Need help with create a policy to block list ips
Hi, I am just learning about Check Point today. My goal is to make a policy so that Check Point will block any connection from all the IPs on the list to my computer, but I am stuck. Can anyone help or show me how to do it? Also, I can't seem to call web_api; I always get
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
In an old blog I saw the setting to call web_api,
but in my SmartConsole (which I access with VPN and connect to via https:// IP address) it seems to be enabled. My account has the admin role. So can anyone help me with what I can do, or if you know a blog or a link to a page in the docs, that is good for me.
Note there are many ways to block a list of IPs that don't involve using the API:
What does api status say on the management server?
Is that what you are attempting to do via the API?
My main goal here is to make a side service that is going to listen to Kafka and add the IPs in the messages to the Check Point block list, so I am going to need that API. My Check Point is a trial license; I can only call the Gaia API. Every time I call web_api I get "You don't have permission to access this resource." I have logged in with the admin account but still can't activate the Management API, like the pic I sent above.
My main goal is to make a service that is going to listen to Kafka, ThreatConnect ... to update back to Check Point the list of IPs that need to be blocked, so I need to work with the API. I am using a trial license of Check Point to build a demo; it is R81.10 with Gaia API v1.5, but I can't seem to open the Management API, like the pic I sent above. I am already using the admin account but the setting is still disabled, so my questions are:
- Can a trial license use the Management API?
- And, with or without the Management API, how can I add IPs to my block list, and how do I set up Check Point so that it takes the values from that list and blocks the IPs?
The more you can tell us about the environment you're working with, the more likely we're able to help.
This includes the Check Point components you've installed, whatever it is you are using to access the API, and the related networking.
The exact API calls you're attempting to make, and to which device, will help as well.
You can do everything you're trying to do with evaluation licenses.
There are two different APIs here:
- Gaia API (used for operating system level changes)
- Management API (used for security policy changes)
You might want to review a Deep Dive session I did on using the Management API: https://community.checkpoint.com/t5/API-CLI-Discussion/Management-API-Best-Practices-October-2024-Vi...
Working with the Management API (which requires making API calls to your Security Management Server, not the gateway) requires very specific steps:
- Log in
- Make the relevant changes
- Publish the changes
- Push policy to relevant gateway
- Log out
What you're attempting to do will require a policy install each time you make a change, which can be disruptive.
The other methods I suggested only need to have the relevant file updated and the gateways will be updated with the correct IPs to block.
The Gaia API cannot be used to block traffic (except maybe using a run-script that calls fwaccel dos or similar).
However, in R82, you can create a dynamic layer that has a policy that can be updated directly with the Gaia API.
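The login / change / publish / install-policy / logout sequence described above, as an added example (not PhoneBoy's code or Check Point's): a small Python client for the Management API on the Security Management Server. Endpoint names and fields (login returning sid, the X-chkp-sid header, add-host, set-group members.add, install-policy policy-package/targets) are the documented Management API ones; the transport is injected so the call order can be checked offline, and the group, package and gateway names are placeholders.

```python
# Added example: Management API call order for an IP block list (see lead-in).
import json
import ssl
import urllib.request


def https_transport(base_url):
    """Real transport: POST JSON to https://<mgmt>/web_api/<command>."""
    ctx = ssl.create_default_context()  # verify the management server's certificate

    def post(command, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session id returned by login
        req = urllib.request.Request(f"{base_url}/web_api/{command}",
                                     data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.loads(resp.read())
    return post


def recording_transport(log):
    """Offline stand-in: records (command, sid) and fakes the login reply."""
    def post(command, payload, sid=None):
        log.append((command, sid))
        return {"sid": "sid-constructed"} if command == "login" else {}
    return post


def push_block_list(post, user, password, ips, group="Blocked-IPs",
                    package="Standard", targets=("gw-demo",)):
    """Add a host per IP to the group, publish, install policy, always log out."""
    sid = post("login", {"user": user, "password": password})["sid"]
    try:
        names = []
        for ip in ips:
            name = "blk_" + ip.replace(".", "_").replace(":", "_")
            post("add-host", {"name": name, "ip-address": ip}, sid)  # errors if name exists
            names.append(name)
        post("set-group", {"name": group, "members": {"add": names}}, sid)
        post("publish", {}, sid)
        # every change needs a policy install, which is what makes this approach disruptive
        post("install-policy", {"policy-package": package, "targets": list(targets)}, sid)
        return names
    finally:
        post("logout", {}, sid)  # runs even if a step above raised
```

For a real run, pass `https_transport("https://<mgmt-ip>")` as `post`; the group must already be referenced by a Drop rule in the package for the blocks to take effect.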
Hi,
Looking at the screenshot you sent and based on the information that you connect to https:// to access the GUI, I can only assume that you are connecting using Web SmartConsole by accessing the GUI at this URL: https://<mgmtsrv>/smartconsole
The Web SmartConsole does not contain all the configuration settings; we are regularly updating it to include more capabilities. More details here: https://support.checkpoint.com/results/sk/sk170314
For example, the setting to enable the management API to accept remote requests currently cannot be set in Web SmartConsole.
If you want to set this using the GUI you need to use the SmartConsole application, which has the full capability of all settings in the GUI. You can find the latest version of the R81.10 SmartConsole application here: https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10_SC/R81.10/R81.10_Downloads.htm
If you do not want to download the SmartConsole application, another option is to change the API server to listen to remote calls by connecting to the management server over SSH and running the following command in clish or in Expert mode.
clish:
mgmt login domain "System Data" user "admin"
mgmt set api-settings accepted-api-calls-from "All IP addresses" --format json
Expert mode:
mgmt_cli set api-settings accepted-api-calls-from "All IP addresses" --root "true" --domain "System Data" --format json
More details about this command and how you can restrict access to certain IPs with it can be found here: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-api-settings~v2%20
If I understand your goal correctly, you plan to have a predefined rule with a block action in place and you want to dynamically fill that rule with IPs without the need to reinstall the policy on the gateway every time there is a change to the list of IPs to block.
For this purpose, as also suggested by PhoneBoy, I recommend you use Generic Data Center Objects. Since the SK sk167210 referred to in the admin guide seems to require login, I have for your convenience added a PDF version of that content to this post. I have also asked our tech writers to make sk167210 publicly available.
Kind Regards
Jim
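The Generic Data Center approach recommended above, as an added example (not Jim's code or Check Point's): a Python module that turns feed entries into the JSON file the gateway reads, rejecting malformed entries and writing the file atomically so a gateway never parses a half-written file. The field layout (version, description, objects with name/id/description/ranges) is the sk167210 format as I recall it; confirm the field names against the SK. The object name and id and the sample feed entries are constructed.

```python
# Added example: build a Generic Data Center object file from a block-list feed.
import ipaddress
import json
import os
import tempfile

# Constructed feed entries, as they might arrive from Kafka or ThreatConnect.
SAMPLE_FEED = ["203.0.113.7", "198.51.100.0/24", "192.0.2.10-192.0.2.20",
               "not-an-ip", "192.0.2.20-192.0.2.10", "203.0.113.7"]


def normalise_entry(entry):
    """Return a canonical IP, CIDR or 'low-high' range string, or None if invalid."""
    entry = entry.strip()
    try:
        if "-" in entry:  # explicit range: both ends must parse, same family, ordered
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None
            return f"{lo}-{hi}"
        if "/" in entry:  # CIDR; strict=False accepts host bits set (e.g. 10.1.2.3/24)
            return str(ipaddress.ip_network(entry, strict=False))
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return None


def build_generic_dc(entries, name="Feed-Block-List", obj_id="feed-block-list-1"):
    """Return (document, rejected): the JSON-ready dict and the entries dropped."""
    accepted, rejected = set(), []
    for entry in entries:
        norm = normalise_entry(entry)
        if norm:
            accepted.add(norm)  # set() also removes duplicates from the feed
        else:
            rejected.append(entry)
    doc = {
        "version": "1.0",
        "description": "Block list fed from Kafka/ThreatConnect (constructed example)",
        "objects": [{"name": name, "id": obj_id,
                     "description": "IPs to block; referenced by a Drop rule",
                     "ranges": sorted(accepted)}],
    }
    return doc, rejected


def write_atomic(doc, path):
    """Write to a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)
    os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
    return path
```

The resulting file is what the Generic Data Center object in SmartConsole points at; once the rule referencing that object is installed once, later file updates take effect without another policy install.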
