GeneratedMethodAccessor165.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:7)at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:81)at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)at com.checkpoint.management.web_api.core.filter.LogCustomDebugFieldFilter.doFilter(LogCustomDebugFieldFilter.java:19)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:203)at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)at org.eclipse.jetty.server.Server.handle(Server.java:370)at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)at java.lang.Thread.run(Thread.java:785)

Need To Perform Mass Modification Of All User Accounts Expiration Dates

It came to my attention today that I have a large number of user accounts expiring on 1/1/2020. Given the number, it would be best to update these en masse. I have seen a couple other posts where some folks were accomplishing this using a series of API requests / changes. However, I also came across this older sk article: sk522 Can anyone comment whether this is still a valid method on an R80.30 SMS? I'm not opposed to going the API route if necessary, but this method seems to accomplish the same thing in a single command. Thanks! Dan 

Finding a URL in all custom Application/Sites rather than just one

Hi,I have a script currently utilising the mgmt api to open a specific application/site and show all the URL's listed. I then can then grep a saved output to find a single URL. I look to add filtering built into the script but has anyone had any experience with looping over all application/sites to find a single URL?Tom
Jin_Zhou
Jin_Zhou inside API / CLI Discussion and Samples 2 weeks ago
views 203 2

How to use run-script to get IPS information on a VS of VSX?

I am trying to use run-script to get IPS information on a VS of VSX. Say VS 3 on cli I could do following:vsenv 3ips statBut if I put it in run-script as follow, api could not find vsenv command.mgmt_cli -r true -d Mydomain -VSX run-script script-name test script "vsenv3; ips stat" targets.1 vsx1 -f json Also tried to put the two commands in a script, test.sh:#!/bin/bashvsenv 3ips statthen runmgmt_cli -r true -d Mydomain -VSX run-script script-name test script "/mydir/test.sh" targets.1 vsx1 -f jsonit does not work either. Any idea how to get this to work or any way that can get IPS info on VS?
Ed_Eades
Ed_Eades inside API / CLI Discussion and Samples 2 weeks ago
views 16646 15 6

Bulk Add Network Objects

I am looking for advice on how to bulk add network objects.  I need to add around 550 networks and we are on GAIA R80.10.  I have read some about dbedit, Using a dbedit script to create new network objects and network object groups, but I am not sure if that would still be the best method.  I will also mention I have never used dbedit.  When adding these network objects I would also like to add a description on each network object.  The dbedit link does not include the syntax for the description. I came across a thread on cpug that If R80, there are more robust CLI for these things.  You can find documentation and several examples at https://community.checkpoint.com.Thanks in advance!
Charles_Currier
inside API / CLI Discussion and Samples 2 weeks ago
views 1501 9 12
Employee+

o365 dynamic objects script

This script pulls the current list of office365 IP Addresses referenced from Office 365 IP Address and URL Web service | Microsoft Docs to https://endpoints.office.com/endpoints/worldwide. It then creates dynamic objects for each set of Service Areas that have ipv4network ranges defined in the json document. Once run once an administrator should pull the resulting objects to populatethe policy and then rerun once policy is pushed.This does not have scheduling at this time.This has been updated to version 3.
Employee

Create list of IPS protections set for packet capture in a specific profile

Used mgmt_cli to generate a json formatted file (ips.json) of all IPS protections (mgmt_cli show threat-protections details-level full) but cannot figure out how to parse out only the profiles with packet capture enabled. cat ips.json | jq ".protections [] | [.name, .profiles]"
Employee+

Blocking TOR exit nodes with Python and R80.10 API

Hi all,I wrote a script in Python using our API. The goal was clear, block around 1k IP addresses automatically and in a visual way, not through fw sam rules You can execute this script every day manually or you can schedule it using Crontab for example.Tu use it in your environment you just need to change these variables at the begining and execute it! You can find the script here: GitHub - toledanosjesus/chkp After the first execution of the script, you just need to configure correctly your firewall policy. You need to have something similar to this:Be aware this script is using python 2.7. You'll need to modify it a bit in case you want to use python 3.xEnjoy!

Read-Only account for Gaia API?

For the GAIA API we are trying to create a role that allows the users to only use show commands, but currently all we can get working is a user with the full admin role. In our case we are using TacAcs authentication and the role associated to this also needs to be assigned otherwise it will not work. Any idea how to configure the role for a Read-Only API user?