cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Developers

These spaces are for people who are using Check Point APIs to automate and orchestrate their security and/or integrate with other solutions.

PhongNN
PhongNN inside API / CLI Discussion and Samples yesterday
views 167 5

Error when trying to export package by import_export_package.py

Hi allI have a trouble when trying to export a package from SMC. The message like this :Exporting NAT policyGetting information from show-nat-rulebaseRetrieved 50 out of 65 rules (76%)Traceback (most recent call last):File "import_export_package.py", line 59, in <module>export_package(client, args)File "D:\Python\ExportImportPolicyPackage-master\exporting\export_package.py", line 59, in export_packagenat_data_dict, nat_unexportable_objects = export_nat_rulebase(show_package.data["name"], client)File "D:\Python\ExportImportPolicyPackage-master\exporting\export_nat_rulebase.py", line 13, in export_nat_rulebaserulebase_rules, general_objects = get_query_nat_rulebase_data(client, {"package": package})File "D:\Python\ExportImportPolicyPackage-master\exporting\export_objects.py", line 174, in get_query_nat_rulebase_dataif "Automatic Generated Rules : " in rulebase_item["name"]:KeyError: 'name'Does anyone have any ideas for this ?Thank youRegards
Uri_Bialik
inside API / CLI Discussion and Samples yesterday
views 18489 25 6
Mod

Getting a "Forbidden" error message (HTTP status code 403)

In some scenarios browsing to https://<management-server>/web_api/ may lead to seeing this error message:ForbiddenYou don't have permission to access /web_api/login on this server.What does it mean?It means that the API server is not configured to accept requests from the machine running your browser.For security reasons, the default settings for the API server allows him to accept requests only from the management server itself and not from any other IP address.If you want your management server to accept API requests from other machines, please follow this procedure:* Open SmartConsole and log into your management server. If you have a multi-domain environment, log into the MDS domain.* Click on the "Manage & Settings" button on the left.* Select "Blades"* Look for the "Management API" section and click on "Advanced Settings".Now you can choose between three options:1) Accept API calls from the management server only (the default setting)2) All IP addresses that can be used for GUI clients.    This option would allow the API server to accept requests only from IP addresses that can be used to connect with the management server using SmartConsole.3) All IP addressesOnce you make you selection:* Click the publish button* Use SSH to log into the management server in "expert mode" and type "api restart".

GAiA API failing to install with Ansible

Hi all, I have the following task in my ansible playbook for installing the GAiA API (version 1.3) on my gateways and SMS:- name: Install gaia_api  shell: ./install_gaia_api.sh  args:    chdir: /home/admin/gaia_api  register: output- name: Output  debug:    var: output.stdout_lines When I'm running the playbook on my gateways (reimaged with blink_image_1.1_Check_Point_R80.30_Gateway.tgz) and SMS (reimaged with blink_image_1.1_Check_Point_R80.30_Management.tgz), I'm getting the following output after performing a 'gaia_api status' on the gateways, but on the SMS everything seems to be working fine: [Expert@GW1:0]# gaia_api statusTraceback (most recent call last):File "/rest_api/ckp/client_util/serverStatusPrinter.py", line 2, in <module>from objects.serverStatus import *File "/rest_api/ckp/objects/serverStatus.py", line 1, in <module>from infra.annotations import *File "/rest_api/ckp/infra/annotations.py", line 3, in <module>import rest_rbaFile "/rest_api/libs/rest_rba.py", line 7, in <module>import sessions_managerFile "/rest_api/libs/sessions_manager.py", line 12, in <module>import rest_api_xml_parserFile "/rest_api/libs/rest_api_xml_parser.py", line 8, in <module>import command_factory as factFile "/rest_api/libs/command_factory.py", line 10, in <module>import clishFile "/rest_api/libs/clish.py", line 5, in <module>from flaskApi import getRequestHeaderFile "/rest_api/libs/flaskApi.py", line 12, in <module>from flask import *ImportError: No module named flask I've checked the Ansible output and even though it says the installation completed successfully it's still giving me the output errors when running gaia_api status. But when I manually run the install_gaia_api.sh script it seems to be working.ok: [GW1] => {"output.stdout_lines": ["Starting gaia_api installation","Old version removed successfully","Installing gaia_api...","Successfully installed gaia_api, use \"gaia_api status\" to monitor the state"]} I have my Python interpreter set as: ansible_python_interpreter="/opt/CPsuite-R8*/fw1/Python/bin/python"Remarkably, when I use ansible_python_interpreter=python, I'm getting the following error on the gateways (not on the SMS): fatal: [GW2]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.23.112.102 closed.\r\n", "module_stdout": "/bin/sh: python: command not found\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": Which makes me think it's a Python issue.Any suggestions? I'd appreciate some input.

