Silesio
Contributor

How To's - Interact with Check Point Management API on Gaia R81

Hi there, in this post we’re going to see how to interact with Check Point Management API. We are going to run some API commands using GAIA CLI (clish), Windows CLI and SmartConsole CLI.

Before starting, be sure to enable the API on SmartConsole > Manage & Settings > Blades > Management API > Advanced Settings > Accept call from: All IP addresses.

1.png

This change requires us to restart the API service. Log in to the management server and restart the API service by running the command api restart

2.png

After some minutes we can verify the api status service by running the command api status

3.png

As we are already at Gaia clish, we’ll begin performing some operations here.

First we have to log in as a management user by running the command mgmt login. Another variation for this command is to use mgmt login without the user argument, but for some reason the authentication failed.

4.png

To use api commands the syntax is mgmt + command + parameters. For example let’s list all the network objects by running the command mgmt show-networks

5.png

The result is printed in JSON format. This means that we can leverage this output using Python (I'll write more about this in the future).

Let’s change the DMZ network name by running the command mgmt set network name DMZ new-name DMZ-API color "blue"

6.png

When we change an object value, the object will be locked for the current session until we publish the change.

7.png

Let’s publish the change by running the command mgmt publish

8.png

And we have success. Let’s verify by running the command mgmt show network name DMZ-API

9.png

We can also verify by looking at SmartConsole

10.png

Now let's install a policy by running the command mgmt install-policy policy-package MainSite access true threat-prevention true targets.1 A-GW-CLUSTER

11.png

We should get a successful result

12.png

13.png

Windows cli console

Now let’s run some commands using windows cli console. We’ll have to use the Check Point tool mgmt_cli.exe, located in C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM folder.

When using the mgmt_cli tool, in order for a command to run, it is mandatory to provide login credentials or use a session-id token that was obtained previously using the ‘login’ command.

Let’s log in to mgmt_server by running the command mgmt_cli login -u silesio -p admin1234 -m 192.168.234.11

14.png

Now let’s see all the hosts by running the command mgmt_cli show hosts -u silesio -p admin1234 -m 192.168.234.11

15.png

Calling mgmt_cli with credentials (provided explicitly or entered by prompt) will result in performing four different operations:

  1. Log into the management server using the supplied credentials
  2. Execute the command
  3. Publish
  4. Logout

Let’s delete the host H_192.168.20.1 by running the command mgmt_cli delete host name H_192.168.20.1 -u silesio -p admin1234 -m 192.168.234.11

16.png

We can also run the commands without specifying the credentials all the time. Let’s create a file to store the session and use it whenever we want to run a command.

Open the windows prompt as administrator.

17.png

Type the command mgmt_cli login -u silesio -p admin1234 -m 192.168.234.11 > session.txt

18.png

Let’s add a new host by running the command mgmt_cli add host name "New Host API" ip-address 172.30.30.1 color green -s session.txt

19.png

Notice that the change wasn’t published. In the above example, the output from the login command is redirected to a file called "session.txt". By using the "-s" parameter, the rest of the commands read "session.txt" and automatically extract the session-id from this file.

20.png

We can confirm the new host was created successfully.

21.png

SmartConsole CLI

Lastly, let’s use the SmartConsole CLI.

When typing commands inside the window they just work - There is no need to provide a username, password or the ip-address of the management server because this information was already provided in the GUI’s login dialog and the commands are executed in that context.

The syntax is identical to the commands used previously. The main difference is that here we don’t have to add the mgmt command.

22.png

Let’s add two groups, and a new network inside of one of the groups.

23.png

24.png

25.png

To save the changes we have to publish.

26.png

It appears that the publish command isn’t supported inside SmartConsole CLI, so we have to publish manually.

27.png

 

These are some of the commands that we can use to interact with Check Point Management API. They are more helpful for bulk operations like adding more than 100 objects, or even to automate some repetitive tasks. 

I hope you enjoyed this post, leave your comments below and I'll see you on the next one.

Reference:

https:// sc1.checkpoint.com/documents/latest/APIs/index.html#cli/introduction~v1.7%20 

 

0 Kudos
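
The four operations the post lists for mgmt_cli with credentials (login, execute, publish, logout), written out against the Management API's web service as an added example that is not part of the original post. It publishes explicitly, discards the session's changes if a command fails, always logs out, and prompts for the password instead of taking it on the command line. Assumptions: the management server's certificate is trusted by the local store, `MgmtSession` and `add_hosts` are hypothetical names, and the server address, user and host are the post's lab values.

```python
import json
import ssl
import urllib.request


def https_post(url, headers, payload, cafile=None):
    """POST a JSON body over TLS with certificate verification; return the decoded reply."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


class MgmtSession:
    """Context manager: login on entry; publish on success, discard on error; always logout."""

    def __init__(self, server, user, password, post=https_post):
        self.base = f"https://{server}/web_api/"
        self.user, self.password, self.post = user, password, post
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:  # every call after login carries the session id
            headers["X-chkp-sid"] = self.sid
        return self.post(self.base + command, headers, payload or {})

    def __enter__(self):
        self.sid = self.call("login", {"user": self.user, "password": self.password})["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            self.call("discard" if exc_type else "publish")
        finally:
            self.call("logout")  # never leave a session (and its object locks) behind
            self.sid = None
        return False


def add_hosts(session, hosts):
    """Create each (name, ip) pair as a host object; return the names the server echoed back."""
    return [session.call("add-host", {"name": n, "ip-address": ip})["name"] for n, ip in hosts]


if __name__ == "__main__":
    import getpass  # prompt for the password so it never appears in argv or shell history
    with MgmtSession("192.168.234.11", "silesio", getpass.getpass("API password: ")) as s:
        print(add_hosts(s, [("New Host API", "172.30.30.1")]))
```
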
3 Replies
PhoneBoy
Admin

This got posted twice…what happened to cause that?

0 Kudos
Silesio
Contributor

Probably an error while posting. I think this happens whenever there is a link in the post.

If you noticed, I had to add a blank space in the url.

0 Kudos
PhoneBoy
Admin

That shouldn’t cause an error…

0 Kudos
