We're targeting VPN and firewall blade logs for Checkpoint Firewall.
While looking into that, I found the management API references below. I was not sure whether this management command would fetch VPN and firewall logs along with audit logs. While trying out the commands, we're not able to execute them successfully, and we need clarity on this.
References:-
2. https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v1.9%20
Thanks in advance!!
Happy to test it in my lab. Can you confirm commands you ran?
Best,
Andy
What you've actually tried to do and the results will help.
Also, please specify version/JHF of your management server.
show-logs gives you access to Access Policy logs.
It does not appear to include Audit logs.
Note that this API is meant for retrieving data for specific queries similar to what you would type in SmartView/SmartConsole to view specific logs.
For streaming of access and audit logs to a SIEM or a syslog server, Log Exporter is a better bet: https://support.checkpoint.com/results/sk/sk122323
We just had a detailed discussion about the show-logs API call in the newly-updated CCAS R81.20 course I ran this week.
This command is not really intended to be used to retrieve bulk logs, but mainly to pull "top 10" log statistics that are available under the "Tops" tab in the SmartConsole GUI. Logs can be pulled with this command but should really only be used when you know precisely what you are looking for; attendees reported that their mileage varied considerably when they tried to pull large numbers of logs through this command. For bulk export of logs R81.20 has made the Log Exporter function available right in the SmartConsole via the new Log Exporter/SIEM objects.
For accessing audit logs I'd suggest checking out the run-script API call in conjunction with the fw log $FWDIR/log/fw.adtlog command.
Sharing the commands I've tried out:
```
mgmt_cli show-logs new-query.filter product:FG VPN-1 & FireWall-1 new-query.time-frame today
mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:\"Threat Emulation\"" --format json
```
Here is the API reference: https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.9%20
Let me know if this works or doesn't meet my requirement to fetch all VPN and Firewall logs.
This is what I get on my mgmt lab server.
Andy
```
[Expert@CP-management:0]# mgmt_cli show-logs new-query.filter product:FG VPN-1 & FireWall-1 new-query.time-frame today
[1] 28470
-bash: FireWall-1: command not found
[Expert@CP-management:0]# Error: The parameters of show-logs command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
^C
[1]+ Exit 1 mgmt_cli show-logs new-query.filter product:FG VPN-1
[Expert@CP-management:0]# mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:\"Threat Emulation\"" --format json
Username: admin
Password:
{
  "logs" : [ ],
  "logs-count" : 0,
  "query-id" : "admin_441a7d2f-2c5d-4191-8b21-3931b3e227aa"
}
[Expert@CP-management:0]#
```
The argument to new-query.filter will need to be enclosed in quotes.
I also don't believe that query is valid.
If the query string doesn't work in SmartView (https://mgmt-ip/smartview/ ), it won't work via the API.
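Why the first command in the session above fails, as an added example that is not part of any post in this thread: Python's `shlex` stands in for bash tokenisation, and `split_commands` and `show_logs_argv` are hypothetical helper names. It only covers how the filter argument reaches `mgmt_cli`; whether the filter string is a valid log query is a separate question.

```python
import shlex

CONTROL_OPERATORS = {"&", "&&", "|", "||", ";"}

def split_commands(command_line):
    """Tokenise like a POSIX shell and cut at control operators, returning
    one argv list per command the shell would actually start."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def show_logs_argv(query_filter, time_frame="today", max_logs=2):
    """Build argv for 'mgmt_cli show logs'. Each value is one list element,
    so spaces, quotes and '&' inside the filter stay a single argument."""
    return ["mgmt_cli", "show", "logs",
            "new-query.filter", query_filter,
            "new-query.time-frame", time_frame,
            "new-query.max-logs-per-request", str(max_logs),
            "--format", "json"]

# The command from the thread, exactly as typed at the Expert prompt.
AS_TYPED = ("mgmt_cli show-logs new-query.filter product:FG VPN-1 & "
            "FireWall-1 new-query.time-frame today")

if __name__ == "__main__":
    first, second = split_commands(AS_TYPED)
    # Backgrounded by '&': three parameters after show-logs, an odd number.
    print("first command :", first)
    # Started as its own command, hence 'FireWall-1: command not found'.
    print("second command:", second)
    argv = show_logs_argv("product:FG VPN-1 & FireWall-1")
    # Quoted form that is safe to paste at a bash prompt.
    print("quoted form   :", shlex.join(argv))
    # subprocess.run(argv) would pass the same list without a shell parsing it.
```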
Hi, it's indeed possible to query Audit logs in a separate query.
Here is an example:
```
mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.type "audit" --format json
```
This query will retrieve 2 Audit logs from today as a result.
You can see documentation for this in our API documentation under a type of log
https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v1.7%20
EXCELLENT @Nitzan_Massad
From my lab.
Andy
```
[Expert@CP-management:0]# mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.type "audit" --format json
Username: admin
Password:
{
  "logs" : [ {
    "severity" : "Informational",
    "product_family" : "Network",
    "product" : "WEB_API",
    "sequencenum" : "1",
    "subject" : "Administrator Login",
    "sendtotrackerasadvancedauditlog" : "0",
    "type" : "Audit",
    "orig_log_server_attr" : [ {
      "isCHKPObject" : "true",
      "uuid" : "40bbf9f7-8ab5-dd4e-a387-8b4f8fdd9f0e",
      "resolved" : "CP-management"
    } ],
    "administrator" : "admin",
    "orig_log_server" : "172.16.10.252",
    "additional_info" : "Authentication method: Unix Password",
    "orig" : "CP-management",
    "machine" : "localhost",
    "marker" : "@A@@B@1715832000@C@1009",
    "orig_log_server_ip" : "172.16.10.252",
    "stored" : "true",
    "calc_desc" : "admin logged ln to WEB_API",
    "client_ip" : "127.0.0.1",
    "time" : "2024-05-16T12:16:24Z",
    "id" : "ac100afc-a019-ad0d-6645-f91802610000",
    "operation_number" : "10",
    "operation" : "Log In"
  }, {
    "severity" : "Informational",
    "product_family" : "Network",
    "product" : "Expert Shell",
    "sequencenum" : "1",
    "subject" : "Administrator Expert Shell login",
    "sendtotrackerasadvancedauditlog" : "0",
    "device_type" : "MGMT",
    "type" : "Audit",
    "orig_log_server_attr" : [ {
      "isCHKPObject" : "true",
      "uuid" : "40bbf9f7-8ab5-dd4e-a387-8b4f8fdd9f0e",
      "resolved" : "CP-management"
    } ],
    "administrator" : "admin",
    "device_name" : "CP-management",
    "orig_log_server" : "172.16.10.252",
    "additional_info" : "SSH connection by admin user to Expert Shell",
    "orig" : "CP-management",
    "marker" : "@A@@B@1715832000@C@1008",
    "orig_log_server_ip" : "172.16.10.252",
    "stored" : "true",
    "calc_desc" : "admin logged ln to Expert Shell",
    "client_ip" : "172.16.10.1",
    "time" : "2024-05-16T12:16:08Z",
    "id" : "ac100afc-a019-ad0d-6645-f90802610000",
    "operation" : "Log In"
  } ],
  "logs-count" : 2,
  "query-id" : "admin_65e16d5b-6b3a-40ce-a7ef-e1f61446350f"
}
[Expert@CP-management:0]#
```
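An added example, not part of the thread: one way to use the audit records returned above is to list administrator logins and mark those whose `client_ip` lies outside the expected management networks. The sample reply is constructed from fields shown in the lab output, and the function names and the trusted network list are assumptions.

```python
import ipaddress
import json

# Constructed sample reply, reduced to the fields this check reads. The first
# two records mirror the lab output above; the third is invented for the demo.
SAMPLE_REPLY = """
{"logs": [
  {"type": "Audit", "operation": "Log In", "product": "WEB_API",
   "administrator": "admin", "client_ip": "127.0.0.1",
   "time": "2024-05-16T12:16:24Z"},
  {"type": "Audit", "operation": "Log In", "product": "Expert Shell",
   "administrator": "admin", "client_ip": "172.16.10.1",
   "time": "2024-05-16T12:16:08Z"},
  {"type": "Audit", "operation": "Log In", "product": "WEB_API",
   "administrator": "admin", "client_ip": "203.0.113.7",
   "time": "2024-05-16T12:20:00Z"}
 ], "logs-count": 3, "query-id": "constructed-example"}
"""

# Assumed management networks for this lab; adjust to the real environment.
TRUSTED_NETS = ["127.0.0.0/8", "172.16.10.0/24"]

def admin_logins(reply_json, trusted_nets):
    """Return audit 'Log In' records from a show-logs JSON reply, oldest
    first, each tagged with whether client_ip is in a trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    events = []
    for log in json.loads(reply_json).get("logs", []):
        if log.get("type") != "Audit" or log.get("operation") != "Log In":
            continue
        try:
            addr = ipaddress.ip_address(log.get("client_ip", ""))
            trusted = any(addr in net for net in nets)
        except ValueError:
            trusted = False  # missing or malformed address: treat as untrusted
        events.append({"time": log.get("time", ""),
                       "administrator": log.get("administrator", ""),
                       "product": log.get("product", ""),
                       "client_ip": log.get("client_ip", ""),
                       "trusted": trusted})
    return sorted(events, key=lambda e: e["time"])

def untrusted_logins(reply_json, trusted_nets):
    """Only the logins that came from outside the trusted networks."""
    return [e for e in admin_logins(reply_json, trusted_nets) if not e["trusted"]]

if __name__ == "__main__":
    for event in admin_logins(SAMPLE_REPLY, TRUSTED_NETS):
        print(event)
```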