Aathi inside API / CLI Discussion and Samples 5 hours ago
views 143 14

cp_conf sic init 1234 norestart is not working via ansible

Hi Team,

I am trying to reset the SIC without restart by using below command via ansible and getting the error. Kindly help on this.

Playbook:

- name: SIC key generation
  command: "{{ item }}"
  with_items:
    - /opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart
    - /opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop"
    - /opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd"

Error in ansible:

failed: [10.6 (item=/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart) => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cp_conf", "sic", "init", "Infy123+", "norestart"], "delta": "0:00:00.018486", "end": "2019-07-17 07:50:20.309823", "item": "/opt/CPshrd-R80/bin/cp_conf sic init Infy123+ norestart", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.291337", "stderr": "/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cp_conf: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path "/opt/CPshrd-R80/bin/cpd_admin" -command "cpd_admin stop") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "stop", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd_admin", "-command", "cpd_admin stop"], "delta": "0:00:00.019825", "end": "2019-07-17 07:50:20.956607", "item": "/opt/CPshrd-R80/bin/cpwd_admin stop -name CPD -path \"/opt/CPshrd-R80/bin/cpd_admin\" -command \"cpd_admin stop\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:20.936782", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

failed: (item=/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path "/opt/CPshrd-R80/bin/cpd" -command "cpd") => {"changed": true, "cmd": ["/opt/CPshrd-R80/bin/cpwd_admin", "start", "-name", "CPD", "-path", "/opt/CPshrd-R80/bin/cpd", "-command", "cpd"], "delta": "0:00:00.019049", "end": "2019-07-17 07:50:21.613861", "item": "/opt/CPshrd-R80/bin/cpwd_admin start -name CPD -path \"/opt/CPshrd-R80/bin/cpd\" -command \"cpd\"", "msg": "non-zero return code", "rc": 127, "start": "2019-07-17 07:50:21.594812", "stderr": "/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory", "stderr_lines": ["/opt/CPshrd-R80/bin/cpwd_admin: error while loading shared libraries: cannot open shared object file: No such file or directory"], "stdout": "", "stdout_lines": []}

Kindly help on this.

Regards
Athimoolam.A
Iain_King inside API / CLI Discussion and Samples 14 hours ago
views 1632 3 8

Pre-R80.10 dynamic objects from DNS A record lists.. one liner examples

Ever want to allow access to "" or "" or some large lists of A record hosts (like AWS or Azure hosted front end elastic load balancers.. or Akamai hosted stuff etc)?

Domain objects not doing it for you? (reverse lookups only the first address)
Logical server objects not doing it for you (like they do in AWS/Azure autoscaling?)
Not on R80.10 yet?

Create a dynamic object as a destination.. then on the command line do the following:

The dynamic object name here is "dynamic_dns_hosts" and must match the dynamic object created in the policy editor (smartconsole).

//
[Expert@gw-913127:0]# dynamic_objects -n dynamic_dns_hosts
Operation completed successfully

To populate the dynamic object run the following:

[Expert@gw-913127:0]# dig +short|sort -u|awk '{print $1" "$1}'|xargs dynamic_objects -a -o dynamic_dns_hosts -r
Operation completed successfully
Log update success
//

Check the object has been updated (shows both in the logs in tracker as well):

//
[Expert@gw-913127:0]# dynamic_objects -l
object name : CPDShield
range 0 :
name : dynamic_dns_hosts
range 0 : 1 : 2 : 3 : 4 : 5 : 6 : 7 : 8 : 9 : completed successfully
//

It's possible to write this into cron (scheduled_task) or run in a while loop. It's possible also to depopulate the object, delete the object and all the other things too.

If you're interested in doing this in python, there's some cool tools here (someone at checkpoint wrote it):
chkp / dynobj — Bitbucket
Tim_Koopman inside API / CLI Discussion and Samples yesterday
views 1235 8 6

CheckPoint.NET Class Library for Web API

Hello All,

I have started a new project of creating a .NET class library for talking to the Web API easily. My goal is to make it rather simple to integrate any .NET application to Check Point in a standard way. While I personally have a few custom internal projects that will use it, I will also be looking at migrating psCheckPoint PowerShell module to it once it is ready.

