Create a Post
Showing results for 
Search instead for 
Did you mean: 

How-to fetch endpoint forensics reports on R80.20 programmatically

Fetching packet captures and reports via API is a feature supported in R80.10 JHF 112 and 121 only. The feature is expected in R80.10 JHF 169 and R80.20 JHF 47.

For those who simply cannot wait, I present the following stopgap solution:

  1. Authenticate to the smartlog server service listening on localhost to obtain an "FWMToken" value
    [Expert@stack-mgmt-a0:0]# netstat -antp |grep 18242
    tcp        0      0   *                   LISTEN      3247/smartlog_serve
    # authenticate and obtain FWMToken value
    curl_cli -v -d @fwm-login.xml '' --user-agent "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" -o fwm-login-resp.xml
    fwm_token=`xmllint --format --shell fwm-login-resp.xml <<< "cat //root/token/text()" |tail -n +2 |head -n -1`​
    Content of fwm-login.xml:
    <login><user><![CDATA[admin]]></user><magic_number><![CDATA[CP_Etude_2055]]></magic_number><password><![CDATA[admin123]]></password><sso_token><![CDATA[]]></sso_token><get_all_columns_def /></login>
  2. Authenticate using mgmt_cli to obtain a "CPMToken" value
    # authenticate and obtain CPMToken value
    cpm_token=`mgmt_cli login -u admin -p admin123 --port 4434 |grep sid |awk -F ': ' '{print $2}' |sed 's:"::g'`
  3. Fetch an XML report blog from the smartlog server service
    timestamp=`date -d '07/09/2019 12:00:00' +"%s"`


    # $1 - report uid
    # $2 - date - a unix timestamp that equals noon on the same day the event was created
    # fetch the XML report blob
    export FETCH_PCAP_COOKIE="FWMToken=$fwm_token&CPMToken=$cpm_token"
    curl_cli -v '' --user-agent
     "Apache-HttpClient/4.3.1 (java 1.5)" -H "RflId: 52ff49cf-6ef8-40df-a968-a1a9863b0a2b" --cookie "${FETCH_PCAP_COOKIE}" -o $1.xml

    The complete request parameters:


    Note: Pay attention to the parameters that must be modified to match a different management server.

  4. Extract and decode XML report blob content
    # extract the XML report blob and decode it
    xmllint --nocdata --format --shell $1.xml <<< "cat //blob/text()" |tail -n +2 |head -n -2 |base64 -d |base64 -d > $
0 Replies


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events