Luca_Tinelli
Explorer

Threat Prevention Profile API Malware DNS Trap

Hello Guys,

I'm trying to create a query in order to show and modify (adding/removing) entries on the "Malware DNS Trap" feature on Threat Prevention Profiles.

The problem is that from both the documentation at

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-threat-profile~v1.3%20

and querying with "show-threat-profile" in FULL detail-levels, I cannot see any output related to that.

Is there someone that already experienced it and came out with a solution or is there simply someone that could help me out? 🙂


Thanks a lot,

Luca

1 Reply
PhoneBoy
Admin

Unfortunately, there is no official API for these settings.
You can see and modify it with the generic-object API.
Once you have the UID of your threat profile, you can see the settings as follows:

[Expert@MGMT:0]# mgmt_cli -r true --format json show generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e | jq '.malwareDnsTrapSettings'
{
  "objId": "292e317a-88a8-4e74-a33f-0e20d871e5cd",
  "checkPointObjId": null,
  "domainsPreset": null,
  "domainId": "41e821a0-3720-11e3-aa6e-0800200c9fde",
  "resolveIpv4RequestsTo": true,
  "specificIpaddr": "5.5.5.5",
  "ipv4ModeSelection": "SPECIFIED_IP",
  "folderPath": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "text": null,
  "folder": "1dc7816c-2c8e-40a3-a4ed-34dd462ebf4f",
  "is_owned": false,
  "ownedName": ""
}

To change the IP of the DNS trap:

[Expert@MGMT:0]# mgmt_cli -r true set generic-object uid 079c86f0-0c53-4518-9a4e-167a9c1c492e malwareDnsTrapSettings.specificIpaddr "6.6.6.6"

Of course, now that I've read the question again, I realize this wasn't the question you asked.
However, because I did go to some effort to figure this out, I'm leaving the answer here in case anyone else wants to know.

It turns out, the objects that show up in the "Internal DNS Servers" part of the profile are not set in the profile anywhere.
It is a flag that is set on those specific host objects,
which would mean querying all the host objects to see which ones have the flag set (dns-server true).
Haven't worked out the exact syntax to accomplish this with jq, but I assume it can be done.

To turn an existing host object into a DNS server (and thus show up on this tab):

[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server true

Making something not a DNS server (and thus disappear from this tab) would be:

[Expert@MGMT:0]# mgmt_cli -r true set host name "DNS Server" host-servers.dns-server false

Hope that helps.
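As an added example (this is not part of PhoneBoy's reply and not Check Point's own tooling), the following Python helpers do the two things the reply describes: filter a page of `show hosts` output down to the hosts whose `host-servers.dns-server` flag is set (the jq filter the reply leaves open), and read the `malwareDnsTrapSettings` block of a profile's `show generic-object` output before building the `set generic-object` command with a validated IP. The `show hosts` sample JSON is constructed for the example; the `objects`/`from`/`to`/`total` layout is the documented shape of a paginated Management API reply, and the `host-servers` and `malwareDnsTrapSettings` field names come from the reply above. The script only builds command strings; running them against a real management server is assumed to be done by the caller.

```python
"""Helpers around the Check Point Management API output discussed above.

Nothing here talks to a management server: the sample JSON is a constructed
stand-in for `mgmt_cli ... --format json` output so the logic runs offline.
"""
import ipaddress
import json
import shlex

# Constructed stand-in for one page of:
#   mgmt_cli -r true --format json show hosts details-level full offset 0 limit 50
# UIDs and hosts are made up for the example.
SAMPLE_SHOW_HOSTS_PAGE = json.loads("""
{
  "objects": [
    {"uid": "example-uid-1", "name": "DNS Server", "ipv4-address": "10.0.0.53",
     "host-servers": {"dns-server": true, "mail-server": false, "web-server": false}},
    {"uid": "example-uid-2", "name": "Web01", "ipv4-address": "10.0.0.80",
     "host-servers": {"dns-server": false, "mail-server": false, "web-server": true}},
    {"uid": "example-uid-3", "name": "PlainHost", "ipv4-address": "10.0.0.99"},
    {"uid": "example-uid-4", "name": "DNS Server 2", "ipv4-address": "10.0.0.54",
     "host-servers": {"dns-server": true}}
  ],
  "from": 1, "to": 4, "total": 4
}
""")

# Mirrors the malwareDnsTrapSettings block shown in the reply above,
# wrapped the way `show generic-object` returns it.
SAMPLE_GENERIC_OBJECT = json.loads("""
{
  "uid": "079c86f0-0c53-4518-9a4e-167a9c1c492e",
  "malwareDnsTrapSettings": {
    "objId": "292e317a-88a8-4e74-a33f-0e20d871e5cd",
    "resolveIpv4RequestsTo": true,
    "specificIpaddr": "5.5.5.5",
    "ipv4ModeSelection": "SPECIFIED_IP"
  }
}
""")


def dns_server_hosts(show_hosts_page):
    """Names of hosts with host-servers.dns-server == true.

    Equivalent of: jq '.objects[] | select(."host-servers"."dns-server" == true) | .name'
    A host with no host-servers block at all is treated as "not a DNS server".
    """
    return [
        obj["name"]
        for obj in show_hosts_page.get("objects", [])
        if obj.get("host-servers", {}).get("dns-server") is True
    ]


def has_more_pages(page):
    """show hosts is paginated; request the next page with offset = page['to']
    until 'to' has reached 'total'."""
    return page.get("to", 0) < page.get("total", 0)


def dns_trap_ip(generic_object):
    """Return the configured DNS trap IP, or None when the profile is not in
    SPECIFIED_IP mode (i.e. specificIpaddr is not what the gateway uses)."""
    settings = generic_object["malwareDnsTrapSettings"]
    if settings.get("ipv4ModeSelection") == "SPECIFIED_IP":
        return settings.get("specificIpaddr")
    return None


def is_valid_trap_ip(candidate):
    """Only a syntactically valid IPv4 address may be pushed into the profile."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


def build_set_dns_trap_cmd(profile_uid, new_ip):
    """Build the `set generic-object` command from the reply above, shell-quoted,
    refusing to build it for an invalid IP so a typo never reaches the profile."""
    if not is_valid_trap_ip(new_ip):
        raise ValueError(f"not an IPv4 address: {new_ip!r}")
    return (
        "mgmt_cli -r true set generic-object uid "
        f"{shlex.quote(profile_uid)} malwareDnsTrapSettings.specificIpaddr "
        f"{shlex.quote(new_ip)}"
    )


if __name__ == "__main__":
    print("DNS servers:", dns_server_hosts(SAMPLE_SHOW_HOSTS_PAGE))
    print("more pages:", has_more_pages(SAMPLE_SHOW_HOSTS_PAGE))
    print("current trap IP:", dns_trap_ip(SAMPLE_GENERIC_OBJECT))
    print(build_set_dns_trap_cmd(SAMPLE_GENERIC_OBJECT["uid"], "6.6.6.6"))
```

In practice `dns_server_hosts` would be run over every page returned by `show hosts` (looping while `has_more_pages` is true), since a single call returns at most the requested `limit`; the generic-object fields are undocumented, so it is worth re-reading the profile with `show generic-object` after the `set` to confirm the value actually changed.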
