When we can FINALLY expect such a basic feature like manipulating Cluster objects within R80 ? R80.30 is GA, without any single API command for this purpose. What a shame.

The cluster API was supposed to be released in R80.30 M1. This is postponed to R80.40 version.

Hi Mark,

First my code was for Cluster Object deployment. In your case, if you are using Simple Gateway deployment, don't use the Generic Object API.

What version of Management server are you using? (.10 .20 or .30) 

Keep in mind that each release has its own version of API:

That been said, in the API call "add simple-gateway", you have the option to add interfaces/IP addresses in a simpler way.

Something like this:

mgmt_cli add simple-gateway name "gw1" color "yellow" ipv4-address "192.0.2.230" version "R80" one-time-password "aaaa" firewall true vpn true application-control true url-filtering true ips true anti-bot true anti-virus true threat-emulation true interfaces.1.name "eth0" interfaces.1.ipv4-address "192.0.2.230" interfaces.1.ipv4-network-mask "255.255.255.128" interfaces.1.anti-spoofing true interfaces.1.topology "EXTERNAL" interfaces.2.name "eth1" interfaces.2.ipv4-address "192.0.2.88" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.anti-spoofing true interfaces.2.topology "INTERNAL" --format json

The online documentation is available here:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-simple-gateway~v1.5%20

Hope this help.

Nicolas.

If the object is already there, use the "set simple-gateway" instead to change or add an interface:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-simple-gateway~v1.5%20

I'll do a quick test, but the API is explicit about all existing interfaces being deleted when using that call?!

I'm basically trying to simulate a "get interfaces without topology" or an interface add on a device that has 30+ interfaces and is expected to grow as we add alot of vpnt interfaces.

Hi Mark, you are right. The set simple-gateway reset the whole topology and use only the interface you provide in the set command.

What we can do is to read the information from a show simple-gateway call before adding the new interface:

 show simple-gateway name gw1 --format json details-level full

This will give you a json like this:

[Expert@R80.20_Management:0]# cat simplegateway.json
{
"uid" : "6073406b-bc78-43aa-97ff-fcfaa6319fe9",
"name" : "gw1",
"type" : "simple-gateway",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
},
"interfaces" : [ {
"name" : "eth0",
"ipv4-address" : "192.0.2.230",
"ipv4-network-mask" : "255.255.255.128",
"ipv4-mask-length" : 25,
"ipv6-address" : "",
"comments" : "",
"color" : "black",
"icon" : "NetworkObjects/network",
"topology" : "external",
"anti-spoofing" : true,
"anti-spoofing-settings" : {
"action" : "prevent"
},
"security-zone" : false
}, {
"name" : "eth1",
"ipv4-address" : "192.0.2.88",
"ipv4-network-mask" : "255.255.255.0",
"ipv4-mask-length" : 24,
"ipv6-address" : "",
"comments" : "",
"color" : "black",
"icon" : "NetworkObjects/network",
"topology" : "internal",
"topology-settings" : {
"ip-address-behind-this-interface" : "not defined",
"interface-leads-to-dmz" : false
},
"anti-spoofing" : true,
"anti-spoofing-settings" : {
"action" : "prevent"
},
"security-zone" : false
} ],
"ipv4-address" : "192.0.2.230",
"dynamic-ip" : false,
"version" : "R80",
"os-name" : "Gaia",
"hardware" : "Open server",
"sic-name" : "",
"sic-state" : "initialized",
"firewall" : true,
"firewall-settings" : {
"auto-maximum-limit-for-concurrent-connections" : true,
"maximum-limit-for-concurrent-connections" : 25000,
"auto-calculate-connections-hash-table-size-and-memory-pool" : true,
"connections-hash-size" : 131072,
"memory-pool-size" : 6,
"maximum-memory-pool-size" : 30
},
"vpn" : true,
"vpn-settings" : {
"maximum-concurrent-ike-negotiations" : 1000,
"maximum-concurrent-tunnels" : 10000
},
"application-control" : true,
"url-filtering" : true,
"ips" : true,
"content-awareness" : false,
"anti-bot" : true,
"anti-virus" : true,
"threat-emulation" : true,
"threat-extraction" : false,
"save-logs-locally" : false,
"send-alerts-to-server" : [ "R80.20_Management" ],
"send-logs-to-server" : [ "R80.20_Management" ],
"send-logs-to-backup-server" : [ ],
"logs-settings" : {
"rotate-log-by-file-size" : false,
"rotate-log-file-size-threshold" : 1000,
"rotate-log-on-schedule" : false,
"alert-when-free-disk-space-below-metrics" : "mbytes",
"alert-when-free-disk-space-below" : true,
"alert-when-free-disk-space-below-threshold" : 20,
"alert-when-free-disk-space-below-type" : "popup alert",
"delete-when-free-disk-space-below-metrics" : "mbytes",
"delete-when-free-disk-space-below" : true,
"delete-when-free-disk-space-below-threshold" : 5000,
"before-delete-keep-logs-from-the-last-days" : false,
"before-delete-keep-logs-from-the-last-days-threshold" : 0,
"before-delete-run-script" : false,
"before-delete-run-script-command" : "",
"stop-logging-when-free-disk-space-below-metrics" : "mbytes",
"stop-logging-when-free-disk-space-below" : true,
"stop-logging-when-free-disk-space-below-threshold" : 100,
"reject-connections-when-free-disk-space-below-threshold" : false,
"reserve-for-packet-capture-metrics" : "mbytes",
"reserve-for-packet-capture-threshold" : 500,
"delete-index-files-when-index-size-above-metrics" : "mbytes",
"delete-index-files-when-index-size-above" : false,
"delete-index-files-when-index-size-above-threshold" : 100000,
"delete-index-files-older-than-days" : false,
"delete-index-files-older-than-days-threshold" : 14,
"forward-logs-to-log-server" : false,
"perform-log-rotate-before-log-forwarding" : false,
"update-account-log-every" : 3600,
"detect-new-citrix-ica-application-names" : false,
"turn-on-qos-logging" : true
},
"groups" : [ ],
"comments" : "",
"color" : "yellow",
"icon" : "NetworkObjects/gateway",
"tags" : [ ],
"meta-info" : {
"lock" : "unlocked",
"validation-state" : "ok",
"last-modify-time" : {
"posix" : 1560216629523,
"iso-8601" : "2019-06-10T21:30-0400"
},
"last-modifier" : "admin",
"creation-time" : {
"posix" : 1560216612422,
"iso-8601" : "2019-06-10T21:30-0400"
},
"creator" : "admin"
},
"read-only" : false
}

