Threat Prevention Profile API Malware DNS Trap
Hello Guys,
I'm trying to create a query in order to show and modify (adding/removing) entries on the "Malware DNS Trap" feature on Threat Prevention Profiles.
The problem is that from both documentation on:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20
and querying with "show-threat-profile" in FULL detail-levels, I cannot see any output related to that.
Is there someone that already experienced it and came up with a solution or is there simply someone that could help me out? 🙂
Thanks a lot,
Luca
Unfortunately, there is no official API for these settings.
You can see and modify it with the generic-object API.
Once you have the UID of your threat profile, you can see the settings as follows:
[Expert@MGMT:0]# mgmt_cli -r true --format json show generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e | jq '.malwareDnsTrapSettings'
{
  "objId": "292e317a-88a8-4e74-a33f-0e20d871e5cd",
  "checkPointObjId": null,
  "domainsPreset": null,
  "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
  "resolveIpv4RequestsTo": true,
  "specificIpaddr": "5.5.5.5",
  "ipv4ModeSelection": "SPECIFIED_IP",
  "folderPath": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "text": null,
  "folder": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "is_owned": false,
  "ownedName": ""
}
To change the IP of the DNS trap:
[Expert@MGMT:0]# mgmt_cli -r true set generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e malwareDnsTrapSettings.specificIpaddr "6.6.6.6"
Of course, now that I've read the question again, I realize this wasn't the question you asked.
However, because I did go to some effort to figure this out, I'm leaving the answer here in case anyone else wants to know.
It turns out, the objects that show up in the "Internal DNS Servers" part of the profile are not set in the profile anywhere.
It is a flag that is set in those specific host objects.
Which would mean querying all the host objects to see which ones have the flag set (dns-server true).
Haven't worked out the exact syntax to accomplish this with jq, but I assume it can be done.
To turn an existing host object into a DNS server (and thus show up on this tab):
[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server true
Making something not a DNS server (and thus disappear from this tab) would be:
[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server false
Hope that helps.
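
The reply above leaves open how to list the hosts that carry the DNS server flag. One way to do it, as an added example that is not part of the original reply: page through `show hosts` and keep the objects whose `host-servers.dns-server` is true. It assumes that `details-level full` output includes each host's `host-servers` block and the `from`/`to`/`total` paging fields; the sample JSON, addresses and host names other than "DNS Server" are constructed.

```python
import json
import subprocess

# Constructed sample of one `show hosts details-level full` page (not real output).
SAMPLE_PAGE = json.loads("""
{"from": 1, "to": 3, "total": 3, "objects": [
  {"name": "DNS Server", "ipv4-address": "192.0.2.53",
   "host-servers": {"dns-server": true, "mail-server": false, "web-server": false}},
  {"name": "web01", "ipv4-address": "192.0.2.80",
   "host-servers": {"dns-server": false, "mail-server": false, "web-server": true}},
  {"name": "plain-host", "ipv4-address": "192.0.2.10"}
]}
""")


def dns_server_hosts(page):
    """Return (name, IPv4) for hosts whose host-servers.dns-server flag is true."""
    hits = []
    for obj in page.get("objects", []):
        servers = obj.get("host-servers") or {}  # assumed absent/empty on plain hosts
        if servers.get("dns-server") is True:
            hits.append((obj.get("name"), obj.get("ipv4-address")))
    return hits


def fetch_page(offset, limit):
    """Run mgmt_cli on the management server and parse one page of hosts."""
    cmd = ["mgmt_cli", "-r", "true", "--format", "json", "show", "hosts",
           "details-level", "full", "limit", str(limit), "offset", str(offset)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def all_dns_server_hosts(fetch=fetch_page, limit=500):
    """Walk every page of results and collect the flagged hosts."""
    hits, offset = [], 0
    while True:
        page = fetch(offset, limit)
        objs = page.get("objects", [])
        hits += dns_server_hosts(page)
        offset = page.get("to", offset + len(objs))  # "to" = index of last object returned
        if not objs or offset >= page.get("total", 0):
            return hits


if __name__ == "__main__":
    # Offline demo on the constructed page; call all_dns_server_hosts() on the server.
    print(dns_server_hosts(SAMPLE_PAGE))
```

Running `all_dns_server_hosts()` in expert mode on the management server gives the same list the "Internal DNS Servers" tab is built from, which is useful for auditing which hosts are exempt from the DNS trap.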