I am trying to export the access logs using the $MDS_FWDIR/scripts/web_api_show_package.sh command on our Management server, which is R80. I can export all the FW rules and other IPS rules, but I'm not able to export the NAT rules.
It gives me the following error.
Unexpected character (S) at position 39.
at org.json.simple.parser.Yylex.yylex(Yylex.java:610)
at org.json.simple.parser.JSONParser.nextToken(JSONParser.java:269)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:118)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:81)
at org.json.simple.parser.JSONParser.parse(JSONParser.java:75)
at com.checkpoint.mgmt_api.client.ApiClient.store(ApiClient.java:567)
at com.checkpoint.mgmt_api.client.ApiClient.apiCall(ApiClient.java:305)
at com.checkpoint.mgmt_api.client.ApiClient.apiCall(ApiClient.java:359)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.showNATRulebase(ShowRulebaseExample.java:939)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.getPackageData(ShowRulebaseExample.java:428)
at com.checkpoint.mgmt_api.examples.ShowRulebaseExample.main(ShowRulebaseExample.java:286)
Kindly let me know how to export the NAT rules as well.
Can you please specify which R80 version you are using (cpinfo -y all command)?
Robert.
cpinfo -y all command output:
This is Check Point CPinfo Build 914000182 for GAIA
[FW1]
HOTFIX_R80_JHF_T76 Take: 8
HOTFIX_R80_JHF_76_CIRRUS2 Take: 35
FW1 build number:
This is Check Point Security Management Server R80 - Build 002
This is Check Point's software version R80 - Build 012
[SecurePlatform]
No hotfixes..
[CPinfo]
No hotfixes..
[SmartPortal]
No hotfixes..
[Reporting Module]
HOTFIX_R80_JHF_T76 Take: 8
[CPuepm]
HOTFIX_R80_JHF_T76 Take: 8
[CVPN]
No hotfixes..
[SmartLog]
HOTFIX_R80_JHF_T76 Take: 8
[MGMTAPI]
No hotfixes..
[R7520CMP]
No hotfixes..
[R7540CMP]
No hotfixes..
[R7540VSCMP]
No hotfixes..
[R76CMP]
No hotfixes..
[SFWR77CMP]
HOTFIX_R80_JUMBO_COMP
[R77CMP]
HOTFIX_R80_JUMBO_T76_COMP
[R75CMP]
No hotfixes..
[NGXCMP]
No hotfixes..
[EdgeCmp]
No hotfixes..
[SFWCMP]
No hotfixes..
[FLICMP]
No hotfixes..
[SFWR75CMP]
No hotfixes..
[CPUpdates]
BUNDLE_R80_JHF_T76 Take: 8
BUNDLE_R80_JHF_76_CIRRUS2 Take: 35
[DIAG]
No hotfixes..
[VSEC]
HOTFIX_R80_JHF_76_CIRRUS2 Take: 35
[rtm]
No hotfixes..
Thank You.
I know that there was an issue with NAT rulebase that was fixed and delivered as a hotfix.
I'll check on Sunday the exact version and inform you.
Sorry for this inconvenience.
Robert.
Hi Sarath,
It seems that you have installed an older R80 management on your environment.
Our Show-Package tool has evolved big time since then (now on R80.10 installations) - bugs fixed, new features added, including support for Unicode.
Nevertheless, we will check how we can adjust our new version tool to your old installation and inform you.
Robert.
Okay. Thank you.
Hi Sarath,
Please check this repository https://github.com/CheckPointSW/ShowPolicyPackage to get the latest version of the Show Package tool. The version works with both R80 and R80.10 and can be used as a standalone tool remotely or put into the Security Management Server (to replace the bundled one).
Feel free to ask us questions in case you have any.
My plan of action is to download web_api_show_package-jar-with-dependencies.jar from the link provided and copy it into $MDS_FWDIR/api/samples/lib/ replacing the old file on the management server.
(I will back up the old file as well.)
Then run the command $MDS_FWDIR/scripts/web_api_show_package.sh.
Is this approach correct?
It is one of the approaches, as mentioned in the tool's instructions on GitHub - replace the old jar with the new one.
Robert.
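The replace-the-jar procedure discussed above, as an added example (not from the thread or the ShowPolicyPackage project): it checks the downloaded jar against a SHA-256 digest, keeps a timestamped backup, and swaps the file with a rename so the bundled copy is never left half-written. The function names and the expected digest argument are assumptions; the digest must come from a source you trust.

```shell
#!/bin/sh
# Added example: verify, back up, then replace the bundled Show Package jar.
# Usage: replace_jar.sh NEW_JAR TARGET_JAR EXPECTED_SHA256
# EXPECTED_SHA256 is supplied by the operator; nothing here is taken from
# the project. File size is not an integrity signal, the digest is.

# Print the SHA-256 of a file as 64 hex characters.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# replace_jar NEW_JAR TARGET_JAR EXPECTED_SHA256
# Prints the backup path on success.
# Returns 1 on digest mismatch (target untouched), 2 on a missing file or I/O error.
replace_jar() {
    new="$1"; target="$2"; expected="$3"
    [ -f "$new" ] && [ -f "$target" ] || return 2

    actual=$(sha256_of "$new") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $new: got $actual" >&2
        return 1
    fi

    # Keep the old jar so the change can be rolled back.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 2

    # Copy next to the target, then rename over it in one step.
    tmp="$target.new.$$"
    cp "$new" "$tmp" && mv "$tmp" "$target" || { rm -f "$tmp"; return 2; }
    echo "$backup"
}

# Stand-alone use, e.g. with TARGET_JAR under $MDS_FWDIR/api/samples/lib/
if [ "$#" -eq 3 ]; then
    replace_jar "$@"
fi
```

To roll back, copy the printed backup path over the target jar.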
I have downloaded the new jar file from the release tab and replaced it, but it is 729KB while the old one we have is 13059KB, and the tool did not run; it showed a severe error and exited.
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received:
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [x.x.x.x, 127.0.0.1]
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /home/myid/110d4c46-0bf0-4de3-b163-e1436ff67762
[4/26/18 12:10 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-26_12-10-06.tar.gz
I do not want to build the jar file as I'm not aware of those commands and do not know how to build them.
Can you please specify the parameters you are providing to the tool?
I need the exact command line you are running (you may use xxx for sensitive values).
The size of JAR files doesn't matter.
Robert.
I have entered the command below on a side server. I can log into the GUI from this server using the same credentials.
D:\java -jar .\web_api_show_package-jar-with-dependencies.jar -m x.x.x.x -u admin -p ***
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: server:(-m)=x.x.x.x username:(-u)=admin password:(-p)=*****
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login As root: false
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login with 'read-only' flag.
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: An error occurred while logging in to the server. Exception: ERROR: Could not connect to API server, check 'api status' for more details. Error message: Error: failed to get string data
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: D:\c820221a-6745-41d9-a91d-0547cc52c498
[4/27/18 11:52 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-27_11-52-04.tar.gz
api status:
API Settings:
---------------------
Accessibility: Allow from all
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 26621
CPM Started 4816 Check Point Security Management Server is running and ready
FWM Started 7517
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
Test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
I tried running this script from the management server as well, but it did not work.
Hi Sarath,
Thanks for the information. We will check this on Sunday and inform you.
Robert.
Hi,
Please try running the following command on your management server -
java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v
using the new jar from github.
Let me know if this worked.
Robert.
Hi,
Here is the output after running the command on the management server with the new jar file.
# java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v
Script stopped running due to severe error!
Result file location: show_package-2018-04-30_06-46-21.tar.gz
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: showPackagesList:(-v)=true
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Local Ips: [x.x.x.x, 127.0.0.1]
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.MyLogger.severe()SEVERE]: ERROR: failed connecting to the server: 127.0.0.1
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script stopped running due to severe error!
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /home/xxxx/10de5284-8833-4179-aaab-04000d267e7c
[4/30/18 6:46 AM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2018-04-30_06-46-21.tar.gz
Hi Sarath,
Thanks a lot for the collaboration. We found the problem and are going to fix it soon.
It's because of the security protocol versions configured by default in different Java versions. R80 uses Java version 7 and R80.10+ uses Java version 8; that's why it fails to run locally on the R80 Management Server.
Meanwhile, as a workaround you can add the following property to JVM: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
So instead of
java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v
you should run
java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar -v
We will inform you when the fix is ready.
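The workaround above as a wrapper, added here as an example (not code from the thread or from Check Point): it reads the local Java version and passes -Dhttps.protocols only on Java 7, so the same script behaves correctly on Java 8 and later. The function names are assumptions; the protocol list defaults to the one given in the post and can be narrowed through the second argument.

```shell
#!/bin/sh
# Added example: add the https.protocols override only where it is needed.
# Java 7 clients do not enable TLSv1.1/TLSv1.2 by default; Java 8 does.

# java_major TEXT
# Extract the major version from `java -version` output.
# Handles the legacy scheme ("1.7.0_80" -> 7, "1.8.0_292" -> 8)
# and the current one ("11.0.2" -> 11). Returns 1 if no version is found.
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) v=${v#1.}; echo "${v%%[._]*}" ;;
        *)   echo "${v%%[._-]*}" ;;
    esac
}

# jvm_tls_opts MAJOR [PROTOCOLS]
# Print the JVM property for Java 7, nothing for other versions.
jvm_tls_opts() {
    protocols="${2:-TLSv1,TLSv1.1,TLSv1.2}"
    if [ "$1" -eq 7 ]; then
        echo "-Dhttps.protocols=$protocols"
    fi
}

# Stand-alone use: wrapper.sh /path/to/web_api_show_package-jar-with-dependencies.jar
if [ -n "${1:-}" ]; then
    major=$(java_major "$(java -version 2>&1)") || {
        echo "could not determine Java version" >&2
        exit 1
    }
    opts=$(jvm_tls_opts "$major")
    # $opts is left unquoted on purpose: empty on Java 8+, one word on Java 7.
    exec java $opts -jar "$1" -v
fi
```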
Awesome. Works superbly. Thank you very much.
The fix is ready.
You can use version v1.2.3 without providing extra JVM properties.
Thank you. It now works with just the command $MDS_FWDIR/scripts/web_api_show_package.sh on the management server.