This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roberts12
Explorer
‎2023-01-22 05:55 AM
Jump to solution

python api script

Hi,

I have installed latest version of checkpoint mgmt R81.20 in a test environment and want to use the latest API: https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.9%20

I want to automate some tasks using python script from my desktop pc, not run the script directly on checkpoint gateway. I tried with checkpoints official python SDK: https://github.com/CheckPointSW/cp_mgmt_api_python_sdk

But the API commands for the python SDK do not match with the latest Management API Reference v1.9 from checkpoint?

For example from python sdk example:

add_rule_response = client.api_call("add-access-rule",
{"name": rule_name, "layer": "Network", "position": "top"})

 

and example from Management API Reference v1.9:

Command

add access-rule layer "Network" position 1 name "Rule 1" service.1 "SMTP" service.2 "AOL" vpn "MyIntranet"

 

And also I do not find in the documentation for the python SDK all the avaible commands and how to handle session etc. Since the commands are not identical I wonder how to proceed.

 

Please advice and help me get started.

 

If i want to use latest Management API Reference v1.9, should i instead use web api in the python script instead of the python sdk?

Regards

0 Kudos
1 Solution

Accepted Solutions
Nüüül
Advisor
‎2023-01-24 01:35 AM
Jump to solution

Hello,

i believe you mixed up the different ways to leverage the api. 

"add-access-rule" uses web service

"add access-rule" uses the mgmt cli (which is calling API too but is called via cli at management server)

you can switch between them in the documentation - see attached screenshot.
When you are logging in into the API, a session id is generated and sent back to you as response. This session id you will need to add at the following request´s header.

 

Example for callin web API with SDK:

 

 

with APIClient(client_args) as client:
    # If Error occurs due to fingerprint mismatch
    if client.check_fingerprint() is False:
        #output_text.update({"Message":"Could not get the server's fingerprint - Check connectivity with the server."})
        print("UNKNOWN! Logging into SMS not successful! Please troubleshoot/debug script! "+str(output_text))
        raise SystemExit()
    # login to server:
    login_res = client.login(api_user, api_pwd)

 

 

 

so:

documentation is acurate - when using the correct way to call the api

SDK simplifies things like session handling - to understand all the things, you can manually write https requests towards the API with correct headers and so.

 

in case you need help, feel free to reach out

View solution in original post

Preview file
16 KB
4 Replies
StuartGreen
Employee
Employee
‎2023-01-23 02:30 AM
Jump to solution

Hi, I would start with the REST API and use something simple like Python requests to manage the connections. I've worked on several projects recently and didn't need the full SDK. Depending on what you're trying to work on, you might find that something like Ansible is more convenient for you. There are some examples of both approaches here https://developer.checkpoint.com or I've used a simple wrapper package here https://github.com/chkp-stuartgreen/policy-automation-poc/blob/main/packages/simplecpapi.py where I didn't want the full SDK, but didn't want to repeat lots of code either. 

Nüüül
Advisor
‎2023-01-24 01:35 AM
Jump to solution

Hello,

i believe you mixed up the different ways to leverage the api. 

"add-access-rule" uses web service

"add access-rule" uses the mgmt cli (which is calling API too but is called via cli at management server)

you can switch between them in the documentation - see attached screenshot.
When you are logging in into the API, a session id is generated and sent back to you as response. This session id you will need to add at the following request´s header.

 

Example for callin web API with SDK:

 

 

with APIClient(client_args) as client:
    # If Error occurs due to fingerprint mismatch
    if client.check_fingerprint() is False:
        #output_text.update({"Message":"Could not get the server's fingerprint - Check connectivity with the server."})
        print("UNKNOWN! Logging into SMS not successful! Please troubleshoot/debug script! "+str(output_text))
        raise SystemExit()
    # login to server:
    login_res = client.login(api_user, api_pwd)

 

 

 

so:

documentation is acurate - when using the correct way to call the api

SDK simplifies things like session handling - to understand all the things, you can manually write https requests towards the API with correct headers and so.

 

in case you need help, feel free to reach out

Preview file
16 KB
Roberts12
Explorer
‎2023-01-24 03:50 AM
In response to Nüüül
Jump to solution

Thank you for the explanation! if you have more examples to share it would be appreciated.
I can run the example scripts from the github repo, but when I extend the script with more functions and more API calls I get this error message: 
Failed to add the access-rule: '1', Error:
code: generic_err_wrong_session_id
message: Wrong session id [XwGUCgAvdFDB2_8vTN2KBXV-XCynk4Zp12Q]. Session may be expired. Please check session id and resend the request

0 Kudos
Nüüül
Advisor
‎2023-01-24 04:02 AM
In response to Roberts12
Jump to solution

I wrote some scripts leveraging the SDK - like: https://github.com/leinadred/CP_IPS-Update-Monitoring4Nagios or https://github.com/leinadred/py_cp-updatable-objects

difficult to say, without being able to see your script. but i think you went out of the "with" procedure, so SDK logged you out. As API is "opened" like a file, with is closing it (and logs off the connection) when leaving the file.

 

So your "working procedures" will have to be inside of the "opened file"

in https://github.com/leinadred/py_cp-updatable-objects from line 59 (res_repo =....)

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events