
show package name "New_Standard_Package_1" --version 1.2 --format json command execution issues

Hi Team,

I tried to give firewall name / policy name / CMA name. But it is now allowing to execute the command. What should be the value?

generic_err_invalid_parameter_name

Regards,
Revathi

How to script the creation of a VIP IP / Topology ?

Hello,

One of my customers is asking how to automate the creation of a VIP. I looked in the API reference guide (Check Point - Management API reference) in the section 'network object' - 'simple gateway' : 'interfaces' and cannot find it. Any idea?

Regards,

Check Point R80 firewall - Adding IP address to existing host

Hi Team,

We are using v1.3 API of Check Point R80 firewall. We're trying to figure out if there is an API that allows us to add an additional IP address (one or many) to an existing host object in the Check Point R80 firewall.

Ansible-based automation for CheckPoint Management Server and CheckPoint Gateways

Hello all,

I would like to share with you a tool for automatic configuration of Check Point management server and Check Point gateways. The tool is based on CP Management API, CP GAiA API and Ansible, and enables a range of gateway and management related configuration actions. The tool is easily extendable. The tool can be considered a good starting point for the automation of your Check Point environment.

For management server

The following configuration is possible on the management server:

- Create/delete network, ranges, services objects
- Create/delete policy packages
- Add rules to the policy packages
- Add gateways, establish SIC
- Install policy on the gateways

For gateways

The following configuration is possible on gateways in accordance with various gateway attributes like CMA, SW version, gateway type, platform type, gateway IP:

- DNS configuration
- Users configuration
- Expert password configuration
- User public keys copy
- ...

Which means you can configure DNS, Users, Expert password or Users public keys specifically for gateways in certain CMAs or for gateways having a certain SW version, platform type, or IP address.

Below are the tool structure and the steps for the gateways configuration part:

- Ansible playbook starts the Dynamic Inventory Script.
- Dynamic Inventory Script gets the list of all gateways from SMS or MDS via MGMT API.
- Dynamic Inventory Script reads the services configuration files.
- Dynamic Inventory Script creates the Ansible inventory files based on the gateways list and services configuration.
- Ansible configures the gateways via GAiA API (and via SSH for expert mode) according to the inventory files.

License, warranty, contact

The tool is provided with APACHE2.0 and without any liability, warranty or support. In case you are interested in support or customization, please contact Check Point Professional Services under: PS-AUTOMATION@MICHAEL.CHECKPOINT.COM.

Detailed tool information is provided in the attached documentation and videos.

I hope the tool will be beneficial for you and I would appreciate your feedback. 🙂

Regards,
Yevgeniy

'run-script' api command restrictions for 3rd party management tools

Hello, dear colleagues!

A few weeks ago our company faced an issue with integration between CheckPoint and a 3rd party management solution (in our case, Skybox). According to Skybox documentation, since R80.10 version their system should use API commands instead of the OPSEC CPMI protocol. What's more, CheckPoint also doesn't recommend using OPSEC CPMI commands for R80 management, considering this protocol deprecated; look at sk63026. After some tests in a lab environment we concluded that Skybox really couldn't use the CPMI protocol for R80.10+ versions and their decision to use the API was right. But Skybox insists on using a super-user account and it's totally unacceptable.

The point is that we don't trust the Skybox product so much as to assign it super-user privilege. Furthermore, we have a strict responsibility boundary between the IT and security departments, and Skybox administrators are employees of the security dept. who shouldn't have permissions to write into the CheckPoint rulebase and configuration.

During investigation we understood that Skybox didn't receive 'netstat -rne' and 'ifconfig' after CheckPoint configuration polling. Skybox uses the 'run-script' API call to receive that information, and of course we can give a customized profile with read-only permission + permission to use one-time scripts instead of a super-user account. But it doesn't fully solve this issue, because we can send any bash command to any gateway which is managed by our SmartManagement. For example, we can send 'rm -rf / --no-preserve-root' by run-script API call to each gateway and all other CheckPoint devices and it works well.

However, we tried to restrict API permissions with another customized profile which can run only repository scripts, but unfortunately there is no API command to use repository scripts.

Dear CheckPoint staff, are you going to implement 'run-script' permission restrictions?

Or maybe somebody knows how to fetch the routing table with the netstat command and the interface table with the ifconfig command in the API without any chance to interrupt the system (I mean without permissions to do configuration changes, delete files, etc.)?

How can we install on multiple firewalls using install policy comand from API CLI

Hi Team,

I have explored the API reference posted in CheckMates. It gives the command below to deploy policy from the API CLI on a single firewall. Similarly, if we want to run policy installation on all firewalls of a CMA, what is the command?

API Reference: https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/install-policy~v1.2

Single Firewall:

    mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --version 1.1 --format json

Multiple Firewall:

    mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway corporate-gateway1 corporate-gateway2 " --version 1.1 --format json

In double quotes, can we include multiple firewalls by giving space?

Regards,
Revathi
Tomer_Sole
inside API / CLI Discussion and Samples Wednesday

How to export and import IPS profiles and their overridden protections in R80.10

Prior to R80, there was a closed-source tool by Check Point called export_import_profile.

Starting with R80:

1. The back-end representation of profiles and protections has changed, so the tool is no longer supported.
2. The open API enables any customer to make their own export and import operations.

Step 1: On the source machine, export the specific Threat Prevention Profile

The show threat-profile command returns a structure of the profile's settings.

Example:

    show threat-profile name MyOrganization details-level full

    uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
    name: "MyOrganization "
    type: "threat-profile"
    domain:
      uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
      name: "Check Point Data"
      domain-type: "data domain"
    active-protections-performance-impact: "medium"
    active-protections-severity: "Medium or above"
    confidence-level-low: "Inactive"
    confidence-level-medium: "Prevent"
    confidence-level-high: "Prevent"
    ips: true
    ips-settings:
      newly-updated-protections: "staging"
      exclude-protection-with-performance-impact: false
      exclude-protection-with-severity: false
    threat-emulation: true
    anti-virus: true
    anti-bot: true

Step 2: On the source machine, export IPS Protections which had their action overridden for this specific Threat Prevention Profile

This part is a little tricky: you have to go over all protections, and only pick the ones that have a different action for your profile. The show threat-protections command returns the protections. There is no way to get all the IPS Protections as one response, since that would make the output so big it would fail to return. Therefore we have to use the "offset" parameter to advance and get 50 protections every time. In the example below, the first protection just happened to have an override action for the "MyOrganization" profile. The second protection did not have an override action for the "MyOrganization" profile.

Example:

    show threat-protections offset 0 details-level full

    protections:
      - uid: "8027f5c8-1bac-cf49-99a3-59a89a35cdb6"
        name: "3Com Network Supervisor Directory Traversal"
        type: "threat-protection"
        domain:
          uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
          name: "SMC User"
          domain-type: "domain"
        severity: "High"
        confidence-level: "Medium"
        performance-impact: "Low"
        release-date: "20091124"
        update-date: "20091124"
        profiles:
          - name: "Basic"
            uid: "eb39a60d-c454-49f5-a28c-a89aa5bd2e09"
            default:
              action: "Inactive"
              track: "log"
              capture-packets: false
            final:
              action: "Inactive"
              track: "log"
              capture-packets: false
          - name: "Strict"
            uid: "caf8b711-d762-4c1e-82d5-6af2549b2869"
            default:
              action: "Prevent"
              track: "log"
              capture-packets: false
            final:
              action: "Prevent"
              track: "log"
              capture-packets: false
          - name: "MyOrganization"
            uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
            default:
              track: "log"
              capture-packets: false
            override:
              action: "Prevent"
              track: "log"
              capture-packets: false
            final:
              action: "Prevent"
              track: "log"
              capture-packets: false
        comments: ""
        follow-up: false
        ipsAdditionalProperties: ...
        name: "3Com TFTP Server Transporting Mode Remote Buffer Overflow"
        type: "threat-protection"
          - name: "MyOrganization"
            uid: "fa1aa324-a8cc-4dbd-bc04-f31fdb8abf61"
            default:
              action: "Inactive"
              track: "log"
              capture-packets: false
            final:
              action: "Inactive"
              track: "log"
              capture-packets: false
    ...

Step 3: On the target machine, create the new profile.

The add threat-profile command creates a new Threat Prevention Profile. You have to convert the output from step 1 to a command line with the values.

Example:

    add threat-profile name MyOrganization active-protections-performance-impact "medium" active-protections-severity "Medium or above" confidence-level-low "Inactive" confidence-level-medium "Prevent" confidence-level-high "Prevent" ips true ips-settings.newly-updated-protections "staging" ips-settings.exclude-protection-with-performance-impact false ips-settings.exclude-protection-with-severity false threat-emulation true anti-virus true anti-bot true

Step 4: On the target machine, set protection actions for the specific protections that were exported at step 2.

The set threat-protection command lets you change the action of the protection for a given profile.

Example:

    set threat-protection name "3Com Network Supervisor Directory Traversal" overrides.1.profile MyOrganization overrides.1.action Prevent
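The paging in step 2 and the command generation in step 4 can be scripted together. The following is an added example, not code from the original post: `fetch_page` and `sample_fetch` are hypothetical stand-ins for a call that returns the parsed reply of `show threat-protections offset N details-level full`, the sample pages are constructed from the output shown above, and it assumes the generated lines are passed to mgmt_cli from a shell.

```python
import shlex

PAGE_SIZE = 50  # the post advances "offset" by 50 protections per call

# Constructed sample replies keyed by offset, trimmed to the fields used below.
SAMPLE_PAGES = {
    0: {"protections": [
        {"name": "3Com Network Supervisor Directory Traversal",
         "profiles": [
             {"name": "Basic", "final": {"action": "Inactive"}},
             {"name": "MyOrganization",
              "override": {"action": "Prevent"},
              "final": {"action": "Prevent"}}]},
        {"name": "3Com TFTP Server Transporting Mode Remote Buffer Overflow",
         "profiles": [
             {"name": "MyOrganization", "final": {"action": "Inactive"}}]}]},
    50: {"protections": [
        {"name": "Constructed protection on second page",
         "profiles": [
             {"name": "MyOrganization",
              "override": {"action": "Inactive"},
              "final": {"action": "Inactive"}}]}]},
}

def sample_fetch(offset):
    """Hypothetical stand-in for the API call; returns a constructed page."""
    return SAMPLE_PAGES.get(offset, {"protections": []})

def overridden_protections(fetch_page, profile):
    """Yield (protection name, override action) for `profile`, page by page."""
    offset = 0
    while True:
        protections = fetch_page(offset).get("protections", [])
        if not protections:  # empty page: walked past the last protection
            return
        for prot in protections:
            for entry in prot.get("profiles", []):
                # Only entries with an "override" block differ from the default.
                if entry.get("name") == profile and "override" in entry:
                    yield prot["name"], entry["override"]["action"]
        offset += PAGE_SIZE

def import_commands(fetch_page, profile):
    """Build the step 4 commands; values are shell-quoted because exported
    names are data and must not be interpreted by the shell running mgmt_cli."""
    return ["set threat-protection name {} overrides.1.profile {} "
            "overrides.1.action {}".format(
                shlex.quote(name), shlex.quote(profile), shlex.quote(action))
            for name, action in overridden_protections(fetch_page, profile)]
```

Protections whose profile entry has only `default` and `final` blocks are skipped, so the target machine receives commands only for actions that were deliberately changed on the source.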

Looking for ISOmorphic Additional OS Configuration Script format

Hello Checkmates,

As the subject indicates, I would like to rapidly deploy using the scripts which can be included in the additional OS configuration and am unsure regarding the format of the script.

Does it follow standard clish commands and I can do as follows

    set domainname domain.local
    set dns primary 1.1.1.1
    set interface Mgmt ipv4-address 2.2.2.2 mask-length 24
    ... etc

Script to Automate GAIA Configuration backup

Hi,

I wrote the script below for my customer to automate GAiA configuration backup of gateways. The script runs on the management server; it fetches the "show configuration" output of all the gateways and creates a file for each individual gateway.

Steps (perform the following on the management server):

1. Create a directory called gaiagwbkp under /var/log.
2. Create a file called gateway_ip_list.txt under /opt/CPsuite-R80/fw1/scripts and add the IP addresses of the gateways which are managed by the same management server.

    [Expert@PROD-MGMT-R80:0]# cat gateway_ip_list.txt
    10.1.1.254
    [Expert@PROD-MGMT-R80:0]#

3. Create a file called gaiafwbkp.sh under /opt/CPsuite-R80/fw1/scripts, copy the script content and change the file permission.

    [Expert@PROD-MGMT-R80:0]# cat gaiafwbkp.sh
    #!/bin/sh
    # Load the Check Point environment so cprid_util is on the PATH.
    source /opt/CPshrd-R80/tmp/.CPprofile.sh
    # One gateway IP address per line in gateway_ip_list.txt.
    for dest in $(<gateway_ip_list.txt); do
        # Ask the gateway for its hostname; it is used in the backup file name.
        hostname=`cprid_util -server "$dest" -verbose rexec -rcmd /bin/bash -c "hostname"`
        now=$(date +"%m_%d_%Y")
        # Save the gateway's clish configuration as <hostname><date>.
        cprid_util -server "$dest" -verbose rexec -rcmd /bin/clish -c "show configuration" > "/var/log/gaiagwbkp/${hostname}${now}"
    done

4. Run the script gaiafwbkp.sh.
5. Schedule the job from the GAiA portal using the job scheduler.
6. If needed, you can run another job to FTP these backup files to an FTP server as well.

postman_collection R80.30

Postman collection for Check Point R80.30 (1.5 API)

R80.20 Mgmt API issue

We need help with this issue happening in R80.20. We see the API service stopping randomly, and at that point we need to manually restart the service, but of course we are trying to find out what is causing it to stop running randomly. This is very annoying. Below is the output of the API status when the issue happens:

    [Expert@cglscc4a:0]# api status

    API Settings:
    ---------------------
    Accessibility: Require all granted
    Automatic Start: Enabled

    Processes:
    Name      State     PID     More Information
    -------------------------------------------------
    API       Stopped
    CPM       Started   4929    Check Point Security Management Server is running and ready
    FWM       Started   2192
    APACHE    Started   4180

    Port Details:
    -------------------
    JETTY Internal Port: 50276
    APACHE Gaia Port: 4434 (a non-default port)
    When running mgmt_cli commands add '--port 4434'
    When using web-services, add port 4434 to the URL

    --------------------------------------------
    Overall API Status: The API Server Is Not Running!
    --------------------------------------------

    Notes:
    ------------
    To collect troubleshooting data, please run 'api status -s <comment>'

set-if-exists example

Could I have an example of how to use "set-if-exists"? And what versions of the API is this command compatible with?

R80.10 API install database

Is there a way to sync management/log servers via the "install database" via the API? Not having any luck finding it in the API reference guide.

How to create a radius server object via API?

Hi all,

Just wondering how to create a radius server object via API in R80.20. I'm afraid it's not possible. Hopefully I'm wrong 😞

Cheers,
Martin
PhoneBoy
inside API / CLI Discussion and Samples Sunday

SmartMove

Overview

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database. The tool parses Cisco ASA (version 8.3 and above), JunOS (version 12.1 and above), ScreenOS (version 6.3 and above), Fortinet (FortiOS version 5 and above), and Palo Alto Networks (Version 7 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.x compliant policy. For PAN, we also convert application definitions (including Application Groups and Application Filters). The tool is planned to support additional vendors and security configurations in the future. The tool generates bash scripts by utilizing Check Point Management API's command line interface, to migrate the converted policy into a R80.x Management (or Multi-Domain) server.

Description

The tool is developed using Microsoft C# language and .Net framework version 4.5 (WPF application). The project solution file is configured for Microsoft Visual Studio 2012 and above.

Instructions

Code is available on GitHub: SmartMove
Tool can be downloaded from: sk111546

Code Version

Code version 0.0.0
Tested on version R80.10, API version 1.1

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
In This Category
API / CLI Discussion and Samples

Sample code for the Check Point APIs and CLIs and where to ask questions about these topics
