By David Nykoluk
This document reviews the use of the Check Point Management API through mgmt_cli, which is one of three ways to interact with the API; in this example we drive it from shell scripting. The other two options are web services and the API command line in SmartConsole.
In this example, we will review the use case of changing object properties in bulk where this is not possible through the SmartConsole GUI. In this use case we have a number of hosts configured with a hide NAT property which would otherwise need to be modified on each host individually. Below is an image capturing the NAT rule base.
This is a small example. However, in a production environment this can be useful in saving time and effort changing properties on hundreds of objects such as hosts and networks.
Gathering Information
Highlighted below are the hosts whose hide NAT properties we would like to change by utilizing the API. There are 3 hosts named:
- New Host 1
- New Host 2
- New Host 3
The host property we would like to change using the API is the “Install on Gateway” value.
First, we need to determine which properties on the hosts we need to modify. A simple method is to dump the host object's properties in JSON format. Below we show the host properties in JSON format, using jq as a command-line processor for JSON to display and query the data.
The command syntax to display a host object is:
mgmt_cli --port 4434 -r true show host name "New Host 1" --format json | jq '.'
In the command above our management WebUI port has been changed to 4434, so we need to specify the port to connect to; otherwise the default port of 443 is used. To determine which command needs to be run you can reference the API reference guide - https://sc1.checkpoint.com/documents/latest/APIs/index.html#~v1.2%20 or use other utilities such as Postman with the R80.10 API collection to determine which API commands need to be utilized. This is not covered in detail in this document.
In the image below we can see the output of the show host command displaying the properties of the host named “New Host 1”. Our goal is to change the NAT “Install on Gateway” property of this host. To gather the field names required we capture the NAT settings below.
New Host 1 is set to translate to the IP address 13.5.6.7 using the static NAT method, installed on the a1400 gateway.
"nat-settings": {
    "auto-rule": true,
    "ipv4-address": "13.5.6.7",
    "ipv6-address": "",
    "install-on": "a1400",
    "method": "static"
}
Next let’s review the “New Host 2” NAT properties to see how it differs from the “New Host 1” NAT properties.
Reviewing the output above for “New Host 2”, we can see that the NAT properties define a hide NAT which hides the host behind a particular IP address, installed on the gateway a1400. These properties differ from the static NAT properties of “New Host 1”.
"nat-settings": {
    "auto-rule": true,
    "ipv4-address": "35.6.7.8",
    "ipv6-address": "",
    "hide-behind": "ip-address",
    "install-on": "a1400",
    "method": "hide"
}
Next, let’s review the “New Host 3” NAT properties to see how it differs from the “New Host 1” and “New Host 2” NAT properties.
Reviewing the output above for “New Host 3”, we can see that the NAT properties define a hide NAT which hides the host behind the IP address of the gateway a1400 itself. These differ from both the static NAT properties of “New Host 1” and the hide-behind-IP properties of “New Host 2”.
"nat-settings": {
    "auto-rule": true,
    "hide-behind": "gateway",
    "install-on": "a1400",
    "method": "hide"
}
In summary, we have captured how the NAT properties appear on hosts for the following NAT situations:
- Static NAT – Install on Gateway (New Host 1)
- Hide NAT – Hide behind IP, Install on Gateway (New Host 2)
- Hide NAT – Hide behind GW, Install on Gateway (New Host 3)
Modifying Properties
Our goal in this use case is to change the “Install on Gateway” property from the gateway “a1400” to “CP1430” on every host that references a1400. We have captured in the section above where on the host properties the change is needed; now we need to build a script to modify the properties in bulk. To do this we will save the host properties from the database to a text file in JSON format and use jq to query and extract data from the file.
In this use case it’s simple, as we are only dealing with 3 hosts; in a larger production environment, however, assume we are dealing with hundreds of hosts and network objects which need to be modified.
Saving the Data to File in JSON
Below is the command to dump the hosts from the database in JSON format to a file named hosts.json. Remember these commands are running locally on the management station. Use a single > so that re-running the command overwrites hosts.json rather than appending a second JSON document to it.
mgmt_cli --port 4434 -r true show hosts details-level full --format json > hosts.json
To display the file, enter the command below. This will display the entire file, one screen at a time.
cat hosts.json | jq '.' | more
Finding the Data
Next, we need to find the data which we need to modify. Remember we want to change the “Install on Gateway” property from a particular gateway (a1400) to another gateway. The use case here may be a gateway swap where there are too many host object properties to change by hand in SmartConsole, so the API is required to perform the change in a reasonable time.
The first step is to query for the different NAT methods which we found in use above. We will first query for hide NAT hosts hidden behind the gateway itself (a1400) using the command below:
cat hosts.json | jq '.objects[] | select(."nat-settings"."install-on" | contains("a1400")) | select(."nat-settings"."hide-behind" | contains("gateway"))'
This command output will provide us with the hosts which have Hide NAT behind the gateway IP configured. We need to capture each NAT method separately so the script can apply the correct change to each kind of NAT setting on the hosts.
Next, we will query for hide behind IP hosts behind a particular gateway (a1400) using the command below:
cat hosts.json | jq '.objects[] | select(."nat-settings"."install-on" | contains("a1400")) | select(."nat-settings"."method" | contains("hide")) | select(."nat-settings"."hide-behind" | contains("ip-address"))'
This command output provides the hosts which have Hide NAT behind a particular IP address, installed on the a1400 gateway. Notice how the command displays the entire host’s properties; we can use jq to display only the fields we want.
Next, we will query for Static NAT hosts behind a particular gateway (a1400):
cat hosts.json | jq '.objects[] | select(."nat-settings"."install-on" | contains("a1400")) | select(."nat-settings"."method" | contains("static"))'
This command output will provide us with the hosts which have Static NAT configured to be installed on the a1400 gateway.
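Putting the three queries above together with the goal stated in the “Modifying Properties” section, here is an added Python example (not part of the original document and not a Check Point tool) that reads the hosts.json dump, sorts the hosts into the three NAT cases using the same nat-settings fields as the jq filters, and writes out the mgmt_cli command lines that would move each affected host from a1400 to CP1430. The sample data is constructed from the three hosts shown above plus two hosts that must be left alone. The login, session-file (-s id.txt), publish and logout sequence is mgmt_cli's standard session handling; the dotted nat-settings.install-on parameter form for the nested object is an assumption to confirm against the API reference for your release.

```python
"""Added example for this walkthrough (not the original document's code nor
a Check Point tool): classify the hosts in a `show hosts` JSON dump by NAT
setting and build the mgmt_cli commands that change install-on in bulk.
Assumes hosts.json was produced by
  mgmt_cli --port 4434 -r true show hosts details-level full --format json
as described in the text."""
import json
import shlex

# Constructed sample in the shape of the `show hosts` output, reduced to the
# fields this script reads.  The first three hosts are the ones in the text.
SAMPLE_HOSTS_JSON = json.dumps({"objects": [
    {"name": "New Host 1", "ipv4-address": "10.0.0.1",
     "nat-settings": {"auto-rule": True, "ipv4-address": "13.5.6.7",
                      "ipv6-address": "", "install-on": "a1400",
                      "method": "static"}},
    {"name": "New Host 2", "ipv4-address": "10.0.0.2",
     "nat-settings": {"auto-rule": True, "ipv4-address": "35.6.7.8",
                      "ipv6-address": "", "hide-behind": "ip-address",
                      "install-on": "a1400", "method": "hide"}},
    {"name": "New Host 3", "ipv4-address": "10.0.0.3",
     "nat-settings": {"auto-rule": True, "hide-behind": "gateway",
                      "install-on": "a1400", "method": "hide"}},
    # No automatic NAT rule at all: must never be touched.
    {"name": "Plain Host", "ipv4-address": "10.0.0.4",
     "nat-settings": {"auto-rule": False}},
    # NAT installed on a different gateway: must be left alone too.
    {"name": "Other GW Host", "ipv4-address": "10.0.0.5",
     "nat-settings": {"auto-rule": True, "hide-behind": "gateway",
                      "install-on": "a2200", "method": "hide"}},
]})


def load_objects(text):
    """Return the objects array from a show hosts JSON document."""
    return json.loads(text)["objects"]


def classify_nat(host):
    """Return 'static', 'hide-ip', 'hide-gateway' or 'none' for one host,
    using the same nat-settings fields as the three jq selects."""
    nat = host.get("nat-settings", {})
    if not nat.get("auto-rule"):
        return "none"
    if nat.get("method") == "static":
        return "static"
    if nat.get("method") == "hide":
        return "hide-ip" if nat.get("hide-behind") == "ip-address" else "hide-gateway"
    return "none"


def select_hosts(objects, gateway):
    """Group the names of hosts whose automatic NAT rule is installed on
    `gateway` by NAT kind: the three jq queries in one pass.  The match is
    exact, unlike jq's contains(), so "a1400" does not also catch "a14001"."""
    groups = {"static": [], "hide-ip": [], "hide-gateway": []}
    for host in objects:
        kind = classify_nat(host)
        if kind != "none" and host["nat-settings"].get("install-on") == gateway:
            groups[kind].append(host["name"])
    return groups


def build_set_commands(objects, old_gw, new_gw, port=4434, session="id.txt"):
    """Return the mgmt_cli command lines that move every affected host from
    old_gw to new_gw: one login, one `set host` per host, then publish and
    logout.  Only install-on changes; method, hide-behind and the translated
    address stay as they are.  Assumption to verify against the API
    reference: nested parameters are passed in mgmt_cli's dotted form."""
    groups = select_hosts(objects, old_gw)
    names = groups["static"] + groups["hide-ip"] + groups["hide-gateway"]
    if not names:
        return []
    opts = f"--port {port}"
    cmds = [f"mgmt_cli {opts} login -r true > {session}"]
    cmds += [
        f"mgmt_cli {opts} set host name {shlex.quote(n)} "
        f"nat-settings.install-on {shlex.quote(new_gw)} -s {session}"
        for n in names
    ]
    cmds += [f"mgmt_cli {opts} publish -s {session}",
             f"mgmt_cli {opts} logout -s {session}"]
    return cmds


if __name__ == "__main__":
    objects = load_objects(SAMPLE_HOSTS_JSON)
    for kind, names in select_hosts(objects, "a1400").items():
        print(f"{kind}: {names}")
    print("\n".join(build_set_commands(objects, "a1400", "CP1430")))
```

Run it against the real dump by replacing SAMPLE_HOSTS_JSON with the contents of hosts.json, redirect the printed command list to a file and read it through before executing it on the management station. Two practical points: the script matches install-on exactly, whereas the jq contains("a1400") filters above are substring matches and would also select a gateway named, say, a14001; and show hosts returns objects in pages (limit defaults to 50, maximum 500, with an offset parameter), so with hundreds of hosts hosts.json has to be assembled from several calls with increasing offset values before this script reads it.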