API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Dima_M
inside API / CLI Discussion and Samples 38m ago
views 719 6 6
Employee+

Check Point provider on Terraform is officially live!

Hello all!

We are glad to announce that Check Point provider on Terraform is officially live!

Terraform is a very well-known solution for building, changing and versioning infrastructure. Terraform is cloud-agnostic and allows a single configuration to be used to manage multiple providers, and to even handle cross-cloud dependencies. This simplifies management and orchestration, helps to build and provision multi-cloud infrastructures.

Check Point Provider can be used to automate security responses to threats, provision both physical and virtualized next-generation firewalls and automate routine Security Management configuration tasks, saving time and reducing configuration errors. With the Check Point provider, DevOps teams can automate their security and transform it into DevSecOps workflows.

We’re now working to extend the list of supported APIs to include the majority of Management and GAiA OS APIs and will have news very soon! This integration follows our integration with Ansible, introduced in 2019.

We’re looking to accompany customers that use Terraform and Check Point and to build great stuff together. We also encourage you all to check out the provider, please feel free to share use cases and feedback, we’ll be glad to assist. You can contact myself (dimam@checkpoint.com) and Eran Habad (eranh@checkpoint.com).

Enabling CORS

Hi Checkmates,

Project: Developing a customized web portal using Checkpoint API for different users via C#.

Problem: I made an add-host API call to the Checkpoint FW and am getting the error in Browser >> Console.

Error:

    OPTIONS https://<FW_management_ip>/web_api/add-host 401(Unauthorized)
    Access to XMLHttpRequest at 'https://<FW_management_ip>/web_api/add-host' from origin 'http://localhost:53352' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Conclusion: Some CORS policy has to be enabled or 'Access-Control-Allow-Origin' has to be included.

How to do this? 🤔

Not able to convert the ASA configuration using smart move tool

Am trying to convert my ASA config to CheckPoint by SmartMove and receive the following error message:

    could not parse configuration file.
    Message: Unable to case object of type "ciscoMigration.cisco_groupobject" to type "Ciscomigration.cisco_object"
    Module: CiscoMigration
    Class: Cisco_Route
    Method: Parse

Pls do the needful in resolving.

Thanks

Retrieve policy details using api

I am trying to write a script to retrieve all policy details of R80 using the web services API. I used the show-package command to retrieve all policy package details. Also I made details-level full to retrieve all possible info. I wonder if this call will retrieve all the information about the package and all its objects?

Here is my Python code:

    import json
    import requests

    host = ""  # hard code host
    port = ""  # hard code port


    def api_call(ip_addr, port, command, json_payload, sid):
        # Build the web_api URL for the command and POST the JSON payload
        url = 'https://' + ip_addr + ':' + port + '/web_api/' + command
        if sid == '':
            request_headers = {'Content-Type': 'application/json'}
        else:
            request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
        r = requests.post(url, data=json.dumps(json_payload), headers=request_headers)
        return r.json()


    def login(user, password):
        payload = {'user': user, 'password': password}
        response = api_call(host, port, 'login', payload, '')
        return response["sid"]


    def retrieve_policy(username, password, package_name):
        sid = login(username, password)  # get sid after successful login to authenticate with
        # I made details-level full to retrieve all possible info
        retrieve_policy_data = {'name': package_name, 'details-level': 'full'}
        retrieve_policy_result = api_call(host, port, 'show-package', retrieve_policy_data, sid)
        logout_result = api_call(host, port, "logout", {}, sid)  # logout
        return retrieve_policy_result  # all package details returned in json format

adding network object with mgmt_cli batch CSV file

I try to add a number of network objects with the CLI tool but I received an error. I followed sk113078 and did exactly the same and received the error:

    Line 2: code: "generic_err_invalid_parameter_name"
    message: "Unrecognized parameter [name]"
    Line 3: code: "generic_err_invalid_parameter_name"
    message: "Unrecognized parameter [name]"
    Line 4: code: "generic_err_invalid_parameter_name"
    message: "Unrecognized parameter [name]"
    Executed command failed. Changes are discarded.

The CSV is:

    name,subnet,subnet-mask
    network1,10.10.10.0,255.255.255.0
    network2,20.20.20.0,255.255.255.0
    network3,30.30.30.0,255.255.255.0

I have R80.20 take: 103

Query API with Feature extraction sends response with extract_result CP_EXTRACT_RESULT_NOT_SCRUBBED

Hi Experts,

I am always getting extract result "CP_EXTRACT_RESULT_NOT_SCRUBBED" from query api. Please find my request below.

Request #1

Upload API request:

    {\"request\":{\"file_name\":\"DOCX.docx\",\"file_type\": \"docx\",\"features\":[\"extraction\"],\"extraction\":{\"method\":\"clean\"}}}

Upload API Response:

    {
      "response": {
        "status": {
          "code": 1002,
          "label": "UPLOAD_SUCCESS",
          "message": "The file was uploaded successfully."
        },
        "sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b",
        "md5": "f78a90963ca8a382da6611eb5cdbe2e3",
        "sha256": "056c1f0d31faa557cdac687b0fcc5103cc4aa0dbf8027499303e182754c981b8",
        "file_type": "docx",
        "file_name": "DOCX.docx",
        "features": [
          "extraction"
        ],
        "extraction": {
          "method": "clean",
          "tex_product": false,
          "status": {
            "code": 1002,
            "label": "UPLOAD_SUCCESS",
            "message": "The file was uploaded successfully."
          }
        }
      }
    }

Request #2

Query API Request:

    {"request": [{"sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b","file_name": "DOCX.docx","file_type": "docx","features": ["extraction"],"extraction": {"method": "clean"}}]}

Query API Response:

    {
      "response": [
        {
          "status": {
            "code": 1001,
            "label": "FOUND",
            "message": "The request has been fully answered."
          },
          "sha1": "8064ff3d851f273df43376cfcb9c2ebd47131c8b",
          "file_type": "docx",
          "file_name": "DOCX.docx",
          "features": [
            "extraction"
          ],
          "extraction": {
            "method": "clean",
            "extract_result": "CP_EXTRACT_RESULT_NOT_SCRUBBED",
            "output_file_name": "DOCX.docx",
            "extraction_data": {
              "input_extension": "docx",
              "input_real_extension": "docx",
              "message": "Skipped",
              "output_file_name": "",
              "protection_name": "Potential malicious content extracted",
              "protection_type": "Content Removal",
              "protocol_version": "1.0",
              "risk": 0.0,
              "scrub_activity": "The file doesn't include cleanable parts",
              "scrub_method": "Clean Document",
              "scrub_result": 4.0,
              "scrub_time": "0.04",
              "scrubbed_content": ""
            },
            "tex_product": false,
            "status": {
              "code": 1001,
              "label": "FOUND",
              "message": "The request has been fully answered."
            }
          }
        }
      ]
    }

Can someone please help me what mistake am I doing here? Why query api response is not sending download file id?

Scripts in Python

Good Afternoon,

I like to know if I can develop scripts in Python. If someone has information about it, I appreciate your answer.

Thanks
BR
Lenin
Employee+

Python scripts to clone objects from local domain to global domain

Overview

These scripts copy objects from a given local domain to the global domain.
These scripts use the Python library for using the management APIs.

Description

In order to clone a single object whose type is known, run 'local_<object type>_to_global.py' -o <Object id> <Flags>

In order to clone a single object whose type is unknown, run 'local_object_to_global.py' -o <Object id> <Flags>

In order to clone more than one object:

     1. Add tag with <Tag name> (using SmartConsole or add-tag command on the command line) to the objects that need to be cloned.
     2. Run 'local_global_by_tag.py' <Tag name> <Flags>

Flags:

mandatory:
-d <local domain name> : The local domain that contains the object that needs to be cloned.
-n <prefix> : The new global object name will be as follows: prefix_<local_object_name>.

mandatory if running the script not on the management server:
-s <Server IP> : The IP address or name of the Check Point Management Server.
-u <User name>

optional:
-p <port number> : Default value '443'
-g <Global domain name> : Default value 'Global'

Notes:

     1. The script supports only the following object types: host, network, address_range, network group, tcp service, udp service, service group.
          For objects that are not one of these types, the script will not clone them and will print an error.
     2. In case a group object needs to be cloned, the script will clone the group and all the objects it contains.
     3. Objects that contain the 'nat-settings' field will be cloned without this field.

The scripts create:

     1. logfile.txt
     2. json_objects.json contains list of {<original object uid> : <cloned global object uid>}
     3. csv_file.csv contains {<original object uid>, <original object name>, <cloned global object name> <cloned global object uid>}
          In case the global object wasn't created the <cloned global object name> <cloned global object uid> will remain empty.

Instructions

Follow the steps below:

     1. Unzip attached zip file
     2. Download the Python library from the link above.
     3. Extract the Python library folder to the folder containing the script.
     4. Use the html guide (localToGlobal.html) to run the relevant script

Tested on version

R80, API version 1.0

Source Code Availability

The source code is now public on GitHub repository:
GitHub - CheckPoint-APIs-Team/LocalToGlobal: Check Point LocalToGlobal tool enables you to copy objects from a local dom…

NOTICE: By using this sample code you agree to terms and conditions in this Not authorized to view the specified document 1042...

Is there a way to make API calls using other methods for authentication?

We are exploring the vast wonders of the R80.30 API commands and would like to expand further but have some security concerns. What we need is a way to make API calls (that does more than read) and not have to hard code the credentials into the call itself.

Is there some type of API key that can be used for this type of work or some other method we can use to encrypt this? A fear is that if the box is compromised, then a bad actor could just crack open the content and have some real fun, or possibly even sniff the credentials while we are making a call.

Thanks,
Patrick
Admin

mgmt_cli to delete all objects matching a pattern

This came across my mail from an internal source and it's too good not to share. A small bit of scripting with show-objects and delete-batch-objects can remove all objects (up to the 500 object limit of show-objects) based on a pattern.

    mgmt_cli login -u aa -p aaaa > /tmp/sid.txt.$$
    mgmt_cli -s /tmp/sid.txt.$$ delete objects-batch objects.1.type group $(mgmt_cli -s /tmp/sid.txt.$$ -f json show objects filter test-group- limit 500 | jq '.objects[].name' | cat -n | sed -r 's/^\s+([0-9]+)/objects.1.list.\1.name/' | tr '\n' ' ')
    mgmt_cli -s /tmp/sid.txt.$$ publish

Explanation of commands:

    mgmt_cli -s /tmp/sid.txt.$$ delete objects-batch objects.1.type host
Perform batch delete on the results of the next rows

    $(…)
Treat the output of the command in parenthesis as command line arguments

    mgmt_cli -s /tmp/sid.txt.$$ -f json show-objects filter test-host- limit 500
Get objects containing test-host-

    jq '.objects[].name'
Get the object names

    cat -n
Add a line number to each name

    sed -r 's/^\s+([0-9]+)/objects.1.list.\1.name/'
Replace each line number n with objects.1.list.n.name

    tr '\n' ' '
Put all the separate lines together on the same line as input to the delete-objects-batch command
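A guard for the pipeline in the post above, as an added example that is not part of the original post: it builds the same `objects.1.list.N.name` arguments but keeps only names that begin with the pattern and refuses to continue when the result count reaches the 500 limit. `build_batch_args` and `sample_names` are hypothetical helpers, the sample names are constructed, and the prefix check rests on the assumption that `filter` is a free-text search that can return objects whose names merely contain the pattern.

```shell
#!/bin/sh
# Added example, not from the original post. build_batch_args is a hypothetical
# helper; the mgmt_cli calls in the comments reuse only the commands shown above.
#
# Reads object names, one per line (e.g. from jq -r '.objects[].name'), and prints
# "objects.1.list.N.name <name>" pairs only for names that START with PREFIX.
# Exit status: 0 ok, 1 nothing matched, 2 result count reached LIMIT (may be truncated).
build_batch_args() {
    prefix=$1
    limit=${2:-500}
    awk -v p="$prefix" -v lim="$limit" '
        { total++ }
        index($0, p) == 1 && $0 !~ /[ \t]/ {
            n++
            printf "%sobjects.1.list.%d.name %s", sep, n, $0
            sep = " "
            next
        }
        { print "skipped, not a clean prefix match: " $0 > "/dev/stderr" }
        END {
            if (n > 0) print ""
            if (total >= lim) {
                print "refusing: " total " results reached limit " lim > "/dev/stderr"
                exit 2
            }
            if (n == 0) exit 1
        }'
}

# Constructed sample names standing in for the show objects output.
sample_names() {
    printf '%s\n' test-group-1 prod-test-group-x test-group-2 'test-group- old'
}

# Dry run: print the arguments that would be handed to the batch delete.
sample_names | build_batch_args test-group-

# Wiring it into the session from the post (assumed usage, review ARGS first):
#   ARGS=$(mgmt_cli -s /tmp/sid.txt.$$ -f json show objects filter test-group- limit 500 \
#          | jq -r '.objects[].name' | build_batch_args test-group-) || exit 1
#   mgmt_cli -s /tmp/sid.txt.$$ delete objects-batch objects.1.type group $ARGS
```

Names that are skipped are reported on stderr, so the dry run shows both what would be deleted and what the search returned but the prefix check rejected.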

Check Point Visio Stencils

Is there any available file with Check Point Visio stencils? I cannot find any file in PartnerMAP, and it would be very helpful for Check Point partners to make network diagrams.

Is it possible to use the API to batch create users?

We want to add a lot of users at the same time (they will be used for remote VPN logins, i.e., we are not talking about gaia or admin users). The API has great support for adding network objects and the like, but we have not found a way to easily add users. Unfortunately, we do not have an easy way to use templates or AD groups either, so at this time we would really like to have a way to batch add a lot of users.
Yoav_Lasman
inside API / CLI Discussion and Samples a week ago
views 2252 3 7
Employee+

Get early access to our new Threat Prevention APIs

Take control of new Threat Prevention APIs powered by the largest Threat Cloud in the industry:

URL Reputation – for a domain/URL returns the classification and risk in accessing the resource
File Reputation – for a file digest (md5/sha1/sha256/sha512) returns the risk in downloading the file without the need to scan it
IP Reputation – for an IP address returns its classification and risk in accessing a resource hosted on it
Mail Security – upload an email for scanning against malware and phishing attacks, based on award winning Sandblast engines

All APIs are RESTful, simple to use and can be integrated as part of a SOAR application, home-made application and more!

If you’re a Check Point customer interested in participating in the early availability stage drop me a mail at yoav@checkpoint.com
Eric_Speake inside API / CLI Discussion and Samples a week ago
views 2639 9 2

Listing the members of a network group

We are doing audits and cleanup of the network objects in our policy rules. I need to provide a list of servers in a specific network group. I have tried "$MDS_FWDIR/scripts/web_api_show_package.sh -k <policy_name>" but that seems to work only with the VS packages. I am running R80.10 on the management server.

Thanks,
Eric
Senior Systems Administrator
Michael_Nemeth inside API / CLI Discussion and Samples a week ago
views 1772 17 3

problem adding interoperable device via web API

Hello Guys,

I am trying to create an interoperable device via the Python web API (I have v1.1). I have this payload to put into the command 'add-generic-object':

    object = {
        'create': 'com.checkpoint.objects.classes.dummy.CpmiGatewayPlain',
        'name': deviceName,
        'ipaddr': deviceIP,
        'thirdPartyEncryption': True,
        'osInfo': {
            'osName': 'Gaia'
        },
        'vpn': {
            'create': 'com.checkpoint.objects.classes.dummy.CpmiVpn',
            'owned-object': {
                'vpnClientsSettingsForGateway': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway',
                    'owned-object': {
                        'endpointVpnClientSettings': {
                            'create': 'com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway',
                            'owned-object': {
                                'endpointVpnEnable': True
                            }
                        }
                    }
                },
                'ike': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiIke',
                },
                'sslNe': {
                    'create': 'com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender',
                    'owned-object': {
                        'sslEnable': False,
                        'gwCertificate': 'defaultCert'
                    }
                },
                'isakmpIpcompSupport': True,
                'isakmpUniversalSupport': True,
            }
        },
        'dataSourceSettings': None,
        'nat': None,
        'encdomain': 'ADDRESSES_BEHIND_GW',
        'ignore-warnings': True,
        'color': color.upper()
    }

After I run the script, the object is visible in Interoperable devices, but I cannot use it. It is NOT visible when I try to add it to VPN communities, and also when I try to add a VPN community to this object it ends with the error:

    A blocking validation error was found: Gateway does not comply to 'Participant Gateways' of Meshed community. In order to comply the gateway needs to be VPN installed and of type Host / Gateway / Cluster / Interoperable device.

The object can be 'fixed' via GUI by setting IPSec VPN -> Traditional mode configuration -> Select some enc and hash (i.e. 3des sha1) -> OK, but I cannot find the way to set this through set-generic-object. This does not work:

    {'uid': objectUID, 'vpn' : {'ike' : {'isakmpHashmethods': ['SHA1']}}}

What am I doing wrong? Via dbedit it works, but I would like to use a clearer way ...