Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

Leveraging the R80.10 API to Automate and Streamline Security Operations

On 15th August 2017 we did a webinar with Ryan Darst‌ about the automation and orchestration capabilities you can achieve with the R80.10 API.  Specifically, this session covered:

  • Introduction to using the R80.10 APIs using a variety of tools from Postman to Ansible
  • Tips on leveraging the API from both the R80.10 CLI and from the RESTful API to do simple tasks from adding objects and services to adding rules
  • Additional use cases for using other features in the R80 API from policy verification to running scripts on gateways
  • A demonstration of a complete Check Point cloud auto-scaling environment using Ansible and the R80.10 APIs

The content presented is below:

Slides: How to use R80.10 API for Automation and Streamlined Security (PPT)

Video: How to use R80.10 API for Automation and Streamlined Security (Video) 

Scripts: CheckMates_Aug15_Demos.zip

Q&A: https://community.checkpoint.com/docs/DOC-2181?sr=search&searchId=a87f1f36-8fe9-4b5a-ac48-837a0d5457...

14 Replies
Muazzam_Saeed
Participant

It was really a great presentation and demo by Ryan Darst.

Question-1: Is this automation limited to cloud or can we create objects, rules etc in VSX environment?

Question-2: Any suggestions on integration with ticketing systems - to get the source, destination, ports and create objects and rules based on that information?

0 Kudos
PhoneBoy
Admin
Admin

Automation can be done with on-premise gateways with VSX as well (though creation and some configuration of VS still requires a CLI command)

Integration with ticketing systems requires some business-specific logic.

I know (in general) we are working on specific integrations with some of these systems to assist with that. 

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus

q1 : You can use the API's put-file and run-script:

Check Point - Management API reference 
put-file file-path "/home/admin/" file-name "vsx_conf" file-content "vs ip 192.0.2.1\nvs2 ip 192.0.2.2" targets.1 "corporate-gateway" --format json
Check Point - Management API reference 
run-script script-name "Script Example: run /home/admin/vsx_conf" script "/home/admin/vsx_conf" targets.1 "corporate-gateway" --format json


Stefan_Stefanov
Explorer

Webinar was absolutely fantastic!

We want to test automation in our company so I downloaded a trial R80.10 version. Seems like Management API is not available there (nothing in Manage & Settings). Is it available only in licensed versions?

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus

Management API Settings

  • Startup Settings
    • Select Automatic start to automatically start the API server when the Security Management Server starts.

      In these environments, Automatic start is selected by default:

      • Distributed Security Management Servers (without gateway functionality) with at least 4GB of RAM
      • Standalone Security Management Servers (with gateway functionality) with at least 8GB of RAM

    In other environments, to reduce the memory consumption on the management server, Automatic start is not selected by default.

  • Access Settings

    Configure IP addresses from which the API server accepts requests:

    • Management server only (default) - API server will accept scripts and web service requests only from the Security Management Server. You must open a command line interface on the server and use the mgmt_cli utility to send API requests.
    • All IP addresses that can be used for GUI clients - API server will accept scripts and web service requests from the same devices that are allowed access to the Security Management Server.
    • All IP addresses - API server will accept scripts and web-service requests from any device.

To apply changes, you must publish the session, and run the api restart command on the Security Management Server.

Václav_Brožík
Collaborator

The options mentioned by Ofir Sh can be found here in the SmartConsole:

MANAGE & SETTINGS > Blades > Management API > Advanced Settings...

I would also like to add that you can use the API over HTTPS also in the cloud demo. You have to: set an administrator's password, enable the API access, publish the session, copy the demo server's IP address.

0 Kudos
Stefan_Stefanov
Explorer

Guys, I know how to read documentation. I said I don't have such option on a trial license:

PhoneBoy
Admin
Admin

By trial license, do you mean the built-in 15-day one you get on install?

I know it works with ones generated from User Center.

0 Kudos
PhoneBoy
Admin
Admin

Even so I did a fresh install with R80.10, using the built-in license, and found the GUI option there.

Another way to enable the API is through the CLI, which I describe here: https://community.checkpoint.com/thread/1082

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus

are you using MDM (MDS)? 

0 Kudos
Tomer_Sole
Mentor
Mentor

From your screenshot I see it's a Multi-Domain deployment and you have logged into one of your domain. API settings are managed in the MDS domain since it's one process for the server (since it has no inner state).

Please log into your MDS domain and set the settings.

Dameon Welch AbernathyOfir Sh Václav Brožík I challenge u to spot my proof for that being a multi-domain screenshot

0 Kudos
PhoneBoy
Admin
Admin

Challenge accepted Smiley Happy

The key appears to be here:


In an MDM (or at least the screenshot Stefan Stefanov‌), there is no Permissions & Administrators and Sync with UserCenter options.

The above screenshot is from my standalone (not MDM) manager.

Amit_Chaubey
Contributor

Hi, 

 I am using Terraform for infrastructure provisioning and Ansible for configuration in AWS to deploy checkpoint FIrewall R80, I am stuck on few points below, 

1. How to add URL for Egress filtering. We need to policy through Ansible so that Internal subnet can access the Some URL on the Internet and rest should be blocked.

2. How to add gateways in the Management server. 

3.How to enable other blades(IPS etc.) if required. 

4. How to config for lag management, I am planning to send to Splunk server. 

4. How we can define instance as the Management server. For Gateway I am using below in user data file.

my_user_data: |
#!/bin/bash
clish -c 'set user admin shell /bin/bash' -s
clish -c 'set static-route {{ aws_lb1_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
clish -c 'set static-route {{ aws_lb2_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
clish -c 'set static-route {{ aws_webserver_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
clish -c 'set static-route {{ aws_database_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
config_system -s 'install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key=vpn12345';shutdown -r now;

Any help would be highly appreciable. 

0 Kudos
PhoneBoy
Admin
Admin

Questions 1-3 can be answered by reading the API documentation: Tip of the Day: Local R80.x API Documentation

I would search for and ask the specific API questions as seperate thread(s) here: Developers (Code Hub)

Question 4 should be solved with Log Exporter, see: Log Exporter guide‌ and Log Exporter - Splunk Integration Update

Question 5, you need to (at a minimum) modify the config_system line, see: How to run the First Time Configuration Wizard through CLI in Gaia R76 and above 

You probably need to do other things as well and it might be worth reviewing the CloudFormation script for installing Management in AWS.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events