This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Peter_Elmer
Employee
Employee
‎2021-05-16 03:03 PM

Using Gaia OS curl_cli for Management API commands for Threat Prevention

Have you ever wondered using curl_cli to issue Management API HTTP POST requests? 

In this article you learn using curl_cli issueing API calls against a Smart-1 Cloud management tenant. You can easily adapt the commands to meet Smart-1 Management or Multi-Domain Management scenarios. 

The example changes the Threat Prevention rule action from using Optimized profile to use a custom profile and changes the destination 'any' to be a dedicated host object.

I used this website to learn about using CURL to run HTTP POST. This website helps checking JSON format and here you can learn about JQuery. 

I documented the below outlined list of actions in this video here.

  1. Get your Smart-1 Cloud Management API context
    Find the context under the settings menu of your tenant
  2. Create an administrative permission profile for the API user and limit access rights as much as possible
  3. Create an API user ID with a limited validity time and generate an API key for it
  4. Create a working temporary directory on Gaia
    # mkdir /var/log/tmp/automation
  5. Create simple JSON formated files to be used as HTTP POST payload
    add-host JSON
    {
      "name" : "New Host 4",
      "ip-address" : "192.0.2.4"
    }

    An empty JSON file has just {}

  6. Define environment variables
    export VAR_mgmt_context= < context ID from Smart-1 Cloud tenant >
    export VAR_mgmt_api_user_key= < API key generated before >
  7. Define environment variable holding the API Session ID
    Perform an API login to the management server and capture the output to a JSON formatted file 
    curl_cli -X POST -H "content-Type: application/json" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/login -d '{ "api-key":"'$VAR_mgmt_api_user_key'" }' > ./api_session.json
    Extract the session ID from the JSON formatted file and create a file holding only the Session ID 
    cat api_session.json | jq -r '."sid"' > ./sid_file.id
    Export environment variable based on content of this file - note ` signs are embracing sid_file.id  
    export VAR_mgmt_sid=`cat sid_file.id`
  8. Set session description using 'set session' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/set-session -d @./setSession
  9. Add a host using relevant 'add host' API call  
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/add-host -d @./addhost
  10. Learn about existing policy packages 'show packages' or check the name using SmartConsole
  11. Check the output for the package you want to modify and query details of this selective 'policy package'  
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/show-package -d @./showPackage
  12. Capture the name of the Threat Prevention Layer and create the required JSON file
  13. Query details of the Threat Prevention Layer rule base using 'show-threat-rulebase' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/show-threat-rulebase -d @./showThreatRuleBase
  14. Capture the rule number and profile selected in the action settings
  15. Query to learn the existing Threat Prevention Profiles using 'show-threat-profiles' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/show-threat-profiles -d @./showGenericLimit
  16. Query details of the Threat Prevention Rule using 'show-threat-rule'  
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/show-threat-rule -d @./showThreatRule
  17. Extract information about the profile you want to define as action for this rule
  18. Create a JSON file with the name of the profile and destination settings 
    {
      "layer" : "QuantumNetwork Threat Prevention", 
      "rule-number" : 1,
      "destination" : { 
        "add" : ["Lab_Web_Server"]
         },
      "action" : "PerimeterLab"
    }
  19. Change Threat Prevention rule using 'set-threat-rule' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/set-threat-rule -d @./setThreatRule
  20. Publish changes using 'publish' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/publish -d @./emptyJSON
  21. Logout from this API session 'logout' 
    curl_cli -X POST -H "content-Type: application/json" -H "X-chkp-sid: $VAR_mgmt_sid" -k https://ngtx-emea-ahtaic1e.maas.checkpoint.com/$VAR_mgmt_context/web_api/logout -d @./emptyJSON

 

 

1 Reply
PhoneBoy
Admin
Admin
‎2021-05-16 09:40 PM

The above also applies to curl on a regular Linux host as well. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events