
how to use the web api to run the run-script

Question asked by Chris Williams on Jan 18, 2018
Latest reply on Apr 27, 2018 by Jason Carrillo

I have a question about how to use the web API to run the run-script. We have a security concern with our current setup. We are using “Check Point's software version R80.10 - Build 423”, integrated with Aruba and the identity access blade.

We have a beautiful integration with Aruba sending a post to Check Point, and then removing it when a user logs out. This is using JSON to post to the cluster VIP. For my setup (/_IA_API/v1.0/add-identity):

{"shared-secret":"abc123","user":"Tom Cruise","ip-address":"1.1.1.1","machine":"Toms_Host","machine-os":"Microsoft Windows 7 Enterprise Edition","host-type":"Windows 7","identity-source":"ARUBA ClearPass Policy Manager","session-timeout":555,"user-groups":["aruba-guest-group"],"machine-groups":["aruba-guest-machine"],"roles":[],"fetch-user-groups":0,"fetch-machine-groups":0}

The gap comes with any existing sessions/connections: they do not get closed, i.e. they remain open.

New ones are blocked. What we came up with is to use a web API post to run-script.

From the link it looks simple enough. https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.1

(POST https://<mgmt-server>:<port>/web_api/run-script)

POST {{server}}/run-script
Content-Type: application/json
X-chkp-sid: {{session}}

{
  "script-name" : "Script Example: List files under / dir",
  "script" : "ls -l /",
  "targets" : [ "corporate-gateway" ]
}

So theoretically it looks possible… I would ideally like to send the same src as what is in the post above, i.e. "ip-address":"%{Connection:Client-IP-Address}"

fw sam -v -t 60 -J src x.x.x.x

So far, no matter what I try I always get:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
    <head>
        <title>404 Not Found</title>
    </head>
    <body>
        <h1>Not Found</h1>
        <p>The requested URL /run-script was not found on this server.</p>
    </body>
</html>

In a video this was mentioned at around 35:00, but I cannot seem to find the corresponding code.

https://community.checkpoint.com/videos/5537

How to use R80.10 API for Automation and Streamlined Security (Video)

SAM block commands

All along, I have been trying to do this on the gateways… Cluster VIP. In reviewing, it looks like maybe I need to do this on the management server IP. If I do this, wouldn’t I need to publish?

If I run this on the management server:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
    <head>
        <title>403 Forbidden</title>
    </head>
    <body>
        <h1>Forbidden</h1>
        <p>You don't have permission to access /web_api/run-script
on this server.
            <br />
        </p>
    </body>
</html>

Anybody have an idea to help close this gap?
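
Added example (not part of the original post and not Check Point's own code): one way to build the run-script call described above so that the client IP is validated as a literal IPv4 address before it is placed in the `fw sam` command. It assumes the request goes to the management server's /web_api with a session id returned by the API's login call; the host name, session id and timeout bound are constructed or assumed.

```python
import ipaddress
import json
import urllib.request


def build_sam_script(client_ip: str, timeout_s: int = 60) -> str:
    """Return the post's `fw sam` command for one validated IPv4 address."""
    # IPv4Address accepts only a literal address, so a value such as
    # "1.1.1.1; id" raises ValueError and never reaches the gateway shell.
    addr = ipaddress.IPv4Address(client_ip.strip())
    if not 1 <= int(timeout_s) <= 86400:  # upper bound is an assumption
        raise ValueError("timeout out of range")
    return f"fw sam -v -t {int(timeout_s)} -J src {addr}"


def build_run_script_request(mgmt: str, sid: str, client_ip: str, targets):
    """Build (not send) the POST to /web_api/run-script."""
    body = {
        "script-name": "SAM block for logged-out client",
        "script": build_sam_script(client_ip),
        "targets": list(targets),
    }
    return urllib.request.Request(
        f"https://{mgmt}/web_api/run-script",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        method="POST",
    )


def login(mgmt: str, user: str, password: str, context=None) -> str:
    """Fetch a session id from /web_api/login (requires network access)."""
    req = urllib.request.Request(
        f"https://{mgmt}/web_api/login",
        data=json.dumps({"user": user, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)["sid"]
```

Pass the returned request to `urllib.request.urlopen` with an SSL context that trusts the management server's certificate.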