Trigger API system backups via API

Hello,I'm an absolute novice to firewalls, but I'm fairly familiar with automation using Ansible, Chef, Puppet, etc and the use of APIs.one of the network engineers presented a use case to trigger "system backups". I'm already able to do configuration backups using Ansible, but the use case presented to me shows "system backups" being triggered from an MDS to multiple gateways. I'm curious about the capabilities of the management API to be able to programmatically trigger these system backups as they seem to contain more than just the "show configuration" command.can anyone point me in the right direction on how to execute this via API call or via a console (CLI/SSH)?Is this feasible/necessary? Regards, Zeke

Python API Lib set

a few months ago i found a code snip on here of python calling the web api and i wanted to expand on it to make a more extensible library set.https://github.com/celticcow/r80api-functionshas the library set with a test script ... a LOT of debug info is returned.  I've been able to take this and make web front ends via simple cgi calls to automate a lot of firewall object builds etc ..the idea is to call a function like add_a_host that will take arguments and do the json work for you ... and check things like does a host already exist with this IP.  or add_a_host_with_group which will add a host ... if a host object does NOT exist with this IP already.  if a host with that IP exist it will add that host object to the group name that is passed as an argument.   does similar things with networks and IP ranges. example:""" add a host object and add it to a group """ def add_a_host_with_group(ip_addr, name, ip, group, sid): print("temp -- in add_a_host<br>") check_host_obj = {"type" : "host", "filter" : ip, "ip-only" : "true"} chkhst = api_call(ip_addr, "show-objects", check_host_obj, sid) if(chkhst['total'] == 0): #need new host if(name_exist(ip_addr, name, sid) == False): host_to_add = {"name" : name, "ip-address" : ip, "groups" : group, "color" : "light green"} out1 = api_call(ip_addr, "add-host", host_to_add, sid) print(json.dumps(out1)) else: print("object with that name already exist") else: # host exist ... print("host already exist") existing_host_name = chkhst['objects'][0]['name'] # name of existing host add_host_to_group_json = { "name" : group, "members" : { "add" : existing_host_name } } out1 = api_call(ip_addr, "set-group", add_host_to_group_json, sid) print(json.dumps(out1)) so in the main code you can just do something like:apifunctions.add_a_host_with_group(ip_addr, "test176", "192.168.176.200", "group1", sid) this will attempt to create a host object named "test176" with ip 192.168.176.200 into a group named "group1" unless something already exist with that IP and then it will add that.ip_addr = raw_input("Enter IP of MDS : ") ip_cma = raw_input("Enter IP of CMA : ") user = raw_input("Enter P1 User : ") password = getpass.getpass('Enter P1 Password :') sid = apifunctions.login(user, password, ip_addr, ip_cma) will get you sid for the login. hope this is helpful.  it's been a huge time savor for me when we're building out policies and i can create a web form for engineers to dump data into and it will create / search for them.
Jim_Oqvist
inside API / CLI Discussion and Samples Thursday
views 18434 22 25
Employee+

How-to use Postman with R80 Security Management API

What is Postman Postman is a free Google Chrome extension that can be used for testing and experimenting with web-services You can find the latest postman collection file for R80 Security Management API here postman_collection.json   Installation 1) Launch "Google Chrome" and enter "chrome://apps" in the URL bar. 2) Open "Web Store" 3) Search for "Postman" 4) Click on "Add to Chrome" and the following should appear: 5) Add the app and then click on "Launch App"   Setup Postman to work with the R80 Security Management API 1) You can import a list of APIs into your Postman environment using Postman's "collection" feature. This stored list of APIs can help you avoid syntax errors and save you time finding APIs. The various Postman collections can be found as follows: API v 1.00 R80 - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80/td-p/38853 API v 1.1 R80.10 - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80-10/td-p/38806 API v 1.2 R80.20.M1 - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80-20-M1/td-p/40310 API v 1.3 R80.20 GA - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80-20/td-p/40569 API v 1.4 R80.20.M2 - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80-20-M2/td-p/40952 API v 1.5 R80.30 - https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/postman-collection-R80-30/m-p/539... 2) Launch Postman, and click on the "import collection" button. 3) Select "choose files" and select the collection file that you have. After selecting the file, you should see something like this:      4) On the left part of the screen, you should now see the text similar to "Web API – take hero3– 991000104". Click on this text, to see the list of API calls grouped by categories. 5) To set-up the environment variable, click on "Manage environments" and click on add     ---->  6) Add a key called "server" and set it with the value: https://<your-mgmt-ip-address>/web_api 7) Add a key called "session", you can leave its value empty. 😎 Click the "Add" button, to exit this dialog. 9) Click the "X" button to exit the “Manage Environments” screen Activating and testing the R80 Security Management API 1) Open SmartConsole R80, and login to the R80 Security Management 2) When the GUI is opened, go to : Manage & settings -> Blades -> Management API -> Advanced Settings 3) Check “Automatic start”, and pick “All IP Addresses that can be used for GUI clients or All IP addresses”. 4) Press OK 5) Publish 6) Run the command api reconf from clish 7) Make sure the management API server is up and running. Browse to: https://<your-mgmt-ip-address>/api_docs/ You need to accept the self signed certificate warning 😎 You should now see the R80 Management API reference guide   9) In Postman: (A) change the postman environment to the one you set in the previous step. (B) locate the "Login" command in the list of APIs on the left and click on it.(C) Change the values for the user-name and password.(D) Click on the "send" button 10) The output of the "Login" command contains a session-ID (sid) value. This value should be used by all other API calls in the same session as a way to prove the authenticity of the user behind the API call. To set the session-ID for subsequent API calls select the sid value, right click and select "Set:" -> "session". 11) You're done! Choose any other API calls from the collection and run it.
Employee

