
IPS Query

Hi,

With the R80.10 API, is there a way to determine which IPS profile is tied to a gateway? Basically, we have a large number of gateways and multiple IPS profiles and I would like to create a script that will eventually create a list with the name of the gateway and the associated IPS profile.

I'm trying to work backwards and I'm just stuck getting all the information that I need.  The workflow I'm thinking of is:

Query 1: Threat Prevention Policy, Rules, Profile Name

Query 2: Gateway Name, Threat Prevention Policy name

With results from both queries, I should be able to generate the gateway to IPS profile list. Let me know if I'm off base here.

1 Reply
Admin

Re: IPS Query

In past releases, only a single IPS Profile could apply to an entire gateway.

With R80.x gateways, there could be several threat prevention profiles that apply to the gateway depending on the protected scope.

At a high level, you'd do something like:

1. Query the gateway to see what policy is currently loaded to it (e.g. with fw stat). You could do this with run-script via the API or use the new https://community.checkpoint.com/community/infinity-general/appliances-and-gaia/blog/2018/12/06/new-.... However, this will only give you the name of the policy, not what the actual threat-prevention layer is called (most likely "PolicyName Threat Prevention" but you'll have to double-check, and there could be a few).

2. Use the API to query the Threat Prevention rulebase for that particular policy, parsing the output to determine which profiles are used for the given gateway.
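
The parsing in step 2, as an added example that is not part of the original reply and is not Check Point code: it turns one show-threat-rulebase reply into a gateway-to-profile list, keeping the protected scope because several profiles can apply to the same gateway. SAMPLE_REPLY is constructed, and the field names (rulebase, objects-dictionary, install-on, action, protected-scope) and the function name profiles_by_gateway are assumptions to check against the API reference for your version.

```python
# Added example: SAMPLE_REPLY is constructed, and its field names are an
# assumed shape for a show-threat-rulebase reply; verify them per API version.
from collections import defaultdict

SAMPLE_REPLY = {
    "objects-dictionary": [
        {"uid": "u-pt", "name": "Policy Targets"},
        {"uid": "u-gw1", "name": "gw-dmz"},
        {"uid": "u-opt", "name": "Optimized"},
        {"uid": "u-strict", "name": "Strict"},
        {"uid": "u-any", "name": "Any"},
        {"uid": "u-dmz", "name": "DMZ-Net"},
    ],
    "rulebase": [
        {"type": "threat-rule", "rule-number": 1, "install-on": ["u-gw1"],
         "action": "u-strict", "protected-scope": ["u-dmz"]},
        {"type": "threat-rule", "rule-number": 2, "install-on": ["u-pt"],
         "action": "u-opt", "protected-scope": ["u-any"]},
    ],
}

def profiles_by_gateway(reply, policy_targets):
    """Return {gateway: [(rule number, profile, protected scope names)]}.

    policy_targets: gateways the policy is loaded on (the result of step 1).
    """
    names = {o["uid"]: o["name"] for o in reply.get("objects-dictionary", [])}
    result = defaultdict(list)

    def walk(entries):
        for e in entries:
            if "rulebase" in e:  # section wrapper: descend into its rules
                walk(e["rulebase"])
            elif e.get("type") == "threat-rule":
                targets = [names.get(u, u) for u in e.get("install-on", [])]
                if "Policy Targets" in targets:  # rule applies to every target
                    targets = list(policy_targets)
                scope = [names.get(u, u) for u in e.get("protected-scope", [])]
                profile = names.get(e.get("action"), e.get("action"))
                for gw in targets:
                    if gw in policy_targets:  # skip gateways without this policy
                        result[gw].append((e.get("rule-number"), profile, scope))

    walk(reply.get("rulebase", []))
    return dict(result)
```

Run it once per threat-prevention layer of the policy and merge the results, since a policy can carry more than one such layer.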