inside API / CLI Discussion and Samples 7 hours ago
views 3880 6 9

Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:
- OpenBL
- Emerging Threats: Known Compromised Hosts
- TOR exit All
- Talos
- Dshield

The feeds are downloaded, sanity checked and then published on for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv, so all feedback is appreciated. If you want to try it out go to: https://cpdbl.net

Screenshot of the interface:

Gateway details:

These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticeably.
Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.
VSX is not supported for now.

Workflow:

The server( downloads all the lists nightly and:
- Validates that all entries are valid IPs.
- Baselines the lists, making sure a list does not suddenly grow enormously.
- Publishes the lists for the clients to download.

The client:
- Downloads fresh lists every 12 hours.
- Times out entries in the block-table after 12 hours, hence if is unavailable all entries will be removed at this time.
- Validates that only entries containing numbers and "-" are read into the system (to stop possible code injection).
- Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:
R77.30: In SmartView Tracker, search for "SecureXL message: Quota violation".
R80: In SmartLog, search for "blade:Firewall Alert".
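The two sanity checks the post describes (accept only entries made of digits, dots and "-", and refuse a list that suddenly balloons) are worth seeing as code, because the first one is what keeps feed content from ever reaching a shell or a gateway table unvalidated. The following is an added illustration written for this page; it is not the cpdbl.net service's code. It assumes a feed format of one IPv4 address or "start-end" range per line (the sample feed is constructed), and the growth thresholds in within_baseline are assumptions chosen for the example.

```python
import re
import ipaddress

# Constructed sample feed (not real blocklist data): one IPv4 address or
# "start-end" range per line, plus lines that the sanity check must drop.
SAMPLE_FEED = """\
198.51.100.7
192.0.2.10-192.0.2.20
203.0.113.0/24
not-an-ip
10.0.0.1; rm -rf /
2001:db8::1
192.0.2.20-192.0.2.10
"""

# Character allowlist matching the post: digits, dots and "-" only. Anything
# else (slashes, spaces, shell metacharacters, IPv6 colons) is rejected before
# it can reach a command line or a gateway table.
ENTRY_RE = re.compile(r"^[0-9.]+(-[0-9.]+)?$")


def parse_entry(line):
    """Return a normalised 'start-end' IPv4 range string, or None if the line
    fails the allowlist or is not a valid address / ordered range."""
    line = line.strip()
    if not ENTRY_RE.match(line):
        return None
    try:
        parts = line.split("-")
        start = ipaddress.IPv4Address(parts[0])
        end = ipaddress.IPv4Address(parts[1]) if len(parts) == 2 else start
    except ipaddress.AddressValueError:
        return None
    if end < start:
        return None
    return f"{start}-{end}"


def sanitize_feed(text):
    """Split a downloaded feed into (accepted_ranges, rejected_lines),
    de-duplicating accepted entries while keeping their order."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        entry = parse_entry(raw)
        if entry is None:
            rejected.append(raw)
        elif entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


def within_baseline(previous_count, new_count, max_ratio=2.0, min_baseline=100):
    """Baseline check: refuse to publish a list that suddenly grows beyond
    max_ratio times its previous size. Lists smaller than min_baseline are
    accepted unconditionally. Both thresholds are assumptions for this example."""
    if previous_count < min_baseline:
        return True
    return new_count <= previous_count * max_ratio


if __name__ == "__main__":
    ok, bad = sanitize_feed(SAMPLE_FEED)
    print("accepted:", ok)
    print("rejected:", bad)
    print("baseline ok (1000 -> 1500):", within_baseline(1000, 1500))
    print("baseline ok (1000 -> 5000):", within_baseline(1000, 5000))
```

The allowlist regex runs before any parsing, so a malformed or hostile line never touches the IP parser or a command line; the ipaddress step then catches syntactically clean but invalid values such as "1.2.3" or a reversed range. Running the block prints two accepted ranges and five rejected lines from the constructed feed.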
Aathi inside API / CLI Discussion and Samples 11 hours ago
views 102 6

Installation targets showing "ALL Gateways in Smartdashboard"

Hi Team. I have created a new policy and gateway via playbook. While executing, the policy is installing on the correct target which I mentioned in the Ansible playbook. When looking at the managed policies on the dashboard, the installation targets are showing as all gateways even though I mentioned the particular targets in the playbook. Please find the playbook below.

- name: "Push Access Policy"
  check_point_mgmt:
    command: install-policy
    parameters:
      policy-package: "{{hostname}}_Policy"
      access: "true"
      threat-prevention: "false"
      targets: "{{hostname}}"
    session-data: "{{login_response}}"

Here hostname is nothing but the firewall hostname. After pushing the policy, the dashboard shows the target as ALL gateways, not the hostname of that particular firewall. Kindly help on this.

Management API Reference Is it written incorrectly?

Hi all~ I have a question about the Management API Reference. There is a parameter related to Group (dereference-group-members). It is supposed to be supported from API version 1.2 according to the Management API Reference. But R80.10 (API 1.2) doesn't support the dereference-group-members parameter. My test result below:

/web-api/show-groups
{"details-level" : "full","dereference-group-members" : "true"}

Result
{"code": "generic_err_invalid_parameter_name","message": "Unrecognized parameter [dereference-group-members]"}

I tested it in AWS: Check Point CloudGuard IaaS PAYG NGTP R80.10. Is the reference wrong???

Is there any API to check the hosts and networks already created in Check Point Management server

Hi Team, we have automated Check Point rule creation through an Ansible playbook. As per the syntax we have to use add-host for any new hosts and set-host for already existing hosts. Most of the hosts are already created in our environment and we are facing difficulties identifying whether they are new hosts or existing hosts. Mostly we have to check manually whether the hosts are already created or not. Please let me know if there is any other way to sort out this issue (any API to sync the already created objects). Kindly help me on the same.

Regards,
Athi
Tim_Koopman inside API / CLI Discussion and Samples yesterday
views 1261 9 6

CheckPoint.NET Class Library for Web API

Hello All,

I have started a new project of creating a .NET class library for talking to the Web API easily. My goal is to make it rather simple to integrate any .NET application with Check Point in a standard way. While I personally have a few custom internal projects that will use it, I will also be looking at migrating the psCheckPoint PowerShell module to it once it is ready. So while this project is in its early stages I am interested in any questions, requests or comments anyone may have, as well as whether anyone wants to help with the project in any way. If you are interested you can watch its progress on GitHub.

GitHub - tkoopman/CheckPoint.NET

Tim.
Aathi inside API / CLI Discussion and Samples Thursday
views 175 15

cp_conf sic init 1234 norestart is not working via ansible

Hi Team, I am trying to reset the SIC without restart by using the below command via Ansible and getting the error. Kindly help on this.

Playbook:

- name: SIC key generation
  command: "{{ item }}"
  with_items:
    - /opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart
    - /opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop"
    - /opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd"

Error in Ansible:

failed: [10.6 (item=/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart) => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cp_conf", "sic", "init", "Infy123+", "norestart"], "delta": "0:00:00.018486", "end": "2019-07-17 07:50:20.309823", "item": "/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.291337", "stderr": "/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "stop", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd_admin", "-command", "cpd_admin stop"], "delta": "0:00:00.019825", "end": "2019-07-17 07:50:20.956607", "item": "/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path \"/opt/CPshrd-R80/bin/cpd_admin\" -command \"cpd_admin stop\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.936782", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "start", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd", "-command", "cpd"], "delta": "0:00:00.019049", "end": "2019-07-17 07:50:21.613861", "item": "/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path \"/opt/CPshrd-R80/bin/cpd\" -command \"cpd\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:21.594812", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

Kindly help on this.

Regards,
Athimoolam.A
Iain_King inside API / CLI Discussion and Samples Thursday
views 1647 3 8

Pre-R80.10 dynamic objects from DNS A record lists: one-liner examples

Ever want to allow access to "" or "" or some large lists of A record hosts (like AWS or Azure hosted front end elastic load balancers, or Akamai hosted stuff, etc.)? Domain objects not doing it for you? (reverse lookups only the first address) Logical server objects not doing it for you (like they do in AWS/Azure autoscaling)? Not on R80.10 yet?

Create a dynamic object as a destination, then on the command line do the following. The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (SmartConsole).

//
[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts
Operation completed successfully

To populate the dynamic object run the following:

[Expert@gw-913127:0]# dig +short|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r
Operation completed successfully
Log update success
//

Check the object has been updated (shows both in the logs in Tracker as well):

//
[Expert@gw-913127:0]# dynamic_objects -l
object name : CPDShield
range 0 :
name : dynamic_dns_hosts
range 0 :
1 :
2 :
3 :
4 :
5 :
6 :
7 :
8 :
9 :
completed successfully
//

It's possible to write this into cron (scheduled_task) or run it in a while loop. It's also possible to depopulate the object, delete the object and all the other things too.

If you're interested in doing this in Python, there are some cool tools here (someone at Check Point wrote it):
chkp / dynobj — Bitbucket

Group membership export with IP address

I have a group object that contains close to 600 devices. I can export the group to a csv but it only contains the group information. If I search for a specific device, I can export a csv with hostname, IP address, and description. However, I cannot export a csv with the members of a group with the hostname, IP address, and description. I've looked into some APIs but did not have much luck. Any and all assistance is greatly appreciated.
Danny inside API / CLI Discussion and Samples a week ago
views 144 2 2

Bash - Name and IP of any Gateway?

I'm looking for a way to retrieve the name and IP address of any Check Point gateway locally on the system, exactly as they are shown in the gateway list of SmartConsole, including VS systems. Environment: Expert Mode (Bash). For non-VS systems this can easily be performed via:

grep `hostname` /etc/hosts

However, I need a solution that also works on VSX systems in different VS environments.
Raj_Khatri inside API / CLI Discussion and Samples 2 weeks ago
views 2658 2

Using mgmt_cli without automatic publish

I noticed when using SmartConsole CLI, changes are not automatically published. However, when using mgmt_cli, changes are automatically published. Is there a flag that can be used when using mgmt_cli so you can still review the changes made allowing you to perform a manual publish?
John_Lovinggood inside API / CLI Discussion and Samples 2 weeks ago
views 99517 44 10

Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider-1 to grab all gateways and their corresponding model/software version. However, it gave a very inconsistent result, meaning that some (active) gateways came back with just host name and IP and some came back with host name/IP/OS version/model number. Is anybody aware of a way to pull gateway info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want an active count for inventory. Any such method/script?
Timothy_Hall inside API / CLI Discussion and Samples 2 weeks ago
views 277 2 2

Functionality - API vs. SmartConsole

When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead. I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this.

Some ground rules:
1) Only releases that are GA like R80.30 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R80.40 that doesn't count.
2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations.
3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.
4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post).

So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead. Please feel free to add items to this list or provide corrections:
1) Manipulation of gateway cluster objects
2) Geo Policy
3) HTTPS Inspection
4) Mobile Access Blade
5) Anti-spam & Mail Blade
6) DLP Blade (not Content Awareness)
7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)
8) SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole)
9) QoS Blade/Policies (not APCL/URLF Limits)
10) GUIDBedit operations (performed in a separate GUI from SmartConsole)

Thanks everyone!
inside API / CLI Discussion and Samples 2 weeks ago
views 24233 291 60

Python tool for exporting/importing a policy package or parts of it

Overview

The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more. In case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with a global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository:

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script. To export a package, run the script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu. A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported. Workaround: unassign the Global Policy prior to export.
- Gateway/Cluster objects have to be recreated. Placeholder objects will be created.
- UserCheck messages have to be recreated. Placeholder objects will be created.
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied.

Tested on version R80.x

Source Code Availability

The source code is available through GitHub:

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
KonstantinS inside API / CLI Discussion and Samples 2 weeks ago
views 638 12

show-membership attribute - REST API

Hi all! We just upgraded one test system to R80.20, which brought us API version 1.3. In the past (v1.1 and v1.2) we were also getting the memberships while executing "show-hosts". Since v1.3 there is no members array in the response anymore. Only if we put "show-membership" : true in the request body are we getting them... The documentation says that the default value for the attribute "show-membership" is true in all versions since v1.1. Was there a change in v1.3? Is the documentation wrong in this case?

Regards,
Konstantin
Saxo- inside API / CLI Discussion and Samples 2 weeks ago
views 82 1

Routing BGP advertisement

Hi all, how can I correctly advertise a route on BGP that is directly connected? When I run show bgp peer x.x.x.x advertise I don't see my network advertised. I think I made some wrong command; how can I correctly advertise a network to my peer? I already checked the sk referring to BGP but the explanation was a bit difficult to understand. Can someone help me figure it out? Thank you