Showing results for 
Search instead for 
Did you mean: 
Create a Post
API / CLI Discussion and Samples

Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!


Create list of IPS protections set for packet capture in a specific profile

Used mgmt_cli to generate a json formatted file (ips.json) of all IPS protections (mgmt_cli show threat-protections details-level full) but cannot figure out how to parse out only the profiles with packet capture enabled. cat ips.json | jq ".protections [] | [.name, .profiles]"

Error when trying to export package by

Hi allI have a trouble when trying to export a package from SMC. The message like this :Exporting NAT policyGetting information from show-nat-rulebaseRetrieved 50 out of 65 rules (76%)Traceback (most recent call last):File "", line 59, in <module>export_package(client, args)File "D:\Python\ExportImportPolicyPackage-master\exporting\", line 59, in export_packagenat_data_dict, nat_unexportable_objects = export_nat_rulebase(["name"], client)File "D:\Python\ExportImportPolicyPackage-master\exporting\", line 13, in export_nat_rulebaserulebase_rules, general_objects = get_query_nat_rulebase_data(client, {"package": package})File "D:\Python\ExportImportPolicyPackage-master\exporting\", line 174, in get_query_nat_rulebase_dataif "Automatic Generated Rules : " in rulebase_item["name"]:KeyError: 'name'Does anyone have any ideas for this ?Thank youRegards

Adding a VLAN to a gateway object using Ansible?

I'm using the new Ansible module to orchestrate my lab, and have noticed a quirk in the documentation. From, there is a note on the interfaces item: "Network interfaces. When a gateway is updated with a new interfaces, the existing interfaces are removed." Has anyone tried adding a VLAN using the official modules? I'm thinking it might just be easier to call a script that connects via ssh and adds it via CLI...

Testing Controls for Bash Scripts

Given the amount of resources a bash script can consume, along with any possible service impact it might have, I have been trying to compile a list of 'testing controls' to benchmark any script against before using it on any Check Point device by carrying out the following steps in a lab environment:1) Observe the resources being consumed by the script. This can be done by having two additional Putty sessions open and run the following commands :- watch free -m- top 2) Ensure that there is no service impact by monitoring critical services such as VPN tunnels etc. 3) Ensure that only a specific group of admins have execution privileges over the script. I would appreciate other people's feedback on this topic, particularly of guys like @Robert_Decker and @Danny who are well versed in the art of scripting. My point is that I am after a process to follow when creating scripts for Check Point devices in order to get the maximum value while causing the least possible amount of disruption. Thanks in advance!   

