
Introduction to Management API and JQ

By David Nykoluk

This document reviews the use of the Check Point Management API through mgmt_cli, which is one of three ways to interact with the API. This example uses shell scripting. The other two options are web services and SmartConsole API interaction.

In this example, we will review the use case of changing object properties in bulk where it is not possible through the SmartConsole GUI. In this use case we have a number of hosts configured with a hide behind NAT property which needs to be modified on each host individually. Below is an image capturing the NAT rule base.

This is a small example. However, in a production environment this can be useful in saving time and effort changing properties on hundreds of objects such as hosts and networks.

Gathering Information

Highlighted below are the hosts which we would like to change the hide NAT properties on by utilizing the API. There are 3 hosts named:

  • New Host 1
  • ...
10 Comments
Schmidty9
Explorer

This was a great intro for finding data. Did I miss where you actually changed the data and uploaded it back into the configuration? I thought maybe it was in the next article, but it just loops back to this page. 

Chris

PhoneBoy
Admin

Hi @Schmidty9 at the moment we only have one article for this specific CP4B topic. This specific example is parsing data from the API using jq. Modifying the data is outside the scope of this article, but maybe something we can cover in a future article.

Meanwhile there are plenty of examples in the API/CLI Discussion space, where you can also ask any specific questions you have around this.

janveu4u2
Explorer

In this article I remarked a typing error. It is in the text command beginning "chat" instead of "cat". There is no error in the screen captures. This article is very interesting but I think I will need more examples and more practicals.

ggmeza
Participant

Hi, can you share an example with API WEB with Postman?

Thanks.

_Val_
Admin

@janveu4u2 where do you see that typo?


Atlantic_Suppor
Explorer

Umm, where does it actually show how to modify the value? The beginning paragraph reads "In this example, we will review the use case of changing object properties in bulk where it is not possible through the SmartConsole GUI".

So while they gave how to find the information, it does not actually have how to modify the value???

Juan_Concepcion
Advisor

Here is the missing content on how to actually accomplish the bulk changes - same concept can be used to update network objects and manual nats as well:

 

# First we dump hosts to a file:

DUMP HOSTS TO FILE
mgmt_cli -r true show hosts details-level full --format json > hosts.json

 

# We will then extract the information for:

  1.  Hide NAT
  2. Hide Behind IP NAT
  3. Static NAT

------------- HIDE NAT -----------------------------

1. Dump only Hide NAT objects to a file

jq '.objects[] | select(."nat-settings"."install-on" | contains ("my-test-gw")) | select(."nat-settings"."hide-behind" | contains ("gateway"))' hosts.json > hide_nat.txt

 

2. Convert that data into management cli commands:

cat hide_nat.txt | jq '. | [ .name,."nat-settings"."auto-rule",."nat-settings"."hide-behind",."nat-settings"."install-on" ] |@csv' -r | tr -d '"'| awk -F, '{print "mgmt_cli -r true set host name "$1 " nat-settings.auto-rule "$2" nat-settings.hide-behind "$3" nat-settings.install-on "$4}' > update_nat_hide.txt

------------- HIDE BEHIND IP NAT -----------------------------

1. Dump Hide Behind IP NAT objects to a file

jq '.objects[] | select(."nat-settings"."install-on" | contains ("my-test-gw")) | select(."nat-settings"."method" | contains ("hide")) | select(."nat-settings"."hide-behind" | contains ("ip-address")) ' hosts.json > hide_behind_ip.txt

 

2. Convert that data into management cli commands:

cat hide_behind_ip.txt | jq '. | [ .name,."nat-settings"."auto-rule",."nat-settings"."hide-behind",."nat-settings"."install-on",."nat-settings"."ipv4-address" ] |@csv' -r | tr -d '"' | awk -F, '{print "mgmt_cli -r true set host name "$1 " nat-settings.auto-rule "$2" nat-settings.hide-behind "$3" nat-settings.install-on "$4" nat-settings.ipv4-address "$5}' > update_nat_hide_ip.txt

------------- STATIC IP NAT -----------------------------

1. Dump Static IP NAT objects to a file

jq '.objects[] | select(."nat-settings"."install-on" | contains ("my-test-gw")) | select(."nat-settings"."method" | contains ("static"))' hosts.json > static_nat.txt

 

2. Convert that data into management cli commands:

cat static_nat.txt | jq '. | [.name,."nat-settings"."auto-rule",."nat-settings"."ipv4-address",."nat-settings"."install-on" ] |@csv' -r | tr -d '"' | awk -F, '{print "mgmt_cli -r true set host name "$1 " nat-settings.auto-rule "$2" nat-settings.ipv4-address "$3" nat-settings.install-on "$4}' > update_nats_static.txt

 

You can then run the resulting batch files to update your objects. I'm sure it can be improved upon, but at minimum it's a path forward to accomplish this in a semi-automated fashion without having to touch each object.

pepe
Explorer

Here is my simplified solution for migrating the automatic NATs from the Gateway object "FW_MENEM" to "FW_LOHIZO".

If you have, for example, 2000 host-type objects to modify, you must extract them in batches of 500 at most.

## We create a file with all the host objects
mgmt_cli -r true show hosts details-level full offset 0 limit 500 --format json > hosts.json
mgmt_cli -r true show hosts details-level full offset 500 limit 500 --format json >> hosts.json
mgmt_cli -r true show hosts details-level full offset 1000 limit 500 --format json >> hosts.json
mgmt_cli -r true show hosts details-level full offset 1500 limit 500 --format json >> hosts.json

## Create the update_nat_hide.txt file with the hosts that have NATS Behind Gateway IP
jq '.objects[] | select(."nat-settings"."install-on" | contains ("FW_MENEM")) | select(."nat-settings"."hide-behind" | contains ("gateway"))' hosts.json | jq '. | [ .name,."nat-settings"."auto-rule",."nat-settings"."hide-behind",."nat-settings"."install-on" ] |@csv' -r | tr -d '"'| awk -F, '{print "mgmt_cli set host name "$1 " nat-settings.auto-rule "$2" nat-settings.hide-behind "$3" nat-settings.install-on FW_LOHIZO"" -s id.txt"}' > update_nat_hide.txt

## Create the update_nat_hide_ip.txt file with the hosts that have NATS Behind IP (IPs different from the GW)
jq '.objects[] | select(."nat-settings"."install-on" | contains ("FW_MENEM")) | select(."nat-settings"."method" | contains ("hide")) | select(."nat-settings"."hide-behind" | contains ("ip-address")) ' hosts.json | jq '. | [ .name,."nat-settings"."auto-rule",."nat-settings"."hide-behind",."nat-settings"."install-on",."nat-settings"."ipv4-address" ] |@csv' -r | tr -d '"' | awk -F, '{print "mgmt_cli set host name "$1 " nat-settings.auto-rule "$2" nat-settings.hide-behind "$3" nat-settings.install-on FW_LOHIZO"" nat-settings.ipv4-address "$5" -s id.txt"}' > update_nat_hide_ip.txt

## Create the file update_nats_static.txt with the hosts that have NATS Statics
jq '.objects[] | select(."nat-settings"."install-on" | contains ("FW_MENEM")) | select(."nat-settings"."method" | contains ("static"))' hosts.json | jq '. | [.name,."nat-settings"."auto-rule",."nat-settings"."ipv4-address",."nat-settings"."install-on" ] |@csv' -r | tr -d '"' | awk -F, '{print "mgmt_cli set host name "$1 " nat-settings.auto-rule "$2" nat-settings.ipv4-address "$3" nat-settings.install-on FW_LOHIZO"" -s id.txt"}' > update_nats_static.txt


mgmt_cli login -u admin -p admin123 > id.txt

##### Execute the commands created in the three files
### update_nat_hide.txt
### update_nat_hide_ip.txt
### update_nats_static.txt

mgmt_cli publish -s id.txt

pepe
Explorer

Correction For Static NATs

## Create the file update_nats_static.txt with the hosts that have NATS Statics
jq '.objects[] | select(."nat-settings"."install-on" | contains ("FW_MENEM")) | select(."nat-settings"."method" | contains ("static"))' hosts.json | jq '. | [.name,."nat-settings"."auto-rule",."nat-settings"."ipv4-address",."nat-settings"."install-on" ] |@csv' -r | tr -d '"' | awk -F, '{print "mgmt_cli set host name "$1 " nat-settings.auto-rule "$2" nat-settings.ipv4-address "$3" nat-settings.method static nat-settings.install-on FW_LOHIZO"" -s id.txt"}' > update_nats_static.txt
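
Added example, not part of the thread and not Check Point's own tooling: the pipelines above strip quotes with tr and print object names unquoted, so a name such as "New Host 1" splits into several arguments when the generated file is run. This Python sketch builds the same mgmt_cli set host lines with every value shell-quoted, reads a hosts.json made of several appended replies, and matches install-on exactly rather than by substring; the sample data and the function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample: two "show hosts" replies appended to one file, as the
# batched export in the thread produces. FW_MENEM/FW_LOHIZO are the thread's names.
SAMPLE = """
{"objects": [
  {"name": "New Host 1", "nat-settings": {"auto-rule": true, "method": "hide",
   "hide-behind": "gateway", "install-on": "FW_MENEM"}},
  {"name": "no-nat-host", "nat-settings": {"auto-rule": false}}]}
{"objects": [
  {"name": "srv;backup", "nat-settings": {"auto-rule": true, "method": "static",
   "ipv4-address": "192.0.2.10", "install-on": "FW_MENEM"}},
  {"name": "other-gw-host", "nat-settings": {"auto-rule": true, "method": "hide",
   "hide-behind": "gateway", "install-on": "FW_OTHER"}}]}
"""

def iter_hosts(text):
    """Yield host objects from one or more concatenated JSON replies."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        doc, pos = decoder.raw_decode(text, pos)
        yield from doc.get("objects", [])

def nat_commands(text, old_gw, new_gw):
    """Return one 'mgmt_cli set host' line per host whose NAT installs on old_gw."""
    commands = []
    for host in iter_hosts(text):
        nat = host.get("nat-settings") or {}
        if nat.get("install-on") != old_gw:  # exact match; skips hosts without NAT
            continue
        args = [("name", host["name"]),
                ("nat-settings.auto-rule", str(nat.get("auto-rule", False)).lower()),
                ("nat-settings.method", nat.get("method")),
                ("nat-settings.hide-behind", nat.get("hide-behind")),
                ("nat-settings.ipv4-address", nat.get("ipv4-address")),
                ("nat-settings.install-on", new_gw)]
        words = ["mgmt_cli", "set", "host"]
        for key, value in args:
            if value is not None:  # only send properties the object actually has
                words += [key, shlex.quote(value)]
        commands.append(" ".join(words + ["-s", "id.txt"]))
    return commands

if __name__ == "__main__":
    print("\n".join(nat_commands(SAMPLE, "FW_MENEM", "FW_LOHIZO")))
```

Review the printed lines before running them; the session file id.txt they reference holds a live session identifier and should be readable only by the operator.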