Solved: Re: Web API issues with run-script and install-pol...

Ryan_Pitman · ‎2017-09-19

Hello everyone,

We've recently deployed a test R80.10 management server in our environment, and I've started working on a couple of scripts to automate routine tasks. I'm really interested in the run-script and install-policy modules, but I'm having difficulty getting either of them to work when making calls to the web API. Here's the code I've come up with:

$checkpoint_mgmt_server = "10.X.X.X"

# Disable certificate check

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$True}

$login_url = "https://$checkpoint_mgmt_server/web_api/login"

$query_url = "https://$checkpoint_mgmt_server/web_api/run-script"

$creds_hash = @{"user"="admin";"password"="xxxxxx"}

$json_login_body = $creds_hash | ConvertTo-Json

# Login call

$json_login_response = Invoke-WebRequest -uri $login_url -ContentType "application/json" -Method "POST" -body $json_login_body -ErrorAction Stop

# Assign the sid to x-chkp-sid for future calls

$chkp_header = @{"x-chkp-sid"=($json_login_response | ConvertFrom-Json).sid}

# Create a string array with test-gateway as the only element

$install_target = @("test-gateway")

# Build the query body for run-script and convert it

$json_query_body = @{"script-name"="test";script="ls -la /var/tmp";targets=$install_target} | ConvertTo-Json

# Call the uri for run-script

$json_query_response = Invoke-WebRequest -uri $query_url -ContentType "application/json" -Method "POST" -body $json_query_body -Headers $chkp_header

Output:

Invoke-WebRequest : The remote server returned an error: (404) Not Found.
At line:1 char:24
+ ... _response = Invoke-WebRequest -uri $query_url -ContentType "applicati ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Query Body:

PS Y:\> $json_query_body
{
    "script": "ls -la /var/tmp",
    "script-name": "test",
    "targets": [
                    "test-gateway"
                ]
}

I've tried everything that I can think of to get this to work (using a simple string instead of the string array for targets, using the UID of the gateway, etc), but I'm getting the same result every time. If I leave one of the required parameters off (i.e. targets), I get a 400 bad request error, and I can browse to the URL from my PC, so it appears to be available. I've been able to get other API functions to work correctly (show-simple-gateway), but these are of course the two I'm really interested in.

The management server is running R80.10, and the gateway is at R77.30, and I can run the demo commands from the Command Line/API button within SmartConsole on the management server without any issues. I've yet to get either of these web calls to respond correctly though, so I was wondering if anyone had any insight. Thank you!

Charles_Currier · ‎2017-10-02

Need to define the domain in your session login:

$creds_hash = @{"user"="admin";"password"="xxxxxx","domain"="domainname"}
or as in the API v1.1 Reference

POST {{server}}/login Content-Type: application/json  {   "user" : "aa",   "password" : "aaaa",   "domain" : "Domain Name" }

Hope that clears it up.

View solution in original post

Neil_ZInk · ‎2017-09-21

I have been using the power-shell module posted -> https://community.checkpoint.com/docs/DOC-2163?commentID=2199#comment-2199

Tim_Koopman · ‎2017-09-25

I have not implemented the API calls Ryan is after yet. That said if it will help you Ryan I could get that implemented this week for you.

As for what might be wrong with your code a little hard to say. As long as the API is enabled and configured for your IP, then most 404 errors will still also return a JSON response including the Check Point error message. If you look at that you will probably have a better idea what the problem is.

As I implement this in my module I may find out if there are any tricks, and let you know, as the API documentation is not 100% for some calls.

Regards

Tim

Tim_Koopman · ‎2017-09-26

I actually got time today so I have added the commands you are trying to use to v0.5.2 of psCheckPoint.

As for tricks while using run-script. What you have looks good as long as the gateway "test-gateway" exists. That said this is one of the commands that the official documentations is incorrect for the response, and even what is mandatory or not.

The PowerShell command for run-script in psCheckPoint is Invoke-CheckPointScript.

I also implemented Get-CheckPointTask so that you can view the results.

Hope that helps.

Tim

Ryan_Pitman · ‎2017-09-26

Thank you Tim - I will look into these.

Charles_Currier · ‎2017-09-22

So the Basic questions First:

Confirm you have the API enabled (even if just to humor the suggestion)
Confirm that the machine you are running the API calls from is in the IP access list allowed to connect to / manage the SmartCenter.

If no changes there:

Your code - at first glance looks ok - are you running this in a linux or windows environment
You can do this through postman and test / confirm your calls / formatting
If working with Python or PowerShell - there are some modules that will help you - json formatting etc that you can find on the community site.

