cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!

Harald_Hansen
Harald_Hansen inside API / CLI Discussion and Samples yesterday
views 3151 14 5

Search multiple CMA

In R77.30 one had the possibility to search all CMAs for object usage. I cannot find this feature in R80.10 MDS. There is no mention of the Cross-Domain Management Server Search function in the CP_R80.10_Multi-DomainSecurityManagement_AdminGuide.This was especially useful to find global object use, to limit the number of policies one had to push after updating a single object.Any suggestions for a replacement?Best regards,Harald

Having issues with publishing policy via web API

Hi,I have a powershell script that is meant to do the following but is failing on publishing policy.  The API gives me the following error but not sure why as I don't have any unpublished changes.  Below are the steps.-Add Host (Sucess)-Add Host to Group (Sucess)-Publish Policy (Fail)-Install Policy (Fail)2019-11-13 09:43:11,233 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp2049910860-30] - Inbound Message----------------------------ID: 76Address: http://127.0.0.1:50276/web_api/add-hostEncoding: ISO-8859-1Http-Method: POSTContent-Type: application/jsonHeaders: {Accept=[text/plain], connection=[keep-alive], Content-Length=[92], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[mgmt_cli_gui], X-chkp-debug=[GUI], X-chkp-sid=[aM8KIGMuWuP8rNWBhDI8LzLVXZtR6-z9kIVee-EFYmc], X-Forwarded-For=[127.0.0.1], X-Forwarded-Host=[127.0.0.1], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[10.130.181.25]}Payload: {"groups":"AttackersList","ip-address":"144.139.158.155","name":"attacker-144.139.158.155"}--------------------------------------2019-11-13 09:43:11,238 INFO [GUI] com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:21 [qtp2049910860-30] - Cache created and initialized2019-11-13 09:43:11,239 INFO [GUI] com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:51 [qtp2049910860-30] - Executing [add-host] of version 1.3 (references 1)2019-11-13 09:43:11,834 ERROR [GUI] com.checkpoint.management.web_api.utils.WebApiCommandExceptionUtils.getErrorReply:94 [qtp2049910860-30] -com.checkpoint.web_services.faults.ValidationRemoteFault: 2 Blocking validation errors were found.at sun.reflect.GeneratedConstructorAccessor264.newInstance(Unknown Source)at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)at java.lang.reflect.Constructor.newInstance(Constructor.java:437)at org.apache.cxf.interceptor.ClientFaultConverter.processFaultDetail(ClientFaultConverter.java:182)at org.apache.cxf.interceptor.ClientFaultConverter.handleMessage(ClientFaultConverter.java:82)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1642)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1533)at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1336)at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:652)at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)at com.sun.proxy.$Proxy244.updateObjectWithReturnControlErrorLevel(Unknown Source)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager.updateObjectWithReturn_aroundBody30(RemoteObjectCrudManager.java:24)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager$AjcClosure31.run(RemoteObjectCrudManager.java:1)at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)at com.checkpoint.management.web_api_is.aspects.logging.WebApiMethodLoggerAspect.aroundMethodLoggerTest(WebApiMethodLoggerAspect.java:13)at com.checkpoint.management.web_api_is.utils.managers.RemoteObjectCrudManager.updateObjectWithReturn(RemoteObjectCrudManager.java:72)at com.checkpoint.management.web_api_is.core.handler.base.ApiObjectRequestHandler.doUpdateObjectForAdd(ApiObjectRequestHandler.java:34)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler.add_aroundBody0(ApiCrudRequestHandler.java:19)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler$AjcClosure1.run(ApiCrudRequestHandler.java:1)at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)at com.checkpoint.management.web_api_is.aspects.logging.WebApiMethodLoggerAspect.aroundMethodLoggerTest(WebApiMethodLoggerAspect.java:13)at com.checkpoint.management.web_api_is.core.handler.base.ApiCrudRequestHandler.add(ApiCrudRequestHandler.java:52)at com.checkpoint.management.web_api.core.handler.objects.network_objects.host.HostRequestHandler.add(HostRequestHandler.java:11)at sun.reflect.GeneratedMethodAccessor165.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:7)at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:81)at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)at java.lang.reflect.Method.invoke(Method.java:508)at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:181)at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:97)at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)at javax.servlet.http.HttpServlet.service(HttpServlet.java:755)at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)at org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247)at org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)at com.checkpoint.management.web_api.core.filter.LogCustomDebugFieldFilter.doFilter(LogCustomDebugFieldFilter.java:19)at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)at org.eclipse.jetty.server.handler.IPAccessHandler.handle(IPAccessHandler.java:203)at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)at org.eclipse.jetty.server.Server.handle(Server.java:370)at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)at java.lang.Thread.run(Thread.java:785)