From that json, we can show the information that we want. Interface name, ip, mask. JQ will be helpful here:

This JQ  will show all interfaces of the gw and format the output in CSV:

cat simplegateway.json | jq '.interfaces[] | [."name", ."ipv4-address", ."ipv4-network-mask"] | @csv' -r

"eth0","192.0.2.230","255.255.255.128"
"eth1","192.0.2.88","255.255.255.0"

You can then process the CSV with a loop to set simple-gateway interfaces + the new one.

Once done, a policy install will be required.

Hope this helps.

Nicolas.

Hey Nicolas,

Thanks for the prompt replies, ultimately I was hoping to use this approach to "ADD" non-destructively new interfaces to existing checkpoint management gateway objects.  And to be very specific, to be able to add numbered VPN interfaces.  I have Terraform based automation to spin up AWS transitGateway environments, connect them to a custom inter-region Checkpoint WAN routed tier, but just can't get what you'd think would be the trivial operation of updating the checkpoint management object completed.  Either a "network interface refresh with no topology" (like done in the management GUI), or manual adds of vpn tunnel interfaces in the management system.  Its frustrating to get stuck at what seemingly is an obvious need to edit existing objects.  Even if I was willing to export all the existing interface details somehow, and the use the simple-gateway API to "set" them all over (probably traffic disruptive), there seems to be no way to add VPN interfaces!

I'll probably take one last attempt at using this code to create an ethernet interface, and then edit all the properties of the interface ifindex:# to try to "convert" it to a vpn tunnel interface by setting the properties visible with a show-generic-object on a comparable functional VPN tunnel interface.

Again though, can't stress how crazy all of this coding is, when its just the result of a "missing"  single "non-destructive ADD simple-gateway VPN interface" API call.

Looks like I was inadvertantly grabbing some "Endpoint" uid instead of the gateway object uid, though commands were still succeeding to create an interface, it prevented me from successfully "set"/associating it.

The following code seems to work and is simplified to not include additional cluster properties.

iac_gwnetadd=$(mgmt_cli add generic-object create "com.checkpoint.management.cdm.objects.interfaces.EthernetInterface" name $int_name gatewayOwner $cp-gateway_uid gatewayNetwork $gatewaynetobject_uid $ip_addr ipv4MaskLength $mask_len --format json)

Thanks for your original article as everything else tried was pretty useless!

Hi Mark, you still need to figure out the AntiSpooging configuration. Since this is not a cluster, you should use the Set simple-gateway instead of generic-object and set only what you want to change in the API call. You will able to handle the set interface + Anti-Spoofing in 1 call: 

mgmt_cli set simple-gateway name "gw1" interfaces.1.name "eth0" interfaces.1.ipv4-address "192.0.2.230" interfaces.1.ipv4-network-mask "255.255.255.128" interfaces.1.anti-spoofing true interfaces.1.topology "internal"

You can use the UID instead of name if you prefer.

To be tested in your lab first.

Good luck 🙂

Nicolas.

#Get wan simplegateway uid:
iac_wan1gw_uid=$(mgmt_cli --port 4434 -r true show-generic-objects name "test-test" --format json | (${CPDIR}/jq/jq -r '.objects[] | select (.type == "simple-gateway") | .uid'))

# Add network interface to simplegateway
iac_wan1net1_uid=$(mgmt_cli --port 4434 -r true add generic-object create "com.checkpoint.management.cdm.objects.network.GatewayNetwork" name ${iac_int_name} clusterNetworkType "CLUSTER" gatewayOwner ${iac_wan1gw_uid} --format json | (${CPDIR}/jq/jq -r '.uid'))

# Add Ip address details, how to make this a point-to-point VPN connection?
mgmt_cli --port 4434 -r true add generic-object create "com.checkpoint.management.cdm.objects.interfaces.EthernetInterface" name ${iac_int_name} gatewayOwner ${iac_wan1gw_uid} gatewayNetwork ${iac_wan1net1_uid} ipv4Address ${iac_ipaddr} ipv4MaskLength 30

Note:

This creates an ethernet interface of unspecified topology.  Now if I could find out how to create a virtual VPN point-to-point interface!  Though I suspect this will still work....

FYI,

I'm working on a pre-relase off add simple-cluster API.  Its coming in R80.40. Stay tuned.