Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
jinal_panchal
Explorer
Jump to solution

Checkpoint Management API

We're targetting VPN and firewall blade logs for Checkpoint Firewall. 
While looking for that, I've found below management API references. So I was not sure if this management command would fetch VPN and firewall along with audit logs? Because while trying out the commands, we're not able to execute it successfully and need to get clarity on this. 

References:-

1. https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

2. https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v1.9%20


Thanks in advance!!

0 Kudos
1 Solution

Accepted Solutions
Nitzan_Massad
Employee
Employee

Hi, it's indeed possible to query Audit logs in a separate query. 

here is an example: 

mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.type "audit" --format json

this query will retrieve 2 Audit logs from today as a result.

you can see documentation for this in our API documentation under a type of log 

https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v1.7%20

 

View solution in original post

(2)
8 Replies
the_rock
Legend
Legend

Happy to test it in my lab. Can you confirm commands you ran?

Best,

Andy

0 Kudos
PhoneBoy
Admin
Admin

What you've actually tried to do and the results will help.
Also, please specify version/JHF of your management server.

show-logs gives you access to Access Policy logs.
It does not appear to include Audit logs.

Note that this API is meant for retrieving data for specific queries similar to what you would type in SmartView/SmartConsole to view specific logs.
For streaming of access and audit logs to a SIEM or a syslog server, Log Exporter is a better bet: https://support.checkpoint.com/results/sk/sk122323

0 Kudos
Timothy_Hall
Legend Legend
Legend

We just had a detailed discussion about the show-logs API call in the newly-updated CCAS R81.20 course I ran this week.

This command is not really intended to be used to retrieve bulk logs, but mainly to pull "top 10" log statistics that are available under the "Tops" tab in the SmartConsole GUI.  Logs can be pulled with this command but should really only be used when you know precisely what you are looking for; attendees reported that their mileage varied considerably when they tried to pull large numbers of logs through this command.  For bulk export of logs R81.20 has made the Log Exporter function available right in the SmartConsole via the new Log Exporter/SIEM objects.

For accessing audit logs I'd suggest checking out the run-script API call in conjunction with the fw log $FWDIR/log/fw.adtlog command.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
jinal_panchal
Explorer

Sharing the commands I've tried out:

mgmt_cli show-logs new-query.filter product:FG VPN-1 & FireWall-1 new-query.time-frame today

 

mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:\"Threat Emulation\""  --format json



Here, is the API reference: https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.9%20
Let me know if this works or doesn't meet my requirement to fetch all VPN and Firewall logs.

0 Kudos
the_rock
Legend
Legend

This is what I get on my mgmt lab server.

Andy

 

[Expert@CP-management:0]# mgmt_cli show-logs new-query.filter product:FG VPN-1 & FireWall-1 new-query.time-frame today
[1] 28470
-bash: FireWall-1: command not found
[Expert@CP-management:0]# Error: The parameters of show-logs command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
^C
[1]+ Exit 1 mgmt_cli show-logs new-query.filter product:FG VPN-1
[Expert@CP-management:0]# mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.filter "blade:\"Threat Emulation\"" --format json
Username: admin
Password:
{
"logs" : [ ],
"logs-count" : 0,
"query-id" : "admin_441a7d2f-2c5d-4191-8b21-3931b3e227aa"
}
[Expert@CP-management:0]#

0 Kudos
PhoneBoy
Admin
Admin

The argument to new-query.filter will need to be enclosed in quotes.
I also don't believe that query is valid.
If the query string doesn't work in SmartView (https://mgmt-ip/smartview/ ), it won't work via the API.

0 Kudos
Nitzan_Massad
Employee
Employee

Hi, it's indeed possible to query Audit logs in a separate query. 

here is an example: 

mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.type "audit" --format json

this query will retrieve 2 Audit logs from today as a result.

you can see documentation for this in our API documentation under a type of log 

https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-logs~v1.7%20

 

(2)
the_rock
Legend
Legend

EXCELLENT @Nitzan_Massad 

From my lab.

Andy

 

[Expert@CP-management:0]# mgmt_cli show logs new-query.time-frame "today" new-query.max-logs-per-request "2" new-query.type "audit" --format json
Username: admin
Password:
{
"logs" : [ {
"severity" : "Informational",
"product_family" : "Network",
"product" : "WEB_API",
"sequencenum" : "1",
"subject" : "Administrator Login",
"sendtotrackerasadvancedauditlog" : "0",
"type" : "Audit",
"orig_log_server_attr" : [ {
"isCHKPObject" : "true",
"uuid" : "40bbf9f7-8ab5-dd4e-a387-8b4f8fdd9f0e",
"resolved" : "CP-management"
} ],
"administrator" : "admin",
"orig_log_server" : "172.16.10.252",
"additional_info" : "Authentication method: Unix Password",
"orig" : "CP-management",
"machine" : "localhost",
"marker" : "@A@@B@1715832000@C@1009",
"orig_log_server_ip" : "172.16.10.252",
"stored" : "true",
"calc_desc" : "admin logged ln to WEB_API",
"client_ip" : "127.0.0.1",
"time" : "2024-05-16T12:16:24Z",
"id" : "ac100afc-a019-ad0d-6645-f91802610000",
"operation_number" : "10",
"operation" : "Log In"
}, {
"severity" : "Informational",
"product_family" : "Network",
"product" : "Expert Shell",
"sequencenum" : "1",
"subject" : "Administrator Expert Shell login",
"sendtotrackerasadvancedauditlog" : "0",
"device_type" : "MGMT",
"type" : "Audit",
"orig_log_server_attr" : [ {
"isCHKPObject" : "true",
"uuid" : "40bbf9f7-8ab5-dd4e-a387-8b4f8fdd9f0e",
"resolved" : "CP-management"
} ],
"administrator" : "admin",
"device_name" : "CP-management",
"orig_log_server" : "172.16.10.252",
"additional_info" : "SSH connection by admin user to Expert Shell",
"orig" : "CP-management",
"marker" : "@A@@B@1715832000@C@1008",
"orig_log_server_ip" : "172.16.10.252",
"stored" : "true",
"calc_desc" : "admin logged ln to Expert Shell",
"client_ip" : "172.16.10.1",
"time" : "2024-05-16T12:16:08Z",
"id" : "ac100afc-a019-ad0d-6645-f90802610000",
"operation" : "Log In"
} ],
"logs-count" : 2,
"query-id" : "admin_65e16d5b-6b3a-40ce-a7ef-e1f61446350f"
}
[Expert@CP-management:0]#

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events