GAIA API version 1.3 is now GA !

Hi all,   I am happy to announce the release of GAIA API version 1.3   This version includes several stability fixes, fine tuning of the current I/S and new APIs. Some of the new capabilities of the new version: NTP API Run scripts from expert (“run-script”). Show-task API. Added 'gaia_api fingerprint' command to run from expert mode.    Documentation: Examples per added API Documentation for asynchronous tasks.   I/S: Asynchronous task capabilities. Added Celery and Redis.   Info Use this link to check the recent APIs documentation Use this link to download the recent API engine and see the latest changelog   Regards, Itai Weiss

Login failed: APIResponse received a response which is not a valid JSON.

Hello, I new with API for CheckPoint... I have an API for checkpoint.the API : https://github.com/CheckPointSW/cp_mgmt_api_python_sdk/blob/master/README.mdI using an R80.30 Server Management when i run script from my Python API i get this response:Login failed: APIResponse received a response which is not a valid JSON. Note : I new with API for checkpoint, my goal is to create/use a API with python  for checkpoint to read/write Rules for the checkpoint FW.Someone can to direct me for which API i need to use... Thank to all ! 🙂 
Employee+

Ubiquiti Unifi and Check Point Integration

Here is a simple way to integrate Ubiquiti Unifi systems into Check Point environments using the Unifi API and the Identity API. This solution will query the Unifi controller to gather details about the connected clients for a given Unifi site and/or ssid and create network IDs for each active client. In addition to better visibility, you can also configure Access Roles objects for these client identities to be used in the security policy. Since this is querying the Unifi controller you will need to always have the controller up and running in either a VM/container OR by using a cloud key.   Identity in PDP table of the gateway. All of the details gathered from the Unifi controller are added into the Machine field. For this example a client machine named 'dilligj1-e7470' is active on the 'homenet' Unifi site and also connected to port #12 of the switch. Client identity in pdp table of gateway   Example log inside SmartConsole showing machine identity. Using the search bar for logs you can also type any of the machine details to search the logs for clients connected to that Unifi site or switch.   If you want to enforce rules based on Unifi sites and/or ssid you are able to create an access role object that represents the Unifi site name and ssid (if wireless clients). The name format for this is 'Unifi_<SITENAME>_<SSID>' for wireless and 'Unifi_<SITENAME>' for wired clients.   For usage examples and the code see my GitHub repository for this project: https://github.com/joe-at-cp/CPUnifi   Thanks and Enjoy!      
Maik
Maik inside API / CLI Discussion and Samples a week ago
views 293 2

SmartConsole Extension - Your experience (+ examples)

Hello,I wanted to ask you about your first impressions with the SmartConsole extension, which is now available for some time. If you haven't heard of it before; you can check out a basic introduction here. The developer guide can be found via this link.I'm currently thinking of creating an extension on my own which simply executes specific mgmt_cli commands and provides some kind of feedback based on the return value(s). But before I start to (somehow) figure out how to approach this with just basic html knowledge and absolutely zero knowledge in React or JavaScript I wanted to get some impressions from the community.> Did you use this feature yet? If yes, what does your extension actually do?> Did you create your own extension, or used/tested with the examples from Github?> Did you have devs help you with the first steps or is it kinda trivial and can be done without prior JavaScript and/or React knowledge? Regards,Maik
israelgl
israelgl inside API / CLI Discussion and Samples a week ago
views 293 5

adding network object with mgmt_cli batch CSV file

i try to add number of network object with cli tool but i received an error.i followed sk113078 and did exactly the same and received the error:Line 2: code: "generic_err_invalid_parameter_name"message: "Unrecognized parameter [name]"Line 3: code: "generic_err_invalid_parameter_name"message: "Unrecognized parameter [name]"Line 4: code: "generic_err_invalid_parameter_name"message: "Unrecognized parameter [name]"Executed command failed. Changes are discarded. the csv is:name,subnet,subnet-masknetwork1,10.10.10.0,255.255.255.0network2,20.20.20.0,255.255.255.0network3,30.30.30.0,255.255.255.0  i have R80.20 take: 103
Arun66
Arun66 inside API / CLI Discussion and Samples a week ago
views 1420 3

