This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Champion
Champion
‎2019-07-05 09:23 AM

Functionality - API vs. SmartConsole

When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead.  I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this.  Some ground rules:

1) Only releases that are GA like R80.40 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R81 that doesn't count

2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations

3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.

4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post)

So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead, please feel free to add items to this list or provide corrections:

1) Manipulation of gateway cluster objects  Edit: Added in R80.40 API (v1.6)

2) Geo Policy  Edit: Geo Updatable objects can be accessed via API starting in v1.3

3) HTTPS Inspection  Edit: HTTPS Inspection Policy can be configured/accessed via API in R80.40+ (v1.6)

4) Mobile Access Blade Configuration

5) Anti-spam & Mail Blade Confirguration

6) DLP Blade (not Content Awareness)

7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)

😎 SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole)

9) QoS Blade/Policies (not APCL/URLF Limits)

10) GUIDBedit Operations (performed in a separate GUI from SmartConsole)

11) Performing an Install Database operation for an SMS/MDS  Edit: Added in R80.40 API (v1.6)

12) Creating Interoperable VPN Objects (can partially be done with generic-object APIs)

13) Creation and Manipulation of Account Unit Objects

14) Creation and Manipulation of Legacy User@Host Objects (not Access Roles)

15) Creation and Manipulation of Legacy UFP/CVP Objects (which are deprecated in R80.x anyway)

16) Endpoint Policies

Thanks everyone!

 

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
8 Replies
PhoneBoy
Admin
Admin
‎2019-07-05 04:25 PM

It's a good starting list.
There are a few others that don't have official APIs but may be (partially) accomplished using generic-object APIs.

1. Creating interoperable VPN objects (can partially be done with generic-object APIs)
2. LDAP objects
3. User@Host objects
4. Legacy UFP/CVP objects (which are deprecated in R80.x anyway)
5. Endpoint policies
0 Kudos
Paul_Nokel
Explorer
‎2019-07-08 11:55 PM

Hi,

 

this list can be really useful and help planning automation tasks.

 

The point that I miss the most:

- Almost anything related to IPS. Including excpetions.

 

Best regards,

Paul

JozkoMrkvicka
Mentor
Mentor
‎2019-08-18 02:09 PM
In response to Paul_Nokel

Not really SmartConsole related (even not for Managements), but following APIs would be also really great:

1. Complete FTW (First Time Wizard) via API
2. Add/Remove/Modify licenses via API
3. Configure RADIUS, NTP, SYSLOG, DNS, routes, VLANs, DHCP via API (partially included in Ender - Gaia REST API )

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-05 07:38 AM
In response to Paul_Nokel

IPS is part of the overall Threat Prevention policy in R80.x, which definitely has API support.
0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-05 07:43 AM

We can potentially remove Cluster Objects and HTTPS Inspection from this list in R80.40, based on the current EA feature set.
Geo Policy should be done using Updatable Objects in R80.20+, which is inherently more flexible than the traditional Geo Policy.
Mobile Access Blade is partially supported by API in R80.x if you use the unified policy approach.
0 Kudos
FedericoMeiners
Advisor
‎2019-09-05 01:43 PM

Associate interfaces to security zones? I couldn't find it neither in mgmt_cli or vsx_util

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-05 02:32 PM
In response to FedericoMeiners

This is definitely doable using set simple-gateway.
It's one of the parameters you pass when modifying an interface, e.g. security-zone-settings
If you have a specific question about this, I highly recommend starting a new thread.
0 Kudos
Francesco-P
Contributor
‎2019-10-26 12:23 PM

Hi,

just to add the useful "Replace feature" available under "where used" in SmartConsole and not in api call.
Btw, this action is possible with some script

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