URL: https://sudonull.com/post/66113-Check-Point-R8010-API-Management-through-CLI-scripts-and-more-TS-Solution-Blog
cooper051 October 12, 2017 at 11:48


CHECK POINT R80.10 API. MANAGEMENT THROUGH CLI, SCRIPTS AND MORE

 * Tutorial



I am sure that everyone who has ever worked with Check Point has complained
about the impossibility of editing the configuration from the command line.
This is especially jarring for those who previously worked with the Cisco ASA,
where absolutely everything can be configured in the CLI. Check Point is the
opposite: all security settings were made exclusively from the graphical
interface. Some things, however, are plainly inconvenient to do through a GUI
(even one as convenient as Check Point's). For example, adding 100 new hosts or
networks turns into a long and tedious procedure: for each object you have to
click the mouse several times and type in the IP address. The same goes for
creating a group of sites or enabling / disabling IPS signatures in bulk. And
with that much clicking, a mistake is likely.

Relatively recently a “miracle” happened. With the release of the new version
of Gaia, R80, the availability of an API was announced, which opens up great
opportunities for automating configuration, administration, monitoring and so
on. Now you can:


 * create objects;
 * add or edit access lists;
 * enable / disable blades;
 * configure network interfaces;
 * install policies;
 * and much more.


To be honest, I don't understand how this news passed Habr by. In this article
we will briefly describe how to use the API and give some practical examples of
configuring Check Point with scripts.

One reservation right away: the API is available only on the Management server.
That is, it is still impossible to manage gateways without a Management server.




WHO CAN USE THIS API IN PRINCIPLE?


 1. System administrators who want to simplify or automate the routine tasks of
    setting up Check Point;
 2. Companies that want to integrate Check Point with other solutions
    (virtualization systems, ticket systems, configuration management systems,
    etc.);
 3. System integrators who want to standardize settings or create additional
    products related to Check Point.



TYPICAL SETUP


So, picture a typical Check Point deployment:



As usual, we have a gateway (SG), a management server (SMS) and an
administrator console (SmartConsole). The usual process of configuring the
gateway is as follows:



That is, first you run SmartConsole on the administrator's computer and connect
it to the Management server (SMS). Security settings are made on the SMS, and
only then are they applied (install policy) to the gateway (SG).

When using the Management API, we can in principle skip the first step
(launching SmartConsole) and send API commands directly to the Management
server (SMS).




WAYS TO USE THE API


There are four main ways to edit the configuration using the API:



1) USING THE MGMT_CLI UTILITY


An example:

# mgmt_cli add host name host1 ip-address 192.168.2.100

This command is run from the command line of the Management server (SMS). The
syntax is self-explanatory: it creates host1 with the address 192.168.2.100.



2) ENTERING API COMMANDS IN CLISH (EXPERT MODE)


In fact, all you need is to log in on the command line (mgmt login) under the
account used to connect via SmartConsole (or the root account). Then you can
enter the API commands (in this case there is no need to prefix each command
with the mgmt_cli utility). You can also write full-fledged BASH scripts. An
example script that creates a host:


Bash script

#!/bin/bash
# Creates a host object on the Management server and publishes the change.
# The file id_add_host.txt holds the session id returned by login.
main() {
    clear
    # LOGIN (no username/password prompt: the user is already logged in to the Management server as 'root')
    mgmt_cli login --root true > id_add_host.txt
    on_error_print_and_exit "Error: Failed to login, check that the server is up and running (run 'api status')"
    # READ HOST NAME
    printf "Enter host name:\n"
    read -e host_name
    on_empty_input_print_and_exit "$host_name" "Error: The host's name cannot be empty."
    # READ IP ADDRESS
    printf "\nEnter host IP address:\n"
    read -e ip
    on_empty_input_print_and_exit "$ip" "Error: The host's IP address cannot be empty."
    # CREATE HOST (variables are quoted so the input is passed to mgmt_cli as single arguments)
    printf 'Creating new host: %s with IP address: %s\n' "$host_name" "$ip"
    new_host_response=$(mgmt_cli add host name "$host_name" ip-address "$ip" -s id_add_host.txt 2> /dev/null)
    on_error_print_and_exit "Error: Failed to create host object. $new_host_response"
    # PUBLISH THE CHANGES
    printf "\nPublishing the changes\n"
    mgmt_cli publish --root true -s id_add_host.txt &> /dev/null
    on_error_print_and_exit "Error: Failed to publish the changes."
    # LOGOUT
    logout
    printf "Done.\n"
}
logout() {
    mgmt_cli logout --root true -s id_add_host.txt &> /dev/null
}
# Must be called directly after the command it checks: it tests that command's exit status ($?).
on_error_print_and_exit() {
    if [ $? -ne 0 ]; then
        handle_error "$1"
    fi
}
handle_error() {
    printf '\n%s\n' "$1" # print error message
    # throw away the unpublished changes of this session, then log out
    mgmt_cli discard --root true -s id_add_host.txt &> /dev/null
    logout
    exit 1
}
on_empty_input_print_and_exit() {
    if [ -z "$1" ]; then
        printf '%s\n' "$2" # print error message
        logout
        exit 1 # empty input is an error, so exit with a non-zero status
    fi
}
# Script starts here. Call function "main".
main




If interested, you can watch the corresponding video:






3) VIA SMARTCONSOLE, OPENING THE CLI WINDOW


All you need to do is launch the CLI window directly from SmartConsole, as
shown in the picture below.



In this window, you can immediately start entering API commands.



4) WEB SERVICES: HTTPS POST REQUESTS (REST API)


In our opinion this is one of the most promising ways, because it lets you
“build” entire applications for managing the management server (excuse the
tautology). This method is considered in more detail below.



TO SUMMARIZE:


 1. The API via the CLI suits people who are used to Cisco;
 2. the API via shell scripts suits routine tasks;
 3. the REST API suits automation.



ENABLING THE API


By default the API is enabled on management servers with more than 4 GB of RAM
and on standalone configurations with more than 8 GB of RAM. You can check its
status with the command: api status

If the API turns out to be off, enabling it via SmartConsole is simple:
Manage & Settings > Blades > Management API > Advanced Settings



Then publish (Publish) the changes and run the api restart command.




WEB REQUESTS + PYTHON


You can execute API commands as web requests from Python using the requests
and json libraries. A web request consists of three parts:

1) the address (URL) of the command;
2) the HTTP headers;
3) the request payload: text in JSON format containing the command's
parameters.

The address has the following form (the parts in angle brackets are
placeholders):

https://<management server>:<port>/web_api/<command>

The headers are:

Content-Type: application/json
X-chkp-sid: <session id returned by login>

The login command is sent without X-chkp-sid; every later command carries the
sid that login returned. A helper that assembles and sends any command:

import json
import requests

def api_call(ip_addr, port, command, json_payload, sid):
    # ip_addr is the IP address of the Gaia management server ('xxx.xxx.xxx.xxx' in the examples below)
    url = 'https://' + ip_addr + ':' + str(port) + '/web_api/' + command
    if sid == "":
        # login is sent without a session id
        request_headers = {'Content-Type': 'application/json'}
    else:
        request_headers = {'Content-Type': 'application/json', 'X-chkp-sid': sid}
    # verify=False skips checking the management server's TLS certificate;
    # pass the path of a CA bundle instead to have it verified
    r = requests.post(url, data=json.dumps(json_payload), headers=request_headers, verify=False)
    return r.json()



Here are a few typical tasks that you most often encounter when administering
Check Point.

1) Example of login and logout functions:


Script


def login(user, password):
    payload = {'user': user, 'password': password}
    response = api_call('xxx.xxx.xxx.xxx', 443, 'login', payload, '')
    return response["sid"]

def logout(sid):
    response = api_call('xxx.xxx.xxx.xxx', 443, 'logout', {}, sid)
    return response["message"]

# the sid used by all the following scripts
sid = login('your_user', 'your_password')




2) Enabling Blades and Network Setup:


Script


new_gateway_data = {'name':'CPGleb','anti-bot':True,'anti-virus' : True,'application-control':True,'ips':True,'url-filtering':True,'interfaces':
                    [{'name':"eth0",'topology':'external','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"},
                     {'name':"eth1",'topology':'internal','ipv4-address': 'xxx.xxx.xxx.xxx',"ipv4-network-mask": "255.255.255.0"}]}
new_gateway_result = api_call('xxx.xxx.xxx.xxx', 443,'set-simple-gateway', new_gateway_data ,sid)
print(json.dumps(new_gateway_result))




3) Change the firewall rules:


Script


new_access_data={'name':'Cleanup rule','layer':'Network','action':'Accept'}
new_access_result = api_call('xxx.xxx.xxx.xxx', 443,'set-access-rule', new_access_data ,sid)
print(json.dumps(new_access_result))




4) Adding an Application layer:


Script


add_access_layer_application={ 'name' : 'application123',"applications-and-url-filtering" : True,"firewall" : False}
add_access_layer_application_result = api_call('xxx.xxx.xxx.xxx', 443,'add-access-layer', add_access_layer_application ,sid)
print(json.dumps(add_access_layer_application_result))
set_package_layer={"name" : "Standard","access":True,"access-layers" : {"add" : [ { "name" : "application123","position" :2}]} ,"installation-targets" : "CPGleb"}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package', set_package_layer ,sid)
print(json.dumps(set_package_layer_result))




5) Publish and policy setting, verifying command execution (task-id):


Script


publish_result = api_call('xxx.xxx.xxx.xxx', 443, "publish", {}, sid)
print("publish result: " + json.dumps(publish_result))
new_policy = {'policy-package': 'Standard', 'access': True, 'targets': ['CPGleb']}
new_policy_result = api_call('xxx.xxx.xxx.xxx', 443, 'install-policy', new_policy, sid)
print(json.dumps(new_policy_result))
# install-policy runs asynchronously and returns a task-id;
# query show-task with it to see whether the installation has finished
task_id = new_policy_result["task-id"]
show_task_id = {'task-id': task_id}
show_task = api_call('xxx.xxx.xxx.xxx', 443, 'show-task', show_task_id, sid)
print(json.dumps(show_task))
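The two pieces above, the login/logout functions in example 1 and the publish / install-policy / show-task sequence here, are what every script against the Management server repeats, and the part worth getting right is what happens when a command fails in the middle: an unpublished session that is never discarded keeps its changes and locks pending, and a session that is never logged out stays open on the SMS. The following added example (not code from the original post) wraps the page's request format in a small session class that discards on error and always logs out, and polls show-task until the install-policy task leaves the "in progress" state. The task status values, the FakeMgmtServer responses and its error codes, the credentials and the host name mgmt.example.invalid are constructed for the example; requests_transport verifies the server certificate against a CA bundle rather than using verify=False.

```python
import json
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport sends one POST and returns (http_status, decoded_json_body).
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Tuple[int, Dict[str, Any]]]


class MgmtApiError(Exception):
    """Raised when the management server answers with anything but HTTP 200."""


class MgmtSession:
    """Session lifecycle for the R80.10 Web API: login, call, publish or discard, logout."""

    def __init__(self, host: str, port: int, post: Transport):
        self.base = f"https://{host}:{port}/web_api/"
        self.post = post
        self.sid: Optional[str] = None

    def call(self, command: str, payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:  # every command except login carries the session id
            headers["X-chkp-sid"] = self.sid
        status, body = self.post(self.base + command, headers, payload or {})
        if status != 200:  # failures come back with "code" and "message" fields
            raise MgmtApiError(f"{command}: HTTP {status} {body.get('code')}: {body.get('message')}")
        return body

    def login(self, user: str, password: str) -> str:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]
        return self.sid

    def wait_for_task(self, task_id: str, interval: float = 2.0, max_polls: int = 60) -> str:
        """Poll show-task until the task leaves 'in progress'; returns its final status."""
        for _ in range(max_polls):
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task["status"]
            time.sleep(interval)
        raise MgmtApiError(f"task {task_id} still in progress after {max_polls} polls")

    def __enter__(self) -> "MgmtSession":
        return self

    def __exit__(self, exc_type, exc, tb) -> bool:
        # An exception inside the with-block discards the unpublished changes; logout always runs.
        try:
            if self.sid and exc_type is not None:
                self.call("discard")
        finally:
            if self.sid:
                self.call("logout")
                self.sid = None
        return False


def requests_transport(ca_bundle: str) -> Transport:
    """Real transport: the server certificate is checked against ca_bundle (no verify=False)."""
    import requests  # imported lazily so the rest of this file runs without it installed

    def post(url: str, headers: Dict[str, str], payload: Dict[str, Any]):
        r = requests.post(url, data=json.dumps(payload), headers=headers, verify=ca_bundle, timeout=60)
        return r.status_code, r.json()

    return post


class FakeMgmtServer:
    """Constructed stand-in for the SMS: scripted answers plus a record of every command received."""

    def __init__(self) -> None:
        self.calls: List[str] = []
        self.polls = 0

    def __call__(self, url: str, headers: Dict[str, str], payload: Dict[str, Any]):
        command = url.rsplit("/", 1)[1]
        self.calls.append(command)
        if command == "login":
            return 200, {"sid": "sid-constructed"}
        if headers.get("X-chkp-sid") != "sid-constructed":
            return 401, {"code": "constructed_err_no_session", "message": "missing session id"}
        if command == "install-policy":
            return 200, {"task-id": "task-constructed"}
        if command == "show-task":  # "in progress" twice, then success
            self.polls += 1
            status = "in progress" if self.polls < 3 else "succeeded"
            return 200, {"tasks": [{"task-id": payload["task-id"], "status": status}]}
        if command == "add-host" and payload.get("name") == "dup":  # simulated name clash
            return 400, {"code": "constructed_err_validation", "message": "object 'dup' already exists"}
        return 200, {"message": "OK"}


def install_standard_policy(post: Transport) -> str:
    """Add a host, publish, install the Standard package on CPGleb and wait for the task to finish."""
    with MgmtSession("mgmt.example.invalid", 443, post) as s:  # placeholder host name
        s.login("api_user", "api_password")  # constructed credentials
        s.call("add-host", {"name": "JohnDoePc", "ip-address": "192.168.0.10"})
        s.call("publish")
        task_id = s.call("install-policy",
                         {"policy-package": "Standard", "access": True, "targets": ["CPGleb"]})["task-id"]
        return s.wait_for_task(task_id, interval=0)


def failing_change(post: Transport) -> str:
    """A rejected add-host: the session discards its changes and logs out; the error text is returned."""
    try:
        with MgmtSession("mgmt.example.invalid", 443, post) as s:
            s.login("api_user", "api_password")
            s.call("add-host", {"name": "dup", "ip-address": "192.168.0.11"})
    except MgmtApiError as e:
        return str(e)
    return "no error"
```

Against a real server, replace the FakeMgmtServer with requests_transport("/path/to/ca-bundle.pem") and the flow is unchanged; the error path is the point of the class: FakeMgmtServer records login, add-host, discard, logout for the failing change, so nothing half-done is left in the session.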




6) Add host:


Script


new_host_data = {'name':'JohnDoePc', 'ip-address': '192.168.0.10'}
new_host_result = api_call('xxx.xxx.xxx.xxx', 443,'add-host', new_host_data ,sid)
print(json.dumps(new_host_result))
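The introduction's motivating case is adding a hundred hosts at once, and the only thing that separates that from the single add-host above is validating the input before it reaches the server and publishing in batches rather than once per object. This added example (not code from the original post) parses "name,ip" rows, rejects malformed names, invalid addresses and duplicate names with a reason per row, and sends the surviving payloads through any api_call-style callable, publishing every N objects. The CSV rows, the name whitelist and the RecordingCall stand-in are constructed; with the page's api_call the callable would be lambda cmd, p: api_call('xxx.xxx.xxx.xxx', 443, cmd, p, sid).

```python
import csv
import io
import ipaddress
import re
from typing import Any, Callable, Dict, List, Tuple

# Object names accepted here: a letter or digit, then letters, digits, '_', '.' or '-'.
# This whitelist is chosen for the example; it is stricter than what the server itself allows.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$")


def build_add_host_payloads(csv_text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse 'name,ip' CSV rows into add-host payloads; returns (payloads, reasons for rejected rows)."""
    payloads: List[Dict[str, str]] = []
    rejected: List[str] = []
    seen_names: set = set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        name = (row.get("name") or "").strip()
        raw_ip = (row.get("ip") or "").strip()
        if not NAME_RE.match(name):
            rejected.append(f"line {lineno}: invalid name {name!r}")
            continue
        try:
            ip = ipaddress.ip_address(raw_ip)  # accepts IPv4 and IPv6, rejects everything else
        except ValueError:
            rejected.append(f"line {lineno}: invalid IP address {raw_ip!r}")
            continue
        if name in seen_names:  # the server refuses a second object with the same name
            rejected.append(f"line {lineno}: duplicate name {name!r}")
            continue
        seen_names.add(name)
        payloads.append({"name": name, "ip-address": str(ip)})
    return payloads, rejected


# Same shape as the page's api_call with address, port and sid already bound.
ApiCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def add_hosts(call: ApiCall, payloads: List[Dict[str, str]], publish_every: int = 50) -> Tuple[int, int]:
    """Send add-host per payload, publishing after every publish_every objects and once at the end.
    Returns (hosts added, publishes issued)."""
    added = published = 0
    for payload in payloads:
        call("add-host", payload)
        added += 1
        if added % publish_every == 0:
            call("publish", {})
            published += 1
    if added % publish_every != 0:  # flush the last partial batch
        call("publish", {})
        published += 1
    return added, published


# Constructed input: two IPv4 rows and one IPv6 row to accept, three rows to reject.
SAMPLE_CSV = """name,ip
JohnDoePc,192.168.0.10
printer-01,10.0.5.20
bad host,10.0.5.21
srv6,2001:db8::10
JohnDoePc,192.168.0.11
nas,300.1.1.1
"""


class RecordingCall:
    """Constructed stand-in for api_call: records commands instead of contacting a server."""

    def __init__(self) -> None:
        self.commands: List[str] = []

    def __call__(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        self.commands.append(command)
        return {"message": "OK"}


def demo() -> Tuple[List[Dict[str, str]], List[str], List[str]]:
    """Validate the sample rows and replay them with a batch size of 2."""
    payloads, rejected = build_add_host_payloads(SAMPLE_CSV)
    recorder = RecordingCall()
    add_hosts(recorder, payloads, publish_every=2)
    return payloads, rejected, recorder.commands
```

Run demo() and the rejected list names the three bad rows by line number while the recorder shows add-host, add-host, publish, add-host, publish; rejecting before sending means a typo on row 40 of a hundred does not leave the first 39 hosts in a session that nobody publishes.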




7) Add Threat Prevention to the policy package:


Script


set_package_layer={'name':'Standard','threat-prevention' :True,'installation-targets':'CPGleb'}
set_package_layer_result = api_call('xxx.xxx.xxx.xxx', 443,'set-package',set_package_layer,sid)
print(json.dumps(set_package_layer_result))




8) View the list of sessions


Script


new_session_data = {'limit':'50', 'offset':'0','details-level' : 'standard'}
new_session_result = api_call('xxx.xxx.xxx.xxx', 443,'show-sessions', new_session_data ,sid)
print(json.dumps(new_session_result))




9) Create a new profile:


Script


add_threat_profile={'name':'Apeiron', "active-protections-performance-impact" : "low","active-protections-severity" : "low or above","confidence-level-medium" : "prevent",
  "confidence-level-high" : "prevent", "threat-emulation" : True,"anti-virus" : True,"anti-bot" : True,"ips" : True,
  "ips-settings" : { "newly-updated-protections" : "staging","exclude-protection-with-performance-impact" : True,"exclude-protection-with-performance-impact-mode" : "High or lower"},
  "overrides" : [ {"protection" : "3Com Network Supervisor Directory Traversal","capture-packets" : True,"action" : "Prevent","track" : "Log"},
                  {"protection" : "7-Zip ARJ Archive Handling Buffer Overflow", "capture-packets" : True,"action" : "Prevent","track" : "Log"} ]}
add_threat_profile_result=api_call('xxx.xxx.xxx.xxx',443,'add-threat-profile',add_threat_profile,sid)
print(json.dumps(add_threat_profile_result))  




10) Change the action for the IPS signature:


Script


set_threat_protection={
  "name" : "3Com Network Supervisor Directory Traversal",
  "overrides" : [{ "profile" : "Apeiron","action" : "Detect","track" : "Log","capture-packets" : True},
    { "profile" : "Apeiron", "action" : "Detect", "track" : "Log", "capture-packets" : False} ]}
set_threat_protection_result=api_call('xxx.xxx.xxx.xxx',443,'set-threat-protection',set_threat_protection,sid)
print(json.dumps(set_threat_protection_result))




11) Add your service:


Script


add_service_udp={    "name" : "Dota2_udp", "port" : '27000-27030',
"keep-connections-open-after-policy-installation" : False,
"session-timeout" : 0, "match-for-any" : True,
"sync-connections-on-cluster" : True,
"aggressive-aging" : {"enable" : True, "timeout" : 360,"use-default-timeout" : False  },
"accept-replies" : False}
add_service_udp_results=api_call('xxx.xxx.xxx.xxx',443,"add-service-udp",add_service_udp,sid)
print(json.dumps(add_service_udp_results))




12) Add a category, site or group:


Script


add_application_site_category = {"name": "Valve", "description": "Valve Games"}
add_application_site_category_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-category", add_application_site_category, sid)
print(json.dumps(add_application_site_category_results))
add_application_site = {"name": "Dota2", "primary-category": "Valve", "description": "Dotka",
  "url-list": ["www.dota2.ru"], "urls-defined-as-regular-expression": False}
# the command name must not carry a trailing space, or the URL will not match any API command
add_application_site_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site", add_application_site, sid)
print(json.dumps(add_application_site_results))
add_application_site_group = {"name": "Games", "members": ["Dota2"]}
add_application_site_group_results = api_call('xxx.xxx.xxx.xxx', 443, "add-application-site-group", add_application_site_group, sid)
print(json.dumps(add_application_site_group_results))




In addition, using the Web API you can add and remove networks, hosts, access
roles and so on. It is possible to configure the Antivirus, Anti-Bot, IPS and
VPN blades. It is even possible to install licenses using the run-script
command. All Check Point API commands can be found here.




CHECK POINT API + POSTMAN


It is also convenient to use the Check Point Web API together with Postman.
Postman has desktop versions for Windows, Linux and macOS; there is also a
plugin for Google Chrome, which we will use. First find Postman in the Google
Chrome Store and install it:



Using this utility, we can generate Web requests to the Check Point API. In
order not to remember all the API commands, it is possible to import the
so-called collections (templates) that already contain all the necessary
commands:



Here you will find a collection for R80.10. After import, the API command
templates are available to us:



In my opinion, it is very convenient. You can quickly start developing
applications using the Check Point API.




CHECK POINT + ANSIBLE


I would also like to note that there is an Ansible module for the CheckPoint
API. The module allows you to manage configurations, but it is not so convenient
for solving exotic tasks. Writing scripts in any programming language provides
more flexible and convenient solutions.




CONCLUSION


This is perhaps the end of our short review of the Check Point API. In my
opinion, this feature was very long-awaited and necessary. The appearance of the
API opens up very broad opportunities for both system administrators and system
integrators who work with Check Point products. Orchestration, automation,
feedback from SIEM ... all this is now possible.

PS You can find more articles about Check Point, as always, in our Habr blog or
in the blog on our website.




PSS For technical questions related to setting up Check Point, click here.