Check Point Ansible Module in Ansible 2.8 Version with MDS

Hello, we are testing ansible automatisation on our MDS . I used this SK, but I can't find any information how to specify a special CMA Domain: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114661&partition=General&product=Security  My Hosts File looks like this: /etc/ansible/hosts[checkpoint]1.1.1.1[checkpoint:vars]ansible_httpapi_use_ssl=Trueansible_httpapi_validate_certs=Falseansible_user=api-useransible_password=passwordansible_network_os=checkpoint My Ansible runbook lookes like that: cat create-host2.yml---- hosts: checkpointconnection: httpapi# domain: "Global"tasks:- name: add-hostcp_mgmt_host:ip_address: "192.0.2.1"name: "New Host 1"state: "present"Does anyone know how to specify a CMA Domani in this Version? In the old Version https://github.com/CheckPointSW/cpAnsible you could do this with the parameter -domain Can anyone help me with that? 

Help Exporting Rulebase Data

Hi, I have what i thought would be a simple requirement to export our rulebase to csv for me to share some information on some specific rules. I have looked around the forum and have struggled to land the best and simplest way of doing this.The export option in R80 smartdashboard GUI does not work for me as i need to understand the nested groups or the objects / subnets inside of the groups as well as the high level group information.Is there anything around that is already pre-written script wise to make this happen? running python directly from my machine will be a challenge and my scripting knowledge is limited. Running R80.20. Any help would be really appreciated.

Finding a URL in all custom Application/Sites rather than just one

Hi,I have a script currently utilising the mgmt api to open a specific application/site and show all the URL's listed. I then can then grep a saved output to find a single URL. I look to add filtering built into the script but has anyone had any experience with looping over all application/sites to find a single URL?Tom
Jin_Zhou
Jin_Zhou inside API / CLI Discussion and Samples a week ago
views 201 2

How to use run-script to get IPS information on a VS of VSX?

I am trying to use run-script to get IPS information on a VS of VSX. Say VS 3 on cli I could do following:vsenv 3ips statBut if I put it in run-script as follow, api could not find vsenv command.mgmt_cli -r true -d Mydomain -VSX run-script script-name test script "vsenv3; ips stat" targets.1 vsx1 -f json Also tried to put the two commands in a script, test.sh:#!/bin/bashvsenv 3ips statthen runmgmt_cli -r true -d Mydomain -VSX run-script script-name test script "/mydir/test.sh" targets.1 vsx1 -f jsonit does not work either. Any idea how to get this to work or any way that can get IPS info on VS?
Ed_Eades
Ed_Eades inside API / CLI Discussion and Samples a week ago
views 16621 15 6

Bulk Add Network Objects

I am looking for advice on how to bulk add network objects.  I need to add around 550 networks and we are on GAIA R80.10.  I have read some about dbedit, Using a dbedit script to create new network objects and network object groups, but I am not sure if that would still be the best method.  I will also mention I have never used dbedit.  When adding these network objects I would also like to add a description on each network object.  The dbedit link does not include the syntax for the description. I came across a thread on cpug that If R80, there are more robust CLI for these things.  You can find documentation and several examples at https://community.checkpoint.com.Thanks in advance!
Employee+

o365 dynamic objects script

This script pulls the current list of office365 IP Addresses referenced from Office 365 IP Address and URL Web service | Microsoft Docs to https://endpoints.office.com/endpoints/worldwide. It then creates dynamic objects for each set of Service Areas that have ipv4network ranges defined in the json document. Once run once an administrator should pull the resulting objects to populatethe policy and then rerun once policy is pushed.This does not have scheduling at this time.This has been updated to version 3.
Employee

