Re: BASH Framework for Management API Commands

Bob_Zimmerman · ‎2023-01-21

I'm working on a program which interacts with Check Point's management API. As is common when programming anything substantial, I built some smaller tools to help me along the way. I thought I would share one, since it has broad applicability.

This is a script framework to abstract away some management API implementation details and concerns which annoyed me. Specifically, it handles counting how many API command you have run and publishing every 80, setting the session details after every publish, and publishing before logging out. Using it, you never need to explicitly publish. You write API commands, and they just work. I use it to add a predictable set of objects, policies, rules, and so on to new management VMs or after rebuilding my personal standalone.

#!/usr/bin/env bash
sessionName="Initial Build"
sessionDescription="Building my initial config for a new lab management."

publishEvery=80
changeCount=1
publishBatch=1

function mgmtCmd {
	commandToRun=""
	for element in "${@}"; do
		if [[ "$element" =~ \  ]]; then
			commandToRun="${commandToRun} \"${element}\""
		else
			commandToRun="${commandToRun} ${element}"
		fi
	done
	echo "${commandToRun}" | xargs mgmt_cli -s session.txt
	if [ $? -eq 0 ]; then
		echo "Success ${publishBatch}.${changeCount}"
		((changeCount+=1))
	else
		echo "Failed: ${commandToRun}"
	fi
	if [ ${changeCount} -gt ${publishEvery} ]; then
		echo "Publishing..."
		publish
		setupSession
		((publishBatch+=1))
	fi
}

function publish {
	mgmt_cli -s session.txt publish
}

function setupSession {
	changeCount=1
	mgmt_cli -s session.txt set session new-name "${sessionName}" description "${sessionDescription}" > /dev/null
}

function login {
	mgmt_cli -r true login > session.txt
	setupSession
}

function logout {
	publish
	mgmt_cli -s session.txt logout > /dev/null
	rm session.txt
}

login
mgmtCmd add dns-domain name ".github.com" is-sub-domain false
mgmtCmd add network name "RFC 10/8" subnet4 "10.0.0.0" mask-length4 8 broadcast allow
mgmtCmd add tag name "Development"
...
...
...
mgmtCmd add package name "InstalledNowhere" access true
installedNowhereUuid=$(mgmt_cli -f json -s session.txt show package name "InstalledNowhere" details-level uid | jq '.uid')
mgmtCmd set generic-object uid "${installedNowhereUuid}" installationTargets "SPECIFIC_GATEWAYS"
logout

The mgmtCmd function doesn't return anything, so if you need to get output of a command (such as to find the UUID of an object you just created), you will need to call mgmt_cli directly as you can see in the last few lines.

Danny · ‎2023-01-21

Thx for sharing!

Bob_Zimmerman · ‎2023-10-21

I made a few internal improvements.

Added support for connecting to the management API on non-default ports. This helps when using the framework not for initial builds, but for building lots of things in an existing management.
Switched from a static "session.txt" file to store the session cookie to a temp file provided by mktemp. This way, each run of the script will get a different file. You could potentially run multiple instances at the same time now. Again, this is mostly useful for existing management servers which multiple admins might be modifying at once.
Added an argument to login to allow it to support logging in to a management domain. On a SmartCenter, this can be used to log in to System Data to change API settings, for example. It also allows the script to be used to build an MDS.

#!/usr/bin/env bash
sessionName="Initial Build"
sessionDescription="Building my initial config for a new lab management."

publishEvery=80
changeCount=1
publishBatch=1
apiPort=$(api status | grep 'APACHE Gaia Port' | awk '{print $NF}')
sessionCookie=$(mktemp)

function mgmtCmd {
	commandToRun=""
	for element in "${@}"; do
		if [[ "$element" =~ \  ]]; then
			commandToRun="${commandToRun} \"${element}\""
		else
			commandToRun="${commandToRun} ${element}"
		fi
	done
	echo "${commandToRun}" | xargs mgmt_cli --port "${apiPort}" -s "${sessionCookie}"
	if [ $? -eq 0 ]; then
		echo "Success ${publishBatch}.${changeCount}"
		((changeCount+=1))
	else
		echo "Failed: ${commandToRun}"
	fi
	if [ ${changeCount} -gt ${publishEvery} ]; then
		echo "Publishing..."
		publish
		setupSession
		changeCount=1
		((publishBatch+=1))
	fi
}

function publish {
	mgmt_cli --port "${apiPort}" -s "${sessionCookie}" publish
}

function setupSession {
	mgmt_cli --port "${apiPort}" -s "${sessionCookie}" set session new-name "${sessionName}" description "${sessionDescription}" > /dev/null
}

function login {
	mgmt_cli --port "${apiPort}" -d "${1}" -r true login > "${sessionCookie}"
	setupSession
}

function logout {
	publish
	mgmt_cli --port "${apiPort}" -s "${sessionCookie}" logout > /dev/null
	rm "${sessionCookie}"
}

login "System Data"
mgmtCmd set api-settings accepted-api-calls-from "all ip addresses that can be used for gui clients"
logout
api restart

login
mgmtCmd add dns-domain name ".github.com" is-sub-domain false
mgmtCmd add network name "RFC 10/8" subnet4 "10.0.0.0" mask-length4 8 broadcast allow
mgmtCmd add tag name "Development"
...
...
...
mgmtCmd add package name "InstalledNowhere" access true
installedNowhereUuid=$(mgmt_cli --port "${apiPort}" -f json -s "${sessionCookie}" show package name "InstalledNowhere" details-level uid | jq '.uid')
mgmtCmd set generic-object uid "${installedNowhereUuid}" installationTargets "SPECIFIC_GATEWAYS"
logout

Are you a member of CheckMates?

BASH Framework for Management API Commands