good point! I'll need to collect info before I do 🙂

fixed! had very little time this morning, sorry 🙂

Great to hear that I just didn't waste my time for myself 🙂 will have to sit and update it!

Hello, one quick question about dynamic objects. The customer is asking about managing the Check Point object using PUSH (e.g. MISP platform connecting to the CP and modifying the group of IPs directly) rather than PULL (e.g. checkpoint checking and downloading the feed from the Web server every N minutes). We have used PULL IoC feeds many times before, and the setup is clear.

I'm struggling to find an example of programming Check Point via the API - an example of REST code and authentication token generation. I tried to find an answer on https://developer.checkpoint.com/ but was quickly lost.

EXCELLENT query @Sergej_Gurenko . I had one customer ask me about it while back, but I never bothered to open TAC case about it, as it was more their curiosity if it was possible or not, but would be nice to know, for sure.

Best,

Andy

I found the "Introduction" and "Tips & Best Practices" sections in Management API Reference fairly handy. As always, the ultimate answer would require a lab.

I'm not entirely sure how MISP is pushing data (API, file transfer?), apologies for ignorance 🙂

But the first thing that came to my mind was that MISP could push a text (API/file) to an intermediate server and CP could use external network feeds to read it. Then you kind of meet in the middle: MISP still does PUSH and CP does the PULL 🙂

Great suggestion. But If i recall correctly, the whole PUSH vs PULL discussion started due to the debate on who will be responsible for maintaining the web server with feed file.

I'm not a MISP (Malware Information Sharing Platform) expert either, but i believe it has a built-in functionality to export anything into any format and store on the local or remote server:

Technically you could even drop using SSH keys directly onto CP Mgmt, nothing to maintain 🙂 if SSH is supported by MISP

Hi @Sergej_Gurenko 

Let's be clear about the term "dynamic object" I actually blame our own @Kaspars_Zibarts for this confusion, because his post subject should say UPDATABLE objects, not DYNAMIC objects.

Updatable objects are just that, a logical list of IPs from external feeds.

You really need something else, and we do call it a "dynamic object". It is in essence a logical container defined on the GW itself via CLI commands. It preceded Updatable Objects for a couple of decades, actually. 

Please look on the CLI syntax for dynamic objects in the documentation. However, since the tech is a bit old, you will have to write your own scripts to automate it.

If you are looking for something with less automation effort, there is another thing you can leverage - Generic Data Center Objects. You will be able to feed info into json file to control it.

Pushing will require interacting with the Management API, which will include a policy installation to the relevant gateways.
Read the relevant API documentation:

• login: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/login~v1.9.1%20
• add-host: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-host~v1.9.1%20 (can add to an existing group in the same call)
• publish: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/publish~v1.9.1%20 
• install-policy: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/install-policy~v1.9.1%20 
• logout: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/logout~v1.9.1%20 

You will log in, add the hosts (one per API call), publish (should be done every ~100 or so calls for performance reasons).
Once you've published all the changes, you will need to install-policy on the relevant gateways.
Logout when done.