I am using the v1.9 management API (Check Point - Management API reference)
show-simple-gateways shows Maestro SGs and interoperable Check Point devices
show-simple-clusters shows traditional hardware clusters
I don't have any LSM systems, but I tried anyways (show-lsm-gateways and show-lsm-clusters)
No VSX systems are shown, traditional or on Maestro.
This was last discussed in 2016.
Solved: How to get VS information on VSX via API ? - Check Point CheckMates
Now that we are on R81.20, is there an undocumented feature to get this information?
If not, can we Pretty Please get a Jira for this missing feature? It really hurts the ability to script. Real world example: Add a backup log server to all my firewalls.
Thank you.
Official APIs for VSX are planned as part of R82.
VSs show up in show-gateways-and-servers. Here's redacted output from one of my production managements:
```
[Expert@MySmartCenter]# mgmt_cli -f json -r true show gateways-and-servers limit 500 | jq -c '.objects[]|[.name,.type]'
["vs_a_a","CpmiVsClusterNetobj"]
["vs_a_b","CpmiVsClusterNetobj"]
["vs_a_c","CpmiVsClusterNetobj"]
["vs_a_d","CpmiVsClusterNetobj"]
["vs_a_e","CpmiVsClusterNetobj"]
["vs_a_f","CpmiVsClusterNetobj"]
["vs_a_g","CpmiVsClusterNetobj"]
["vs_a_h","CpmiVsClusterNetobj"]
["sw_a_a","CpmiVsClusterNetobj"]
["vs_a_i","CpmiVsClusterNetobj"]
["sw_a_b","CpmiVsClusterNetobj"]
["MySmartCenter","checkpoint-host"]
["vsxClusterA","CpmiVsxClusterNetobj"]
["vsxClusterAMember1","CpmiVsxClusterMember"]
["vsxClusterAMember2","CpmiVsxClusterMember"]
["sw_b_a","CpmiVsClusterNetobj"]
["vs_b_a","CpmiVsClusterNetobj"]
["vs_b_b","CpmiVsClusterNetobj"]
["vs_b_c","CpmiVsClusterNetobj"]
["vs_b_d","CpmiVsClusterNetobj"]
["vs_b_e","CpmiVsClusterNetobj"]
["vs_b_f","CpmiVsClusterNetobj"]
["vs_b_g","CpmiVsClusterNetobj"]
["MyLogServer","checkpoint-host"]
["vsxClusterB","CpmiVsxClusterNetobj"]
["vsxClusterBMember1","CpmiVsxClusterMember"]
["vsxClusterBMember2","CpmiVsxClusterMember"]
```
VSX cluster members (useful for things like version checks, syslog config, etc.) are type CpmiVsxClusterMember.
VSX clusters are type CpmiVsxClusterNetobj.
On a cluster, VSs themselves are type CpmiVsClusterNetobj (they are technically clusters, though you generally don't have to manage the members). I don't have any non-clustered VSX firewalls, so I don't know what object type a non-clustered VS would have. Maybe CpmiVsNetobj?
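Added example, not part of the thread and not Check Point code: a Python helper that turns the parsed JSON pages of `show gateways-and-servers` into a VSX inventory keyed on the three type names from the post above, and reports whether paging returned every object so a log-server audit does not silently skip firewalls. The sample pages, the `review` bucket, the `CpmiVsExampleNetobj` type and the function name are constructed for illustration; the reply is assumed to carry the `total` paging field.

```python
from collections import defaultdict

# Type names as reported in the post above.
ROLE_BY_TYPE = {
    "CpmiVsxClusterNetobj": "vsx_cluster",
    "CpmiVsxClusterMember": "vsx_member",
    "CpmiVsClusterNetobj": "virtual_system",
}

def build_inventory(pages):
    """Merge paged replies into {role: {name: type}} plus a completeness flag."""
    inventory = defaultdict(dict)
    seen = set()
    total = 0
    for page in pages:
        # 'total' is assumed to be the paging field of the reply.
        total = max(total, page.get("total", 0))
        for obj in page.get("objects", []):
            key = obj.get("uid") or obj["name"]
            if key in seen:          # overlapping pages: count each object once
                continue
            seen.add(key)
            obj_type = obj["type"]
            if obj_type in ROLE_BY_TYPE:
                role = ROLE_BY_TYPE[obj_type]
            elif obj_type.startswith("CpmiVs"):
                role = "review"      # VSX-looking type the post did not cover
            else:
                role = "other"
            inventory[role][obj["name"]] = obj_type
    return dict(inventory), len(seen) >= total

# Constructed sample: two pages of a six-object management database.
SAMPLE_PAGES = [
    {"from": 1, "to": 3, "total": 6, "objects": [
        {"name": "vs_a_a", "type": "CpmiVsClusterNetobj"},
        {"name": "MySmartCenter", "type": "checkpoint-host"},
        {"name": "vsxClusterA", "type": "CpmiVsxClusterNetobj"}]},
    {"from": 4, "to": 6, "total": 6, "objects": [
        {"name": "vsxClusterAMember1", "type": "CpmiVsxClusterMember"},
        {"name": "vsxClusterAMember2", "type": "CpmiVsxClusterMember"},
        {"name": "vs_x", "type": "CpmiVsExampleNetobj"}]},  # made-up type
]

if __name__ == "__main__":
    inv, complete = build_inventory(SAMPLE_PAGES)
    print("complete:", complete)
    for role, members in sorted(inv.items()):
        print(role, sorted(members))
```
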
Thank you for mentioning show gateways-and-servers. However, this does not address the need to work with values and modify the properties.
I will try out your suggestion to see if I can at least see the existing backup log servers for my VSs.
You only mentioned getting the information. 😉
Once you have the objects' UUIDs, you could use the set-generic-object call, but it's not officially supported or stable in the API sense (output or expected input could change with no notice). Other than that, the API has very little support for VSX, correct. I mostly use the information I shared to do things which involve the physical VSX cluster members. For example, I have a periodic script running on my management which iterates through all the VSs, dumps their configs, copies all of the configs up to the management, runs a 'diff' on them, then sends me the results. This way, I know if somebody added some dynamic routing config on one member but forgot to put it on the other member. Keeps my failovers predictable.
Thank you for the replies Bob. It's rare to get such good feedback so quickly!
I did try your suggestion (with WebAPI), it gives limited information (redacted):
```
{
  "uid": "12b4fd08-3179-674c-8528-76243a000000",
  "name": "ProdFirewall1",
  "type": "CpmiVsClusterNetobj",
  "domain": {
    "uid": "535ddc43-2317-4edb-a6dd-eb5891000000",
    "name": "Prod",
    "domain-type": "domain"
  },
  "icon": "NetworkObjects/vsx/vs_clust",
  "color": "black"
}
```
My request is for a response from Check Point if after 7 years the fix is finally in the works.
My real world example (see above): Add a backup log server to all my firewalls. This is easily done for classic firewalls and Maestro SGs. I have a lot of VSX hosts these days (going to be adding 50+ more soon), and this is a missing feature I would love to have.
Official APIs for VSX are planned as part of R82.