So some more details will help point you in a better direction.

Ryan_Pitman · ‎2017-09-26

Charles,

1. The API is definitely enabled, I enabled it a couple of weeks ago and have double checked it. I'm able to successfully call login and show-simple-gateways without any issues, and I can use/parse the results.

2. I double checked this as well, and I'm currently allowing any IP address to hit the API URL (this is a sandbox environment that will eventually be torn down).

1. This is a Windows environment.

2. I actually downloaded postman (the standalone install, not the browser plugin) last week while I was troubleshooting, along with the R80 collection that someone had been kind enough to put together. Whenever I make a post call though, the HTML response that I get back is as follows: For full functionality of this site it is necessary to enable JavaScript. I tried searching through their documentation but hit a wall, and figured I'd revisit it this week. Downloading the browser plugin isn't an option, as any third party plugins will require an AD Group Policy update.

3. I work pretty much exclusively with PowerShell. I was a Windows engineer in a previous life and still enjoy automating as much as I can with it.

I'm not even sure it's a code issue at this point though, it might be environmental. On Thursday I started using the mgmt_cli executable, just to see if I could get different results, but I'm running into the same issues. I tried calling install_policy, but kept getting errors that it couldn't find the policy I was specifying (even though I know it was present, and yes the changes have been published). When I call show packages from the command line utility within SmartConsole, it returns all of the packages, as I'd expect. When I call it from the API though (either mgmt-cli or the web API), it returns 0 results. This is very similar to the issue I encountered with run-script, where it told me that it couldn't find the gateway, even though I know for a fact it was present.

From the command line utility within SmartConsole R80.10:
> show packages

packages:
- uid: "d947d97e-ae4e-464e-a54b-9d98e01652a7"
name: "ryanstestpolicy"
type: "package"
domain:
    uid: "a1327ee7-7a28-460d-9218-f3f7bbb10360"
    name: "FWM-Ryan_API_Testing"
    domain-type: "domain"
- uid: "188efd13-6d5c-42a5-a3c7-d8f6bcdb4757"
name: "Standard"
type: "package"
domain:
    uid: "a1327ee7-7a28-460d-9218-f3f7bbb10360"
    name: "FWM-Ryan_API_Testing"
    domain-type: "domain"
from: 1
to: 2
total: 2

From mgmt_cli on my PC (win 7)
mgmt_cli -m 10.X.X.X login user xxxxxxx password yyyyyyy
uid: "a580bd6f-5592-4672-b54e-a90e21ce2673"
sid: "QwHu86GAN-ybL5s6NSIHD6DkC-0rUvGIGkrDg1E-g6U"
url: https://10.X.X.X:443/web_api
session-timeout: 600
last-login-was-at:
posix: 1506014982363
iso-8601: "2017-09-21T13:29-0400"
api-server-version: "1.1"

mgmt_cli -m 10.X.X.X --session-id QwHu86GAN-ybL5s6NSIHD6DkC-0rUvGIGkrDg1E-g6U show packages
packages: []
total: 0

Charles_Currier · ‎2017-09-26

Your answer to #2 concerns me - I think you need to review the privileges in SmartConsole -> Manage & Settings ->Permissions & Administrators -> Administrators for any restrictions and check trusted Clients to be sure Any is the only setting - for instance. Then if no issues there - check under SmartConsole -> Manage & Settings -> Blades -> Management API and confirm that your windows machine is in the community of All IP Addresses that can be ... or just All IP Addresses. There may be something cludgey - that is why I am suggesting you verify theses things - because basically I suspect you are getting an Access Denied - due to the machine you are accessing from. Since the code works.

If no issue - there may be other issues but keep it simple 1st.

Ryan_Pitman · ‎2017-09-27

The account that I'm using is a multi domain super user. It's a local account that I created, and I'm able to call the API to run other commands without any issues (add host, show simple gateways, etc). The Management API settings are set to accept API calls from "All IP addresses."

Charles_Currier · ‎2017-10-02

Need to define the domain in your session login:

$creds_hash = @{"user"="admin";"password"="xxxxxx","domain"="domainname"}
or as in the API v1.1 Reference

POST {{server}}/login Content-Type: application/json  {   "user" : "aa",   "password" : "aaaa",   "domain" : "Domain Name" }

Hope that clears it up.

Ryan_Pitman · ‎2017-10-03

That fixed it. Thank you so much!

Charles_Currier · ‎2017-10-03

Glad to have helped and happy to see that you stuck with this !

Keep posting !

Are you a member of CheckMates?

Web API issues with run-script and install-policy from PowerShell in R80.10