Difference between revisions of "r80 api notes"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(examples)
 
(24 intermediate revisions by one user not shown)
Line 47: Line 47:
 
*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
 
*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
  
==access rules==
+
===access rules===
===notes before you begin===
+
====notes before you begin====
 
when using the parameter "name" to refer to a particular package, it appears to require the following...
 
when using the parameter "name" to refer to a particular package, it appears to require the following...
 
<package name> <layer name>
 
<package name> <layer name>
Line 64: Line 64:
 
  | jq '.rulebase[] | .rulebase[]'
 
  | jq '.rulebase[] | .rulebase[]'
  
====rule numbers====
+
====show access layers?====
 
+
===show access layers?===
+
 
  [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
 
  [Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
 
  "dropall Network"'''
 
  "dropall Network"'''
Line 73: Line 71:
 
where "Network" represents the default policy package Standard
 
where "Network" represents the default policy package Standard
  
===examples===
+
====examples====
 
show number of rules in policy
 
show number of rules in policy
 
  mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
 
  mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'
Line 91: Line 89:
 
  mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
 
  mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
  
compound jq select using and/or
+
====adding rules====
 +
 
 +
mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule
 +
 
 +
mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule
 +
 
 +
mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"
 +
 
 +
mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"
 +
 
 +
 
 +
===mds / domain===
 +
 
 +
get list of domains,objects(management and firewalls),object type
 +
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3
 +
 
 +
===log queries===
 +
mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'
 +
 
 +
{
 +
  "time": "2023-06-09T06:20:20Z",
 +
  "fw": "my_cp_fw1",
 +
  "log_server": "192.168.1.88",
 +
  "policy": "super_secure",
 +
  "action": "Accept",
 +
  "source": "10.0.0.11",
 +
  "dest": "204.79.197.203",
 +
  "service": "443"
 +
}
 +
 
 +
==jq==
 +
compound jq select using and/or (note: contains returns true/false)
  
 
  | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '
 
  | jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '
  
 +
and another one...
 +
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '
 +
 +
filter objects dictary for uid for accept action
 +
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'
  
"rulenum": 1,
+
get cluster member policy installation targets
<br> "comment": "hahahlol"
+
 
 +
| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '
 +
 
 +
get values without keys
 +
 
 +
example
 +
 
 +
with keys...
 +
'''| jq '.objects[] | {name: .name,type: .type}''''
 +
{
 +
  "name": chkp-fw",
 +
  "type": "simple-gateway"
 +
}
 +
{
 +
  "name": "chkp-mgmt",
 +
  "type": "checkpoint-host"
 +
}
 +
 
 +
without keys, change from curly {} to square [] brackets and drop key references
 +
'''| jq '.objects[] | [.name, .type]''''
 +
[
 +
  "chkp-fw",
 +
  "simple-gateway"
 +
]
 +
[
 +
  "chkp-mgmt",
 +
  "checkpoint-host"
 +
]
 +
 
 +
print all values on the same line, comma separated
 +
'''| jq '.objects[] | [.name, .type] | join (",")'''
 +
"chkp-fw simple-gateway"
 +
"chkp-mgmt,checkpoint-host"
 +
 
 +
==curl==
 +
 
 +
curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'
 +
 +
curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login
 +
 +
$ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
 +
{
 +
  "uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
 +
"sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
 +
"url" : "https://192.168.1.10:443/web_api",
 +
"session-timeout" : 600,
 +
"last-login-was-at" : {
 +
  "posix" : 1707413218074,
 +
  "iso-8601" : "2024-02-08T10:26-0700"
 +
},
 +
"api-server-version" : "1.8.1",
 +
"user-name" : "jsmith",
 +
"user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"
 +
 
 +
$ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive'''
 +
{
 +
  "message" : "OK"
 +
}
  
 
==links==
 
==links==
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.1%20 r80 api reference]
+
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]
 +
 
 +
[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]
  
 
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
 
[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]
Line 107: Line 200:
 
[https://stedolan.github.io/jq/ jq]
 
[https://stedolan.github.io/jq/ jq]
  
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli'
+
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]
 +
 
 +
[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]

Latest revision as of 07:05, 9 June 2024

Contents

Management server API setup

enabling for remote IPs

done the smartconsole

cp mgmt api enable all IPs.png

it can also be enabled via mgmt_cli under "set api-settings"

status check

[Expert@chmkmgr1:0]# api status
API Settings:
-----------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 10763
CPM Started 10460 Check Point Security Management Server is running and ready
FWM Started 10007
Port Details:
----------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
-------------------------------------------------
Overall API Status: Started
-------------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections

examples

logging in

login and redirect session info to a file for reuse

# mgmt_cli login user admin > id.txt

same but read only

# mgmt_cli login user admin read-only true > id.txt

search existing object

search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true  --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

return only objects with the EXACT ip

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json |  jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
      • details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

access rules

notes before you begin

when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name>

as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.

What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...

for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

| jq '.rulebase[]'

if you DO HAVE headers, to output the rules you need

| jq '.rulebase[] | .rulebase[]'

show access layers?

[Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"
"Network"

where "Network" represents the default policy package Standard

examples

show number of rules in policy

mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx

# mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"

display src/dst/service from rule with uid

for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done

alternate(inferior) way with jq

mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1

display rule number with comment containing a string haha

mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

adding rules

mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule

mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"


mds / domain

get list of domains,objects(management and firewalls),object type

mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

log queries

mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'

{

 "time": "2023-06-09T06:20:20Z",
 "fw": "my_cp_fw1",
 "log_server": "192.168.1.88",
 "policy": "super_secure",
 "action": "Accept",
 "source": "10.0.0.11",
 "dest": "204.79.197.203",
 "service": "443"

}

jq

compound jq select using and/or (note: contains returns true/false)

| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...

| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter objects dictary for uid for accept action

jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets

| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

get values without keys

example

with keys...

| jq '.objects[] | {name: .name,type: .type}'
{
 "name": chkp-fw",
 "type": "simple-gateway"
}
{
 "name": "chkp-mgmt",
 "type": "checkpoint-host"
}

without keys, change from curly {} to square [] brackets and drop key references

| jq '.objects[] | [.name, .type]'
[
 "chkp-fw",
 "simple-gateway"
]
[
 "chkp-mgmt",
 "checkpoint-host"
]

print all values on the same line, comma separated

| jq '.objects[] | [.name, .type] | join (",")
"chkp-fw simple-gateway"
"chkp-mgmt,checkpoint-host"

curl

curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}' 
curl -X -H POST -H "Content-Type: application/json" -d	'{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login
$ curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login
{
"uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
"sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
"url" : "https://192.168.1.10:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
  "posix" : 1707413218074,
  "iso-8601" : "2024-02-08T10:26-0700"
},
"api-server-version" : "1.8.1",
"user-name" : "jsmith",
"user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"
$ curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive
{
 "message" : "OK"
}

links

What's new with R80.20M1 Management API

r80 api reference

official python open source api

parsing json return output jq

Parsing the output of mgmt_cli

How to Use CURL to Send API Requests