Tomer_Sole
Mentor

Did you know? Add Snort Protections with R80.10 API

1. Place the snort protections file on your Management server

2. Import it to your Security Management Server:

a. Login with valid Check Point admin credentials, so that the change will be audited by the relevant admin account.

mgmt_cli login user "[username]" password "[password]"

b. Import the protections file

mgmt_cli add threat-protections package-path "/path/to/community.rules" package-format "snort"

c. This command is asynchronous and returns a task ID. Track the progress of this task either with the "show task" command:

mgmt_cli show task task-id "2eec70e5-78a8-4bdb-9a76-cfb5601d0bcb"

(given 2eec70e5-78a8-4bdb-9a76-cfb5601d0bcb as the "task-id" value in the result of step b)

or with the utility described in "Using a-synchronous commands (e.g. publish, install-policy and run-script)".

d. Publish your changes 

mgmt_cli publish 

e. The "publish" command is also asynchronous, so you will need to track its progress as in step c.

f. Install Policy 

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway"

g. The "install-policy" command is also asynchronous, so you will need to track its progress as in step c.

Now you can add your custom protections or connect between your feeds and the gateway automatically. Audit logs and SmartConsole UI reflect this change.
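The steps above chained into one script, as an added example that is not part of the original post: it imports the rules, publishes, installs policy, and blocks on each task ID instead of running "show task" by hand. It assumes mgmt_cli is on the PATH of the Management Server, that the session ID from "mgmt_cli login" was saved to a file passed with -s, and that "--format json" output carries the task status values named in the comments.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): runs steps 2b-2g above end to end,
# waiting on each asynchronous task instead of checking "show task" by hand.
# Assumes mgmt_cli is on PATH and that with "--format json" the task status is
# one of "in progress", "succeeded", "partially succeeded" or "failed".
set -euo pipefail
SESSION_FILE="${SESSION_FILE:-id.txt}"   # written by: mgmt_cli login ... > id.txt

# json_field NAME: first string value of "NAME" in the JSON read from stdin.
json_field() {
  grep -o "\"$1\" *: *\"[^\"]*\"" | head -n 1 | sed 's/.*: *"\(.*\)"$/\1/'
}

# show_task_status TASK_ID: the status the API reports for one task.
show_task_status() {
  mgmt_cli show task task-id "$1" --format json -s "$SESSION_FILE" | json_field status
}

# wait_for_task TASK_ID [INTERVAL]: poll until the task leaves "in progress";
# returns 0 only for "succeeded", otherwise reports the final status and fails.
wait_for_task() {
  local id="$1" interval="${2:-5}" status
  while :; do
    status=$(show_task_status "$id")
    case "$status" in
      "in progress") sleep "$interval" ;;
      succeeded)     return 0 ;;
      *)             echo "task $id finished with status '$status'" >&2; return 1 ;;
    esac
  done
}

# run_async ARGS...: run an asynchronous mgmt_cli command, then wait for its task.
run_async() {
  local tid
  tid=$(mgmt_cli "$@" --format json -s "$SESSION_FILE" | json_field task-id)
  wait_for_task "$tid"
}

# import_snort_rules RULES_FILE POLICY GATEWAY: import, publish, install (2b-2g).
import_snort_rules() {
  run_async add threat-protections package-path "$1" package-format snort
  run_async publish
  run_async install-policy policy-package "$2" access true threat-prevention true targets.1 "$3"
}

# Runs only when RULES_FILE is set, after "mgmt_cli login ... > $SESSION_FILE".
if [ -n "${RULES_FILE:-}" ]; then
  import_snort_rules "$RULES_FILE" "${POLICY:-standard}" "${GATEWAY:-corporate-gateway}"
  mgmt_cli logout -s "$SESSION_FILE"
fi
```

Invoke it as `RULES_FILE=/path/to/community.rules GATEWAY=corporate-gateway ./import_snort.sh` once a session file exists; a failed publish or install stops the script with the task's final status on stderr.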

2 Replies
Eric_Ferland
Employee

Hi Tomer,

Can you elaborate on "connect between your feeds and the gateway automatically"? Example perhaps.

Tomer_Sole
Mentor

Hi, sorry for slacking at the end :)

Let's say you pay for a subscription to some 3rd-party domain www.ExclusiveProtectionRules.com/feed.csv, which contains a list of .snort files, each with logic to detect IPS.

You can place on a remote host a script in Python or bash or something that polls that URL every now and then and, when it detects that new entries were added, downloads the new .snort files, places them on the Management Server and remotely calls the Management API commands.
