Management API Best Practices TechTalk and Q&A

In this session, Ryan Darst talks about leveraging Check Point APIs for automation purposes. He lays out best practices and gotchas, and demonstrates some interesting automation cases.

Content is available to CheckMates members who are signed in.

Excerpt of session video:


Full Video: Management API Best Practices Video 

Audio: Management API Best Practices by Check Point CheckMates

Slides: API Best Practices CheckMates Feb 2019 

Q&A will be posted as comments below.

Scripts are attached to this message.

2 Replies

Re: Management API Best Practices TechTalk and Q&A

Very good session


Re: Management API Best Practices TechTalk and Q&A

Here is an edited version of the questions asked during the TechTalk.

How to automate installing policy via script?

Using the install-policy API.

How do I show all packages from a specific DMS on an MDS, by using web API calls?

The API call is show-packages. You would log in to the DMS whose policy packages you wish to see.

I want to build a web interface for site admins to manage some basic task using API, but I'm not a professional developer. Is there any easy way/ tool to do this?

There are a couple of examples of this on CheckMates you can hack. A couple of examples:

Is it possible to use the API to change the tracking settings of firewall rules in bulk?

In general, yes, but the API will only work on one rule at a time.

You will have to write a script/program that iterates through each rule.

See also: API - SmartConsole CLi - usual script commands like error check, if then etc. 

If I use the mgmt-cli, what is the actual timeout for the session key? Can I change it?

The default timeout is 600 seconds (10 minutes) and is an activity timeout.

You can extend it by passing the session-timeout parameter to the login command/API call.

It seems like the limit is not 500 if you define it manually. I was able to receive about 700 rules via API using limit=1000.

The actual limit for each API call varies.

While it is possible to go above these limits, we do not recommend it as the API calls may take a long time to complete and/or provide unpredictable results.

In new Ver1.4 can we create local users via the API?

While there is no formal API support for this as of yet, this can be done via generic-object API calls.

See: Add new user and assign to an existing group using the generic-object API calls 

Runtime error: You have reached the maximum number of active sessions. Ask another administrator to discard or publish some of your sessions... Can we discard sessions via API?

Yes, using the publish and discard APIs.

How to configure Postman?

Using the collections we've posted to CheckMates.

See: Postman Collections (links to all available) and the basics

Is there a Python library?

Yes, Python library for using R80 management server APIs

It's also installable via pip: GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit

How to troubleshoot issues with the R80.x Management API?

Start with the command: api status -s

This collects the necessary log files into a tgz file that can be sent to TAC or reviewed on your own.

Is there a way to merge 2 overlapping policies into one, avoiding duplicate rules in the final policy?

Theoretically, yes, but you would have to write the logic for this to analyze both rulebases to come up with the final merged one.

Check Point does offer a service called SmartOptimize that can assist with this task as well.

Are there Ansible modules?

Yes, see: Automate your R80 Management Server using Ansible

Is jq available on R80.x?

Yes it is.

How current is the integration with AlgoSec or similar tools regarding automation, etc.? If there are some gaps, do you recommend something like Python?

The management APIs have been available for a few years now, starting with the R80 release.

We worked with a number of vendors prior to the R80 release to ensure they could leverage the newer APIs.

You would have to discuss with your vendor of choice to see where they are at with regards to policy automation.

Can you schedule a policy push using an API, at a specific time?

The API does not support this, but you can decide when to make the API call to push policy (e.g. programmatically or via a cron job).

How do I create objects for which there is no specific API call?

You need to use the generic-object API call for this.

A couple of starting points:

A few things to keep in mind when using generic-object API calls:

  • Where possible, always use official API calls as they are fully supported and backward/forward compatible.
  • generic-object API calls are not documented and not guaranteed to remain consistent between versions.
  • Even with the generic-object API call, some objects cannot be created and may require assistance from dbedit and/or SmartConsole.

What is the best practice method to automatically allow API calls from all IP addresses without going through the MGMT server GUI to allow that and then manually have to do an API restart?

This can be done with the set api-settings API/CLI command.

Note that a restart of the API server is still required for this to take effect.

When using Ansible we had some issues running the database override command: it would sometimes allow us to run other clish commands and other times it would not, and the DB would be locked or complain about the user. Has this been fixed, or is there a solution?

We have a gateway-specific API now available: https://community.checkpoint.com/community/infinity-general/appliances-and-gaia/blog/2019/01/21/new-...

An Ansible module does not exist yet to leverage this API, but it is coming soon.

What calls are possible for VS provisioning in VSX?

The API does not directly support provisioning VSes in VSX yet.

However, using run-script or the Gaia API, you can call vsx_provisioning_tool to do it.

If using a script that calls an old API version (let's say 1.0) on the most recent management server API (let's say 1.4), will it understand it?

Provided you specify the 1.0 version in your API endpoint or specify the version via mgmt_cli, yes.
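As an added example (not code from the session, the SDK or Check Point), here is how the answers above on bulk-changing rule tracking, the per-call limit, and publish/discard fit together in Python. It assumes `api_call(command, payload)` is any callable that speaks the Management API JSON format and raises `RuntimeError` on an API error (for instance a thin wrapper over `APIClient.api_call` from cp_mgmt_api_python_sdk after a login that passed `session-timeout`); `FakeMgmt` is a constructed in-memory stand-in so it runs offline.

```python
# Added example, not from the session: bulk-change Track on every rule of an
# access layer one set-access-rule call at a time, paging through
# show-access-rulebase with offset/limit, then publish (or discard on any error).
# FakeMgmt is a constructed in-memory stand-in so the script runs offline.
PAGE_SIZE = 500  # the default limit; the session advises against raising it

def iter_rules(api_call, layer, page_size=PAGE_SIZE):
    # api_call(command, payload) -> dict; raises RuntimeError on an API error
    offset = 0
    while True:
        page = api_call("show-access-rulebase",
                        {"name": layer, "offset": offset, "limit": page_size})
        for entry in page["rulebase"]:
            if entry.get("type") == "access-section":  # rules nested in a section
                yield from entry.get("rulebase", [])
            elif entry.get("type") == "access-rule":
                yield entry
        offset = page["to"]  # 1-based index of the last item on this page
        if offset >= page["total"]:
            return

def set_track_for_layer(api_call, layer, track_type):
    changed, failed = [], []
    for rule in iter_rules(api_call, layer):
        if rule.get("track", {}).get("type") == track_type:
            continue  # already as wanted; skip the round trip
        try:
            api_call("set-access-rule", {"layer": layer, "uid": rule["uid"],
                                         "track": {"type": track_type}})
            changed.append(rule["uid"])
        except RuntimeError as exc:
            failed.append((rule["uid"], str(exc)))
    api_call("discard" if failed else "publish", {})  # never leave the session open
    return changed, failed

class FakeMgmt:
    """Constructed stand-in: pages over top-level entries (rules and sections)."""
    def __init__(self, entries, fail_uids=()):
        self.entries, self.fail_uids, self.last = entries, set(fail_uids), None
    def __call__(self, command, payload):
        self.last = command
        if command == "show-access-rulebase":
            lo = payload["offset"]
            chunk = self.entries[lo:lo + payload["limit"]]
            return {"rulebase": chunk, "from": lo + 1, "to": lo + len(chunk),
                    "total": len(self.entries)}
        if command == "set-access-rule" and payload["uid"] in self.fail_uids:
            raise RuntimeError("constructed error: rule locked by another session")
        return {}
```

Run against a real server, `set_track_for_layer(client_wrapper, "Network", "Log")` makes one set-access-rule call per rule that still differs and only publishes when every call succeeded.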