EA invitation - new Gaia features (REST API and Dynamic CLI)

Alexander_Kim
Employee Alumnus

Hi,

I would like to invite you to try out two new Gaia features which may provide a great deal of simplicity in day-to-day operation. You can find a short description below, followed by dates, available versions and contacts.

Both of them deal with the way we configure settings on Gaia gateways. We are used to tools like clish and WebUI, and in many cases we even need to switch to expert mode to set/get some of the gateway settings. These two projects aim to simplify and organize this.

  • Dynamic CLI

The idea is very simple: pull any expert command/script/binary into a real clish command. But, unlike an "extended command", we are talking about real clish, with friendly syntax, auto completion, full RBA support (roles/features/users), history and more.

Example: instead of assigning admin privileges to the operator in order to run

# fw tab -t connections -f

just stay in clish and type

> show security-gateway table connections formatted

and enjoy the auto completion (including the list of available firewall tables), help strings, and the peace of mind of knowing that this operator will only be able to see the tables but not delete them, for example.

The feature brings in the infrastructure; the coverage of possible expert commands to be ported into clish is ongoing, and the list can be augmented based on what the field needs.

===========================================================================================

  • Ender (Gaia REST APIs)

This one is a bit fancier: running a REST daemon on the Gaia gateway, allowing remote configuration over HTTP with JSON arguments and a JSON response. Similar to the existing Mgmt APIs, but this time covering any gateway configuration, any clish command, any expert command/binary, or any flow combining a group of clish/expert commands in one URL.

Any sort of automation/orchestration or remote monitoring/debugging on the gateway (or Mgmt server) can be achieved with this feature over REST, including Ansible and Terraform support.

===========================================================================================

Cool, so how do I get it and when?

Both of the features are now in EA, with beta versions available (they can be installed on top of R80.10 or R80.20). They come as separate self-updateable hotfixes, and do not block the customer from installing JHFs on top of them (sweet, right?). We plan to release an SK with a downloadable package for each of the features by the end of this month; stay tuned.

Please do not hesitate to contact Linor, Tal and myself for more details or if you want the EA version packages to play around with.

Cheers,

Kim
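The login, authenticated call and logout exchange that the REST daemon described above serves, as an added Python example (not code from the post or from Check Point): the command names `login`, `show-hostname` and `logout`, the `sid` field and the `X-chkp-sid` header follow the published Gaia API but are assumptions to confirm against sk143612 for your release, and `fake_gateway` is a constructed stand-in so the flow runs offline.

```python
# Gaia REST API session flow (login -> authenticated call -> logout). Added
# illustration, not Check Point's code. Assumes the documented shape (POST JSON
# to <base>/<command>, "sid" in the login reply, X-chkp-sid on later calls);
# confirm paths and the version prefix against sk143612 for your release.
import json
import ssl
import urllib.request


def https_transport(url, payload, headers):
    # Real HTTPS POST. Certificate verification stays on: the reply carries the
    # session id, so whoever intercepts this hop owns the gateway session.
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    ctx = ssl.create_default_context()  # verifies the gateway certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


class GaiaApiSession:
    # transport(url, json_payload, extra_headers) -> decoded JSON reply
    def __init__(self, base_url, transport=https_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.sid = None  # no session until login succeeds

    def _call(self, command, payload=None):
        headers = {"X-chkp-sid": self.sid} if self.sid else {}
        return self.transport(f"{self.base_url}/{command}", payload or {}, headers)

    def login(self, user, password):
        self.sid = self._call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def show_hostname(self):
        return self._call("show-hostname")["name"]

    def logout(self):
        self._call("logout")
        self.sid = None  # the gateway has invalidated the sid; forget it locally


def fake_gateway(url, payload, headers):
    # Constructed stand-in for a gateway so the flow runs offline.
    if url.endswith("/login"):
        if payload != {"user": "admin", "password": "secret"}:
            raise PermissionError("bad credentials")
        return {"sid": "constructed-sid-1"}
    if headers.get("X-chkp-sid") != "constructed-sid-1":
        raise PermissionError("missing or stale session id")
    return {"name": "gw-a"} if url.endswith("/show-hostname") else {"message": "OK"}
```

Leave the default `https_transport` in place to talk to a real gateway; it keeps certificate verification on, which matters because the `sid` in the login reply is the whole session.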

21 Comments
Ivo_Hrbacek
Contributor

Hey Kim ..

this is Ivo. I am glad this is officially in EA. I was in touch with you for some REST API testing a few months ago; I did not have time to test the latest code you sent since I have been busy lately. Anyway, my question is still the same: how does it look with an easy task -> adding interfaces to a cluster? Is there some API logic which will handle adding an interface for me when a cluster is in place? Sometimes it's tricky to add new VLAN interfaces without issues, you know (sk57100), and automation never takes place if those things won't be handled properly; nobody will trust a machine with code to change something on a production cluster. So I can imagine the described steps (in the SK) are not in the API logic, so I have to handle them myself in code. You mentioned in some emails that cphaprob state should be included; what about clusterXL_admin down/up and some stats monitoring? Or maybe the logic itself is included in the newest API? :) What is the status?

Thanks for the info

Cheers

ivo

HeikoAnkenbrand
Champion

Hi Alexander,

I think the idea is good to move all firewall commands to the clish. Personally I like the Expert mode more.

I know there is the command

# clish -c "show version"

to provide clish commands in expert mode.

I would go the other way and provide new commands in expert mode, with which you can get the commands from clish in expert mode.

Like this:

# cshow version

Regards

Heiko

Alexander_Kim
Employee Alumnus

Ivo,

The API should allow you to automate interface provisioning on multiple cluster members by reusing the same playbook and just adjusting the target IP (it should be the IP of every member respectively). This would minimize the room for errors or discrepancies between the cluster members' configuration.

PhoneBoy
Admin

The question I ask is: why do we need expert mode at all?

Yes, there are some functional limitations that currently require expert mode.

What are the most limiting ones?

Or are we just more comfortable using a Bash shell because we're old school guys? :)

HeikoAnkenbrand
Champion

Yes, we're old school guys!

I like bash :-)

Kim_Moberg
Advisor

Hi Alexander,

Any chance of implementing VPN reset via API, as mentioned in this discussion?

https://community.checkpoint.com/thread/8659-vpn-tunnel-reset-via-api

Thanks

Kim

Alexander_Kim
Employee Alumnus

On the GW, I suppose, not Mgmt?

Kim_Moberg
Advisor

Hi Alexander,

I was thinking of resetting vpn tunnel(s) via gw rest API.

Instead of running the steps below from the mgmt API, I would like to do this from a website for internal use:

  • Create an SSH session to the active cluster node
  • Login as expert
  • Run-script with vpn tu del <peer address>
  • Sign out of expert mode
  • Close the SSH session

Alexander_Kim
Employee Alumnus

It’s possible with Ender. Not yet covered – but definitely possible.

Pablo_Munoz
Employee

Gaia REST API (Ender) is now GA

For more information:

sk143612

GAIA REST API 

Enjoy!

JozkoMrkvicka
Mentor

Is there a plan to have both tools included in R80.30 by default?

PhoneBoy
Admin

Believe so, yes.

phlrnnr
Advisor

I've been playing around with the GA release, and it is pretty cool! However, it still seems to be missing a bunch of items. Interfaces, hostname, allowed clients, proxy, DNS, and authentication servers seem to be covered. However, anything else doesn't seem to be there (at least not documented in the API reference). Static routes are a big one that is missing. I was also hoping to do update management via API (think zero touch deployment). I assume API configuration of the rest of the things is coming soon?

So, how do I run any arbitrary clish / expert mode command as referenced above?

PhoneBoy
Admin

We plan additional improvements on the gateway API, yes :)

Hopefully Alexander Kim can comment on running arbitrary commands via the Gateway API.

Tal_Martsiano
Employee Alumnus

Hi Dameon, Philip,

We will soon have an API to run scripts remotely, similar to what we have today via the MGMT API:

Check Point - Management API reference (run-script ref)

I think it may suit your request above.

Regarding the rest of the APIs you've mentioned, we are pushing to have the most commonly used APIs available; you will see more and more APIs in the upcoming versions. Stay tuned :)

I will check on the ones you've mentioned with the relevant teams at Check Point.

Thanks,

Tal

phlrnnr
Advisor

Thanks, that is much appreciated! 

Here is my vision for how I'd like to use this: I configure a management IP on the firewall, plug it into the network, and run a script that completely configures all of the GAIA settings, skips the first-time wizard, checks the SMS for the current Jumbo Hotfix installed on it, and then downloads and installs the jumbo on the GW, reboots the GW, and we are ready to go.

Tal_Martsiano
Employee Alumnus

Thanks Philip,

We will take the scenario you've mentioned and see how it can be done.

BTW, may I ask, why do you skip the first-time wizard? Are you trying to prepare a "default" setting of a Check Point machine?

Tal

phlrnnr
Advisor

So, today, we cannot skip the first time wizard. We have to complete it to build the appliance. I'd like to be able to have a script that uses the REST API to build the appliance, including doing the things the first time wizard does (e.g. set the machine up for ClusterXL, etc.).

It would be great if we could get it to the point that I can give a firewall to a Jr. Engineer and tell them 'plug the interfaces into the appropriate switch ports, configure an IP on the mgmt interface, and then run an automation job that does the rest.' That way we can guarantee consistency across FWs as they are provisioned across the enterprise.

JozkoMrkvicka
Mentor

Script it using How to run the First Time Configuration Wizard through CLI in Gaia R76 and above and you are done :)

The only manual work is to assign IP for External interface in order to execute the script(s). If there is a way to automate console logging ...

phlrnnr
Advisor

I will explore this, thank you for the link! I still would love to see this via the REST API though. So, thank you Check Point for looking further into this!

Daniel_Schlifka
Contributor

@HeikoAnkenbrand 

Hi,

A bit late, nevertheless: expert mode is just a bash shell.
You can use bash aliases to achieve that functionality.

Regards