This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Aathi
Contributor
‎2021-08-06 05:29 AM

mgmt_cli set simple-gateway removing existing interface on gateway

Hi Team.

 

After fetching the topology ,i am trying to change the topology settings, of newly created interfaces  by using set simple gateway command but its removing  all the existing interfaces.

is there any way to change topology settings of interfaces ,without affecting existing interfaces , all things we are doing api/mgmt cli commands.

 

Regards

Aathi

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2021-08-06 09:31 AM

Version/JHF level?
A precise example might help also.
@Omer_Kleinstern 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-06 09:48 AM
In response to PhoneBoy

Actually, not necessary as it appears this is documented, expected behavior.
When a gateway is updated with a new interfaces, the existing interfaces are removed.”
See: https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v1.8
Which means if you use the API to change the setting on one interface, you need to define the settings for all of the ones you want to keep.

Whether this should be the behavior is a separate question, of course.

0 Kudos
Thomas-Marko
Contributor
Contributor
‎2021-08-06 11:21 AM

As @PhoneBoy already mentioned, you always have to specify all interfaces at once. IMHO you have two possibilities now:

1. You can use the API endpoint get-interfaces, which does pretty the same as the "Get interfaces" button in the GUI and use the "use-defined-by-routes" parameter in addition, which tells the firewall to define the topology according to the routing table (which is in most cases a good idea). This happens dynamically every second.

2. You always set the complete list of interfaces the gateway has. You can do that for example through the api. First, you fetch the interfaces object of the gateway object with show-simple-gateway:

mgmt_cli -r true show-simple-gateway name <object-name> --format json | jq '.interfaces'

Now you can edit the necessary parameters and push back the changes with set-simple-gateway. Unfortunately it is not possible to push back the complete object as you get it from the API, as there are several parameters, which set-simple-gateway does not accept (or ignore).

You also can use an automation tool like Ansible to define your objects, but believe me: This can be really painful, as there is really much room for improvement for the Check Point Ansible collection, as well as for the API itself.

Cheers,
Thomas

0 Kudos
Aathi
Contributor
‎2021-08-09 10:57 AM
In response to Thomas-Marko

Hi @Thomas-Marko and @PhoneBoy ,

i have tried the first option ,still getting error while installing the policy. please find the attached error and hotfix details.

we are not willing to use option 2 as its risky and we need to run it on production env. 

Preview file
61 KB
Preview file
3 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-09 12:48 PM
In response to Aathi

Security Zones require topology to be defined, as described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Which means you either don't use Zones or you define the interface topology. 

Which brings us back to actually making set-interfaces work the way you want.
Unfortunately, if you use the API to set the settings for one interface, you have to set them all, as stated in the documentation.
While @Thomas-Marko makes an excellent point about set-simple-gateway not returning everything about the gateway object (particularly the parts that don't have API support), I believe everything related to the interfaces does have API support.
That means the approach should work in this case.

And yes, I understand your concerns about using this in production, but this is why you test your code on something that is not your production environment first.
You can use the Demo Mode servers for this, so no need to spin up your own VM: https://community.checkpoint.com/t5/API-CLI-Discussion/Using-SmartConsole-Demo-Mode-Server-for-API-t... 

0 Kudos
Aathi
Contributor
‎2021-08-18 01:29 AM
In response to PhoneBoy

Hi @PhoneBoy @Thomas-Marko 

Is there any other way to resolve this issue.

in our env we are having 50+ interfaces,we cant recreate using set-simple gateway command.

why the first option is not working which Thomas mentioned.

 

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-08-18 06:30 AM
In response to Aathi

Please use the API call gateways-and-servers with details-level full which will give you all information about all gateways and servers. Set format in JSON, and them slice and dice as you wish. Ping if you need any help.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-18 06:47 AM
In response to Aathi

Please provide a screenshot of the gateway object interface settings where you’ve attempted to defined the topology by routes and are getting the originally referenced policy installation error.

0 Kudos
Thomas-Marko
Contributor
Contributor
‎2021-08-20 03:13 AM
In response to Aathi

Hi,

hmm, maybe I do not understand the question correctly, but to achieve what you request as far as I understand it, you can simply do the following:

1. Read the existing object by issuing a POST request to the endpoint show-simple-gateway. You will get the data for your existing object. One part of this data is the "interfaces" array.

