Timothy_Hall
Legend

Functionality - Mgmt API vs. SmartConsole - Revisited for R81.20-v1.9 / R82-v2.0

Several years ago I posted the article below (which has been updated along the way) asking what kinds of operations could not be executed via the management API and had to be done manually in the SmartConsole:

Functionality - API vs. SmartConsole 

I'd like to revisit this topic for R81.20/API v1.9 for purposes of teaching an upcoming Check Point Certified Automation Specialist (CCAS) class. Here is my current list; however, keep in mind that while some of these cannot be accessed directly through the API, one workaround is to use the run-script call to execute any command as a "one-time" script, which was added in API 1.9. In earlier releases one can do add repository-script then run-script script-name. Examples of commands that could be run this way are cpstat and cplic.

So which ones am I missing for the latest API v1.9?  Thanks!

  1. Add/manipulate Content Awareness Data Types (resolved in R82 mgmt API v2.0)
  2. SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole).  SmartEvent Views/Reports and the ability to schedule them are not available via API either.
  3. SmartUpdate License/Contract Manipulation via API (performed in a separate GUI from SmartConsole prior to R80.40, but now available in SmartConsole) - (Licenses (not contracts) can be manipulated via the API starting in version 1.9.1)
  4. QoS Blade/Policies
  5. GUIDBedit Operations (performed in a separate GUI from SmartConsole) Could use run-script call to execute dbedit operations as a "one-time" script, added in API 1.9.  In earlier releases can do add repository-script then run-script script-name from the script repository.
  6. Creation and Manipulation of LDAP Account Unit Objects
  7. Creation and Manipulation of Legacy User@Host Objects (not Access Roles)
  8. Creation and Manipulation of Legacy UFP/CVP Objects (which are deprecated in R80.x anyway)
  9. Manipulation of Geo Policy (deprecated in R81, use Geo Updatable Objects which are fully supported via API).
  10. Endpoint Policies
  11. Not all properties under Global Properties...Advanced...Configure seem to be available via API. (resolved in R82 mgmt API v2.0)
  12. Status & Traffic/System Counters report on Gateways & Servers tab (could use cpstat command via run-script to get some of this information)
  13. Manipulation of Inspection Settings
  14. Working with IPS ThreatCloud Protections & Core Activations
  15. Manage & Settings...Blades Advanced Settings
  16. Smart Tasks (can only show them, can't create or manipulate) (resolved in API v1.6)
  17. Create/Manipulate UserChecks
  18. Functions unique to the SmartView Monitor GUI: 
    1. SAM Rules
    2. Alerting Thresholds
    3. Live VPN Tunnel Views
  19. Everything else that still has to be done by an administrator in the legacy SmartDashboard as of R81.20, namely:
    1. Legacy Mobile Access Blade Configuration (resolved in R82 mgmt API v2.0)
    2. Anti-spam & Mail Blade Configuration
    3. DLP Blade (not Content Awareness)
    4. Creation and Manipulation of External User Profiles (generic* user)
    5. Various HTTPS Inspection configuration elements such as Trusted CAs and updating the list, and certificate validation settings.  (resolved in R82 mgmt API v2.0)
  20. Setting a service to use a Protocol Handler of None/Blank (thanks to @Bob_Zimmerman)
  21. Creation and Manipulation of Log Exporter/SIEM server objects added in R81 & also Syslog server objects (thanks to @Bob_Zimmerman)
  22. While gateway objects can be created and manipulated through the management API, not all gateway object settings are accessible via API.  Examples: ISP Redundancy, Monitoring blade additional reports checkboxes, and Platform Hardware type.
  23. Certain configuration elements of a VPN Community object such as IP Compression, Disable NAT inside the community, and Use aggressive mode cannot be set/viewed via the API (thanks to @Alex-).
  24. VSX-related functions cannot be accessed at all through the Management API.  (Ability to run vsx-provisioning-tool via API was added in R82 mgmt API v2.0)
  25. Cannot create/manipulate APCL/URL bandwidth "Limit" objects.  (resolved in R82 mgmt API v2.0)
  26. Management API call get-interfaces does not support a Security Gateway object (SMO) that represents a Maestro Security Group or Scalable Platform.  (resolved in R82 mgmt API v2.0)
  27. Cannot view/manipulate CIFS resource objects.  (resolved in R82 mgmt API v2.0)
  28. Cannot view/manipulate third-party CA certificates utilized in VPNs among other places.   (resolved in R82 mgmt API v2.0)

Am I missing anything?  Thanks everyone!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
8 Replies
Bob_Zimmerman
Authority

SmartConsole can set a service object to use no protocol (special value None). The API can't.

0 Kudos
Timothy_Hall
Legend

Added to the list with credit, thanks!

0 Kudos
PhoneBoy
Admin

That’s a pretty complete list.
Might have to add this to my session I do on the API 🙂

0 Kudos
Bob_Zimmerman
Authority

I just learned about a whole new object type, apparently added in R81: Log Exporter/SIEM. It's a way to configure Log Exporter in SmartConsole.

Doesn't seem to be covered by the API at all.

0 Kudos
Timothy_Hall
Legend

Added to the list with credit, thanks!

0 Kudos
PhoneBoy
Admin

@Omer_Kleinstern can you confirm?

0 Kudos
Bob_Zimmerman
Authority

One minor correction to myself. Log Exporter/SIEM objects do show up in 'show objects', which is partial API coverage. I don't see a way to define new ones or edit existing ones via the API. None of the interesting fields show up as of API v1.8.1. I don't have an R81.20 system handy to test API v1.9 or v1.9.1:

[Expert@DallasSA]# mgmt_cli -f json -r true show object uid e2b2000b-8a07-4623-82b0-48ec3c7ae33d details-level full
{
  "object" : {
    "uid" : "e2b2000b-8a07-4623-82b0-48ec3c7ae33d",
    "name" : "TestExporter",
    "type" : "LogExporter",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "color" : "black",
    "meta-info" : {
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1688918286140,
        "iso-8601" : "2023-07-09T15:58+0000"
      },
      "last-modifier" : "admin",
      "creation-time" : {
        "posix" : 1688918286140,
        "iso-8601" : "2023-07-09T15:58+0000"
      },
      "creator" : "admin"
    },
    "tags" : [ ],
    "icon" : "Objects/log_exporter",
    "comments" : "",
    "display-name" : "",
    "customFields" : null
  }
}

Looking in that area of SmartConsole and comparing with the API documentation, the same is likely true for IF-MAP, Syslog, SecuRemote DNS, SecurID, Subordinate CA, and Trusted CA objects.

0 Kudos
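
The partial-coverage check described in the post above, as an added example that is not part of the original thread: it flags object types for which the API returns only the generic fields seen in the quoted LogExporter output, so their real settings cannot be read or audited through the API. The `GENERIC_KEYS` baseline, the function names and the second sample object are assumptions of this example.

```python
import json
from collections import defaultdict

# Keys present in the LogExporter output quoted above; treated here as the
# generic envelope every object carries (an assumption of this example).
GENERIC_KEYS = frozenset({
    "uid", "name", "type", "domain", "color", "meta-info", "tags",
    "icon", "comments", "display-name", "customFields",
})


def type_specific_keys(obj):
    """Return the keys of one object that are not part of the generic envelope."""
    return set(obj) - GENERIC_KEYS


def coverage_by_type(objects):
    """Map each object type to the union of type-specific keys seen for it."""
    seen = defaultdict(set)
    for obj in objects:
        seen[obj.get("type", "<unknown>")] |= type_specific_keys(obj)
    return dict(seen)


def envelope_only_types(objects):
    """Types for which no object exposed anything beyond the generic envelope."""
    return sorted(t for t, keys in coverage_by_type(objects).items() if not keys)


# Constructed sample: the first object is trimmed from the output quoted above,
# the second is a made-up host object added for contrast.
SAMPLE = json.loads("""
[
  {"uid": "e2b2000b-8a07-4623-82b0-48ec3c7ae33d", "name": "TestExporter",
   "type": "LogExporter", "color": "black", "tags": [],
   "icon": "Objects/log_exporter", "comments": "", "display-name": "",
   "customFields": null},
  {"uid": "00000000-0000-0000-0000-000000000001", "name": "ExampleHost",
   "type": "host", "color": "black", "tags": [], "comments": "",
   "ipv4-address": "192.0.2.10", "nat-settings": {"auto-rule": false}}
]
""")

if __name__ == "__main__":
    for obj_type, keys in coverage_by_type(SAMPLE).items():
        print(obj_type, "->", sorted(keys) or "generic fields only")
    print("envelope-only types:", envelope_only_types(SAMPLE))
```

Feed it objects retrieved with details-level full, as in the command quoted above; a type that lands in the envelope-only list is one whose configuration still has to be reviewed in SmartConsole.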
Alex-
Leader

Advanced properties of a VPN community, namely IP Compression, Disable NAT inside the community and Use aggressive mode, cannot be set or viewed with the API.

0 Kudos
