This really works. Thanks Magnus for proper explanation.
very helpful in production environment, Thanks Magnus
Rizwan Rashid I think this is something that can be used easily, especially when you create a new firewall for a customer.
Quick way to get in hundreds of objects :)
agreed
Very very useful!! Thank you
What a magic
Got a lot of help from the working in bank checkpoint firewall
Hello Magnus, you are awesome. Thank you so much!!!
Thank you for watching and commenting :)
The mgmt_cli can be really helpful ;) used it today to add 200 networks.
Doing that manually would be horrible.
hey Magnus,
just some thoughts:
try touch servers100.csv instead of cat servers100.csv and quit. You can even just use vi servers100.csv; it will be created upon :wq
have you tried mgmt_cli login user "yourusername" password "yourpassword" > s.txt
and then on all commands you can append -s s.txt, and for the duration of the timeout you can run commands without always providing username and password.
best regards
Hehe, great tips!
I am not good at this stuff; thankfully I do have DevOps engineers to help me with automation.
Next time maybe I should ask one of them to help me make a more advanced video in regards to the API :)
Hello Magnus. Maybe next time - try to run mgmt_cli with " -r true " e.g. mgmt_cli -r true show-hosts --format json
could you please make one video for custom intelligence feeds checkpoint
U saved a couple of hours for me
Thanks m8, need to figure out what should be next part :D
Another great video... really enjoying the course. Please, do not stop the good content!!
Thank you for watching and commenting!
I do appreciate the feedback, more content is on the way :)
Hope you guys like what is planned.
Honestly, I am wondering if this series did help anyone pass an exam yet.
When I did study for my Cisco stuff I did use CBT Nuggets with Jeremy Cioara and that was a huge reason why I managed to take both CCNA, CCNP.
@MagnusHolmberg-NetSec I am planning to take the CCSA in the next month or two. So far I am using your channel as my main source of information for both passing the CCSA exam and learning more about the Firewall itself. I have a strong Cisco background in RS and Sec (4 years Cisco TAC support), but for the past 6+ months I am dealing with CP as well and you are helping me a lot :) So, please keep on the good videos. What do you think about making a video / series for troubleshooting packet drops etc. on the Firewall? Also, a list of useful commands like "cphaprob state", "fw tab", "fw up execute" etc.? I think this will be very useful :)
As I told you, I bought a course from Udemy, because I was not able to find any other good resources. The course is made by a person who was CP TAC and he shares some good info - admit, but I learned a lot of new stuff from your course as well.
Are you planning to add new videos for the CCSA course, or what is present is enough to pass it?
Thank you!
George
@George Milev that's awesome to hear!
Best of luck.
Yes, there will be about 4-5 more CCSA videos to cover more of the exam. (Keep in mind I haven't actually written CCSA since it was R71.) So for me it's 10 years ago.
- SmartLog was introduced within R80 and it changed how the logs are processed, such as a new DB for faster log search.
- Backups, we haven't mentioned that topic yet and backup is an important part within any IT infra.
- SmartEvent, as this is an admin certification they do expect you to be aware of all GUI parts, and SmartEvent we haven't checked out yet. There are major changes in R80 when it comes to events/reports.
- Site-to-Site VPN, this is an important part, at least the basic parts. vpn tu is something that is brought up within the exam and something that you do use within production.
It's also important to know general IPsec things and how it actually works to set up the tunnel.
After those topics I do think it's sufficient to pass the exam. One more thing to keep in mind is that even if you go to an official CCSA course (unlike Cisco), Check Point do expect you to have 6 months' experience to be able to pass the exam, even if you go to the 3-day course provided by Check Point.
The main objective for me has been to give content based on the real world and what I am expecting a CCSA certified person to actually know, so some topics within this series are NOT part of the real exam, but are more or less mandatory in real life (such as this specific video that we are commenting on now).
I am not sure how many of the CLI commands are within the CCSA course, think I do need to ask Check Point to give me a copy of the official course content! :D A top 10 list of CLI commands I think that we can fix a video for!
Regards,
Magnus
@MagnusHolmberg-NetSec agreed with everything you said, thank you again for all the effort. Looking forward to the new videos.
Best of luck and enjoy your holidays.
George
@georgemilev3244 Same to you, make sure to take time for yourself and your family!
Enjoy the holidays :D
Would you cover in some other video SNMP configuration and troubleshooting?
Just some basic one when it comes to VSX as it's a bit diff from normal.
As in VSX you are able to poll the nodes or the VS itself.
this video saved my day. kindly show me how to add policy via API to a specific package
Information regarding the API can be found here
sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.7
Make sure to select the correct version that you are using.
@MagnusHolmberg-NetSec kindly make a video on it
Yes i will make a video about it, but it may take some time as i have promised to fix MDS/VSX and VPN videos before.
thank you very much
great demonstration. i also have tested in my lab and it works perfectly fine. As i pass through the below comments, have u created the next playlist to add hosts in the existing group?
Yes, ruclips.net/video/prbaOuQfvfk/видео.html
Thanks for sharing. I have a question: can I add multiple domain objects the same way? Thanks
By that do you mean global domain objects or just same objects within multiple domains?
What is the CLI command for adding the existing host in the existing Group @Magnus
That would be using the set command.
sc1.checkpoint.com/documents/latest/APIs/#cli/set-group~v1.8.1%20
mgmt_cli set group name "New Group 1" members.add "New Host 2"
Is it mandatory to fill all fields in the Excel? May I remove, for example, the "color" column from the Excel?
Yes color can be removed :)
Tks.
How can I export objects via cli?
Hi Magnus, thank you for this wonderful video.
But I have a question:
Can we export the .csv file directly into Management Server by using WinSCP, (say in tmp folder) and then we can execute "mgmt_cli add host --batch .csv" command from tmp folder?
Thank you for watching and commenting.
Yes it’s possible, you may need to specify the path (depends where u run the command from)
like after logging into mgmt cli, then go to # cd /tmp
@EagleWatch79 yes :)
odd that the --batch flag isn't in the MGMT CLI reference. Also, is the same method for a batch of network objects?
I made the video ruclips.net/video/prbaOuQfvfk/видео.html to also include adding it in groups etc.
Hi Magnus, thank you for your video. How can I modify the comments of my groups, networks or interfaces? May I use the SET command? Or does a MODIFY command exist?
Set is what would be used to modify objects :)
I get error host already exist and it fails
Is it possible to say that the batch operation should not break off but jump over already existing hosts?
This is very interesting. Can you help to produce a video for creating users and groups in bulk? This is for my SSLVPN users that use local authentication to Check Point (Check Point password). Thank you
Thank you Arnold!.
In API 1.6.1 there is possibility to add users and usergroups.
sc1.checkpoint.com/documents/latest/APIs/index.html#cli/changelog~v1.6.1%20
This 1.6.1 is available in R80.30 JFA217 and above or R80.40 JFA 53 and above.
I would recommend not using local accounts and actually using something like AD or similar.
Local accounts can be a good backup in worst case scenarios.
@MagnusHolmberg-NetSec I think really cannot add bulk users. :(
Arnold Salvador you need the 1.6.1 API as I said above. It’s brand new so you will need to upgrade your mgmt station
First, thank you so much for the videos. There are a lot of useful things. I'm interested in API migration from one firewall to another (for example Palo Alto to Check Point, Fortinet to Check Point, Cisco ASA to Check Point). Is there any way to automate it, or at least to accelerate the migration process? For example, I have a configuration of a Cisco ASA; is there any API which can automatically create host and network objects for Check Point from that configuration?
Best regards
I think what you are looking for is Check Point SmartMove
supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115416&t=1619484102459
This allows you to take an existing rulebase and create a Check Point rulebase, including objects, NAT etc. :)
Nice, thank you sir
You're welcome :)
Is it possible to check whether any host or network objects exist for the IP? If possible, we can skip creating a duplicate object for the same host or network.
I actually believe that the CLI will not create duplicate objects, but I will check on it and there will be some follow-up videos on this one :)
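For the two questions above (a batch run failing on a host that already exists, and checking whether an object already exists for an IP), one option is to filter the CSV before handing it to mgmt_cli. This is an added example, not code from the video or from Check Point. It assumes a batch file with `name` and `ip-address` columns and a saved copy of `mgmt_cli -r true show-hosts --format json` whose entries carry `name` and `ipv4-address` fields; names are compared case-insensitively as a conservative assumption.

```python
import csv
import io
import ipaddress
import json

# Constructed sample of saved `show-hosts --format json` output (field names assumed).
EXISTING_JSON = """{"objects": [
  {"name": "srv41", "ipv4-address": "10.1.1.41"},
  {"name": "dns-old", "ipv4-address": "10.1.1.53"}]}"""

# Constructed sample batch file for `mgmt_cli add host --batch <file>`.
BATCH_CSV = """name,ip-address,color
srv41,10.1.1.41,red
srv42,10.1.1.42,red
dns-new,10.1.1.53,blue
srv43,10.1.1.999,red
srv42,10.1.1.44,red
"""


def filter_batch(batch_csv, existing_json):
    """Return (rows_to_add, skipped); skipped holds (name, reason) tuples."""
    existing = json.loads(existing_json).get("objects", [])
    seen_names = {o["name"].lower() for o in existing}
    seen_ips = {ipaddress.ip_address(o["ipv4-address"]): o["name"]
                for o in existing if "ipv4-address" in o}
    keep, skipped = [], []
    for row in csv.DictReader(io.StringIO(batch_csv)):
        name = row["name"].strip()
        try:
            ip = ipaddress.ip_address(row["ip-address"].strip())
        except ValueError:
            skipped.append((name, "invalid ip-address"))
            continue
        if name.lower() in seen_names:
            skipped.append((name, "name already exists"))
        elif ip in seen_ips:
            skipped.append((name, f"ip already used by {seen_ips[ip]}"))
        else:
            keep.append(row)
            seen_names.add(name.lower())  # also catches repeats inside the CSV
            seen_ips[ip] = name
    return keep, skipped


def to_csv(rows, fieldnames):
    """Serialise the surviving rows back into a batch file body."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    keep, skipped = filter_batch(BATCH_CSV, EXISTING_JSON)
    print(to_csv(keep, ["name", "ip-address", "color"]), end="")
    for name, reason in skipped:
        print(f"skipped {name}: {reason}")
```

show-hosts returns its results in pages, so the saved JSON has to cover every page for the check to be complete.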
Please, could you show us how to apply access-rules?
With API you mean?
@MagnusHolmberg-NetSec yes, with mgmt_cli :)
waiting for your reply
How can I add multiple objects in a group (pls give full syntax)
Check this post out :)
It includes multiple ways to add members in a group, I am going to make a video about it next week.
community.checkpoint.com/t5/API-CLI-Discussion/Adding-members-to-a-group/td-p/2665
Did you try it with "Web Services" ?
If you are referring to like dynamic objects or similar, there is a new function within R81.20 that can be used for this
How can we do same operation using Smartconsole cli??
sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/add-host~v1.6%20
sir can u guide us, how to create vpn access for the customers on check point....Thanks
You mean Site-to-Site or Client-to-Site VPN?
Hi buddy it is really helpful but can you help me to add the host to an existing group
Hi, you can do something like this.
Then the object is created at the same time.
I will make a video on it with a batch file as well ;)
mgmt_cli add host name "host1" ip-address "1.1.1.1" groups.1 "MyGroup"
mgmt_cli add host name "host2" ip-address "2.2.2.2" groups.1 "MyGroup"
@MagnusHolmberg-NetSec can we set multiple hosts to one group at the same time?
@simmonsarkar5023 yes, like the command in the comment above.
@MagnusHolmberg-NetSec how to do it with a batch file? Can you show it? It will be very helpful
Hello,
When we have to edit a group without erasing what already exists, what is the better thing to do, working with the object or with the group?
I'm afraid to use the "add group" command, I worry about writing over the group and erasing each host in the group.
add group name myGroup members myHost1
add group name myGroup members myHost2
add group name myGroup members myHost3
add group name myGroup members myHost4
Can we batch the CLI command "set host" like that ?
set host name srv41 groups billing_server
set host name srv42 groups billing_server
set host name srv43 groups billing_server
set host name srv44 groups billing_server
Thank you.
Hi :) I am getting Err_login_failed, could you please check?
make sure
- API is enabled.
- Prefix on your mgmt server is allowed under GUI clients.
- Your account has write access.
sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Managing-Security-through-API.htm
Please I am waiting for your revert
@sanjeev prasad you mean reverting policies?