The Check Point Security Management Server (SMS) management API (Application Programming Interface) lets you send commands to, and read information from, the management server. The API allows the administrator to create objects, configure VPN communities, install policies, etc. from the command line or through web services.
The Management APIs can be used four ways:
- Using the mgmt_cli executable from the administrator workstation (installed as part of the SmartConsole application)
- Using the SmartConsole CLI via the Command Line option
- Using the clish (Gaia) on the SMS
- Sending API commands over an HTTPS connection using web services
The objective of this post is to demonstrate basic API calls, of the kind used in daily tasks, to create and modify objects from the SmartConsole CLI.
Using Management APIs
Before starting, refer to the Check Point Management API Reference Guide (R81.10) for detailed information on the supported API calls.
From the Management API reference guide, we can determine the syntax of the commands to add, set (edit), delete and show network objects.
From the SmartConsole application, click Command Line. This brings up a CLI in a pop-up window, which allows the administrator to configure objects directly.
Creating group objects
Open the Objects pane of SmartConsole to Network Groups and keep the Command Line window open alongside it.
From the Command Line, enter the following command:
add group name GRP1
Once the command has run successfully, the new group appears automatically in SmartConsole.
To create another group from the Command Line, this time with its colour set to red, run the following command:
add group name GRP2 color red
To change the colour of an existing group, run the following command:
set group name GRP1 color green
Creating network objects
To create network objects, use the commands below (note that mask-length and subnet-mask achieve the same result).
add network subnet 192.168.10.0 mask-length 24 name NET10 color green
add network subnet 192.168.11.0 subnet-mask 255.255.255.0 name NET11 color green
To add those network objects to an existing group, use the following commands:
set group name GRP1 members.add NET10
set group name GRP1 members.add NET11
Checking the Network Group confirms the network objects have been added to the group.
Network objects can also be added to a group at the time they are created, using the groups parameter:
add network subnet 192.168.12.0 mask-length 24 name NET12 color red groups GRP2
add network subnet 192.168.13.0 mask-length 24 name NET13 color red groups GRP2
add network subnet 192.168.14.0 mask-length 24 name NET14 color red groups GRP2
add network subnet 192.168.15.0 mask-length 24 name NET15 color red groups GRP2
Checking the Network Group confirms the network objects have been created and added to the group.
Configure NAT on a network object
Network objects can also be configured with NAT; use the following command to set automatic Hide NAT behind the gateway:
set network name "NET12" nat-settings.auto-rule "true" nat-settings.method "hide" nat-settings.hide-behind "gateway"
The NAT properties of network object NET12 confirm that automatic Hide NAT is configured and "Hide behind the gateway" is selected.
As with the other settings, the NAT configuration can be defined when the object is first created, using the command:
add network subnet 192.168.17.0 mask-length 24 name NET17 color red groups GRP2 nat-settings.auto-rule "true" nat-settings.method "hide" nat-settings.hide-behind "gateway"
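The commands above map one-to-one onto the management Web API (the HTTPS web-services method listed at the start): each "verb object-type" pair becomes an endpoint such as add-network, and the dotted parameters become nested JSON. The following is an added example, not code from this post or from Check Point, that performs that translation offline; the host name and session id it uses are placeholders.

```python
"""Translate mgmt_cli-style commands (as typed in the SmartConsole Command Line)
into the equivalent Management Web API call: endpoint name plus JSON body.
Added example with constructed inputs; nothing here is taken from a live SMS."""
import json
import shlex
import urllib.request

def parse_value(token):
    # mgmt_cli sends "true"/"false" as booleans and bare digits as numbers; do the same.
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    return int(token) if token.isdigit() else token

def set_nested(body, dotted_key, value):
    # Dotted keys nest: "nat-settings.auto-rule" -> body["nat-settings"]["auto-rule"],
    # "members.add" -> body["members"]["add"], matching the Web API's JSON layout.
    *path, leaf = dotted_key.split(".")
    node = body
    for part in path:
        node = node.setdefault(part, {})
    node[leaf] = value

def to_web_api(command):
    """'add network subnet 10.0.0.0 mask-length 24 name N' -> ('add-network', {...})."""
    verb, obj_type, *params = shlex.split(command)  # shlex strips the quotes
    if len(params) % 2:
        raise ValueError(f"parameters must be key/value pairs: {command!r}")
    body = {}
    for key, value in zip(params[0::2], params[1::2]):
        set_nested(body, key, parse_value(value))
    return f"{verb}-{obj_type}", body  # "add network" -> "add-network"

def build_request(host, sid, command):
    # Web-services form of the same command. sid is the session id returned by
    # /web_api/login; changes become visible only after /web_api/publish in that session.
    endpoint, body = to_web_api(command)
    return urllib.request.Request(
        f"https://{host}/web_api/{endpoint}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        method="POST",
    )

if __name__ == "__main__":
    for cmd in (
        "add network subnet 192.168.12.0 mask-length 24 name NET12 color red groups GRP2",
        "set group name GRP1 members.add NET10",
        'set network name "NET12" nat-settings.auto-rule "true" nat-settings.method "hide" nat-settings.hide-behind "gateway"',
    ):
        print(*to_web_api(cmd))
```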
Summary
As demonstrated above, using the built-in APIs of the Check Point Security Management Server allows for faster implementation and management of daily tasks.
Objects can also be imported in bulk from a CSV file – https://support.checkpoint.com/results/sk/sk113078