18 R80 REST API Lab

R80 REST API LAB
R80.10 Training
(revised: September 14, 2018)
©2017 Check Point Software Technologies Ltd. 1

REST API Lab
Security needs to be agile and efficient

to keep pace with the dynamic nature
of today’s IT infrastructure.
Automation and granular delegation

are key to helping your staff reduce
operational overhead.
With the R80.10 API, security teams

can automate tasks and create web
portals for security self-service.

REST API Lab
Lab preparation
• For this lab download the lab content to test-files/R80:
̶ tar file containing example scripts
̶ pscp.exe to copy files to our R80 management server
• Ignore the error and select Keep.
Keep

REST API Lab
Lab preparation
• Right click and select Extract the files from the
download folder to test-files/R80.
Downloads test-files/R80

REST API Lab
Enable the API

• On Win-Victim browse to:
https://192.168.101.254/api_docs
• The API is enabled, but by default

is limited to internal host access.
• This can be checked from the CLI

also using the command “api
status”.
• Hint: to access the CLI use:

̶ The putty client on win-victim
̶ The console from CloudShare or
your local Workstation VM
̶ SmartConsole -> GATEWAYS &
SERVERS -> Actions -> Open Shell
̶ Web UI terminal
REST API Lab
Enable the API

• In SmartConsole
navigate to MANAGE &
SETTINGS -> Blades -> Management
Management API. API
• Click to open Advanced

Settings.
• Select Accept API calls
from All IP addresses.
• Click OK.

REST API Lab
Enable the API

• Notice in the info window that
the API needs to be restarted.
Click OK.
• Publish the changes.
• Instead of doing an “api restart”

do an “api reconf” from the CLI.
• Check the API status again from

the CLI.
• Browse to
https://192.168.101.254/api_doc
and you should see the API
reference.

REST API
Review Questions
From the API Reference Overview Introduction identify:

1. The RAM needed to activate the API?
2. The number of methods to use the management
API?
3. Which method sends an HTTP Post request with a
Content-Type of application/json?

REST API Lab
SmartConsole GUI
• In API Overview click SmartConsole CLI.
add host
• Copy the first example command “add host” with the two
required name/value pairs.

REST API Lab
SmartConsole GUI
• To understand the command syntax, in the API Reference expand
Network Objects. Click Host -> add host. Name and IP are required.
 Browse tabs other than SmartConsole CLI to see the different syntax.
Add host

REST API Lab
SmartConsole GUI
• In SmartConsole click on the API command
line icon in the lower left.
• Paste or type the add host command into the
CLI window and press enter to create the
myHost object.
• In the top middle of SmartConsole you may
API notice that the yellow session icon increments.
command line
• Searching for myHost in the right objects
sidebar you’ll find the new object.
• We can also add multiple objects from a file.

Rest API Lab
SmartConsole GUI
Click to
Open a File
©2017 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals 12
Rest API Lab
SmartConsole GUI
• Open students.txt in the test-files/R80 folder.
• This creates 3 networks, a network group object and
adds the 3 new networks to the new group.
Rest API Lab
SmartConsole GUI
• Press the up arrow and press enter to repeat one of
the last commands and notice the error.
• To debug the API, from expert mode in the CLI you
can look for errors in /etc/fw/log/api.elg. Enter publish
to try to publish the changes. Exit the window.
Exit
Rest API Lab
SmartConsole GUI
• In SmartConsole go to MANAGE & SETTINGS ->
Sessions -> View Sessions.
• Notice all of the changes are done in the current admin
session and the Application is SmartConsole.
• Click Discard to discard the changes.
Rest API Lab
Web services operational flow
A typical R80 API session starts with a login.
Send
Login Rest Publish Logout
Action
https://<ip>/web_api/login https://<ip>/web_api/add-host https://<ip>/web_api/publish https://<ip>/web_api/logout
Install
Policy
https://<ip>/web_api/install_policy

Rest API Lab
Web Services
• It’s a good idea to create a
separate account for API
access.
• Go to MANAGE &
SETTINGS -> Permissions &
Administrators ->
Administrators.
• Click the new icon and create

a new user with the name
api-user.
• Set the Permission Profile to

Read Write All.
• Set a password “Cpwins1!”.
• Uncheck User must change

password.
• Click OK and publish.
REST API Lab
Web Services
• In the Management API reference click Web Services in the
API Overview section. Review as you like.
• One tool we can use to facilitate web development is the
Chrome postman add-on.
• In the Chrome browser, search for Chrome postman.
• In the chrome web store, click on ADD TO CHROME.
Add

