Chris_Williams2
Explorer

how to use the web api to run the run-script

I have a question about how to use the web API to run the run-script command. We have a security concern with our current setup. We are using "Check Point's software version R80.10 - Build 423", integrated with Aruba and the identity access blade.

We have a beautiful integration with Aruba sending a post to Check Point, and then removing it when a user logs out. This is using JSON to post to the cluster VIP. For my setup (/_IA_API/v1.0/add-identity):


{"shared-secret":"abc123","user":"Tom Cruise","ip-address":"1.1.1.1","machine":"Toms_Host","machine-os":"Microsoft Windows 7 Enterprise Edition","host-type":"Windows 7","identity-source":"ARUBA ClearPass Policy Manager","session-timeout":555,"user-groups":["aruba-guest-group"],"machine-groups":["aruba-guest-machine"],"roles":[],"fetch-user-groups":0,"fetch-machine-groups":0}


The gap comes with any existing sessions/connections: they do not get closed, i.e. they remain open.

New ones are blocked. What we came up with is to use a web api post to run-script.

From the link it looks simple enough. https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/run-script~v1.1

(POST https://<mgmt-server>:<port>/web_api/run-script)

POST {{server}}/run-script
Content-Type: application/json
X-chkp-sid: {{session}}

{
  "script-name" : "Script Example: List files under / dir",
  "script" : "ls -l /",
  "targets" : [ "corporate-gateway" ]
}

So theoretically it looks possible… I would ideally like to send the same src as what is in the post above, i.e. "ip-address":"%{Connection:Client-IP-Address}":

fw sam -v -t 60 -J src x.x.x.x

So far, no matter what I try I always get:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
    <head>
        <title>404 Not Found</title>
    </head>
    <body>
        <h1>Not Found</h1>
        <p>The requested URL /run-script was not found on this server.</p>
    </body>
</html>

In a video this was mentioned at around 35:00, but I cannot seem to find the corresponding code.

https://community.checkpoint.com/videos/5537

How to use R80.10 API for Automation and Streamlined Security (Video)

SAM block commands

All along, I have been trying to do this on the gateways (cluster VIP). In reviewing, it looks like maybe I need to do this on the management server IP. If I do this, wouldn't I need to publish?

If I run this on the management server:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
    <head>
        <title>403 Forbidden</title>
    </head>
    <body>
        <h1>Forbidden</h1>
        <p>You don't have permission to access /web_api/run-script on this server.
            <br />
        </p>
    </body>
</html>

Anybody have an idea to help close this gap?

7 Replies
PhoneBoy
Admin

First of all, in your example, it looks like you're posting to https://management-ip/run-script which is not correct (and would explain the 404 error).

And yes, you would need to do this through the management IP (not the individual gateways) to the individual gateways.

Now what I'm not sure about is if you have to specify the individual gateways or if you can just do it to the cluster object.

Since you're not modifying a rulebase or an object, this action should not require a publish.

PhoneBoy
Admin

For some reason your "reply" got stuck and I can't get it out of the moderation queue.

All API calls require you to be authenticated first with a user that is allowed to use the Web API.

The authentication process will return a session ID, that is passed to future calls you make.

That explains the 403 error above.

To release that session (recommended), you would need to log out after you're done executing commands.

Chris_Williams2
Explorer

So... I have managed to make it all work.

I've got it all working in Postman…

POST //web_api/login HTTP/1.1
Host: 192.168.1.1
Content-Type: application/json

{
"user" : "adm",
"password" : "loveCP"
}


How do I capture the sid to use in the below example?
This works, but I am not sure where to put it…

// Postman "Tests" script for the login request: pull the sid out of the
// JSON reply and store it in the {{session}} environment variable.
try {
    var sid = JSON.parse(responseBody).sid;
    postman.setEnvironmentVariable("session", sid);
    tests["login session-id = " + sid] = true;
} catch (e) {}


POST //web_api/run-script HTTP/1.1
Host: 192.168.1.1
Content-Type: application/json
X-chkp-sid: P8VtDKPobdRGq12QU4BDnPdzUadoem7mZ7TQgV6d1Y4

{
"script-name" : "CW Test fw sam",
"script" : "fw sam -v -t 60 -J src 10.10.10.1",
"targets" : [ "Enforcer" ]
}

Anybody have an idea to help close this gap in capturing the sid? Again, the above works, but I am not sure how to stack the login, run-script and logout. I am still figuring this all out.

Brian_Deutmeyer
Collaborator

I'm working on something very similar to this. I want to use automatic reactions in SmartEvent to put in FW SAM blocks. We did this pre-R80, where SE could be connected at the domain level and fw sam was run on SE itself. Now that SE has to be global R80+, the ease of functionality disappeared (I can no longer do FW SAM on SE with MDS)... I was able to use the API to authenticate to domain level to do a run-script, but I can't figure out how to log into the MDS level and do a run-script on my MDS server. For my target, I tried my MDS server name as it appears in SmartConsole. I also tried using the names of the CMAs on the MDS I was authenticated to... each time I get the same error:

{
"code" : "generic_err_object_not_found",
"message" : "Requested object [cpmdsserver.company.com] not found"
}

Is it possible to use run-script at the MDS level? I just want to log into my MDS and run a script.

@Chris - If you're using bash, one way you can store your SID is like this:

MYSID=`curl_cli -k -X POST "https://$MYCPMGMTSERVER/web_api/login" -H "Content-Type: application/json" -d "{\"user\":\"$MYUSER\",\"password\":\"$MYPASS\",\"domain\":\"$MYDOMAIN\",\"session-name\":\"My Fun Session\",\"session-timeout\":\"3600\"}" -s | grep sid | awk -F'"' '{print $4}'`

Once you have the SID, you can just pass it to X-chkp-sid like this:

"X-chkp-sid: $MYSID"
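Chris's login / run-script / logout chain and Brian's sid capture, put together as one added Python example (this is not code from the thread or from Check Point). The transport is injected so the sequence runs offline against a constructed FakeTransport; a real transport would POST to https://<mgmt-server>/web_api/<path> with the requests library. The credentials, target name "Enforcer" and task reply are constructed; the source IP is validated before it is interpolated into the fw sam command, since run-script executes that string as a shell command on the gateway and the value may come from an external system such as Aruba's Client-IP field.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A transport POSTs a JSON body to /web_api/<path> with the given headers and
# returns the parsed JSON reply. A real one would wrap
# requests.post(f"https://{mgmt}/web_api/{path}", json=body, headers=headers,
# verify=CA_BUNDLE).json(); FakeTransport below stands in for it offline.
Transport = Callable[[str, Dict[str, str], dict], dict]

def sam_script(src_ip: str, seconds: int = 60) -> str:
    """Build the fw sam command, refusing anything that is not a bare IP.
    run-script runs this string as a shell command on the gateway, so the
    address is validated before it is interpolated (ValueError otherwise)."""
    ip = ipaddress.ip_address(src_ip.strip())
    return f"fw sam -v -t {int(seconds)} -J src {ip}"

def sam_block(transport: Transport, user: str, password: str,
              src_ip: str, target: str) -> dict:
    """login -> run-script -> logout, always releasing the session."""
    sid = transport("login", {}, {"user": user, "password": password})["sid"]
    headers = {"Content-Type": "application/json", "X-chkp-sid": sid}
    try:
        # run-script is asynchronous: the reply carries a task-id that a real
        # caller polls with show-task to read the script's exit status.
        return transport("run-script", headers, {
            "script-name": "SAM block from API",
            "script": sam_script(src_ip),
            "targets": [target],
        })
    finally:
        # Log out even if run-script (or the IP check) failed, so the
        # management server is not left holding an open API session.
        transport("logout", headers, {})

class FakeTransport:
    """Constructed stand-in for the management server: records each call."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict, dict]] = []
    def __call__(self, path: str, headers: dict, body: dict) -> dict:
        self.calls.append((path, dict(headers), dict(body)))
        if path == "login":
            return {"sid": "FAKESID123", "uid": "constructed-uid"}
        if path == "run-script":
            return {"tasks": [{"task-id": "constructed-task",
                               "target": body["targets"][0]}]}
        return {"message": "OK"}

def demo() -> FakeTransport:
    """Run the full chain against the fake and return it for inspection."""
    fake = FakeTransport()
    sam_block(fake, "apiuser", "constructed-password", "10.10.10.1", "Enforcer")
    return fake
```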
PhoneBoy
Admin

From what I can tell, the target for that API call must be a gateway not the management server itself (at least that's what my testing suggests).

However, we just released a new Gaia OS API that should also work on a management server: https://community.checkpoint.com/community/infinity-general/appliances-and-gaia/blog/2018/12/06/new-...

Brian_Deutmeyer
Collaborator

The SG REST API sounds interesting, especially if it works on the management server...  I'll look into that.  Thanks!

Jason_Carrillo
Collaborator

Chris, you seem to be having way more luck with Aruba ClearPass API integration than we are. We can't get the Aruba ClearPass server to reliably send API POSTs to the firewall.

Any special sauce on the Aruba or Check Point side you wouldn't mind sharing?