Having issues with publishing policy via web API

Hi,I have a powershell script that is meant to do the following but is failing on publishing policy.  The API gives me the following error but not sure why as I don't have any unpublished changes.  Below are the steps.-Add Host (Sucess)-Add Host to Group (Sucess)-Publish Policy (Fail)-Install Policy (Fail)2019-11-13 09:43:11,233 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp2049910860-30] - Inbound Message----------------------------ID: 76Address: ISO-8859-1Http-Method: POSTContent-Type: application/jsonHeaders: {Accept=[text/plain], connection=[keep-alive], Content-Length=[92], content-type=[application/json], Host=[], User-Agent=[mgmt_cli_gui], X-chkp-debug=[GUI], X-chkp-sid=[aM8KIGMuWuP8rNWBhDI8LzLVXZtR6-z9kIVee-EFYmc], X-Forwarded-For=[], X-Forwarded-Host=[], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[]}Payload: {"groups":"AttackersList","ip-address":"","name":"attacker-"}--------------------------------------2019-11-13 09:43:11,238 INFO [GUI]<init>:21 [qtp2049910860-30] - Cache created and initialized2019-11-13 09:43:11,239 INFO [GUI] [qtp2049910860-30] - Executing [add-host] of version 1.3 (references 1)2019-11-13 09:43:11,834 ERROR [GUI] [qtp2049910860-30] -com.checkpoint.web_services.faults.ValidationRemoteFault: 2 Blocking validation errors were sun.reflect.GeneratedConstructorAccessor264.newInstance(Unknown Source)at sun.reflect.DelegatingConstructorAccessorImpl.newInstance( java.lang.reflect.Constructor.newInstance( org.apache.cxf.interceptor.ClientFaultConverter.processFaultDetail( org.apache.cxf.interceptor.ClientFaultConverter.handleMessage( org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage( org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage( org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage( org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( org.apache.cxf.endpoint.ClientImpl.onMessage( org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal( org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse( org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close( org.apache.cxf.transport.AbstractConduit.close( org.apache.cxf.transport.http.HTTPConduit.close( org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage( org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( org.apache.cxf.endpoint.ClientImpl.doInvoke( org.apache.cxf.endpoint.ClientImpl.invoke( org.apache.cxf.endpoint.ClientImpl.invoke( org.apache.cxf.endpoint.ClientImpl.invoke( org.apache.cxf.frontend.ClientProxy.invokeSync( org.apache.cxf.jaxws.JaxWsClientProxy.invoke( com.sun.proxy.$Proxy244.updateObjectWithReturnControlErrorLevel(Unknown Source)at$ org.aspectj.runtime.reflect.JoinPointImpl.proceed($ org.aspectj.runtime.reflect.JoinPointImpl.proceed( sun.reflect.GeneratedMethodAccessor165.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke( java.lang.reflect.Method.invoke( sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke( java.lang.reflect.Method.invoke( org.apache.cxf.service.invoker.AbstractInvoker.performInvocation( org.apache.cxf.service.invoker.AbstractInvoker.invoke( org.apache.cxf.jaxrs.JAXRSInvoker.invoke( org.apache.cxf.jaxrs.JAXRSInvoker.invoke( org.apache.cxf.interceptor.ServiceInvokerInterceptor$ org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage( org.apache.cxf.phase.PhaseInterceptorChain.doIntercept( org.apache.cxf.transport.ChainInitiationObserver.onMessage( org.apache.cxf.transport.http.AbstractHTTPDestination.invoke( org.apache.cxf.transport.servlet.ServletController.invokeDestination( org.apache.cxf.transport.servlet.ServletController.invoke( org.apache.cxf.transport.servlet.ServletController.invoke( org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke( org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest( org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost( javax.servlet.http.HttpServlet.service( org.apache.cxf.transport.servlet.AbstractHTTPServlet.service( org.eclipse.jetty.servlet.ServletHolder.handle( org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter( org.eclipse.jetty.servlets.CrossOriginFilter.handle( org.eclipse.jetty.servlets.CrossOriginFilter.doFilter( org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter( org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter( org.eclipse.jetty.servlet.ServletHandler.doHandle( org.eclipse.jetty.server.handler.ScopedHandler.handle( org.eclipse.jetty.server.session.SessionHandler.doHandle( org.eclipse.jetty.server.handler.ContextHandler.doHandle( org.eclipse.jetty.servlet.ServletHandler.doScope( org.eclipse.jetty.server.session.SessionHandler.doScope( org.eclipse.jetty.server.handler.ContextHandler.doScope( org.eclipse.jetty.server.handler.ScopedHandler.handle( org.eclipse.jetty.server.handler.ContextHandlerCollection.handle( org.eclipse.jetty.server.handler.IPAccessHandler.handle( org.eclipse.jetty.server.handler.HandlerCollection.handle( org.eclipse.jetty.server.handler.HandlerWrapper.handle( org.eclipse.jetty.server.Server.handle( org.eclipse.jetty.server.AbstractHttpConnection.handleRequest( org.eclipse.jetty.server.AbstractHttpConnection.content( org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content( org.eclipse.jetty.http.HttpParser.parseNext( org.eclipse.jetty.http.HttpParser.parseAvailable( org.eclipse.jetty.server.AsyncHttpConnection.handle($ org.eclipse.jetty.util.thread.QueuedThreadPool.runJob( org.eclipse.jetty.util.thread.QueuedThreadPool$

How to delete more than 10,000 network objects at a time

Hi GuyesMay I ask a queation?How to delete more than 10,000 network objects at once?I want to delete 'Fortigate Tags' network objects.GAIA : R80.30 or R80.20Thanks 
DemisT inside API / CLI Discussion and Samples Wednesday
views 198 2

Ansible 2.9: using the new Check Point modules, getting invalid/incorrect password

Hey,With the new Check Point modules released in Ansible 2.9, I'm trying to run a simple Ansible playbook. Unfortunately when running the playbook, I'm getting an error that says:  fatal: [SMS]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: This system is for authorized use only.\nPermission denied, please try again.", "unreachable": true}  I have enabled the API from SmartConsole dashboard under Manage & Settings > Blades > Management API > All IP addresses and performed an API restart.I've also installed the relevant hotfix (Check_Point_R80.30_JHF_T76_Ansible_Hotfix_sk114661_FULL.tgz) and verified with show installer packages installed.The playbook looks like this:  --- - name: test hosts: management connection: httpapi gather_facts: no tasks: - name: show-networks cp_mgmt_network_facts: details_level: standard register: response   My host file looks like this:  [management:vars] ansible_connection=ssh ansible_user=<Smartconsole user> ansible_password=<SmartConsole password> ansible_python_interpreter="/opt/CPsuite-R8*/fw1/Python/bin/python" ansible_httpapi_validate_certs=False ansible_httpapi_use_ssl=True ansible_network_os=checkpoint   I've verified logging into Smart Console manually with these credentials, which is working. Also a curl command from the ansible host seems to be working: curl -vvvv -H "Content-Type: application/json" -X POST -d '{"user":"demis","password":"adminsystempass123"}' <a href="<a href="" target="_blank"></a>" target="_blank"><a href="</a" target="_blank"></a</a>> --insecure  What am I missing? Edit: I was using the SmartConsole username/password which is probably why the error occurred, but changing it to the Gaia OS username/password gives me this error:An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AssertionError: socket_path must be a value fatal: [SMS]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 102, in <module>\n File \"<stdin>\", line 94, in _ansiballz_main\n File \"<stdin>\", line 40, in invoke_module\n File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/\", line 192, in run_module\n fname, loader, pkg_name)\n File \"/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/\", line 131, in <module>\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/\", line 126, in main\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/\", line 170, in api_call_facts\n File \"/tmp/ansible_cp_mgmt_network_facts_payload_FzOYM2/\", line 121, in __init__\nAssertionError: socket_path must be a value\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Rambod_Fard inside API / CLI Discussion and Samples Wednesday
views 3600 19 3

SmartMove error - converting ASA to CheckPoint

I am trying to convert my ASA config to CheckPoint by SmartMove and receive following error message:"Object reference not set to an instance of an object"Does anyone have any suggestion? Thanks,

API Cluster build

Hello All,Can somebody tell me if there is any possibility how to add a Cluster to the Mgmt (CMA) over the API?I found only the "add-simple-gateway" but nothign else?Thanks for infoRadek

Reading logs in the Management API ?

I see no support for reading logs (audit or rule) in the R80.10 Management API.Am I missing it ?Is it likely to appear in future ?Thanks-gf-
inside API / CLI Discussion and Samples a week ago
views 18566 25 6

Getting a "Forbidden" error message (HTTP status code 403)

In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:ForbiddenYou don't have permission to access /web_api/login on this server.What does it mean?It means that the API server is not configured to accept requests from the machine running your browser.For security reasons, the default settings for the API server allows him to accept requests only from the management server itself and not from any other IP address.If you want your management server to accept API requests from other machines, please follow this procedure:* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.* Click on the "Manage & Settings" button on the left.* Select "Blades"* Look for the "Management API" section and click on "Advanced Settings".Now you can choose between three options:1) Accept API calls from the management server only (the default setting)2) All IP addresses that can be used for GUI clients.    This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.3) All IP addressesOnce you make you selection:* Click the publish button* Use SSH to log into the management server in "expert mode" and type "api restart".
DemisT inside API / CLI Discussion and Samples a week ago
views 325 3

GAiA API failing to install with Ansible

Hi all, I have the following task in my ansible playbook for installing the GAiA API (version 1.3) on my gateways and SMS:- name: Install gaia_api  shell: ./  args:    chdir: /home/admin/gaia_api  register: output- name: Output  debug:    var: output.stdout_lines When I'm running the playbook on my gateways (reimaged with blink_image_1.1_Check_Point_R80.30_Gateway.tgz) and SMS (reimaged with blink_image_1.1_Check_Point_R80.30_Management.tgz), I'm getting the following output after performing a 'gaia_api status' on the gateways, but on the SMS everything seems to be working fine: [Expert@GW1:0]# gaia_api statusTraceback (most recent call last):File "/rest_api/ckp/client_util/", line 2, in <module>from objects.serverStatus import *File "/rest_api/ckp/objects/", line 1, in <module>from infra.annotations import *File "/rest_api/ckp/infra/", line 3, in <module>import rest_rbaFile "/rest_api/libs/", line 7, in <module>import sessions_managerFile "/rest_api/libs/", line 12, in <module>import rest_api_xml_parserFile "/rest_api/libs/", line 8, in <module>import command_factory as factFile "/rest_api/libs/", line 10, in <module>import clishFile "/rest_api/libs/", line 5, in <module>from flaskApi import getRequestHeaderFile "/rest_api/libs/", line 12, in <module>from flask import *ImportError: No module named flask I've checked the Ansible output and even though it says the installation completed successfully it's still giving me the output errors when running gaia_api status. But when I manually run the script it seems to be working.ok: [GW1] => {"output.stdout_lines": ["Starting gaia_api installation","Old version removed successfully","Installing gaia_api...","Successfully installed gaia_api, use \"gaia_api status\" to monitor the state"]} I have my Python interpreter set as: ansible_python_interpreter="/opt/CPsuite-R8*/fw1/Python/bin/python"Remarkably, when I use ansible_python_interpreter=python, I'm getting the following error on the gateways (not on the SMS): fatal: [GW2]: FAILED! => {"changed": false, "module_stderr": "Shared connection to closed.\r\n", "module_stdout": "/bin/sh: python: command not found\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": Which makes me think it's a Python issue.Any suggestions? I'd appreciate some input.
Zeke inside API / CLI Discussion and Samples 2 weeks ago
views 339 1

Trigger API system backups via API

Hello,I'm an absolute novice to firewalls, but I'm fairly familiar with automation using Ansible, Chef, Puppet, etc and the use of of the network engineers presented a use case to trigger "system backups". I'm already able to do configuration backups using Ansible, but the use case presented to me shows "system backups" being triggered from an MDS to multiple gateways. I'm curious about the capabilities of the management API to be able to programmatically trigger these system backups as they seem to contain more than just the "show configuration" command.can anyone point me in the right direction on how to execute this via API call or via a console (CLI/SSH)?Is this feasible/necessary? Regards, Zeke
Greg_Dunlap inside API / CLI Discussion and Samples 2 weeks ago
views 231 1 1

