I have a question about how to use the web API to run run-script. We have a security concern with our current setup. We are using “Check Point's software version R80.10 - Build 423”, integrated with Aruba and the identity access blade.
We have a beautiful integration with Aruba sending a POST to Check Point, and then removing it when a user logs out. This is using JSON to POST to the cluster VIP. For my setup (/_IA_API/v1.0/add-identity):
{
  "shared-secret": "abc123",
  "user": "Tom Cruise",
  "ip-address": "1.1.1.1",
  "machine": "Toms_Host",
  "machine-os": "Microsoft Windows 7 Enterprise Edition",
  "host-type": "Windows 7",
  "identity-source": "ARUBA ClearPass Policy Manager",
  "session-timeout": 555,
  "user-groups": ["aruba-guest-group"],
  "machine-groups": ["aruba-guest-machine"],
  "roles": [],
  "fetch-user-groups": 0,
  "fetch-machine-groups": 0
}
The gap comes with any existing sessions/connections: they do not get closed, i.e. they remain open.
New ones are blocked. What we came up with is to use a web API POST to run-script.
From the link it looks simple enough. https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.1
(POST https://<mgmt-server>:<port>/web_api/run-script)
POST {{server}}/run-script
Content-Type: application/json
X-chkp-sid: {{session}}
{
"script-name" : "Script Example: List files under / dir",
"script" : "ls -l /",
"targets" : [ "corporate-gateway" ]
}
So theoretically it looks possible… I would ideally like to send the same src as what is in the POST above, i.e. "ip-address":"%{Connection:Client-IP-Address}":
fw sam -v -t 60 -J src x.x.x.x
So far, no matter what I try, I always get:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL /run-script was not found on this server.</p>
</body>
</html>
In a video this was mentioned at around 35:00, but I cannot seem to find the corresponding code.
https://community.checkpoint.com/videos/5537
How to use R80.10 API for Automation and Streamlined Security (Video)
SAM block commands
All along, I have been trying to do this on the gateways (cluster VIP). In reviewing, it looks like maybe I need to do this on the management server IP. If I do this, wouldn't I need to publish?
If I run this on the management server:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access /web_api/run-script
on this server.
<br />
</p>
</body>
</html>
Anybody have an idea to help close this gap?
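The flow the post is reaching for, written out as an added example (this is not code from the original post, from Check Point, or from Aruba): log in to the management server's web_api to get a session id, POST run-script with the post's `fw sam -v -t 60 -J src x.x.x.x` command against the gateway object, poll show-task until the task finishes, decode the script output, and log out. The management API is served by the management server under /web_api/, not by the gateways, so the base URL here is the management server (MGMT_URL is a placeholder). It assumes the management server's API settings accept calls from the client's address; a 403 from /web_api/ like the one in the post is commonly what you get when they do not. It also assumes the show-task response shape in which each entry of task-details carries the script's stdout base64-encoded in responseMessage, so check that against your R80.10 build. The security-relevant detail is build_sam_command: the ip-address value comes from an external system and ends up on a root command line on the gateway, so it is parsed as a literal IPv4 address before interpolation rather than trusted as received. FakeManagement is a constructed stand-in so the whole thing runs offline; swap it for the default transport to talk to a real server.

```python
import base64
import ipaddress
import json
import ssl
import time
import urllib.error
import urllib.request

MGMT_URL = "https://mgmt.example.local/web_api"  # assumption: the management server, not the cluster VIP
TARGETS = ["corporate-gateway"]                   # gateway object name from the post's run-script sample


def build_sam_command(src_ip, timeout_s=60):
    """Build the post's 'fw sam -v -t 60 -J src x.x.x.x' for one source address.
    The address arrives from an outside identity source and ends up on a root command
    line on the gateway, so only a literal IPv4 address is accepted; hostnames, CIDRs
    or shell metacharacters raise ValueError instead of being interpolated."""
    addr = ipaddress.IPv4Address(str(src_ip).strip())
    return f"fw sam -v -t {int(timeout_s)} -J src {addr}"


class MgmtApi:
    """Minimal web_api client; transport(path, headers, body) -> (http_status, json_dict)."""
    def __init__(self, base_url=MGMT_URL, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._http_post  # default: real HTTPS via urllib
        self.sid = None
    def _http_post(self, path, headers, body):
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # the 403/404 HTML pages from the post land here
            return err.code, {"error": err.read().decode(errors="replace")}
    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id from login, as in the post's sample request
        status, data = self.transport("/" + command, headers, payload)
        if status != 200:
            raise RuntimeError(f"{command}: HTTP {status}: {data}")
        return data
    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
    def logout(self):
        self.call("logout", {})
        self.sid = None
    def run_script(self, name, script, targets):
        return self.call("run-script", {"script-name": name, "script": script,
                                        "targets": list(targets)})["tasks"]  # one task per target
    def wait_task(self, task_id, poll_s=1.0, max_wait_s=60.0):
        deadline = time.monotonic() + max_wait_s
        while True:
            task = self.call("show-task", {"task-id": task_id, "details-level": "full"})["tasks"][0]
            if task.get("status") != "in progress":
                return task
            if time.monotonic() > deadline:
                raise TimeoutError(f"task {task_id} still running after {max_wait_s}s")
            time.sleep(poll_s)


def sam_block(api, src_ip, targets=TARGETS, timeout_s=60):
    """Run the SAM command on each target; return {target: (status, script output)}.
    run-script changes nothing in the management database, so no publish follows it."""
    script = build_sam_command(src_ip, timeout_s)
    results = {}
    for task in api.run_script(f"SAM block {script.split()[-1]}", script, targets):
        done = api.wait_task(task["task-id"])
        # assumed show-task shape: script stdout base64-encoded in task-details[].responseMessage
        out = "".join(base64.b64decode(d.get("responseMessage", "")).decode(errors="replace")
                      for d in done.get("task-details", []))
        results[task.get("target", "?")] = (done.get("status"), out)
    return results


class FakeManagement:
    """Constructed stand-in for the management server so the example runs offline."""
    def __init__(self):
        self.scripts = []  # what a real server would have executed on the gateway
    def __call__(self, path, headers, body):
        if path == "/login":
            return 200, {"sid": "fake-sid"}
        if headers.get("X-chkp-sid") != "fake-sid":
            return 403, {"error": "Forbidden"}
        if path == "/run-script":
            self.scripts.append(body["script"])
            return 200, {"tasks": [{"target": t, "task-id": f"task-{i}"}
                                   for i, t in enumerate(body["targets"])]}
        if path == "/show-task":
            stdout = base64.b64encode(b"SAM rule added\n").decode()
            return 200, {"tasks": [{"task-id": body["task-id"], "status": "succeeded",
                                    "task-details": [{"responseMessage": stdout}]}]}
        if path == "/logout":
            return 200, {"message": "OK"}
        return 404, {"error": "Not Found"}


def demo_offline(src_ip="1.1.1.1"):
    """End-to-end run against FakeManagement; returns (results, scripts that would have run)."""
    fake = FakeManagement()
    api = MgmtApi(transport=fake)
    api.login("api-user", "api-password")  # placeholder credentials
    try:
        return sam_block(api, src_ip), fake.scripts
    finally:
        api.logout()
```

To use it against a real server, construct `MgmtApi()` with no transport, give it an API-enabled administrator account, and pass the source address that ClearPass sent in `ip-address`. The session is explicitly logged out afterwards so that a one-shot block does not leave a management session open until it times out, and `wait_task` gives up after a bounded wait rather than polling forever if the gateway never reports back.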