REST API Lab
Web Services
• Click Postman to launch the app.
• Click Take me straight to the app.
• Click Import and select test-
files/R80/postman_collection_R80_10.json file.
Import
Note: The file can also be downloaded from the Check Point community:
https://community.checkpoint.com/docs/DOC-2183. Unzip the file to import it.
REST API Lab
Web Services
Note: In addition to the browser add-on, Postman has native apps. In the Windows,
MacOS and Linux native app you’ll want to disable SSL certificate verification.
In the Chrome Add-on we’re using this is not needed.
See https://www.getpostman.com/docs/postman/launching_postman/settings.
Chrome Add-on Windows
disable

REST API Lab
Web Services
• Click Collections to see the Web API R80.10 collection.
• Click Session Management -> login.
 Notice they are all POST requests.
Collections
login

REST API Lab
Web Services
• In the API
reference find
Session
Management ->
login in the Web
Services tab.
• Notice that when
we login with
username and
password the
server response
will include a
unique session
ID that we’ll
capture and use
for the entire
session.

REST API Lab
Web Services
• In Postman, click the Body tab.
• Hover over server and you’ll notice the variable is
unresolved in the current environment and no Environment
is defined.
Server
Environment

REST API Lab
Web Services
• Click the gear icon.
• Click Manage Environments.
• Click Create an environment and enter R80 as the name.
Gear icon
Name

REST API Lab
Web Services
• Enter two keys.
• server:
https://192.168.10
1.254/web_api
• session: <empty>
• Click Add to save
the environment. server
• Click X to exit the
window.

REST API Lab
Web Services
• Click No Environment and select the new R80 environment.
• Notice that server variable is now set.
• Change the Request Body user value to api-user.
• Change the Request Body password value to Cpwins1!.
R80
update

REST API Lab
Web Services
• Click Send and you
should receive a
200 OK response.
• Highlight the sid in
the response.
• Right click and
select Set R80 ->
session to capture
the session ID in
the session session
variable.

REST API Lab
Web Services
• Click Host -> add-host.
• Click Send. You should receive a 200 status OK.
add-host

REST API Lab
Web Services
• Notice that you can capture the code.
• Click Code and review the code snippets options as you like.
• Click X to close the window.
• To complete the process, in Session Management, send a publish and
logout.
Code

REST API Lab
Web Services
• Go to LOGS & MONITOR and click + to open a new tab.
• Click Open Audit Log View.
• Notice the changes are all tracked.

REST API Lab
mgmt_cli
• mgmt_cli is an executable available on Windows and Gaia.
• Like web services, you can use mgmt_cli as part of a
session;
̶ mgmt_cli login
̶ mgmt_cli <do something>
̶ mgmt_cli <publish or discard>
̶ mgmt_cli logout
• Or you can do the same in one mgmt_cli command. This
one command does a login, adds host7, publishes the
change and logs out.
mgmt_cli add host name "host7" ip-address "10.10.10.7" --user "api-user" \
--password "Cpwins1!" --management 192.168.101.254

REST API Lab
mgmt_cli
• Open a DOS command window.
• One by one copy the commands below into the DOS command window.
• We first have to set the path to the mgmt_cli executable.
• As you like check the audit log to see the results of each command.
cd \Users\jroberts\Desktop\test-files\R80
set R80PATH="C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM"
%R80PATH%\mgmt_cli add host name "host7" ip-address "10.10.10.7" -u "api-user" -p "Cpwins1!" -m 192.168.101.254
%R80PATH%\mgmt_cli show host name "host7" -u "api-user" -p "Cpwins1!" -m 192.168.101.254
%R80PATH%\mgmt_cli delete host name "host7" -u "api-user" -p “Cpwins1!" -m 192.168.101.254
%R80PATH%\mgmt_cli show host name "host7" -u "api-user" -p "Cpwins1!" -m 192.168.101.254

REST API Lab
mgmt_cli
• mgmt_cli also has a batch option.
• In the folder test-files\R80 is a file csvfile.txt with the

following contents.
name,ip-address,color,comments
csv-host1,10.10.10.101,blue,batch
• Run the command below to create 3 host objects.
%R80PATH%\mgmt_cli add host -b csvfile.txt -u "api-user" -p "Cpwins1!" -m 192.168.101.254

REST API Lab
Wrapping commands in scripts
• With a basic understanding of the API commands, we
can now wrap commands in scripts. Here is an example
from the Check Point community.
̶ Automating and Streamlining Security Operations

REST API Lab
• The example files are in the test-files\R80 folder R80_mgmt_cli_scripts.tar file. To transfer the files to
the R80 management server we need a user with bash set as the shell.
• Use an existing user named bob with the password vpn123.
• Or you can also create your own by logging into the Gaia Web UI: https://192.168.101.254.
• Select User Management -> Users.
• Click Add, set the password, set the Role to adminRole and set the Shell to /bin/bash.
/bin/bash

REST API Lab
• Copy and paste the below into the DOS command
window.
• Change the password and the username to match.
pscp –pw vpn123 R80_mgmt_cli_Scripts.tar [email protected]:/home/admin/R80_mgmt_cli_Scripts.tar

REST API Lab
• Login to the management server CLI as admin and
change to expert mode.
̶ Or login directly to a bash shell as your new user.
• Change the directory to /home/admin:

̶ cd /home/admin
• Untar the scripts:

̶ tar xvf R80_mgmt_cli_Scripts.tar
• Change the directory to the new folder.

