Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.
For those who simply cannot wait, I present the following stopgap solution:
[Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
tcp 0 0 127.0.0.1:18242 0.0.0.0:* LISTEN 3247/smartlog_serve
[Expert@stack-mgmt-a0:0]#
# authenticate and obtain FWMToken value
curl_cli -v -d @fwm-login.xml 'http://127.0.0.1:18242/login' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`
Content of fwm-login.xml:
<login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>
# authenticate and obtain CPMToken value
cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`
uid=A8571015-BF9A-492B-81D0-1D9EBCD6EB3F
timestamp=`date -d '07/09/2019 12:00:00' +"%s"`
# $1 - report uid
# $2 - date - a unix timestamp that equals noon on the same day the event was created
# fetch the XML report blob
export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
curl_cli -v 'http://127.0.0.1:18242/packet_capture?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incid...' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o $1.xml
The complete request parameters:
'?session_id=0&product=Forensics&module_name=stack-mgmt-a0&incident_uid='"$1"'&date='"$2"'&service=ignore&log_server=10.0.0.14'
Note: Pay attention to the parameters that must be modified to match a different management server.
# extract the XML report blob and decode it
xmllint --nocdata --format --shell $1.xml <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > $1.zip
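The same procedure folded into one script, as an added example that is my code and not part of the original post or of Check Point's tooling: it performs the two logins, builds the same cookie and query string, and parses the responses with an XML parser instead of trimming xmllint output with tail/head, so a malformed response fails loudly rather than producing a truncated ZIP. The module name stack-mgmt-a0 and log server 10.0.0.14 are the values from the post; the argument order and the assumption that noon is taken in the management server's local time (as with date -d above) are mine.

```python
import base64, subprocess, sys, time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
SMARTLOG = "http://127.0.0.1:18242"  # smartlog_server listens on loopback only (see netstat above)
HEADERS = {"User-Agent": "Apache-HttpClient/4.3.1 (java 1.5)",
           "RflId": "52ff49cf-6ef8-40df-a968-a1a9863b0a2b"}

def login_body(user, password):
    """Same <login> document as fwm-login.xml; ']]>' inside a credential would end the CDATA early."""
    if "]]>" in user + password:
        raise ValueError("credential contains ']]>' and cannot be placed in a CDATA section")
    return ("<login><user><![CDATA[%s]]></user><magic_number><![CDATA[CP_Etude_2055]]>"
            "</magic_number><password><![CDATA[%s]]></password><sso_token><![CDATA[]]>"
            "</sso_token><get_all_columns_def /></login>" % (user, password)).encode()

def parse_fwm_token(xml_bytes):
    """The login response carries the FWMToken at /root/token."""
    return ET.fromstring(xml_bytes).findtext("token", "").strip()

def parse_sid(mgmt_cli_output):
    """mgmt_cli login prints 'sid: "<value>"'; that value is the CPMToken."""
    line = next(l for l in mgmt_cli_output.splitlines() if l.strip().startswith("sid"))
    return line.split(":", 1)[1].strip().strip('"')

def noon_timestamp(day):
    """Epoch seconds for 12:00:00 local time on YYYY-MM-DD, like date -d '... 12:00:00' +%s."""
    return int(time.mktime(time.strptime(day + " 12:00:00", "%Y-%m-%d %H:%M:%S")))

def report_url(uid, ts, module_name, log_server):
    """Query string from the post; module_name and log_server are per-deployment values."""
    q = {"session_id": 0, "product": "Forensics", "module_name": module_name,
         "incident_uid": uid, "date": ts, "service": "ignore", "log_server": log_server}
    return SMARTLOG + "/packet_capture?" + urllib.parse.urlencode(q)

def decode_blob(xml_bytes):
    """//blob holds the ZIP report base64-encoded twice; return the raw ZIP bytes."""
    root = ET.fromstring(xml_bytes)
    blob = root if root.tag == "blob" else root.find(".//blob")
    return base64.b64decode(base64.b64decode(blob.text))

def http(url, data=None, cookie=None):  # POST when data is given, GET otherwise
    hdrs = dict(HEADERS, **({"Cookie": cookie} if cookie else {}))
    return urllib.request.urlopen(urllib.request.Request(url, data, hdrs)).read()

if __name__ == "__main__":  # usage: <incident_uid> <YYYY-MM-DD> <admin user> <password>
    uid, day, user, pw = sys.argv[1:5]
    fwm = parse_fwm_token(http(SMARTLOG + "/login", login_body(user, pw)))
    cli = subprocess.run(["mgmt_cli", "login", "-u", user, "-p", pw, "--port", "4434"],
                         capture_output=True, text=True, check=True)
    cookie = "FWMToken=%s&CPMToken=%s" % (fwm, parse_sid(cli.stdout))
    xml = http(report_url(uid, noon_timestamp(day), "stack-mgmt-a0", "10.0.0.14"), cookie=cookie)
    open(uid + ".zip", "wb").write(decode_blob(xml))
```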