
How can we install on multiple firewalls using install policy command from API CLI

Hi Team,

I have explored the API reference posted in CheckMates. It gives the command below to deploy policy from the API CLI on a single firewall. Similarly, if we want to run policy installation on all firewalls of a CMA, what is the command?

API Reference: https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/install-policy~v1.2

Single Firewall:

    mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --version 1.1 --format json

Multiple Firewall:

    mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway corporate-gateway1 corporate-gateway2 " --version 1.1 --format json

In double quotes, can we include multiple firewalls by giving space?

Regards
Revathi
Employee+

A tool for CheckPoint Management and CheckPoint automation with Ansible

Hello all,

I would like to share with you a tool for automatic configuration of Check Point management server and Check Point gateways. The tool is based on CP Management API, CP GAiA API, Ansible and enables a range of gateways and management related configuration actions. The tool is easily extendable. The tool can be considered as a good starting point for the automation of your Check Point environment.

For management server

The following configuration is possible on the management server:

- Create/delete network, ranges, services objects
- Create/delete policy packages
- Add rules to the policy packages
- Add gateways, establish SIC
- Install policy on the gateways

For gateways

The following configuration is possible on gateways in accordance with various gateway attributes like CMA, SW version, gateway type, platform type, gateway IP.

- DNS configuration
- Users configuration
- Expert password configuration
- User public keys copy
- ...

Which means you can configure DNS, Users, Expert password or Users public keys specifically for gateways in certain CMAs or for gateways having certain SW version, or platform type, or IP address.

Below are the tool structure and the steps for the gateways configuration part.

1. Ansible playbook starts Dynamic Inventory Script
2. Dynamic Inventory Script gets the list of all gateways from SMS or MDS via MGMT API.
3. Dynamic Inventory Script reads the services configuration files.
4. Dynamic Inventory Script creates the Ansible inventory files based on gateways list and services configuration.
5. Ansible configures the gateways via GAiA API (and via SSH for expert mode) according to inventory files.

License, warranty, contact

The tool is provided with APACHE2.0 and without any liability, warranty or support. In case you are interested in support or customization, please contact Check Point Professional Services under: PS-AUTOMATION@MICHAEL.CHECKPOINT.COM.

Detailed tool information is provided in the attached documentations and videos.

I hope the tool will be beneficial for you and I would appreciate your feedback. 🙂

Regards,
Yevgeniy
Tomer_Sole
inside API / CLI Discussion and Samples yesterday
views 26888 12 3
Mod

How to export and import IPS profiles and their overridden protections in R80.10

Prior to R80, there was a closed-source tool by Check Point called export_import_profile.

Starting with R80:

1. The back-end representation of profiles and protections has changed, so the tool is no longer supported.
2. The open API enables any customer to make their own export and import operations.

Step 1: On the source machine, export the specific Threat Prevention Profile

The show threat-profile command returns a structure of the profile's settings.

Example:

    show threat-profile name MyOrganization details-level full

    uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
    name: "MyOrganization "
    type: "threat-profile"
    domain:
      uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
      name: "Check Point Data"
      domain-type: "data domain"
    active-protections-performance-impact: "medium"
    active-protections-severity: "Medium or above"
    confidence-level-low: "Inactive"
    confidence-level-medium: "Prevent"
    confidence-level-high: "Prevent"
    ips: true
    ips-settings:
      newly-updated-protections: "staging"
      exclude-protection-with-performance-impact: false
      exclude-protection-with-severity: false
    threat-emulation: true
    anti-virus: true
    anti-bot: true

Step 2: On the source machine, export IPS Protections which had their action overridden for this specific Threat Prevention Profile

This part is a little tricky - you have to go over all protections, and only pick the ones that have a different action for your profile.

The show threat-protections command returns the protections. There is no way to get all the IPS Protections as one response, since that would make the output so big it will fail to return. Therefore we have to use the "offset" parameter to advance and get 50 protections every time.

In the example below, the first protection just happened to have an override action for the "MyOrganization" profile. The second protection did not have an override action for the "MyOrganization" profile.

Example:

    show threat-protections offset 0 details-level full

    protections:
    - uid: "8027f5c8-1bac-cf49-99a3-59a89a35cdb6"
      name: "3Com Network Supervisor Directory Traversal"
      type: "threat-protection"
      domain:
        uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
        name: "SMC User"
        domain-type: "domain"
      severity: "High"
      confidence-level: "Medium"
      performance-impact: "Low"
      release-date: "20091124"
      update-date: "20091124"
      profiles:
      - name: "Basic"
        uid: "eb39a60d-c454-49f5-a28c-a89aa5bd2e09"
        default:
          action: "Inactive"
          track: "log"
          capture-packets: false
        final:
          action: "Inactive"
          track: "log"
          capture-packets: false
      - name: "Strict"
        uid: "caf8b711-d762-4c1e-82d5-6af2549b2869"
        default:
          action: "Prevent"
          track: "log"
          capture-packets: false
        final:
          action: "Prevent"
          track: "log"
          capture-packets: false
      - name: "MyOrganization"
        uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
        default:
          track: "log"
          capture-packets: false
        override:
          action: "Prevent"
          track: "log"
          capture-packets: false
        final:
          action: "Prevent"
          track: "log"
          capture-packets: false
      comments: ""
      follow-up: false
      ipsAdditionalProperties: ...
      name: "3Com TFTP Server Transporting Mode Remote Buffer Overflow"
      type: "threat-protection"
      - name: "MyOrganization"
        uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
        default:
          action: "Inactive"
          track: "log"
          capture-packets: false
        final:
          action: "Inactive"
          track: "log"
          capture-packets: false
    ...

Step 3: On the target machine, create the new profile.

The add threat-profile command creates a new Threat Prevention Profile. You have to convert the output from step 1 to a command-line with the values.

Example:

    add threat-profile name MyOrganization active-protections-performance-impact "medium" active-protections-severity "Medium or above" confidence-level-low "Inactive" confidence-level-medium "Prevent" confidence-level-high "Prevent" ips true ips-settings.newly-updated-protections "staging" ips-settings.exclude-protection-with-performance-impact false ips-settings.exclude-protection-with-severity false threat-emulation true anti-virus true anti-bot true

Step 4: On the target machine, set protection actions for the specific protections that were exported at step 2.

The set threat-protection command lets you change the action of the protection for a given profile.

Example:

    set threat-protection name "3Com Network Supervisor Directory Traversal" overrides.1.profile MyOrganization overrides.1.action Prevent
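The filtering in steps 2 and 4 above, as an added example that is not part of the original post or Check Point's own code: it pages through protections 50 at a time, keeps those carrying an "override" entry for the profile, and builds the matching set threat-protection lines. The names fetch_page, quote and sample_fetch are hypothetical, the sample pages are constructed, and the field names are assumed to match the output shown in step 2.

```python
PAGE_SIZE = 50  # the post fetches 50 protections per "offset" step

def quote(value):
    # Assumption: values are passed double-quoted, as in the post's examples.
    # Refuse anything that could break out of the quotes.
    if '"' in value or any(ord(c) < 32 for c in value):
        raise ValueError("unsafe value: %r" % value)
    return '"%s"' % value

def overridden_protections(fetch_page, profile):
    """Yield (name, override) for protections overridden in `profile`.
    fetch_page(offset) is a hypothetical callable returning the parsed
    output of "show threat-protections offset N details-level full"."""
    offset = 0
    while True:
        page = fetch_page(offset).get("protections") or []
        if not page:  # an empty page means every protection has been read
            return
        for protection in page:
            for entry in protection.get("profiles", []):
                if entry.get("name") == profile and "override" in entry:
                    yield protection["name"], entry["override"]
        offset += PAGE_SIZE

def import_commands(fetch_page, profile):
    """Build the step 4 "set threat-protection" lines for the target."""
    return [
        "set threat-protection name %s overrides.1.profile %s overrides.1.action %s"
        % (quote(name), quote(profile), quote(override["action"]))
        for name, override in overridden_protections(fetch_page, profile)
    ]

def _entry(name, action, override=None):
    # Constructed profile entry shaped like the step 2 output.
    entry = {"name": name, "default": {"action": action},
             "final": {"action": override or action}}
    if override:
        entry["override"] = {"action": override, "track": "log"}
    return entry

SAMPLE_PAGES = {  # constructed data: offset -> parsed response
    0: {"protections": [
        {"name": "3Com Network Supervisor Directory Traversal",
         "profiles": [_entry("Basic", "Inactive"),
                      _entry("MyOrganization", "Inactive", "Prevent")]},
        {"name": "3Com TFTP Server Transporting Mode Remote Buffer Overflow",
         "profiles": [_entry("MyOrganization", "Inactive")]}]},
    50: {"protections": [
        {"name": "Constructed Example Protection",
         "profiles": [_entry("MyOrganization", "Inactive", "Detect")]}]},
}

def sample_fetch(offset):
    return SAMPLE_PAGES.get(offset, {"protections": []})
```

Only protections with an override for the named profile produce a command, so the second sample protection, which has only default and final actions, is skipped.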

Looking for ISOmorphic Additional OS Configuration Script format

Hello Checkmates,

As the subject indicates, I would like to rapidly deploy using the scripts which can be included in the additional OS configuration and am unsure regarding the format of the script.

Does it follow standard clish commands and I can do as follows

    set domainname domain.local
    set dns primary 1.1.1.1
    set interface Mgmt ipv4-address 2.2.2.2 mask-length 24
    ... etc
Employee

Script to Automate GAIA Configuration backup

Hi,

I wrote the below script for my customer to automate GAIA configuration backup of gateways. The script runs on management and it can fetch the "show configuration" of all the gateways and create a file for each individual gateway.

Steps:

Perform the below on the management server.

1. Create a directory called gaiagwbkp under /var/log
2. Create a file called gateway_ip_list.txt under /opt/CPsuite-R80/fw1/scripts and add the IP address of the gateway which is being managed by the same management server

    [Expert@PROD-MGMT-R80:0]# cat gateway_ip_list.txt
    10.1.1.254
    [Expert@PROD-MGMT-R80:0]#

3. Create a file called gaiafwbkp.sh under /opt/CPsuite-R80/fw1/scripts, copy the script content and change the file permission

*****************************************

    [Expert@PROD-MGMT-R80:0]# cat gaiafwbkp.sh
    #!/bin/bash
    # Load the Check Point environment variables
    source /opt/CPshrd-R80/tmp/.CPprofile.sh
    # gateway_ip_list.txt holds one gateway IP address per line
    for dest in $(<gateway_ip_list.txt); do
        # Ask the gateway for its hostname, used in the backup file name
        hostname=$(cprid_util -server "$dest" -verbose rexec -rcmd /bin/bash -c "hostname")
        now=$(date +"%m_%d_%Y")
        # Save the clish "show configuration" output to one file per gateway
        cprid_util -server "$dest" -verbose rexec -rcmd /bin/clish -c "show configuration" > "/var/log/gaiagwbkp/${hostname}${now}"
    done

************************************

4. Run the script gaiafwbkp.sh
5. Schedule a job from the GAIA portal using the job scheduler
6. If needed, you can run another job to ftp these backup files to an ftp server as well
Mod

postman_collection R80.30

Postman collection for Check Point R80.30 (1.5 API)

R80.20 Mgmt API issue

We need help with this issue happening in R80.20. We see the API service stopping randomly and at that point we need to manually restart the service, but of course we are trying to find out what is causing it to stop running randomly. This is very annoying. Below is the output of the API status when the issue happens:

    [Expert@cglscc4a:0]# api status

    API Settings:
    ---------------------
    Accessibility:                      Require all granted
    Automatic Start:                    Enabled

    Processes:

    Name      State     PID       More Information
    -------------------------------------------------
    API       Stopped
    CPM       Started   4929      Check Point Security Management Server is running and ready
    FWM       Started   2192
    APACHE    Started   4180

    Port Details:
    -------------------
    JETTY Internal Port:      50276
    APACHE Gaia Port:         4434 (a non-default port)
                              When running mgmt_cli commands add '--port 4434'
                              When using web-services, add port 4434 to the URL

    --------------------------------------------
    Overall API Status: The API Server Is Not Running!
    --------------------------------------------

    Notes:
    ------------
    To collect troubleshooting data, please run 'api status -s <comment>'

set-if-exists example

Could I have an example on how to use "set-if-exists"? And what versions of the API is this command compatible with?

R80.10 API install database

Is there a way to sync management/log servers via the "install database" via the API? Not having any luck finding it in the API reference guide.

How to create a radius server object via API?

Hi all,

just wondering how to create a radius server object via API in R80.20. I'm afraid it's not possible. Hopefully I'm wrong 😞

Cheers,
Martin
PhoneBoy
inside API / CLI Discussion and Samples Sunday
views 1467 27 16
Admin

SmartMove

Overview

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database. The tool parses Cisco ASA (version 8.3 and above), JunOS (version 12.1 and above), ScreenOS (version 6.3 and above), Fortinet (FortiOS version 5 and above), and Palo Alto Networks (Version 7 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.x compliant policy. For PAN, we also convert application definitions (including Application Groups and Application Filters). The tool is planned to support additional vendors and security configurations in the future.

The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.x Management (or Multi-Domain) server.

Description

The tool is developed using Microsoft C# language and .Net framework version 4.5 (WPF application). The project solution file is configured for Microsoft Visual Studio 2012 and above.

Instructions

Code is available on GitHub: SmartMove
Tool can be downloaded from: sk111546

Code Version

Code version 0.0.0

Tested on version R80.10, API version 1.1

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...

Command to set the expert password in CLI using playbooks/scripts

Hi Team,

Is there any command to set the expert password without user interaction? We are automating the creation of a new user and the setting of an expert password through Ansible. Please let me know if any commands work without manual intervention. We have to give the expert password as a single command. If we give set-expert pass, it asks us to give the password manually. Please help me with the same.

Regards
Aathi

how to create a radius server object via API?

Hi all,

does anyone know how to create a radius server object via API? I'm afraid it's not possible at all. Hopefully I'm wrong 😞

Cheers,
Martin
Inbar_Moskovich
inside API / CLI Discussion and Samples a week ago
views 21318 289 60
Employee+

Python tool for exporting/importing a policy package or parts of it

Overview

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.

To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu.

A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:

- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
- Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version R80.x

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
Ivan_Moore
inside API / CLI Discussion and Samples a week ago
views 1320 14

Is there an equivalent command to a global policy assignment with install?

In R77 I could run a command like this:

    mdscmd install-globalpolicy -install -l DOMAIN

and it would push out all policies in that domain.

I can't find the "-install" option in R80 from the command line... seems to still be there in the GUI.

I can do this:

    mgmt_cli assign-global-assignment global-domains Global dependent-domains DOMAIN -s ID.txt --format json

which will do the same as the previous command without the "-install".

Is it possible to do the "-install"?