̶ cd R80_mgmt_cli_Scripts

REST API Lab
• Using the UNIX commands “ls” and “cat <filename>”
you’ll notice the scripts:
̶ Are modular
̶ Use variables and loops to create 10 objects, services and
rules

REST API Lab
• Open the CheckMates-Mgmt_CLI.pdf in test-files\R80.
• Step through the commands from top to bottom or go

directly to the bottom and enter the command to create
all of the objects, services and rulebase.
̶ bash Create_All
• In SmartConsole check the audit logs.
• When the command finishes, review the new policy and

objects as you like.

REST API Lab

REST API
Review Questions
1. Does the CheckMates example use one command

or multiple commands to complete a session, i.e.
login, <do something>, publish, logout?
2. How is the session key captured and used?
3. What is the –r option used in the CheckMates
example?
4. We’ve looked at management APIs. Are there other
APIs?

ADVANCED TOPICS
[Confidential] For designated groups and individuals

Rest API
TechTalk Wednesday Schedule
login to see examples

of live R80.10 API
demos

THANK YOU

18 R80 REST API Lab

Uploaded by

Copyright:

Available Formats

18 R80 REST API Lab

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

18 R80 REST API Lab

Uploaded by

Copyright:

Available Formats

R80 REST API LAB

©2017 Check Point Software Technologies Ltd. 1

Security needs to be agile and efficient

Automation and granular delegation

With the R80.10 API, security teams

©2017 Check Point Software Technologies Ltd. 2

• Ignore the error and select Keep.

©2017 Check Point Software Technologies Ltd. 3

©2017 Check Point Software Technologies Ltd. 4

Enable the API

• The API is enabled, but by default

• This can be checked from the CLI

• Hint: to access the CLI use:

Enable the API

• Click to open Advanced

©2017 Check Point Software Technologies Ltd. 6

Enable the API

• Publish the changes.

• Instead of doing an “api restart”

• Check the API status again from

©2017 Check Point Software Technologies Ltd. 7

From the API Reference Overview Introduction identify:

©2017 Check Point Software Technologies Ltd. 8

©2017 Check Point Software Technologies Ltd. 9

©2017 Check Point Software Technologies Ltd. 10

©2017 Check Point Software Technologies Ltd. 11

• Click Discard to discard the changes.

©2017 Check Point Software Technologies Ltd. 16

• Click the new icon and create

• Set the Permission Profile to

• Set a password “Cpwins1!”.

• Uncheck User must change

• Click OK and publish.

©2017 Check Point Software Technologies Ltd. 18

Chrome Add-on Windows

©2017 Check Point Software Technologies Ltd. 20

©2017 Check Point Software Technologies Ltd. 21

©2017 Check Point Software Technologies Ltd. 22

©2017 Check Point Software Technologies Ltd. 23

©2017 Check Point Software Technologies Ltd. 24

©2017 Check Point Software Technologies Ltd. 25

©2017 Check Point Software Technologies Ltd. 26

©2017 Check Point Software Technologies Ltd. 27

©2017 Check Point Software Technologies Ltd. 28

©2017 Check Point Software Technologies Ltd. 29

©2017 Check Point Software Technologies Ltd. 30

©2017 Check Point Software Technologies Ltd. 31

• We first have to set the path to the mgmt_cli executable.

set R80PATH="C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM"

%R80PATH%\mgmt_cli show host name "host7" -u "api-user" -p "Cpwins1!" -m 192.168.101.254

%R80PATH%\mgmt_cli delete host name "host7" -u "api-user" -p “Cpwins1!" -m 192.168.101.254

%R80PATH%\mgmt_cli show host name "host7" -u "api-user" -p "Cpwins1!" -m 192.168.101.254

©2017 Check Point Software Technologies Ltd. 32

• In the folder test-files\R80 is a file csvfile.txt with the

• Run the command below to create 3 host objects.

%R80PATH%\mgmt_cli add host -b csvfile.txt -u "api-user" -p "Cpwins1!" -m 192.168.101.254

©2017 Check Point Software Technologies Ltd. 33

©2017 Check Point Software Technologies Ltd. 34

• Use an existing user named bob with the password vpn123.

• Select User Management -> Users.