Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Edwin_Graham
Explorer

CLI Help

Hey everybody,

I am new to Checkpoint CLI and I want to organize and view certain things.

How would I be able to view all network objects, rules, etc?

I guess what commands would I use?

14 Replies
PhoneBoy
Admin
Admin

The answer is largely version dependent.

If your management is R80+, then I'd start with the mgmt_cli tool, documented here: Check Point - Management API reference 

If you're using R77.30 and earlier, then I'd start with the dbedit command, documented here: Command Line Interface R77 

I would also have a look through the Developers (Code Hub)‌ space, which has a lot of discussion on the API/CLI.

Manny_Mekala
Participant

Hi Dameon,

We are on R80+ for Mgmt and the Mgmt API reference you have pointed doesn't really help in listing all network objects...There is a limit on the number of items listed 0-500 ad even then the output doesnt list the objects and their members. it only displays the object names which we can export form smart console\object explorer anyways.

0 Kudos
PhoneBoy
Admin
Admin

Yes, the API has a limit to the number of items that can be output at once.

You would need to iterate with multiple API calls using the offset parameter to get the next 500 objects.

You also have to request the correct detail level in the API and correctly parse the output.

One example that exports various objects in CSV format: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.29.02...

0 Kudos
Manny_Mekala
Participant

Thank you for the link... Unfortunately my current access is RO for all FW's we manage and cant get to expert mode to be able to execute those commands/scripts in the links shared. Will have to request our service provider for what i am after. 

0 Kudos
PhoneBoy
Admin
Admin

You can do this with the API, but you're going to have to make successive API calls, like I said.

I managed to do the following from the CLI of a different Linux host (not the management server) running bash.

This assumes that "curl" and "jq" are installed, which are fairly common utilities (curl fetches web content, jq parses JSON output).

SID=`curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/login" --data-binary "{\"user\": \"aa\", \"password\": \"aaaa\" }" -H "Content-Type: application/json" | jq -r .sid`

curl --silent --insecure -XPOST https://10.6.5.250/web_api/v1.3/show-hosts --data-binary "{ \"offset\": 0, \"limit\": 500, \"details-level\": \"full\" }" -H "Content-Type: application/json" -H "X-chkp-sid: $SID" | jq -r '.objects[] | .name + "," + ."ipv4-address"'

curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3logout" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: $SID"

The first command (starting with SID) does a login to the API with username aa / password aaaa, obtaining a session ID, and storing it in the shell variable SID.

The second command calls curl and will fetch the first 500 host objects from the management and output the name and IPv4 address of the object in a comma separated list.

  • You will need to repeat this command with different values for offset until you get all the objects.
  • You will also need similar commands to get other object types (e.g. networks, groups).
  • This is where the API documentation will help you: Check Point - Management API reference 

The third command (also a curl command) issues a logout command, invalidating the SID. 

There are probably programmatic ways to automate this further, but that should get you started.

Manny_Mekala
Participant

Hi PhoneBoy,

Finally gave this a try, Looks like having only 'Read Only' access isn't helping. I kept getting 'Null SID' error and tested in another tool (Postman) only to figure out that i do not have access to login via API.

Is there a tool in pipeline to allow read only users have access to take information dumps from the Management server, similar to the old 'Web Visualisation tool'?

0 Kudos
PhoneBoy
Admin
Admin

There is a specific permission for API access.
If your permission profile has this enabled, you will have API access consistent with the other permissions in the permissions profile.
0 Kudos
dannyclee
Explorer

Phoneboy.  Hope all is well.  Can you direct an old networking dude, no scripting background on how to export all the rules into a spreadsheet that I can see source, dest and ports?  I need to upgrade and I want all of the rules sets in had to check one by one afterwards.  Nothing else matters as far as content...just what I have noted above.  Many Thanks!

0 Kudos
PhoneBoy
Admin
Admin

0 Kudos
Danny
Champion Champion
Champion

Personally I prefer WebVis R77.x to export all rules, objects and services into either a single html page (cpdb2html) or xml files (cpdb2web). Should be easy to copy the rules into Excel from HTML.

0 Kudos
dannyclee
Explorer

Thanks Danny how does one use this tool?  I believe I have the tool but I have never used it.  Thanks Danny.

0 Kudos
Timothy_Hall
Champion
Champion

The old confwiz tool might be another viable option:

https://downloads.checkpoint.com/dc//filedetails.htm?ID=12945&product=Confwiz&version=1007&os=1074&a...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Prashan_Attanay
Collaborator

What is the checkpoint equal-ant command to cisco command show running-config ?

0 Kudos
PhoneBoy
Admin
Admin

From an OS perspective (network/routing), you can use the the clish command show configuration.

Depending on the version, you may not be able to use this (as is) to recreate the running configuration. 

For the security gateway functions, there is no equivalent to show running-config on Cisco IOS.

This configuration is only stored on the local gateway in compiled form and cannot easily be dumped.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events