cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

integration with third party solutions

Jump to solution

Are current integrations with third party solutions through OPSEC (SDK) supported in R80?

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
Eyal_Balla
Nickel

Re: integration with third party solutions

Jump to solution

Most OPSEC APIs have remained valid.

The main items that have changed is CPMI opsec where management API has replaced it: Check Point - Management API reference

0 Kudos
7 Replies
Eyal_Balla
Nickel

Re: integration with third party solutions

Jump to solution

Most OPSEC APIs have remained valid.

The main items that have changed is CPMI opsec where management API has replaced it: Check Point - Management API reference

0 Kudos

Re: integration with third party solutions

Jump to solution

Hi,

How about OPSEC application management via the R80 APIs? When can we expect the API to support configuring OPSEC applications?

0 Kudos
Eyal_Balla
Nickel

Re: integration with third party solutions

Jump to solution

Configuring and managing OPSEC applications via API is on the API roadmap and will not be part of R80. Uri Bialik

0 Kudos
Admin
Admin

Re: integration with third party solutions

Jump to solution

Are we looking at changing some of the OPSEC APIs so they are more modern and better documented?

I'm thinking specifically about LEA (integrating with third party SIEMs and the like), but there are probably a ton of other opportunities for improvement as well.

0 Kudos
Eyal_Balla
Nickel

Re: integration with third party solutions

Jump to solution

Currently such changes are not planned for R80

0 Kudos
Quinn_Yost
Nickel

Re: integration with third party solutions

Jump to solution

I've been fighting this one for a little bit myself and I'll agree with the CheckPoint responses above, "Yes, the OPSEC API is still [mostly] supported".

However:

  1. R80 uses a sha256 hash on the certificate by default.   The OPSEC SDK was updated to include this support early in the summer (sk110425: OPSEC SDK - SHA-256 support​ ), and is still considered EA.   It is quite likely that your application has not yet released updated binaries that permit use of sha256.  sk109618 (OPSEC SIC connection fails​) has instructions for resetting a single opsec application to use sha1, but in my experience it will still not work if the cp_mgmt is still sha256.  To get those application to connect to your R80 infrastructure, you will need to force cpca to issue sha1 certificates as shown in sk103840 (SHA-1 and SHA-256 certificates in Check Point Internal CA (ICA)​).  This sk specifically deals with post-install or post-upgrade instruction, before any other configuration has been done.  To change the cp_mgmt certificate anytime later, you should reference sk110559 ("Bad certificate - SIC error 301 for lea" error when fetching 3rd party OPSEC server certificate) which has instructions for SMS and MDS.
  2. There is a small note a the bottom of sk110425, "CPMI is no longer fully supported in R80 (regardless of the SDK)".  Keep this in mind if you plan to use a third party firewall management tool.

Re: integration with third party solutions

Jump to solution

Nice answer. Thanks for the detailed response.

Would just add that we're working with third party vendors on both the OPSEC SDK SHA-256 support and their support of the new R80 web services API. In most cases you can follow up with them and they'll provide you with their plan and timeline for an R80 web services API integration.

0 Kudos