I am trying to deploy a new domain through the web api on R80.20 but I am stuck with an error:
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "10.11.12.10", "name" : "Domain01-mgmt", "multi-domain-server" : "CPMGT03", "comments" : "Customer01" }}' $cp_api_url/add-domain
{
  "code" : "generic_err_invalid_parameter",
  "message" : "Invalid parameter for [servers]. Invalid value"
}
As far as I can tell from the API reference, it should be fine: https://sc1.checkpoint.com/documents/latest/APIs/#web/add-domain~v1.3%20
Another thing:
When it comes time to deploy the VS, I will be using a command that looks something like this:
curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s localhost -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq
What do I define '"targets":"$MDM_Server"' as? Where do I find the information that is to go in my variable $MDM_Server? It might be a simple answer, but I cannot see it logically.
All this is on a R80.20 MDM-server.
Ok, I'll give that a try for the Domain deployment.
As for VSX deployment I have been leaning up against this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Creating-VSX-Virtual-Systems-usin...
which has led me to do a sequence like this:
SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`
< above Domain deployment to $cp_api_url/add-domain >
< above VSX deployment using $cp_api_url/run-script >
And then afterwards logging out of MDS and then into domain to do stuff like add objects, rules, sections etc., which works fine.
Should I do the following instead:
1. Login to MDS using above command
2. Deploy Domain
3. Logout of MDS ($cp_api_url/logout)
4. Login to Domain like this: SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\",\"domain\":\"$CP_Domain\"}" | awk -F\" '/sid/ {print $4}'`
5. Deploy VSX
6. Wait for task to finish
7. Deploy objects, rules, sections etc.
Still need to figure out what the "target": refers to though... 😞
Still not sure I understand, because the vsx_provisioning_tool runs on the MDM server.
Example: If I have my Multi-Domain Server be fwmgmt01 and each node in the cluster (called VSX_Cluster_1) is called fw01a and fw01b. Should my target then be VSX_Cluster_1 or fw01a+fw01b?
After a while of testing I am not any further with this vsx_provisioning_tool via web api at all. It's fighting me all the way!
Breakthrough!!
I needed to set target to the CMA that is created during the domain deployment in /add-domain. That made it work!
I agree with @Maarten_Sjouw; it seems like domain / CMA is not set correctly in your command
curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s localhost -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq
so you would need to supply correct CMA IP (where actual VS will belong) instead of localhost.
Plus I'm not entirely sure why you have two variables passed to main_ip? It should be just a single IP of that VS.
Thanks, I have corrected the localhost parameter. Makes sense too.
As for the two main_ip variables, there is only one. They are separated by a comma. $NB_VM_PRI_IP is the primary IP fetched from Netbox IPAM in an earlier step and $NB_VS_INT is the generated string for adding interfaces to the VS, fetched from Netbox IPAM. I had to make sure that I could deploy a random amount of interfaces, based on how many were documented in our IPAM.
The idea is to document first, then deploy in production based on what is documented in our IPAM. That could be 1 nic or 8.
I have now tried a few things to try and deploy a new domain, none of which have worked.
cp_api_url="https://fwmgmt.mydomain.net/web_api"
SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"cp_username\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`
Above works just fine, below is fubar:
First attempt is by the book, according to API reference guide (API Reference link) :
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "172.20.20.1", "name" : "Domain01-mgmt", "multi-domain-server" : "cpMGT01", "comments" : "Domain-test" }}' $cp_api_url/add-domain
Second attempt is from suggestions in this thread:
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers.ip-address" : "172.20.20.1", "servers.name" : "Domain01-mgmt", "servers.multi-domain-server" : "cpMGT01", "servers.comments" : "Domain-test" }' $cp_api_url/add-domain
The error code I get is "generic_err_invalid_parameter" and it is frustrating as h...!
I am beginning to think something is completely wrong in the documentation!
Can someone shed any light on this?
I finally got the domain-deployment working:
The test-script is like this:
cp_user=$1
password=$2
CP_Domain=TestDomain
CMA_IP=10.64.54.250
CMA=Test-mgmt
MDM_Server=CPMGT01
cp_api_url="https://fwmgmt/web_api"
cp_vs_name=vs-Test
VSX_Cluster=VSX_Cluster_1
NB_VM_PRI_IP=7.7.7.1
NB_VS_INT="add interface name bond1.3333 ip 7.7.7.1/29, add interface name bond1.3334 ip 192.168.100.1/24"

# check if an array contains a specific value: $1 is the value, the remaining arguments are the array elements
containsElement () {
    local array=("${@:2}")
    for ((i=0; i<${#array[@]}; i++))
    do
        if [ "${array[$i]}" == "$1" ]; then
            return 0
        fi
    done
    return 1
}

# check the status of a task. is it "in progress"? if 'yes' return 0, else return '1'
is_status_in_progress() {
    # call the 'show-task' API, save result to a JSON file.
    curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "task-id" : "'$CP_TASKID'" }' $cp_api_url/show-task | jq . > show_task_result.json
    # use jq to get the status. $STATUS is an array (one line per task) because there could be 'child' tasks.
    mapfile -t STATUS < <(jq -r '.tasks[].status' show_task_result.json)
    PERCENTAGE=$(jq -r '.tasks[]."progress-percentage"' show_task_result.json)
    # go over the array, look for 'in progress' (quoted, so the two-word status stays a single element)
    containsElement "in progress" "${STATUS[@]}"
    IS_IN_PROGRESS=$?
}

# as long as the task is in progress, wait 3 seconds and check again.
wait_for_task() {
    is_status_in_progress
    while [ "$IS_IN_PROGRESS" == "0" ]
    do
        echo "in progress. $PERCENTAGE Percent completed"
        sleep 3
        is_status_in_progress
    done
}

# login to the MDS and keep the session id for the X-chkp-sid header
SID=$(curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" | awk -F\" '/sid/ {print $4}')

# add-domain returns a task-id; 'servers' has to be a nested object
CP_TASKID=$(curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"'$CP_Domain'","servers":{"ip-address":"'$CMA_IP'","name":"'$CMA'","multi-domain-server":"'$MDM_Server'"}}' $cp_api_url/add-domain | jq -r '."task-id"')
#Wait for deployment is done
echo "Deploying new domain $CP_Domain"
wait_for_task
#Add domain to trusted-client
echo "Deployment status for domain $CP_Domain: ${STATUS[@]}"
#reset task-id variable
CP_TASKID=
echo "Adding Domain to trusted-client AnyHost"
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"AnyHost","domains-assignment":{"add":"'$CP_Domain'"}}' $cp_api_url/set-trusted-client # send to log
#publish Trusted client addition
CP_TASKID=$(curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/publish | jq -r '."task-id"')
echo "Publishing new trusted client config"
wait_for_task
echo "Publishing status for trusted client AnyHost for $CP_Domain: ${STATUS[@]}"
<here would go further deployment scripting, like VSX deployment>
echo "logging out"
#curl -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/logout
rm ./show_task_result.json
Hopefully someone else can make use of this somewhere.
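The same login / add-domain / show-task / logout sequence as an added Python example (not code from the thread): it builds the add-domain body with "servers" as a nested object, and treats every entry of tasks[] (child tasks included) before declaring the task done, which is the case the shell loop above has to handle. The API URL, credentials and the `post` transport argument are assumptions; `wait_for_task` accepts any callable so the polling logic can be exercised without a management server.

```python
import json
import ssl
import time
import urllib.request

IN_PROGRESS = "in progress"

def add_domain_body(domain, cma_name, cma_ip, mds_name):
    """Body for /add-domain: 'servers' is a nested object, not dotted keys."""
    return {"name": domain, "servers": {"name": cma_name, "ip-address": cma_ip,
                                        "multi-domain-server": mds_name}}

def task_progress(show_task_resp):
    """Return (any task still in progress, lowest progress-percentage, all statuses)."""
    tasks = show_task_resp.get("tasks", [])
    statuses = [t.get("status") for t in tasks]
    pct = min((t.get("progress-percentage", 0) for t in tasks), default=0)
    return IN_PROGRESS in statuses, pct, statuses

def wait_for_task(post, sid, task_id, poll_seconds=3, max_polls=200):
    """Poll show-task through post(command, body, sid) until no entry of tasks[] is in progress."""
    for _ in range(max_polls):
        busy, pct, statuses = task_progress(post("show-task", {"task-id": task_id}, sid))
        if not busy:
            return statuses
        print(f"in progress. {pct} percent completed")
        time.sleep(poll_seconds)
    raise TimeoutError(f"task {task_id} still in progress after {max_polls} polls")

def http_post(api_url, command, body, sid=None, verify_tls=True):
    """POST JSON to <api_url>/<command>; X-chkp-sid carries the session once logged in."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    ctx = ssl.create_default_context()
    if not verify_tls:  # the thread's curl -k: only for a lab box with a self-signed cert
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(f"{api_url}/{command}", data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def deploy_domain(api_url, user, password, domain, cma_name, cma_ip, mds_name, verify_tls=True):
    """Login to the MDS (assumed URL), add the domain, wait for its task, and always logout."""
    post = lambda cmd, body, sid=None: http_post(api_url, cmd, body, sid, verify_tls)
    sid = post("login", {"user": user, "password": password})["sid"]
    try:
        body = add_domain_body(domain, cma_name, cma_ip, mds_name)
        return wait_for_task(post, sid, post("add-domain", body, sid)["task-id"])
    finally:
        post("logout", {}, sid)
```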
Hi,
I'm attempting to use the vsx_provisioning tool for the first time. I've created a script which contains the following:
add vd name TestVS vsx VSXCL type vs instances 4 instance6 0 main_ip 1.1.1.1 calc_topo_auto false. When running this I get:
Failed to get object <One of the VSX cluster nodes> (table=network_object,uid=)
Failed to execute line number 2.
Any ideas how to troubleshoot this?