Ohad
Explorer

Management API Reference + Threat emulation global exceptions

Dear all,

 

I am trying my best to work with the API document of CheckPoint:

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/show-threat-rule-exception-rulebase...

But as always it's murky at best..

I have R81.10 with a custom policy and its own set of exceptions..

I want to "migrate" all those exceptions to the global exceptions since I am planning to move from the custom policy to the autonomous one... however it's like 100+ rules...

As you can see in the example that they present:

mgmt_cli set threat-exception name "Exception Rule" layer "New Layer 1" rule-number 1 new-name "Last rule"

 

This example does not refer to the main global exceptions under threat preventions ==> Exceptions

 

I can tell that this is not the case since when using #mgmt_cli show threat-exception it shows the exceptions for the custom policy exceptions and not the global..

 

Any ideas would be appreciated 🙂 

 

 

0 Kudos
6 Replies
Daniel_Kuhl1
Employee

Have you tried using the following command: show exception-group name "Global Exceptions"

 

0 Kudos
Ohad
Explorer

Hi Daniel,

Thanks for the quick reply 🙂

The prompt gives me the upper box of the exceptions instead of the bottom box:

**I am attaching a screenshot of the smartconsole - As you can see the "comments" are the same between the output and the screenshot...

I need the Global exceptions rules themselves... not the group....

 

uid: "82006125-3aca-41ea-9a92-519d6065b810"
name: "Global Exceptions"
type: "exception-group"
domain:
  uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
  name: "SMC User"
  domain-type: "domain"
apply-on: "all-threat-rules"
comments: "Out of the box global exception group for threat prevention"
color: "black"
icon: "ThreatPrevention/Exception_Group_Objects"
tags: []
meta-info:
  lock: "unlocked"
  validation-state: "ok"
  last-modify-time:
    posix: 1513272839206
    iso-8601: "2017-12-14T19:33+0200"
  last-modifier: "System"
  creation-time:
    posix: 1513272839206
    iso-8601: "2017-12-14T19:33+0200"
  creator: "System"
read-only: true

 

0 Kudos
Daniel_Kuhl1
Employee

Ah sorry, try this one: show threat-exception name "Test" exception-group-name "Global Exceptions"

You can extend the output by setting the detail level to full like this: 

show threat-exception name "Test" exception-group-name "Global Exceptions" details-level full
0 Kudos
Ohad
Explorer

Cool, it shows the rule now 🙂

Now for the 1 million question - How to add a rule to said group...

 

The syntax is:

mgmt_cli add threat-exception layer "New Layer 1" rule-number 1 position 1 name "Exception Rule" track "Log" protected-scope "All_Internet" protection-or-site "Adware.a" --format json

 

I am assuming it would be something like:

mgmt_cli add threat-exception layer "Global Exceptions" rule-number 12 name "Test12" source-name "ohad-pc" service-name "smtp" destination "ohad-pc" protection-or-site "Anti-Virus" action "Inactive" track "Log"

 

However I am getting an error message:

code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [service-name]"

Executed command failed. Changes are discarded.

 

And if I were to plan ahead, I think the best way to go would be to export the current 100+ rules into a csv, and use the batch flag like when using:

 

mgmt_cli add host --batch hosts.csv

 

I don't see in the URL any provided information in case I want to use a batch file instead of single commands...

0 Kudos
PhoneBoy
Admin

It’s service, not service-name.
See: https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-threat-exception~v1.9.1%20

Exporting the existing rules into a CSV is probably possible with some scripting involving the jq utility.
For it to be importable with the batch option, you need to construct the CSV correctly.
Consider you are passing name/value pairs via mgmt_cli.
The first (header) line includes the “names” you pass (e.g. layer, rule-number…).
Subsequent lines have the relevant values. 

 

0 Kudos
Daniel_Kuhl1
Employee

Hi @Ohad, try the API call below:

mgmt_cli add threat-exception name "Test12" position bottom exception-group-name "Global Exceptions" source "ohad-pc" service "smtp" destination "ohad-pc" protection-or-site "AntiVirus" action "Inactive" track "Log"

0 Kudos
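
Added example (not part of any post in this thread and not Check Point code): one way to build the batch CSV layout PhoneBoy describes, with the parameter names of the last command in the thread as the header row. The shape of the exported JSON (each field a name string, an object with a "name" key, or a list of those), the function names and the sample data are assumptions; compare them with your own --format json output.

```python
import csv
import io
import json

# Header names are the parameters of the last working command in the thread.
COLUMNS = ["name", "exception-group-name", "position", "source", "service",
           "destination", "protection-or-site", "action", "track"]
# Fields copied from each exported rule; the other two columns are fixed.
COPIED = [c for c in COLUMNS if c not in ("exception-group-name", "position")]


def _names(value):
    """Normalise one exported field to a list of object names (assumed shapes)."""
    if value is None:
        return []
    items = value if isinstance(value, list) else [value]
    return [i["name"] if isinstance(i, dict) else str(i) for i in items]


def rules_to_batch_csv(rules_json, group="Global Exceptions"):
    """Return (csv_text, skipped).

    A rule with a missing or multi-valued field is skipped and reported rather
    than flattened, so no exception is silently widened or narrowed.
    """
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    skipped = []
    for rule in json.loads(rules_json):
        problems = [f for f in COPIED if len(_names(rule.get(f))) != 1]
        if problems:
            skipped.append((str(rule.get("name", "<unnamed>")), problems))
            continue
        row = {f: _names(rule[f])[0] for f in COPIED}
        row.update({"exception-group-name": group, "position": "bottom"})
        writer.writerow(row)
    return out.getvalue(), skipped


# Constructed sample export, not output from a real management server.
SAMPLE = json.dumps([
    {"name": "Test12", "source": {"name": "ohad-pc"}, "service": [{"name": "smtp"}],
     "destination": {"name": "ohad-pc"}, "protection-or-site": [{"name": "AntiVirus"}],
     "action": {"name": "Inactive"}, "track": {"name": "Log"}},
    {"name": "Multi", "source": [{"name": "a"}, {"name": "b"}], "service": "smtp",
     "destination": "ohad-pc", "protection-or-site": "AntiVirus",
     "action": "Inactive", "track": "Log"},
])
```

Rules returned in skipped have to be migrated by hand. Diff the CSV against the SmartConsole view of the custom policy's exceptions before importing, since every row turns a protection off for its scope.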
