
CLI Help

Hey everybody,

I am new to Checkpoint CLI and I want to organize and view certain things.

How would I be able to view all network objects, rules, etc?

I guess what commands would I use?

7 Replies
Admin

Re: CLI Help

The answer is largely version dependent.

If your management is R80+, then I'd start with the mgmt_cli tool, documented here: Check Point - Management API reference 

If you're using R77.30 and earlier, then I'd start with the dbedit command, documented here: Command Line Interface R77 

I would also have a look through the Developers (Code Hub) space, which has a lot of discussion on the API/CLI.

Re: CLI Help

Hi Dameon,

We are on R80+ for Mgmt, and the Mgmt API reference you have pointed to doesn't really help in listing all network objects... There is a limit on the number of items listed (0-500), and even then the output doesn't list the objects and their members. It only displays the object names, which we can export from SmartConsole\Object Explorer anyway.

Admin

Re: CLI Help

Yes, the API has a limit to the number of items that can be output at once.

You would need to iterate with multiple API calls using the offset parameter to get the next 500 objects.

You also have to request the correct detail level in the API and correctly parse the output.

One example that exports various objects in CSV format: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.29.02...


Re: CLI Help

Thank you for the link... Unfortunately my current access is RO for all FWs we manage, and I can't get to expert mode to execute the commands/scripts in the links shared. I will have to request what I am after from our service provider.

Admin

Re: CLI Help

You can do this with the API, but you're going to have to make successive API calls, like I said.

I managed to do the following from the CLI of a different Linux host (not the management server) running bash.

This assumes that "curl" and "jq" are installed, which are fairly common utilities (curl fetches web content, jq parses JSON output).

# Log in to the Management API (username aa / password aaaa) and keep the returned session ID in SID
SID=`curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/login" --data-binary "{\"user\": \"aa\", \"password\": \"aaaa\" }" -H "Content-Type: application/json" | jq -r .sid`

# Fetch the first 500 host objects at full detail level and print one "name,ipv4-address" line per object
curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/show-hosts" --data-binary "{ \"offset\": 0, \"limit\": 500, \"details-level\": \"full\" }" -H "Content-Type: application/json" -H "X-chkp-sid: $SID" | jq -r '.objects[] | .name + "," + ."ipv4-address"'

# Log out, invalidating the session ID held in SID
curl --silent --insecure -XPOST "https://10.6.5.250/web_api/v1.3/logout" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: $SID"

The first command (starting with SID) logs in to the API with username aa / password aaaa, obtains a session ID, and stores it in the shell variable SID.

The second command calls curl to fetch the first 500 host objects from the management and outputs the name and IPv4 address of each object as a comma-separated list.

  • You will need to repeat this command with different values for offset until you get all the objects.
  • You will also need similar commands to get other object types (e.g. networks, groups).
  • This is where the API documentation will help you: Check Point - Management API reference 

The third command (also a curl command) issues a logout, invalidating the SID.

There are probably programmatic ways to automate this further, but that should get you started.
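The offset loop described in the two Admin replies above, written out as an added example rather than code from this thread or from any Check Point tool. It assumes only what the curl commands already use (the login, show-hosts and logout commands, the X-chkp-sid header, the offset/limit/details-level parameters and the objects/name/ipv4-address reply fields) plus one assumption that the show-* reply reports a total count; the management address and credentials are placeholders, and the fake show-hosts responder is constructed so the pagination logic runs offline.

```python
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# A caller takes an API command name and its JSON payload and returns the parsed JSON reply.
ApiCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class MgmtApi:
    """Minimal stdlib-only Management API client (hypothetical helper, not a Check Point library)."""

    def __init__(self, base_url: str, cafile: Optional[str] = None) -> None:
        # base_url e.g. "https://MGMT_IP_PLACEHOLDER/web_api/v1.3". TLS is verified against the
        # system trust store or the supplied CA file instead of being skipped (curl --insecure).
        self.base_url = base_url.rstrip("/")
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            f"{self.base_url}/{command}",
            data=json.dumps(payload).encode("utf-8"),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)  # session header on every call after login
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def login(self, user: str, password: str) -> None:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self) -> None:
        self.call("logout", {})
        self.sid = None


def fetch_all(call: ApiCall, command: str, limit: int = 500,
              details_level: str = "full") -> List[Dict[str, Any]]:
    """Walk a show-* command with offset/limit until every object has been returned."""
    objects: List[Dict[str, Any]] = []
    offset = 0
    while True:
        page = call(command, {"offset": offset, "limit": limit, "details-level": details_level})
        batch = page.get("objects", [])
        objects.extend(batch)
        offset += len(batch)
        total = page.get("total")  # assumed: show-* replies report the total object count
        # Stop on an empty or short page, or once the reported total has been reached.
        if not batch or len(batch) < limit or (total is not None and offset >= total):
            break
    return objects


def hosts_to_csv(objects: List[Dict[str, Any]]) -> List[str]:
    """Same "name,ipv4-address" rows the jq filter in the thread produces."""
    return [f'{obj["name"]},{obj.get("ipv4-address", "")}' for obj in objects]


def make_fake_api(total_hosts: int) -> Tuple[ApiCall, Dict[str, int]]:
    """Constructed in-memory stand-in for show-hosts so the pagination can be exercised offline."""
    hosts = [{"name": f"host-{i:04d}", "ipv4-address": f"10.0.{i // 256}.{i % 256}"}
             for i in range(total_hosts)]
    stats = {"calls": 0}

    def call(command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        stats["calls"] += 1
        off, lim = payload["offset"], payload["limit"]
        batch = hosts[off:off + lim]
        return {"from": off + 1, "to": off + len(batch), "total": len(hosts), "objects": batch}

    return call, stats


if __name__ == "__main__":
    fake, stats = make_fake_api(1203)
    rows = hosts_to_csv(fetch_all(fake, "show-hosts", limit=500))
    print(f"{len(rows)} hosts in {stats['calls']} API calls; first row: {rows[0]}")
    # Against a real management server (address and credentials are placeholders):
    # api = MgmtApi("https://MGMT_IP_PLACEHOLDER/web_api/v1.3", cafile="mgmt-ca.pem")
    # api.login("USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER")
    # try:
    #     print("\n".join(hosts_to_csv(fetch_all(api.call, "show-hosts"))))
    # finally:
    #     api.logout()
```

Other object types are fetched the same way by changing the command name passed to fetch_all (for example show-networks or show-groups, as the API reference lists them); the logout in the finally block matters because an unreleased session keeps the SID valid until it times out.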

Re: CLI Help

What is the Check Point equivalent of the Cisco command show running-config?

Admin

Re: CLI Help

From an OS perspective (network/routing), you can use the clish command show configuration.

Depending on the version, you may not be able to use this (as is) to recreate the running configuration.

For the security gateway functions, there is no equivalent to show running-config on Cisco IOS.

This configuration is only stored on the local gateway in compiled form and cannot easily be dumped.