For example:

 

"interfaces": [
        {
            "name": "eth0",
            "ipv4-address": "192.168.201.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "icon": "NetworkObjects/network",
            "topology": "automatic",
            "topology-automatic-calculation": "internal",
            "topology-settings": {
                "ip-address-behind-this-interface": "not defined",
                "interface-leads-to-dmz": false
            },
            "anti-spoofing": false,
            "security-zone": false
        },
        {
            "name": "eth1",
            "ipv4-address": "192.168.200.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "icon": "NetworkObjects/network",
            "topology": "automatic",
            "topology-automatic-calculation": "internal",
            "topology-settings": {
                "ip-address-behind-this-interface": "not defined",
                "interface-leads-to-dmz": false
            },
            "anti-spoofing": false,
            "security-zone": false
        }
    ]

 

2. Add a new interface if needed or make your changes to the existing ones and remove the "icon" and "topology-automatic-calculation" properties from the existing objects as they are not accepted by the api (@checkpoint: Can you please just ignore such properties? It would make life much easier, when working with api result objects).

In my example I made some changes and added a new interface to my existing gateway and sent a POST to the endpoint set-simple-gateway with the following data:

 

{
    "uid": "6e39115e-c236-41c6-b768-b56ccd056014",
    "interfaces": [
        {
            "name": "eth0",
            "ipv4-address": "192.168.201.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "topology": "automatic",
            "topology-settings": {
                "ip-address-behind-this-interface": "network defined by the interface ip and net mask",
                "interface-leads-to-dmz": true
            },
            "anti-spoofing": true,
            "security-zone": true,
            "security-zone-settings": {
                "specific-zone": "DMZZone"
            }
        },
        {
            "name": "eth1",
            "ipv4-address": "192.168.200.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "topology": "automatic",
            "topology-settings": {
                "ip-address-behind-this-interface": "not defined",
                "interface-leads-to-dmz": false
            },
            "anti-spoofing": false,
            "security-zone": false
        },
        {
            "name": "eth2",
            "ipv4-address": "192.168.203.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "topology": "external",
            "anti-spoofing": true,
            "security-zone": true,
            "security-zone-settings": {
                "specific-zone": "ExternalZone"
            }
        }
    ]
}

 

 And I got back an http/200 with all my changes applied:

 

{
    "uid": "6e39115e-c236-41c6-b768-b56ccd056014",

---SNIP---

    "interfaces": [
        {
            "name": "eth0",
            "ipv4-address": "192.168.201.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "icon": "NetworkObjects/network",
            "topology": "automatic",
            "topology-automatic-calculation": "internal",
            "topology-settings": {
                "ip-address-behind-this-interface": "not defined",
                "interface-leads-to-dmz": false
            },
            "anti-spoofing": true,
            "anti-spoofing-settings": {
                "action": "prevent"
            },
            "security-zone": true,
            "security-zone-settings": {
                "auto-calculated": false,
                "specific-zone": "DMZZone"
            }
        },
        {
            "name": "eth1",
            "ipv4-address": "192.168.200.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "icon": "NetworkObjects/network",
            "topology": "automatic",
            "topology-automatic-calculation": "internal",
            "topology-settings": {
                "ip-address-behind-this-interface": "not defined",
                "interface-leads-to-dmz": false
            },
            "anti-spoofing": false,
            "security-zone": false
        },
        {
            "name": "eth2",
            "ipv4-address": "192.168.203.2",
            "ipv4-network-mask": "255.255.255.0",
            "ipv4-mask-length": 24,
            "ipv6-address": "",
            "comments": "",
            "color": "black",
            "icon": "NetworkObjects/network",
            "topology": "external",
            "anti-spoofing": true,
            "anti-spoofing-settings": {
                "action": "prevent"
            },
            "security-zone": true,
            "security-zone-settings": {
                "auto-calculated": false,
                "specific-zone": "ExternalZone"
            }
        }
    ],

--- SNIP ---
   
}

 

 

So I think that's that what you want to achieve, right?

Cheers,
Thomas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events