So while this project is in early stages I am interested in any questions, requests or comments anyone may have, as well as if anyone wants to help with the project in any way.

If you are interested you can watch its progress on GitHub.

GitHub - tkoopman/CheckPoint.NET

Tim.

Group membership export with IP address

I have a group object that contains close to 600 devices. I can export the group to a csv but it only contains the group information. If I search for a specific device, I can export a csv with hostname, IP address, and description. However, I cannot export a csv with the members of a group with the hostname, IP address, and description. I've looked into some APIs but did not have much luck. Any and all assistance is greatly appreciated.
Danny inside API / CLI Discussion and Samples Friday
views 139 2 1

Bash - Name and IP of any Gateway?

I'm looking for a way to retrieve the name and IP address of any Check Point gateway locally on the system exactly as they are shown in the gateway list of SmartConsole, including VS systems.

Environment: Expert Mode (Bash).

For Non-VS systems this could be easily performed via:

grep `hostname` /etc/hosts

However, I need a solution that also works on VSX systems in different VS environments.
inside API / CLI Discussion and Samples a week ago
views 3835 5 9

Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:

- OpenBL
- Emerging Threats: Known Compromised Hosts
- TOR exit All
- Talos
- Dshield

The feeds are downloaded, sanity checked and then published on for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv so all feedback is appreciated.

If you want to try it out go to: https://cpdbl.net

[Screenshot of the interface]

Gateway details:

- These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticeably.
- Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.
- VSX is not supported for now.

Workflow:

The server( downloads all the lists nightly and

- Validates that all entries are valid IPs.
- Baselines the lists, makes sure a list does not suddenly grow enormously.
- Publishes the lists for the clients to download.

The client:

- Downloads fresh lists every 12 hours
- Times out entries in the block-table after 12 hours, hence if is unavailable all entries will be removed at this time.
- Validates that only entries containing numbers and "-" are read into the system. (to stop possible code injection)
- Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:

- R77.30: In SmartView Tracker, search for "SecureXL message: Quota violation".
- R80: In SmartLog, search for "blade:Firewall Alert".
Raj_Khatri inside API / CLI Discussion and Samples a week ago
views 2640 2

Using mgmt_cli without automatic publish

I noticed when using SmartConsole CLI, changes are not automatically published. However, when using mgmt_cli, changes are automatically published. Is there a flag that can be used when using mgmt_cli so you can still review the changes made allowing you to perform a manual publish?
John_Lovinggood inside API / CLI Discussion and Samples a week ago
views 99468 44 10

Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider 1 to grab all gateways and their corresponding model/software version. However, it was a very inconsistent result. Meaning that, some (active) gateways came back with just host name and IP and then some came back with host name/IP/OS Version/model number.

Anybody aware of a way to pull: Gateway Info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want active count for inventory. Any such method/script?

Functionality - API vs. SmartConsole

When teaching the Check Point Certified Automation Specialist (CCAS) class, a common question I get is what types of Management operations cannot be performed through the API and must be performed through the SmartConsole GUI instead. I have a bit of an unofficial list but would like to compile an authoritative list with the CheckMates community; various API limitations have been discussed in prior threads like this.

Some ground rules:

1) Only releases that are GA like R80.30 and earlier may be discussed, so if an API limitation is resolved in an upcoming release like R80.40 that doesn't count
2) dbedit is not the API and doesn't really count, but feel free to discuss workarounds for the various limitations
3) This list of limitations is for the Management API, not the Threat Prevention API, Identity Awareness API, etc.
4) Features available through the API that are not available in the SmartConsole GUI (like specific Hit Count history) should not be included (that could be a separate post)

So without further ado, here is the list of Management operations that cannot be performed via the Management API and must be performed through a GUI instead, please feel free to add items to this list or provide corrections:

1) Manipulation of gateway cluster objects
2) Geo Policy
3) HTTPS Inspection
4) Mobile Access Blade
5) Anti-spam & Mail Blade
6) DLP Blade (not Content Awareness)
7) SmartEvent Event Policy Tuning (performed in a separate GUI from SmartConsole)
8) SmartUpdate License Manipulation (performed in a separate GUI from SmartConsole)
9) QoS Blade/Policies (not APCL/URLF Limits)
10) GUIDBedit operations (performed in a separate GUI from SmartConsole)

Thanks everyone!
inside API / CLI Discussion and Samples a week ago
views 24102 291 60

Python tool for exporting/importing a policy package or parts of it

Overview

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database. This tool can be used for backups, database transfers, testing and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository:

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.

To export a package, run the script. An interactive menu will guide you the rest of the way. Command line flags may also be set in order to skip some or all of the menu.

A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool. Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:

- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version

R80.x

Source Code Availability

The source code is available through GitHub:

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions ...
KonstantinS inside API / CLI Discussion and Samples 2 weeks ago
views 574 12

show-membership attribute - REST API

Hi all!

We just upgraded one test system to R80.20 which brought us the API version 1.3. In the past (v1.1 and v.1.2) we were also getting the memberships while executing "show-hosts". Since v1.3 there is no members array in the response anymore. Only if we put "show-membership" : true in the request body, we are getting them...

The documentation is saying that the default value for the attribute "show-membership" is true in all versions since v1.1. Was there a change in v1.3? Is the documentation wrong in this case?

Regards,
Konstantin
Saxo- inside API / CLI Discussion and Samples 2 weeks ago
views 81 1

Routing BGP advertisement

Hi all,

How can I advertise correctly a route on BGP that is directly connected? When I run show bgp peer x.x.x.x advertise I don't see my network advertised, I think I made some wrong command, how can I advertise correctly a network to my peer? I already checked sk refer to bgp but explanation was a bit difficult to understand, someone can help me to figure it out?

Thank you
Keld_Norman inside API / CLI Discussion and Samples 2 weeks ago
views 95 1 1

Demo mode for Multi-domain Management R80.30

Hi Check Mates,

I have a customer who wants to upgrade their MDM 77.x to 80.x and wants to see all the GUI and config options in the "new design" of 80.x. In 77.20 there was a demo mode for MDM but it seems to have disappeared in 80.x - does anyone know where I can get access to a demo MDM 80.30?

I have installed a local VMware Workstation MDM v80.30 but it is not populated with firewalls and log servers and I do not have the spare time to set up examples there.

Best regards
Keld Norman
Chonyi inside API / CLI Discussion and Samples 2 weeks ago
views 109 2

Get IPS Protections using API

Hi,

I am wondering is there an option to export .csv file with IPS protections per profile using Web Services API? The output should be the same as doing it through SmartConsole as shown in the following screenshot.

Other option to get this information is through API command show threat-protections but max limit to the output is 500 protections which is not sufficient.

Thanks.
udanap inside API / CLI Discussion and Samples 2 weeks ago
views 291 2

How to merge policy packages in one R80.10 CMS to another existing R80.10 CMS using python tool?

Hi All,

I need to import some policy packages from one R80.10 CMS to another R80.10 CMS. I used the python tool to export each and every policy package from the first CMS. But when I tried to import them one by one to the 2nd CMS, first policy package was imported with its objects without any issues but when importing the 2nd policy package, new objects were created with the name of "NAME_COLLISION_RESOLVED_". I think it is because during the import of 1st policy package, majority of the objects were imported and during the 2nd policy package import, it tried to import same objects again and met with name collisions. Then all those duplicated objects were renamed as NAME_COLLISION_RESOLVED_objects and saved as new objects.

Is there any way to overcome this issue? Or any other successful method to import those policies? I really appreciate your responses.

Thanks and Regards,
udanap
In This Category
API / CLI Discussion and Samples

Sample code for the Check Point APIs and CLIs and where to ask questions about these topics