Python API Lib set

a few months ago i found a code snip on here of python calling the web api and i wanted to expand on it to make a more extensible library set. the library set with a test script ... a LOT of debug info is returned.  I've been able to take this and make web front ends via simple cgi calls to automate a lot of firewall object builds etc ..the idea is to call a function like add_a_host that will take arguments and do the json work for you ... and check things like does a host already exist with this IP.  or add_a_host_with_group which will add a host ... if a host object does NOT exist with this IP already.  if a host with that IP exist it will add that host object to the group name that is passed as an argument.   does similar things with networks and IP ranges. example:""" add a host object and add it to a group """ def add_a_host_with_group(ip_addr, name, ip, group, sid): print("temp -- in add_a_host<br>") check_host_obj = {"type" : "host", "filter" : ip, "ip-only" : "true"} chkhst = api_call(ip_addr, "show-objects", check_host_obj, sid) if(chkhst['total'] == 0): #need new host if(name_exist(ip_addr, name, sid) == False): host_to_add = {"name" : name, "ip-address" : ip, "groups" : group, "color" : "light green"} out1 = api_call(ip_addr, "add-host", host_to_add, sid) print(json.dumps(out1)) else: print("object with that name already exist") else: # host exist ... print("host already exist") existing_host_name = chkhst['objects'][0]['name'] # name of existing host add_host_to_group_json = { "name" : group, "members" : { "add" : existing_host_name } } out1 = api_call(ip_addr, "set-group", add_host_to_group_json, sid) print(json.dumps(out1)) so in the main code you can just do something like:apifunctions.add_a_host_with_group(ip_addr, "test176", "", "group1", sid) this will attempt to create a host object named "test176" with ip into a group named "group1" unless something already exist with that IP and then it will add that.ip_addr = raw_input("Enter IP of MDS : ") ip_cma = raw_input("Enter IP of CMA : ") user = raw_input("Enter P1 User : ") password = getpass.getpass('Enter P1 Password :') sid = apifunctions.login(user, password, ip_addr, ip_cma) will get you sid for the login. hope this is helpful.  it's been a huge time savor for me when we're building out policies and i can create a web form for engineers to dump data into and it will create / search for them.
inside API / CLI Discussion and Samples 2 weeks ago
views 18527 22 25

How-to use Postman with R80 Security Management API

What is Postman Postman is a free Google Chrome extension that can be used for testing and experimenting with web-services You can find the latest postman collection file for R80 Security Management API here postman_collection.json   Installation 1) Launch "Google Chrome" and enter "chrome://apps" in the URL bar. 2) Open "Web Store" 3) Search for "Postman" 4) Click on "Add to Chrome" and the following should appear: 5) Add the app and then click on "Launch App"   Setup Postman to work with the R80 Security Management API 1) You can import a list of APIs into your Postman environment using Postman's "collection" feature. This stored list of APIs can help you avoid syntax errors and save you time finding APIs. The various Postman collections can be found as follows: API v 1.00 R80 - API v 1.1 R80.10 - API v 1.2 R80.20.M1 - API v 1.3 R80.20 GA - API v 1.4 R80.20.M2 - API v 1.5 R80.30 - 2) Launch Postman, and click on the "import collection" button. 3) Select "choose files" and select the collection file that you have. After selecting the file, you should see something like this:      4) On the left part of the screen, you should now see the text similar to "Web API – take hero3– 991000104". Click on this text, to see the list of API calls grouped by categories. 5) To set-up the environment variable, click on "Manage environments" and click on add     ---->  6) Add a key called "server" and set it with the value: https://<your-mgmt-ip-address>/web_api 7) Add a key called "session", you can leave its value empty. 😎 Click the "Add" button, to exit this dialog. 9) Click the "X" button to exit the “Manage Environments” screen Activating and testing the R80 Security Management API 1) Open SmartConsole R80, and login to the R80 Security Management 2) When the GUI is opened, go to : Manage & settings -> Blades -> Management API -> Advanced Settings 3) Check “Automatic start”, and pick “All IP Addresses that can be used for GUI clients or All IP addresses”. 4) Press OK 5) Publish 6) Run the command api reconf from clish 7) Make sure the management API server is up and running. Browse to: https://<your-mgmt-ip-address>/api_docs/ You need to accept the self signed certificate warning 😎 You should now see the R80 Management API reference guide   9) In Postman: (A) change the postman environment to the one you set in the previous step. (B) locate the "Login" command in the list of APIs on the left and click on it.(C) Change the values for the user-name and password.(D) Click on the "send" button 10) The output of the "Login" command contains a session-ID (sid) value. This value should be used by all other API calls in the same session as a way to prove the authenticity of the user behind the API call. To set the session-ID for subsequent API calls select the sid value, right click and select "Set:" -> "session". 11) You're done! Choose any other API calls from the collection and run it.