Create list of IPS protections set for packet capture in a specific profile

Used mgmt_cli to generate a json formatted file (ips.json) of all IPS protections (mgmt_cli show threat-protections details-level full) but cannot figure out how to parse out only the profiles with packet capture enabled. cat ips.json | jq ".protections [] | [.name, .profiles]"
Employee+

Blocking TOR exit nodes with Python and R80.10 API

Hi all,I wrote a script in Python using our API. The goal was clear, block around 1k IP addresses automatically and in a visual way, not through fw sam rules You can execute this script every day manually or you can schedule it using Crontab for example.Tu use it in your environment you just need to change these variables at the begining and execute it! You can find the script here: GitHub - toledanosjesus/chkp After the first execution of the script, you just need to configure correctly your firewall policy. You need to have something similar to this:Be aware this script is using python 2.7. You'll need to modify it a bit in case you want to use python 3.xEnjoy!

Read-Only account for Gaia API?

For the GAIA API we are trying to create a role that allows the users to only use show commands, but currently all we can get working is a user with the full admin role. In our case we are using TacAcs authentication and the role associated to this also needs to be assigned otherwise it will not work. Any idea how to configure the role for a Read-Only API user?
Nüüül
Nüüül inside API / CLI Discussion and Samples 2 weeks ago
views 3195 19 14

Basic script for importing IP Address objects from feed (here office365)

Can be adapted to other feeds with CIDR addresses.Created Objects are then added to a group - defined at the topcompares current group members with new feed and adds new / removes unused ones.Logging is kind of ugly, but in progress. i planned to run this every day on my lab environment as cron. kind of works cheers,Danielany hints and improvements appreciated
udanap
udanap inside API / CLI Discussion and Samples 2 weeks ago
views 2918 3

How to merge policy packages in one R80.10 CMS to another existing R80.10 CMS using python tool?

Hi All,I need to import some policy packages from one R80.10 CMS to another R80.10 CMS. I used the python tool to export each and every policy packages from the first CMS. But when I tried to import them one by one to the 2nd CMS, first policy package was imported with its objects without any issues but when importing the 2nd policy package, new  objects were created with the name of  "NAME_COLLISION_RESOLVED_". I think it is because during the import of 1st policy package, majority of the objects were imported and during the 2nd policy package import, it tried to import same objects again and  met with name collisions. Then all those duplicated objects were renamed as NAME_COLLISION_RESOLVED_objects and saved as new objects. Is there anyway to overcome this issue? Or any other successful method to import those policies? I really appreciate you respondsThanks and Regards,udanap
Jaime_Gonzalez_
Jaime_Gonzalez_ inside API / CLI Discussion and Samples 2 weeks ago
views 14243 5 1

Re: Python tool for exporting/importing a policy package or parts of it

Hello,Also having problems while exporting package:Login failed: APIResponse received a response which is not valid JSON.I'm using Python:Python 2.7.9 (default, Mar  1 2015, 12:57:24)[GCC 4.9.2] on linux2Against R80 - Build 101Can you please help me with this?Thank you in advance.
PhongNN
PhongNN inside API / CLI Discussion and Samples 3 weeks ago
views 319 7 1

Error when trying to export package by import_export_package.py

Hi allI have a trouble when trying to export a package from SMC. The message like this :Exporting NAT policyGetting information from show-nat-rulebaseRetrieved 50 out of 65 rules (76%)Traceback (most recent call last):File "import_export_package.py", line 59, in <module>export_package(client, args)File "D:\Python\ExportImportPolicyPackage-master\exporting\export_package.py", line 59, in export_packagenat_data_dict, nat_unexportable_objects = export_nat_rulebase(show_package.data["name"], client)File "D:\Python\ExportImportPolicyPackage-master\exporting\export_nat_rulebase.py", line 13, in export_nat_rulebaserulebase_rules, general_objects = get_query_nat_rulebase_data(client, {"package": package})File "D:\Python\ExportImportPolicyPackage-master\exporting\export_objects.py", line 174, in get_query_nat_rulebase_dataif "Automatic Generated Rules : " in rulebase_item["name"]:KeyError: 'name'Does anyone have any ideas for this ?Thank youRegards