When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead. I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this. Some ground rules:
1) Only releases that are GA like R80.40 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R81 that doesn't count
2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations
3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.
4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post)
So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead, please feel free to add items to this list or provide corrections:
1) Manipulation of gateway cluster objects Edit: Added in R80.40 API (v1.6)
2) Geo Policy Edit: Geo Updatable objects can be accessed via API starting in v1.3
3) HTTPS Inspection Edit: HTTPS Inspection Policy can be configured/accessed via API in R80.40+ (v1.6)
4) Mobile Access Blade Configuration
5) Anti-spam & Mail Blade Configuration
6) DLP Blade (not Content Awareness)
7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)
😎 SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole) Edit: Could use run-script call to execute cplic operations as a "one-time" script, added in API 1.9. In earlier releases can do add repository-script then run-script script-name.
9) QoS Blade/Policies (not APCL/URLF Limits)
10) GUIDBedit Operations (performed in a separate GUI from SmartConsole) Edit: Could use run-script call to execute dbedit operations as a "one-time" script, added in API 1.9. In earlier releases can do add repository-script then run-script script-name from repository.
11) Performing an Install Database operation for an SMS/MDS Edit: Added in R80.40 API (v1.6)
12) Creating/Manipulating Interoperable VPN Objects (can partially be done with generic-object APIs) Edit: Added in R81.20 API (v1.9)
13) Creation and Manipulation of Account Unit Objects
14) Creation and Manipulation of Legacy User@Host Objects (not Access Roles)
15) Creation and Manipulation of Legacy UFP/CVP Objects (which are deprecated in R80.x anyway)
16) Manipulation of Geo Policy (deprecated in R81, use Geo Updatable Objects which are supported via API).
16) Endpoint Policies
17) Add/manipulate Content Awareness Data Types
18) Not all properties under Global Properties Advanced...Configure seem to be available.
19) Status & Traffic/System Counters report on Gateways & Servers tab (could use cpstat command to get this information)
20) Manipulation of Inspection Settings
21) Manage & Settings..Blades Advanced Settings
22) Smart Tasks (can only show them)
23) Create/Manipulate UserChecks
24) APCL/URLF Limit Actions
Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com