Hello All,
Can somebody tell me if there is any possibility how to add a Cluster to the Mgmt (CMA) over the API?
I found only the "add-simple-gateway" but nothing else?
Thanks for info
Radek
Adding cluster objects is one of the handful of operations that still require the use of CPMI and not the R80 API.
It's something planned to be addressed in a later release.
OK, does Check Point have any estimation of when this feature could be part of the API?
Could you send me any reference to documentation on how to use CPMI to build a cluster by script?
Thanks
Radek
To my knowledge, the timelines for incorporating this into the API have not been finalized.
I'm also not aware of any documentation for building a cluster using dbedit (the scriptable way to use CPMI) or if it is even possible.
I would communicate your requirements in this area to your Check Point SE, if you haven't already.
I have managed in the past to build a cluster object using dbedit. It was not without issues though and I think I ended up deleting and creating the cluster object manually in the end.
The topology of the cluster had to be completed manually (I was reverse engineering using GUIDBedit and couldn't work out the dbedit commands for cluster topology (I think I ran out of time)) and a SIC reset also had to be done. I had used the CLI to push SIC certificates. Perhaps the SIC trust pulled from the server rather than pushed is better since a topology get occurs during SIC establishment.
Would be good to know when the API is up to the job (although I am about to look into it on R80.10) and until then if there is a work around until then. That is, other than simple objects created in API to half complete the job of creating the cluster object.
Regards,
Don
Thanks to Nicolas Boisse, you can use this utility - https://community.checkpoint.com/docs/DOC-2625.
Also, please note my caveat there.
Robert.
When can we FINALLY expect such a basic feature as manipulating Cluster objects within R80? R80.30 is GA, without a single API command for this purpose. What a shame.
The cluster API was supposed to be released in R80.30 M1. This is postponed to R80.40 version.
Basic feature? Would be a thing everybody needs any day - but honestly, creating and manipulating hundreds of cluster objects using API is not everybody's favorite daily game, most people still use the Dashboard and are happy nevertheless 😊
Not in case you are managing 30+ clusters with daily VLANs creation 🙂 Monkey job...
How is it possible that an API is released when u can't control a cluster?
More or less the first thing when buying a firewall, the vendor always says "u need a cluster".
Struggling to find something to control VS. Does Check Point see that as a cluster, single gw or something else?
Currently running R80.20 MDS with R80.30 3.1 VSX Clusters.
Hi,
There is currently no API endpoint for adding, changing or deleting VS on a VSX. What we have is a vsx_provisioning_tool to perform these operations using the CLI. To achieve this over the RESTful Management API, one could use a combination of the run-script API endpoint and vsx_provisioning_tool.
Here are two Ansible playbook examples on how to create and delete VS on a VSX using a combination of the run-script endpoint and the vsx_provisioning_tool. More information about the vsx_provisioning_tool can be found in the Check Point VSX R80.x Administration Guide.
R80-AddVS.yml
```yaml
---
# Example playbook to add Virtual System on a Check Point VSX
# Using management API run-script endpoint and the vsx_provisioning_tool binary
# Variables used in this playbook that are defined in vars.yml
# mgmt_user - Admin username for R80 Security Management API
# mgmt_password - Admin password for R80 Security Management API
# mgmt_domain - The Domain to make the changes in, set this to "SMC User" if this is a SMS
# mgmt_server - The MDS or SMS ip to connect to
# mgmt_fingerprint - The API server fingerprint on MDS or SMS
# dms_ip - Domain Management Server IP for the domain where the VSX object exists
# vsx_hostname - Name of the VSX object where the virtual system should be created
# script_targets - list, Should contain name of dms that managed the domain with the VSX object
- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
    - vars.yml
  tasks:
    - name: "login"
      check_point_mgmt:
        command: login
        parameters:
          username: "{{mgmt_user}}"
          password: "{{mgmt_password}}"
          domain: "{{mgmt_domain}}"
          management: "{{mgmt_server}}"
        fingerprint: "{{mgmt_fingerprint}}"
      register: login_response

    # mgmt_password is interpolated into the script text sent to run-script,
    # so treat the output and logs of this task as sensitive.
    - name: "Create VS on VSX with run-script"
      check_point_mgmt:
        command: run-script
        parameters:
          script-name: "Create VS vs{{item}} on VSX {{vsx_hostname}} with run-script"
          script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{dms_ip}} -u {{mgmt_user}} -p {{mgmt_password}} -o add vd name vs{{item}} vsx {{vsx_hostname}} type vs, add interface name eth1.{{item}} ip 1.1.{{item}}.254 netmask 255.255.255.0, add interface name eth2.{{item}} ip 2.2.{{item}}.254 netmask 255.255.255.0"
          targets:
            "{{ script_targets }}"
        session-data: "{{login_response}}"
      # Loops over item = 10, 11, 12 (creates vs10, vs11, vs12)
      with_sequence: start=10 end=12

    - name: "logout"
      check_point_mgmt:
        command: logout
        session-data: "{{login_response}}"
```
R80-RemoveVS.yml
```yaml
---
# Example playbook to remove Virtual System on a Check Point VSX
# Using management API run-script endpoint and the vsx_provisioning_tool binary
# Variables used in this playbook that are defined in vars.yml
# mgmt_user - Admin username for R80 Security Management API
# mgmt_password - Admin password for R80 Security Management API
# mgmt_domain - The Domain to make the changes in, set this to "SMC User" if this is a SMS
# mgmt_server - The MDS or SMS ip to connect to
# mgmt_fingerprint - The API server fingerprint on MDS or SMS
# dms_ip - Domain Management Server IP for the domain where the VSX object exists
# vsx_hostname - Name of the VSX object where the virtual system should be removed
# script_targets - list, Should contain name of dms that managed the domain with the VSX object
- hosts: "localhost"
  connection: local
  gather_facts: no
  vars_files:
    - vars.yml
  tasks:
    - name: "login"
      check_point_mgmt:
        command: login
        parameters:
          username: "{{mgmt_user}}"
          password: "{{mgmt_password}}"
          domain: "{{mgmt_domain}}"
          management: "{{mgmt_server}}"
        fingerprint: "{{mgmt_fingerprint}}"
      register: login_response

    # mgmt_password is interpolated into the script text sent to run-script,
    # so treat the output and logs of this task as sensitive.
    - name: "Remove VS on VSX with run-script"
      check_point_mgmt:
        command: run-script
        parameters:
          script-name: "Remove VS vs{{item}} on VSX {{vsx_hostname}} with run-script"
          script: "$MDS_FWDIR/bin/vsx_provisioning_tool -s {{dms_ip}} -u {{mgmt_user}} -p {{mgmt_password}} -o remove vd name vs{{item}}"
          targets:
            "{{ script_targets }}"
        session-data: "{{login_response}}"
      # Loops over item = 10, 11, 12 (removes vs10, vs11, vs12)
      with_sequence: start=10 end=12

    - name: "logout"
      check_point_mgmt:
        command: logout
        session-data: "{{login_response}}"
```
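An added example, not part of the original post or of Check Point's code: one way to build the script string that the playbooks above pass to run-script, validating object names and addresses and shell-quoting the credentials before they are interpolated. The function names, the name pattern and the sample values are assumptions; only the tool path and its arguments are taken from the playbooks.

```python
import ipaddress
import re
import shlex

TOOL = "$MDS_FWDIR/bin/vsx_provisioning_tool"  # path as used in the playbooks
# Assumption: object names fit this conservative pattern; adapt to your policy.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def _name(value, what):
    if not NAME_RE.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def _ipv4(value, what):
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        raise ValueError(f"invalid {what}: {value!r}") from None


def _netmask(value):
    mask = _ipv4(value, "netmask")
    host_bits = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):  # host part must be 2**n - 1 (contiguous mask)
        raise ValueError(f"non-contiguous netmask: {value!r}")
    return mask


def build_add_vs_script(dms_ip, user, password, vsx, vs_name, interfaces):
    """Build the run-script body; interfaces is a list of (name, ip, netmask)."""
    ops = [f"add vd name {_name(vs_name, 'VS name')} "
           f"vsx {_name(vsx, 'VSX name')} type vs"]
    for if_name, ip, mask in interfaces:
        ops.append(f"add interface name {_name(if_name, 'interface name')} "
                   f"ip {_ipv4(ip, 'interface IP')} netmask {_netmask(mask)}")
    # Credentials can contain shell metacharacters, so quote rather than reject.
    return (f"{TOOL} -s {_ipv4(dms_ip, 'DMS IP')} -u {shlex.quote(user)} "
            f"-p {shlex.quote(password)} -o " + ", ".join(ops))


if __name__ == "__main__":
    # Constructed sample values, mirroring the first loop iteration (item=10).
    print(build_add_vs_script("192.0.2.10", "api_admin", "S3cr et;$x", "vsx-cl1",
                              "vs10", [("eth1.10", "1.1.10.254", "255.255.255.0")]))
```

Quoting stops the shell on the management server from interpreting the values; it does not keep the password out of the script text itself.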
Is there any confirmed release where the cluster object can be created in the API, using a simple command and not a lot of scripts?
Also, is there a document, SK or thread that lists the known limitations of the current and/or previous API version?
Thanks,
Don
👍🏻
Due to constant questions I got about this while teaching a CCAS class, I started an unofficial list of operations that must be performed from a GUI client and cannot be accomplished via the API:
These limitations are generally because the operations listed must be handled in the older fwm process (which is not database-aware) instead of the new cpm process on the SMS/MDS.