This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Veeraselvam_man
Contributor
‎2018-06-12 12:46 AM

What is the Usage of "export" command

Hi all,

Now I am learning about Checkpoint Restful API functionalists.

Please share me the usage of "export" function in Restful API access:
    https://<mgmt-server>:<port>/web_api/export
    https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/export~v1.1%20
    
Is that export command output will contains complete configuration details?

Like paloalto below Restful API access:

   https://<paloalto-server>/api/?type=config&action=get&xpath=/config&REST_API_TOKEN=1900994597

Thanks & Regards,
M.VeeraSelvam.
Labels
6 Replies
Joshua_Hatter
Employee
Employee
‎2018-06-12 06:05 AM

I hope Eugene Grybinnyk‌ or Robert Decker‌ can comment as I'm not entirely sure how to properly interact with this.

The command produces a response which contains a loopback link for a follow up query once the task has completed successfully. 

example:

"result-link-url" : "http://127.0.0.1:50276/web_api/result-link/1bef11d4-1aa8-48f3-9ba5-bb943b714f33?X-chkp-sid=d8Cud186nxPz_b3Q_paYi1Xf5ryDbUPvPcrxHv5nZzo"

I didn't know how to follow up and query for the response, so I simply curled it from local host with curl_cli -O <link>
This produced nothing, I double checked the api.elg logs and found it received my command but error-ed out.
But I could discern enough information that it did try to send me a file name
4425ad5d-b5ef-446e-902b-749a1c6818b3.tar.gz.
I performed a linux search for the filename and found it in:
/opt/CPsuite-R80/fw1/api/export/export_2018_06_12_07_37/4425ad5d-b5ef-446e-902b-749a1c6818b3.tar.gz

After extracting on my windows machine, my incredibly small lab CMA produced a 163MB file named objects.json.

0 Kudos
Eugene_Grybinny
Employee Alumnus
Employee Alumnus
‎2018-06-12 07:02 AM
In response to Joshua_Hatter

1) API command export always generates a localhost link. But this link is working from outside (you need to replace http://127.0.0.1:50276 with https://<server-remote-ip>/)

2) API command export generates a link accompanied with the current session token as a GET parameter X-chkp-sid and when running mgmt_cli -r true export the generated link session token is already invalid (because adding -r true means - login, execute the command, publish if necessary, logout). But the link will work if to replace the invalid token with the valid one.

0 Kudos
Veeraselvam_man
Contributor
‎2018-06-12 09:52 AM
In response to Eugene_Grybinny

Is there any way to export complete checkpoint firewall configuration file using restful api?

like below paloalto restful api access:

https://paloalto-server/api/?type=config&action=get&xpath=/config&REST_API_TOKEN=1900994597

Thanks & Regards,
M.VeeraSelvam.
0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-12 11:48 AM
In response to Veeraselvam_man

Define what you mean by "configuration", because that can refer to:

  • Security Policy configuration:
    • If you want to get all policies configured on all gateways as well as all objects, you might try this script: Python tool for exporting/importing a policy package or parts of it
    • If you want to get only what's loaded on a specific gateway, that's a little more tricky.
      • The gateway only contains a compiled version of the objects/policy which is not in a format that is readily exportable.
      • Use something like the following to execute "fw stat" on the Security Gateway from the R80.x Management API: how to use the web api to run the run-script
      • Once you have that, you can fetch the access layer as described here: Re: How to fetch/export Configuration and Rule File?
      • Note that layers can include other layers, so you may need to parse the output to get the sublayers that are referenced.
      • If Threat Prevention is used, you will need to execute commands to gather this policy information as well.
      • None of the above includes objects, which will have to be queried individually based on what's in the active policies.
  • OS configuration
    • Currently not available directly from a REST API but similar to above, you can execute something like "show configuration" using run-script.
    • This does not get anything that was configured in Expert mode.
    • A REST API for Gaia OS is planned in the near future (R80.20).

If you can describe in more detail what the purpose behind gathering this information is, we can provide more specific advice.

0 Kudos
Veeraselvam_man
Contributor
‎2018-06-13 02:47 AM
In response to PhoneBoy

Thanks for the information's Dameon Welch Abernathy

Configuration file will contains complete (rule/Interface/nat/Objects/Groups/Policy/etc) details of the Firewall. Other firewall vendors (Fortinet, Cisco, Palo Alto, Sonicwall, WatchGuard,Juniper) are providing option to export this configuration file, i am expecting similar export option in checkpoint firewall.

Using this configuration file we can perform backup/restore operations and also generate Nipper(Third party tool) security audit report.

Is there anyway to export this configuration file using restful API?

Thanks & Regards,
M.VeeraSelvam.
0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-13 12:38 PM
In response to Veeraselvam_man

Unlike the vendors you mention, there is not a single configuration file that contains both the security configuration and the OS/interface configuration on Check Point.

What is available on the Security Gateway itself is:

  • A compiled version of the Security Policy--not exportable
  • The OS/interface configuration, which can be exported as described above.

The Security Policy configuration is stored on the management and can be exported as I described above.

If you had to replace a physical gateway, provided you have the basic OS configuration, it's possible to push the security policy configuration from the management.