Hey everybody,
I am new to Checkpoint CLI and I want to organize and view certain things.
How would I be able to view all network objects, rules, etc?
I guess what commands would I use?
The answer is largely version dependent.
If your management is R80+, then I'd start with the mgmt_cli tool, documented here: Check Point - Management API reference
If you're using R77.30 and earlier, then I'd start with the dbedit command, documented here: Command Line Interface R77
I would also have a look through the Developers (Code Hub) space, which has a lot of discussion on the API/CLI.
Hi Dameon,
We are on R80+ for Mgmt and the Mgmt API reference you have pointed to doesn't really help in listing all network objects... There is a limit on the number of items listed (0-500), and even then the output doesn't list the objects and their members. It only displays the object names, which we can export from smart console\object explorer anyways.
Yes, the API has a limit to the number of items that can be output at once.
You would need to iterate with multiple API calls using the offset parameter to get the next 500 objects.
You also have to request the correct detail level in the API and correctly parse the output.
One example that exports various objects in CSV format: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.29.02...
Thank you for the link... Unfortunately my current access is RO for all FWs we manage and I can't get to expert mode to be able to execute those commands/scripts in the links shared. Will have to request our service provider for what I am after.
You can do this with the API, but you're going to have to make successive API calls, like I said.
I managed to do the following from the CLI of a different Linux host (not the management server) running bash.
This assumes that "curl" and "jq" are installed, which are fairly common utilities (curl fetches web content, jq parses JSON output).
SID=`curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/login" --data-binary "{\"user\": \"aa\", \"password\": \"aaaa\" }" -H "Content-Type: application/json" | jq -r .sid`
curl --silent --insecure -XPOST https://10.6.5.250/web_api/v1.3/show-hosts --data-binary "{ \"offset\": 0, \"limit\": 500, \"details-level\": \"full\" }" -H "Content-Type: application/json" -H "X-chkp-sid: $SID" | jq -r '.objects[] | .name + "," + ."ipv4-address"'
curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/logout" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: $SID"
The first command (starting with SID) does a login to the API with username aa / password aaaa, obtaining a session ID, and storing it in the shell variable SID.
The second command calls curl and will fetch the first 500 host objects from the management and output the name and IPv4 address of the object in a comma separated list.
The third command (also a curl command) issues a logout command, invalidating the SID.
There are probably programmatic ways to automate this further, but that should get you started.
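The offset iteration described in the replies above, written out as an added example (not code from the thread or from Check Point): it pages through a show-* command until the `to` index in the response reaches `total`, requesting `details-level` full. It verifies the management server's certificate rather than using `--insecure` and reads credentials from the environment; the `MGMT_URL`, `MGMT_USER` and `MGMT_PASSWORD` variable names and all function names are assumptions.

```python
import json
import os
import urllib.request

def make_api_call(base_url, sid=None):
    """Return call(command, payload) that POSTs JSON to the Management API.
    urllib verifies the TLS certificate by default (no --insecure equivalent here)."""
    def call(command, payload):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"{base_url}/{command}",
                                     data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def fetch_all(call, command, page_size=500, details_level="full"):
    """Collect every object by advancing offset until 'to' reaches 'total'."""
    objects, offset = [], 0
    while True:
        page = call(command, {"offset": offset, "limit": page_size,
                              "details-level": details_level})
        objects.extend(page.get("objects", []))
        total = page.get("total", 0)
        # 'to' is the 1-based index of the last object returned; absent on an empty result
        offset = page.get("to", total)
        if offset >= total or not page.get("objects"):
            return objects

def hosts_csv(hosts):
    """name,ipv4-address lines, matching the jq filter in the post above."""
    return [f'{h["name"]},{h.get("ipv4-address", "")}' for h in hosts]

if __name__ == "__main__":
    base = os.environ["MGMT_URL"]  # assumed variable, e.g. https://<mgmt>/web_api
    login = make_api_call(base)("login", {"user": os.environ["MGMT_USER"],
                                          "password": os.environ["MGMT_PASSWORD"]})
    call = make_api_call(base, login["sid"])
    try:
        print("\n".join(hosts_csv(fetch_all(call, "show-hosts"))))
    finally:
        call("logout", {})  # always invalidate the session ID
```

Because `fetch_all` takes the command name, the same loop works for other paged show-* commands.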
Hi PhoneBoy,
Finally gave this a try. Looks like having only 'Read Only' access isn't helping. I kept getting a 'Null SID' error and tested in another tool (Postman), only to figure out that I do not have access to log in via API.
Is there a tool in the pipeline to allow read-only users to have access to take information dumps from the Management server, similar to the old 'Web Visualisation tool'?
Phoneboy, hope all is well. Can you direct an old networking dude with no scripting background on how to export all the rules into a spreadsheet where I can see source, dest and ports? I need to upgrade and I want all of the rule sets in hand to check one by one afterwards. Nothing else matters as far as content... just what I have noted above. Many thanks!
Personally I prefer WebVis R77.x to export all rules, objects and services into either a single html page (cpdb2html) or xml files (cpdb2web). Should be easy to copy the rules into Excel from HTML.
Thanks Danny, how does one use this tool? I believe I have the tool but I have never used it. Thanks Danny.
The old confwiz tool might be another viable option:
What is the Checkpoint equivalent command to the Cisco command show running-config?
From an OS perspective (network/routing), you can use the clish command show configuration.
Depending on the version, you may not be able to use this (as is) to recreate the running configuration.
For the security gateway functions, there is no equivalent to show running-config on Cisco IOS.
This configuration is only stored on the local gateway in compiled form and cannot easily be dumped.