Rule base export with zero hit count

Hi I am trying to export the rules with zero hit count for past three months using API to do a rule base clean up.Is there a way to filter only the rules with zero counts to be exported using show access-rulebase commandMy commnad as follows mgmt_cli show access-rulebase offset 0 limit 20 name "Network" details-level "standard" use-object-dictionary true show-hits true hits-settings.from-date "2019-01-01" hits-settings.to-date "2019-01-30" hits-settings.target "XXX"Thanks & RegardsArun

Adding network object via mgmt_cli tool

According to Check Point - Management API reference , below are the mandatory parameters for adding a network object:Below is my command:And below is the result:As far as I can see, I haven't made a mistake in the syntax while the ip-address parameter is not even on the list among the mandatory arguments shown above. What's more, I have also used the "subnet4", "ip-address" and "ipv4-address" keywords without having any luck.Has anybody had issues with this?Thanks.
Uri_Bialik
inside API / CLI Discussion and Samples a week ago
views 9126 19 13
Mod

Python library for using R80 management server APIs

OverviewCheck Point Python Development Kit simplifies the usage of the Check Point R80 Management Server APIs. The kit contains the API library project, and sample projects demonstrating the capabilities of the library.Examples:add_access_rule - demonstrates a basic flow of using the APIs: performs a login command, adds an access rule to the top of the access policy layer, and publishes the changes.find_duplicate_ip - demonstrates searching for all the hosts that share the same IP address.discard_sessions - demonstrates how to discard the changes to the database for un-published sessions.clone_host - demonstrates cloning and replacing an existing host with a cloned host.DescriptionA Python 2.7 and Python 3.7 code that uses a library that handles all the communication with the Check Point R80 Management Server.InstructionsDownload the development kit containing the library and the examples.Run each example from its folder.python example_name.pyOr you can instalI the library with pip as follows:pip install git+https://github.com/CheckPointSW/cp_mgmt_api_python_sdkhttps://github.com/CheckPointSW/cp_mgmt_api_python_sdk#note-you-might-be-required-to-use-sudo-for-this-commandNote: you might be required to use "sudo" for this command.For other ways to install/upgrade, see: cp_mgmt_api_python_sdk/README.md Tested on versionR80, API version 1.0Source Code AvailabilityThe source code is now public on GitHub repository:GitHub - CheckPointSW/cp_mgmt_api_python_sdk: Check Point API Python Development Kit https://github.com/CheckPoint-APIs-Team/cpapi-python-sdkNOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions...

New native Ansible module in 2.10 devel branch - and how to get it working

Hello,since  a few days there are several new modules in the developement branch of ansible, extending the very basic modules available since ansible version 2.8. (See: https://docs.ansible.com/ansible/devel/modules/list_of_network_modules.html#checkpoint)Does anyone have implemented a working playbook with these modules? I'm not sure if I use them correctly with the httpapi plugin. But if I do so, I get the following error: ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'The full traceback is:Traceback (most recent call last):File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 102, in <module>_ansiballz_main()File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 94, in _ansiballz_maininvoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 40, in invoke_modulerunpy.run_module(mod_name='ansible.modules.network.checkpoint.cp_mgmt_host', init_globals=None, run_name='__main__', alter_sys=False)File "/usr/lib/python2.7/runpy.py", line 192, in run_modulefname, loader, pkg_name)File "/usr/lib/python2.7/runpy.py", line 72, in _run_codeexec code in run_globalsFile "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/modules/network/checkpoint/cp_mgmt_host.py", line 333, in <module>File "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/modules/network/checkpoint/cp_mgmt_host.py", line 328, in mainFile "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/module_utils/network/checkpoint/checkpoint.py", line 189, in api_callFile "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/module_utils/connection.py", line 185, in __rpc__ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid' using this basic playbook:- name: My First Playbook hosts: checkpoint connection: httpapi gather_facts: no tasks: - name: add-host cp_mgmt_host: ip_address: 192.0.2.1 name: New Host 1 state: presentIn my inventory file I defined the host and the plugin to use:[checkpoint] 192.168.100.5 [checkpoint:vars] ansible_network_os=checkpoint ansible_user=admin ansible_password=adminpw Is this a bug in the new series of modules or do I use them in the wrong way? Can anyone post an example including necessary variable definitions to make the plugin working? Thanks in advance and have a nice weekend,Markus
In This Category
API / CLI Discussion and Samples

<p>Do you have questions on how to use any of Check Point's API commands, including via the CLI using mgmt_cli? Looking for sample code? This is the place to find answers!</p>

Category Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.