Hi there, in this post we’re going to see how to interact with the Check Point Management API. We are going to run some API commands from the Gaia CLI (clish), the Windows command line and the SmartConsole CLI.
Before starting, be sure to enable the API in SmartConsole > Manage & Settings > Blades > Management API > Advanced Settings > Accept call from: All IP addresses. This is fine for a lab; in production, restrict it to the addresses of the hosts that actually need to call the API.
This change requires a restart of the API service. Log into the management server and restart the service by running the command api restart
After a few minutes we can verify the status of the API service by running the command api status
Since we are already in Gaia clish, we’ll start by performing some operations there.
First we have to log in as a management user by running the command mgmt login. Another variation of this command is to use mgmt login without the user argument, but for some reason the authentication failed.
To run API commands the syntax is mgmt + command + parameters. For example, let’s list all the network objects by running the command mgmt show-networks
The result is printed in JSON format, which means we can process this output with Python (I'll write more about this in the future).
Let’s change the DMZ network name by running the command mgmt set network name DMZ new-name DMZ-API color "blue"
When we change an object, it stays locked for the current session until we publish the change.
Let’s publish the change by running the command mgmt publish
The publish succeeds. Let’s verify by running the command mgmt show network name DMZ-API
We can also verify by looking at SmartConsole.
Now let's install a policy by running the command mgmt install-policy policy-package MainSite access true threat-prevention true targets.1 A-GW-CLUSTER
We should get a successful result.
Windows CLI console
Now let’s run some commands from the Windows command line. We’ll use the Check Point tool mgmt_cli.exe, located in the folder C:\Program Files (x86)\CheckPoint\SmartConsole\R81\PROGRAM.
When using the mgmt_cli tool, a command will only run if you provide login credentials or a session-id token obtained earlier with the ‘login’ command.
Let’s log into the management server by running the command mgmt_cli login -u silesio -p admin1234 -m 192.168.234.11
Now let’s list all the hosts by running the command mgmt_cli show hosts -u silesio -p admin1234 -m 192.168.234.11
Calling mgmt_cli with credentials (provided explicitly or entered at the prompt) results in four different operations:
- Log into the management server using the supplied credentials
- Execute the command
Let’s delete the host H_192.168.20.1 by running the command mgmt_cli delete host name H_192.168.20.1 -u silesio -p admin1234 -m 192.168.234.11
We can also run commands without specifying the credentials every time. Let’s create a file to store the session and use it whenever we want to run a command.
Open the Windows prompt as administrator.
Type the command mgmt_cli login -u silesio -p admin1234 -m 192.168.234.11 > session.txt
Let’s add a new host by running the command mgmt_cli add host name "New Host API" ip-address 172.30.30.1 color green -s session.txt
Notice that the change wasn’t published. In the above example, the output of the login command is redirected to a file called "session.txt". With the "-s" parameter, the subsequent commands read "session.txt" and automatically extract the session-id from that file. That session-id grants the same access as the login itself, so protect the file accordingly.
We can confirm that the new host was created successfully.
Lastly, let’s use the SmartConsole CLI.
When typing commands inside this window they just work: there is no need to provide a username, password or the IP address of the management server, because this information was already provided in the GUI’s login dialog and the commands run in that context.
The syntax is identical to the commands used previously; the main difference is that here we don’t have to prefix the commands with mgmt.
Let’s add two groups, and a new network inside of one of the groups.
To save the changes we have to publish.
It appears that the publish command isn’t supported inside the SmartConsole CLI, so we have to publish manually.
These are some of the commands we can use to interact with the Check Point Management API. They are most helpful for bulk operations, such as adding more than 100 objects, or for automating repetitive tasks.
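As an added example (not code from the original post), here is a small Python script that ties together two points made above: the JSON output of a show command can be processed programmatically, and bulk work is easier with a saved session file than with credentials on every command line. The sample "show hosts" reply and the CSV inventory are constructed, the field names (objects, name, type, ipv4-address, color) are assumed to match the Management API reply, and the generated commands reuse the -s session.txt approach from the Windows section, ending with publish and logout.

```python
"""
Added example, not part of the original post. It parses the JSON that
`mgmt show hosts` / `mgmt_cli show hosts` prints, flags hosts outside an
allowed address range, and turns a small host inventory into a batch of
mgmt_cli commands that read the session id from session.txt (-s) instead
of repeating -u/-p/-m on every line.
"""
import csv
import io
import ipaddress
import json
import shlex

# Constructed sample shaped like a Management API "show hosts" reply;
# the uids are placeholders and the field names are assumptions.
SAMPLE_SHOW_HOSTS = json.dumps({
    "objects": [
        {"uid": "11111111-aaaa-bbbb-cccc-000000000001", "name": "H_192.168.20.1",
         "type": "host", "ipv4-address": "192.168.20.1", "color": "black"},
        {"uid": "11111111-aaaa-bbbb-cccc-000000000002", "name": "New Host API",
         "type": "host", "ipv4-address": "172.30.30.1", "color": "green"},
        {"uid": "11111111-aaaa-bbbb-cccc-000000000003", "name": "web-01",
         "type": "host", "ipv4-address": "10.1.1.10", "color": "blue"},
    ],
    "from": 1, "to": 3, "total": 3,
})


def hosts_from_show_output(raw_json):
    """Return {name: ipv4-address} for every host object in a show-hosts reply."""
    data = json.loads(raw_json)
    return {obj["name"]: obj["ipv4-address"]
            for obj in data.get("objects", [])
            if obj.get("type") == "host" and "ipv4-address" in obj}


def hosts_outside(hosts, allowed_prefixes):
    """Names of hosts whose address is not inside any of the allowed prefixes.
    Useful as a quick audit of objects that do not belong to your ranges."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return sorted(name for name, ip in hosts.items()
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


def add_host_commands(csv_text, session_file="session.txt"):
    """Build one `mgmt_cli add host` command per CSV row (columns: name,ip,color).
    Every command reads the session id from session_file via -s, so the
    credentials are typed once at login. Values are shell-quoted so names
    with spaces (like "New Host API") survive; malformed IPs are rejected."""
    cmds = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ipaddress.ip_address(row["ip"])  # raises ValueError on a bad address
        cmds.append(" ".join([
            "mgmt_cli", "add", "host",
            "name", shlex.quote(row["name"]),
            "ip-address", shlex.quote(row["ip"]),
            "color", shlex.quote(row.get("color") or "black"),
            "-s", shlex.quote(session_file),
        ]))
    # Changes stay locked in the session until they are published.
    cmds.append(f"mgmt_cli publish -s {shlex.quote(session_file)}")
    cmds.append(f"mgmt_cli logout -s {shlex.quote(session_file)}")
    return cmds


# Constructed inventory; in practice this would come from a CMDB export.
SAMPLE_CSV = "name,ip,color\nApp Server 1,10.20.0.11,green\napp-db,10.20.0.12,\n"

if __name__ == "__main__":
    hosts = hosts_from_show_output(SAMPLE_SHOW_HOSTS)
    print("hosts outside 10/8 and 172.16/12:",
          hosts_outside(hosts, ["10.0.0.0/8", "172.16.0.0/12"]))
    print("\n".join(add_host_commands(SAMPLE_CSV)))
```

The generated lines can be saved to a batch file and run after a single mgmt_cli login ... > session.txt; the script never needs the password, and the only secret on disk is the session file, which should be deleted after the logout command runs.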
I hope you enjoyed this post, leave your comments below and I'll see you on the next one.