EA invitation - new Gaia features (REST API and Dynamic CLI)

Hi,

I would like to invite you to try out two new Gaia features which may provide a great deal of simplicity in day-to-day operation. You can find a short description below, followed by dates, available versions and contacts.

Both of them deal with the way we configure settings on Gaia gateways. We are used to tools like clish and WebUI, and in many cases we even need to switch to expert mode to set/get some of the gateway settings. These two projects aim to simplify and organize this.

  • Dynamic CLI

The idea is very simple – pull any expert command/script/binary into a real clish command. But, unlike "extended command", we are talking about real clish – with friendly syntax, auto completion, full RBA support (roles/features/users), history and more…

Example: instead of assigning admin privileges to the operator in order to run

# fw tab -t connections -f

just stay in clish and type

> show security-gateway table connections formatted

and enjoy the auto completion (including the list of available firewall tables), help strings, and the peace of mind of knowing that this operator will only be able to see the tables but not delete them, for example.

The feature brings in the infrastructure; the coverage of possible expert commands to be ported into clish is ongoing, and the list can be augmented based on what the field needs.

===========================================================================================

  • Ender (Gaia REST APIs)

This one is a bit fancier – running a REST daemon on the Gaia gateway, allowing remote configuration based on HTTP with JSON arguments and JSON responses. Similar to the existing Mgmt APIs, but this time covering any gateway configuration, any clish command, any expert command/binary or any flow combining a group of clish/expert commands in one URL.

Any sort of automation/orchestration or remote monitoring/debugging on the gateway (or Mgmt server) can be achieved with this feature over REST, including Ansible and Terraform support.

===========================================================================================

Cool, so how do I get it and when?

Both of the features are now in EA, with beta versions available (they can be installed on top of R80.10 or R80.20). They come as separate self-updatable hotfixes, and do not block the customer from installing JHFs on top of them (sweet, right?). We plan to release an SK with a downloadable package for each of the features by the end of this month - stay tuned.

Please do not hesitate to contact Linor, Tal and myself for more details or if you want the EA version packages to play around with…

Cheers,

Kim
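As an added illustration of the Dynamic CLI idea (this is not Check Point code; the table list, role names and command tree are constructed for the example), here is a toy translator from the clish syntax in the post to the expert command, with an RBA check so that an operator can show a table but never reach the deleting form:

```python
import shlex

# Constructed stand-in for the auto-completion candidates of firewall tables.
FW_TABLES = {"connections", "fwx_alloc", "host_table"}

# Role -> permitted clish verbs (constructed; real RBA has roles/features/users).
RBA = {"operator": {"show"}, "admin": {"show", "delete"}}

# clish command path -> expert command template. Only templates listed here can
# ever be produced, so an operator's 'show' cannot turn into the deleting form.
COMMANDS = {
    ("show", "security-gateway", "table"): "fw tab -t {table}",
    ("delete", "security-gateway", "table"): "fw tab -t {table} -x",  # -x deletes entries
}
FLAGS = {"formatted": "-f"}


def translate(role, line):
    """Return the expert command for one clish line, or raise if RBA or grammar rejects it."""
    tokens = shlex.split(line)
    if len(tokens) < 4:
        raise ValueError("usage: <verb> security-gateway table <name> [formatted]")
    verb, path, table, opts = tokens[0], tuple(tokens[:3]), tokens[3], tokens[4:]
    if verb not in RBA.get(role, set()):
        raise PermissionError(f"role {role!r} may not run {verb!r}")
    if path not in COMMANDS:
        raise ValueError(f"unknown command {' '.join(path)!r}")
    # Every user-supplied token is checked against an allowlist before it is
    # interpolated, so shell metacharacters never reach the expert command line.
    if table not in FW_TABLES:
        raise ValueError(f"unknown table {table!r}; candidates: {sorted(FW_TABLES)}")
    unknown = [o for o in opts if o not in FLAGS]
    if unknown:
        raise ValueError(f"unknown option(s) {unknown}")
    return " ".join([COMMANDS[path].format(table=table)] + [FLAGS[o] for o in opts])


def complete(prefix):
    """Table-name completion, as clish would offer on <tab>."""
    return sorted(t for t in FW_TABLES if t.startswith(prefix))
```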

20 Comments
Ivo_Hrbacek
Nickel

Hey Kim,

this is Ivo. I am glad this is officially in EA. I was in touch with you for some REST API testing a few months ago; I did not have time to test the latest code you sent since I am busy lately. Anyway, my question is still the same - how does it look with an easy task -> adding interfaces to a cluster? Is there some API logic which will handle adding an interface for me when the cluster is in place? Sometimes it's tricky to add new VLAN interfaces without issues, you know (sk57100), and automation will never take place if those things aren't handled properly; nobody will trust a machine with code to change something on a production cluster. So I can imagine the described steps (in the SK) are not in the API logic, so I have to handle them myself in code. You mentioned in some emails that cphaprob state should be included; what about clusterXL_admin down/up and some stats monitoring? Or maybe the logic itself is included in the newest API? :) What is the status?

thx for info

Cheers

ivo

Hi Alexander,

I think the idea is good to move all firewall commands to the clish. Personally I like the Expert mode more.

I know there is the command

# clish -c "show version"

to provide clish commands in expert mode.

I would go the other way and provide new commands in expert mode, with which you can get the commands from clish in expert mode.

Like this:

# cshow version

Regards

Heiko

Employee+

Ivo,

The API should allow you to automate interface provisioning on multiple cluster members by reusing the same playbook and just adjusting the target IP (it should be the IP of every member respectively). This would minimize the room for errors or discrepancies between the cluster members' configuration.

Admin

The question I ask is: why do we need expert mode at all?

Yes, there are some functional limitations that currently require expert mode.

What are the most limiting ones?

Or are we just more comfortable using a Bash shell because we're old school guys? :)

Yes, we're old school guys!

I like the bash :-)

Kim_Moberg
Silver

Hi Alexander,

Any chance of implementing VPN reset via the API, as mentioned in this discussion?

Thanks

Kim

Employee+

On the GW, I suppose, not Mgmt?

Kim_Moberg
Silver

Hi Alexander

I was thinking of resetting vpn tunnel(s) via gw rest API.

Instead of running the steps below from the mgmt API, I would like to do this from a website for internal use:

  • Create an SSH session to the active cluster node
  • Log in as expert
  • Run-script with vpn tu del <peer address>
  • Sign out of expert mode
  • Close the SSH session
Employee+

It’s possible with Ender. Not yet covered – but definitely possible.

Gaia REST API (Ender) is now GA

For more information:

sk143612

GAIA REST API 

Enjoy!
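As an added example (not Check Point's code and not taken from sk143612), here is the login, command, logout exchange a script would run against the Gaia REST API, with a constructed fake gateway so it runs offline. The /gaia_api/ path, the X-chkp-sid header and the show-hostname response shape are assumptions that follow the Gaia API's Mgmt-API-style convention; sk143612 is the authoritative reference.

```python
class GaiaClient:
    def __init__(self, host, send):
        # 'send' is a callable (url, headers, body) -> (status, body); in production wrap
        # requests.post(url, json=body, headers=headers, verify="/path/to/ca.pem") here.
        self.base, self.send, self.sid = f"https://{host}/gaia_api/", send, None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session token returned by login
        status, body = self.send(self.base + command, headers, payload or {})
        if status != 200:
            raise RuntimeError(f"{command}: HTTP {status} {body}")
        return body

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
    def logout(self):
        if self.sid:
            self.call("logout")
            self.sid = None

def fake_gateway():
    """Constructed stand-in for a gateway so the exchange runs offline; returns (send, sessions)."""
    sessions = set()
    def send(url, headers, body):
        command = url.rsplit("/", 1)[1]
        if command == "login":
            if body != {"user": "api-ops", "password": "constructed-secret"}:
                return 400, {"message": "Authentication failed"}
            sid = f"sid-{len(sessions) + 1}"
            sessions.add(sid)
            return 200, {"sid": sid}
        if headers.get("X-chkp-sid") not in sessions:  # every other call needs a live session
            return 401, {"message": "Missing or invalid session"}
        if command == "logout":
            sessions.discard(headers["X-chkp-sid"])
            return 200, {"message": "OK"}
        if command == "show-hostname":
            return 200, {"name": "gw-fake-1"}
        return 404, {"message": f"unknown command {command}"}
    return send, sessions

def show_hostname(host, user, password, send):
    gw = GaiaClient(host, send)
    gw.login(user, password)
    try:
        return gw.call("show-hostname")["name"]
    finally:
        gw.logout()  # always release the session, even when the command fails
```

The same client shape (login for a sid, send it in X-chkp-sid, log out in a finally block) is what an Ansible or Terraform integration does per host; swap the fake for a real HTTPS transport with certificate verification.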

Is there a plan to have both tools included in R80.30 by default?

Admin

Believe so yes

phlrnnr
Copper

I've been playing around with the GA release, and it is pretty cool! However, it still seems to be missing a bunch of items. Interfaces, hostname, allowed clients, proxy, DNS, and authentication servers seem to be covered. However, anything else doesn't seem to be there (at least not documented in the API reference). Static routes are a big one that is missing. I was also hoping to do update management via API (think zero-touch deployment). I assume API configuration of the rest of the things is coming soon?

So, how do I run any arbitrary clish / expert mode command as referenced above?

Admin

We plan additional improvements on the gateway API, yes :)

Hopefully Alexander Kim can comment on running arbitrary commands via the Gateway API.

Hi Dameon, Philip,

We will soon have an API to run scripts remotely, similar to what we have today via the MGMT API:

Check Point - Management API reference (run-script ref)

I think it may suit your request above.

Regarding the rest of the APIs you've mentioned, we are pushing to have the most commonly used APIs available; you will see more and more APIs in the upcoming versions - stay tuned :)

I will check on the ones you've mentioned with the relevant teams at Check Point.

Thanks,

Tal

phlrnnr
Copper

Thanks, that is much appreciated! 

Here is my vision for how I'd like to use this: I configure a management IP on the firewall, plug it into the network, and run a script that completely configures all of the GAIA settings, skips the first-time wizard, checks the SMS for the current Jumbo Hotfix installed on it, and then downloads and installs the jumbo on the GW, reboots the GW, and we are ready to go.

Thanks Philip,

We will take the scenario you've mentioned and see how it can be done.

BTW, may I ask why you skip the first-time wizard? Are you trying to prepare a "default" setting of a Check Point machine?

Tal

phlrnnr
Copper

So, today, we cannot skip the first-time wizard. We have to complete it to build the appliance. I'd like to be able to have a script that uses the REST API to build the appliance, including doing the things the first-time wizard does (e.g. set the machine up for ClusterXL, etc.).

It would be great if we could get it to the point that I can give a firewall to a Jr. Engineer and tell them 'plug the interfaces into the appropriate switch ports, configure an IP on the mgmt interface, and then run an automation job that does the rest.' That way we can guarantee consistency across FWs as they are provisioned across the enterprise.

Script it using How to run the First Time Configuration Wizard through CLI in Gaia R76 and above and you are done :)

The only manual work is to assign IP for External interface in order to execute the script(s). If there is a way to automate console logging ...

phlrnnr
Copper

I will explore this, thank you for the link!  I still would love to see this via the REST API though.  So, thank you Check Point for looking further into this!