r80 api notes
Contents |
Management server API setup
enabling for remote IPs
done the smartconsole
it can also be enabled via mgmt_cli under "set api-settings"
status check
[Expert@chmkmgr1:0]# api status
API Settings:
-----------------
Accessibility: Require all granted
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 10763
CPM Started 10460 Check Point Security Management Server is running and ready
FWM Started 10007
Port Details:
----------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
-------------------------------------------------
Overall API Status: Started
-------------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
examples
logging in
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt
same but read only
# mgmt_cli login user admin read-only true > id.txt
search existing object
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'
return only objects with the EXACT ip
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'
- details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)
access rules
notes before you begin
when using the parameter "name" to refer to a particular package, it appears to require the following... <package name> <layer name>
as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.
What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...
for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with
| jq '.rulebase[]'
if you DO HAVE headers, to output the rules you need
| jq '.rulebase[] | .rulebase[]'
rule numbers
show access layers?
[Expert@chmkmgr1:0]# mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name' "dropall Network" "Network"
where "Network" represents the default policy package Standard
examples
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json | jq '.total'
display only the rule number for a rule with uid = xxx
# mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done
alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"' 1
display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'
"rulenum": 1,
"comment": "hahahlol"
links
official python open source api
parsing json return output jq
[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli'