Difference between revisions of "r80 api notes"
(Created page with "[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference]") |
(62 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
− | [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1. | + | ==Management server API setup== |
+ | ===enabling for remote IPs=== | ||
+ | done the smartconsole | ||
+ | |||
+ | [[file:cp_mgmt_api_enable_all_IPs.png]] | ||
+ | |||
+ | it can also be enabled via mgmt_cli under "set api-settings" | ||
+ | |||
+ | ===status check=== | ||
+ | |||
+ | [Expert@chmkmgr1:0]# '''api status''' | ||
+ | <br>API Settings: | ||
+ | <br><nowiki>-----------------</nowiki> | ||
+ | <br>Accessibility: Require all granted | ||
+ | <br>Automatic Start: Enabled | ||
+ | <br>Processes: | ||
+ | <br>Name State PID More Information | ||
+ | <br><nowiki>-------------------------------------------------</nowiki> | ||
+ | <br>API Started 10763 | ||
+ | <br>CPM Started 10460 Check Point Security Management Server is running and ready | ||
+ | <br>FWM Started 10007 | ||
+ | <br>Port Details: | ||
+ | <br><nowiki>----------------</nowiki> | ||
+ | <br>JETTY Internal Port: 50276 | ||
+ | <br>APACHE Gaia Port: 443 | ||
+ | <br><nowiki>-------------------------------------------------</nowiki> | ||
+ | <br>Overall API Status: Started | ||
+ | <br><nowiki>-------------------------------------------------</nowiki> | ||
+ | <br>API readiness test SUCCESSFUL. The server is up and ready to receive connections | ||
+ | |||
+ | ==examples== | ||
+ | ===logging in=== | ||
+ | login and redirect session info to a file for reuse | ||
+ | # mgmt_cli login user admin > id.txt | ||
+ | |||
+ | same but read only | ||
+ | # mgmt_cli login user admin read-only true > id.txt | ||
+ | |||
+ | ===search existing object=== | ||
+ | search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range. | ||
+ | # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}' | ||
+ | |||
+ | return only objects with the EXACT ip | ||
+ | |||
+ | # mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name' | ||
+ | |||
+ | *** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object) | ||
+ | |||
+ | ===access rules=== | ||
+ | ====notes before you begin==== | ||
+ | when using the parameter "name" to refer to a particular package, it appears to require the following... | ||
+ | <package name> <layer name> | ||
+ | |||
+ | as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules. | ||
+ | |||
+ | What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands... | ||
+ | |||
+ | for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with | ||
+ | |||
+ | | jq '.rulebase[]' | ||
+ | |||
+ | if you DO HAVE headers, to output the rules you need | ||
+ | |||
+ | | jq '.rulebase[] | .rulebase[]' | ||
+ | |||
+ | ====show access layers?==== | ||
+ | [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' | ||
+ | "dropall Network"''' | ||
+ | "Network" | ||
+ | |||
+ | where "Network" represents the default policy package Standard | ||
+ | |||
+ | ====examples==== | ||
+ | show number of rules in policy | ||
+ | mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total' | ||
+ | |||
+ | display rule with uid = xxx | ||
+ | |||
+ | # '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"''' | ||
+ | |||
+ | display src/dst/service from rule with uid | ||
+ | for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done | ||
+ | |||
+ | alternate(inferior) way with jq | ||
+ | mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' | ||
+ | 1 | ||
+ | |||
+ | display rule number with comment containing a string haha | ||
+ | mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}' | ||
+ | |||
+ | ====adding rules==== | ||
+ | |||
+ | mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule | ||
+ | |||
+ | mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule | ||
+ | |||
+ | mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https" | ||
+ | |||
+ | mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https" | ||
+ | |||
+ | |||
+ | ===mds / domain=== | ||
+ | |||
+ | get list of domains,objects(management and firewalls),object type | ||
+ | mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3 | ||
+ | |||
+ | ===log queries=== | ||
+ | mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}' | ||
+ | |||
+ | { | ||
+ | "time": "2023-06-09T06:20:20Z", | ||
+ | "fw": "my_cp_fw1", | ||
+ | "log_server": "192.168.1.88", | ||
+ | "policy": "super_secure", | ||
+ | "action": "Accept", | ||
+ | "source": "10.0.0.11", | ||
+ | "dest": "204.79.197.203", | ||
+ | "service": "443" | ||
+ | } | ||
+ | |||
+ | ==jq== | ||
+ | compound jq select using and/or (note: contains returns true/false) | ||
+ | |||
+ | | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} ' | ||
+ | |||
+ | and another one... | ||
+ | | jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} ' | ||
+ | |||
+ | filter objects dictary for uid for accept action | ||
+ | jq '."objects-dictionary"[] | select (.name == "Accept") | .uid' | ||
+ | |||
+ | get cluster member policy installation targets | ||
+ | |||
+ | | jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' ' | ||
+ | |||
+ | get values without keys | ||
+ | |||
+ | example | ||
+ | |||
+ | with keys... | ||
+ | '''| jq '.objects[] | {name: .name,type: .type}'''' | ||
+ | { | ||
+ | "name": chkp-fw", | ||
+ | "type": "simple-gateway" | ||
+ | } | ||
+ | { | ||
+ | "name": "chkp-mgmt", | ||
+ | "type": "checkpoint-host" | ||
+ | } | ||
+ | |||
+ | without keys, change from curly {} to square [] brackets and drop key references | ||
+ | '''| jq '.objects[] | [.name, .type]'''' | ||
+ | [ | ||
+ | "chkp-fw", | ||
+ | "simple-gateway" | ||
+ | ] | ||
+ | [ | ||
+ | "chkp-mgmt", | ||
+ | "checkpoint-host" | ||
+ | ] | ||
+ | |||
+ | print all values on the same line, comma separated | ||
+ | '''| jq '.objects[] | [.name, .type] | join (",")''' | ||
+ | "chkp-fw simple-gateway" | ||
+ | "chkp-mgmt,checkpoint-host" | ||
+ | |||
+ | ==curl== | ||
+ | |||
+ | curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' | ||
+ | |||
+ | curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login | ||
+ | |||
+ | $ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login''' | ||
+ | { | ||
+ | "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb", | ||
+ | "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres", | ||
+ | "url" : "https://192.168.1.10:443/web_api", | ||
+ | "session-timeout" : 600, | ||
+ | "last-login-was-at" : { | ||
+ | "posix" : 1707413218074, | ||
+ | "iso-8601" : "2024-02-08T10:26-0700" | ||
+ | }, | ||
+ | "api-server-version" : "1.8.1", | ||
+ | "user-name" : "jsmith", | ||
+ | "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2" | ||
+ | |||
+ | $ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive''' | ||
+ | { | ||
+ | "message" : "OK" | ||
+ | } | ||
+ | |||
+ | ==links== | ||
+ | [https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API] | ||
+ | |||
+ | [https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference] | ||
+ | |||
+ | [https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api] | ||
+ | |||
+ | parsing json return output | ||
+ | [https://stedolan.github.io/jq/ jq] | ||
+ | |||
+ | [https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli] | ||
+ | |||
+ | [https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests] |
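Review bot: In the ==curl== section the second example, `curl -X -H POST ...`, makes `-H` the request method and targets `192.168.1.10:443/login` without the `https://` scheme or the `/web_api` prefix that the working login example right after it uses; correct it to `-X POST` with the full URL, or drop it. The first curl example has no URL at all and posts a body unrelated to this API. The login response shown after the third example is missing its closing `}`. In the ==jq== section the sample output line `"name": chkp-fw",` lacks its opening quote, the `join (",")` command is missing its closing single quote, and its first output line shows `"chkp-fw simple-gateway"` without the comma. In "notes before you begin", "doesn't is limited to 50 rules" should read "is limited to 50 rules".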
Latest revision as of 07:05, 9 June 2024
Management server API setup
enabling for remote IPs
done through SmartConsole
it can also be enabled via mgmt_cli under "set api-settings"
status check
[Expert@chmkmgr1:0]# api status
API Settings:
-----------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 10763
CPM Started 10460 Check Point Security Management Server is running and ready
FWM Started 10007
Port Details:
----------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
-------------------------------------------------
Overall API Status: Started
-------------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
examples
logging in
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt
same but read only
# mgmt_cli login user admin read-only true > id.txt
search existing object
search objects by IP, return all objects that contain the IP explicitly or within a network address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
return only objects with the EXACT ip
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
- details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
access rules
notes before you begin
when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name>
as shown by the show access-layers command below. Also, the output of show access-rulebase is limited to 50 rules. If you want more, I think you have to iterate through a set of offsets until all the rules are dumped. That dump in JSON format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.
What this means is the commands below may or may not work as you expect them to. They will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
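The paging and section nesting described above, as an added Python example that is not part of the original notes. `fetch_page` and `fake_fetch` are hypothetical stand-ins for a show access-rulebase call with limit/offset, the sample policy is constructed, and the code assumes `total` counts rules and that section entries carry type "access-section".

```python
# Added example (not from the original notes): page through show access-rulebase
# output and flatten section headers, then apply the comment/enabled filter.

def flatten_rulebase(entries):
    """Yield rules from a rulebase[] array, descending into section entries."""
    for entry in entries:
        if entry.get("type") == "access-section" or "rulebase" in entry:
            yield from flatten_rulebase(entry.get("rulebase", []))
        else:
            yield entry


def dump_all_rules(fetch_page, limit=50):
    """Request offsets 0, limit, 2*limit, ... until 'total' is covered.
    Assumption: 'total' is the number of rules in the layer."""
    rules, offset = [], 0
    while True:
        page = fetch_page(offset=offset, limit=limit)
        batch = list(flatten_rulebase(page.get("rulebase", [])))
        rules.extend(batch)
        offset += limit
        if not batch or offset >= page.get("total", 0):
            return rules


def enabled_without_marker(rules, markers):
    """Enabled rules whose comment contains none of the marker strings."""
    return [r for r in rules
            if r.get("enabled")
            and not any(m in r.get("comments", "") for m in markers)]


# Constructed sample policy: 5 rules, rules 1-3 sit under a section header.
_RULES = [
    {"type": "access-rule", "uid": f"uid-{n}", "rule-number": n,
     "enabled": n != 4, "comments": "lol temp" if n == 2 else ""}
    for n in range(1, 6)
]


def fake_fetch(offset, limit):
    """Hypothetical fetcher returning constructed pages (section + flat rules)."""
    chunk = _RULES[offset:offset + limit]
    in_section = [r for r in chunk if r["rule-number"] <= 3]
    flat = [r for r in chunk if r["rule-number"] > 3]
    section = [{"type": "access-section", "name": "DMZ", "rulebase": in_section}]
    return {"rulebase": (section if in_section else []) + flat,
            "total": len(_RULES), "from": offset + 1, "to": offset + len(chunk)}


if __name__ == "__main__":
    all_rules = dump_all_rules(fake_fetch, limit=2)
    print([r["rule-number"] for r in all_rules])
    print([r["uid"] for r in enabled_without_marker(all_rules, ["hahaha", "lol"])])
```

A section that spans a page boundary shows up as a section entry in both pages, which is why the flattening runs per page before the rules are merged.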
show access layers?
[Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"
"Network"
where "Network" represents the default policy package Standard
examples
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
display rule with uid = xxx
# mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
display src/dst/service from rule with uid
for i in source destination service; do echo "$i"; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq ".$i[].name"; done
alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
adding rules
mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule
mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule
mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"
mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"
mds / domain
get list of domains,objects(management and firewalls),object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects[] | .domain.name, .name, .type' | xargs -n3
log queries
mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'
{
  "time": "2023-06-09T06:20:20Z",
  "fw": "my_cp_fw1",
  "log_server": "192.168.1.88",
  "policy": "super_secure",
  "action": "Accept",
  "source": "10.0.0.11",
  "dest": "204.79.197.203",
  "service": "443"
}
jq
compound jq select using and/or (note: contains returns true/false)
| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '
and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '
filter the objects dictionary for the uid of the Accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'
get cluster member policy installation targets
| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '
get values without keys
example
with keys...
| jq '.objects[] | {name: .name,type: .type}'
{
  "name": "chkp-fw",
  "type": "simple-gateway"
}
{
  "name": "chkp-mgmt",
  "type": "checkpoint-host"
}
without keys, change from curly {} to square [] brackets and drop key references
| jq '.objects[] | [.name, .type]'
[
  "chkp-fw",
  "simple-gateway"
]
[
  "chkp-mgmt",
  "checkpoint-host"
]
print all values on the same line, comma separated
| jq '.objects[] | [.name, .type] | join (",")'
"chkp-fw,simple-gateway"
"chkp-mgmt,checkpoint-host"
curl
curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' https://<host>/<path>
curl -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login
$ curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login
{
  "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
  "sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
  "url" : "https://192.168.1.10:443/web_api",
  "session-timeout" : 600,
  "last-login-was-at" : {
    "posix" : 1707413218074,
    "iso-8601" : "2024-02-08T10:26-0700"
  },
  "api-server-version" : "1.8.1",
  "user-name" : "jsmith",
  "user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"
}
$ curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive
{
  "message" : "OK"
}
links
What's new with R80.20M1 Management API
official python open source api
parsing json return output jq