Checkpoint Device rule - Troubleshooting Tips



  1. API - failed case analysis:
    1. Download the curl tool and extract the downloaded zip file on the machine where FWA is installed (https://curl.haxx.se/download.html). This is only needed on Windows; curl is bundled by default on Linux machines.
      • Go to the "AMD64" folder in the command prompt (only for Windows machines).

    2. Execute the commands below and check the status (copy the sid value returned by the login call):
      1. curl --insecure -XPOST "https://managementServerIP/web_api/login" --data-binary "{\"user\": \"givenUserName\", \"password\": \"givenPassword\"}" -H "Content-Type: application/json"   (Standard setup)

        (or)

        curl --insecure -XPOST "https://managementServerIP/web_api/login" --data-binary "{\"user\": \"givenUserName\", \"password\": \"givenPassword\",\"domain\": \"givenDomainName\"}" -H "Content-Type: application/json"   (Multi domain setup)



      2. curl --insecure -XPOST "https://managementServerIP/web_api/show-access-layers" --data-binary "{\"limit\": \"50\", \"offset\": \"0\", \"details-level\": \"standard\"}" -H "Content-Type: application/json" -H "X-chkp-sid: sid-Value"
        • Copy access layer names.



      3. curl --insecure -XPOST "https://managementServerIP/web_api/show-access-rulebase" --data-binary "{\"name\": \"layerName\", \"details-level\": \"full\", \"use-object-dictionary\": \"true\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sid-Value"
        • Run this once for every layer name returned by show-access-layers.
      4. curl --insecure -XPOST "https://managementServerIP/web_api/show-unused-objects" --data-binary "{\"details-level\": \"full\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sid-Value"
      5. curl --insecure -XPOST "https://managementServerIP/web_api/show-gateways-and-servers" --data-binary "{\"details-level\": \"full\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sid-Value"
      6. curl --insecure -XPOST "https://managementServerIP/web_api/logout" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: sid-Value"


  2. CLI - failed case analysis:
    • Connect to the management server using PuTTY or an ssh tool,
    • then execute the commands below:
      1. mgmt login user givenUserName password givenPassword
      2. mgmt_cli show access-layers limit 50 offset 0 details-level standard
        • Copy access layer names.

      3. mgmt_cli show access-rulebase name "layerName" details-level full use-object-dictionary true  --format json
        • Run this once for every layer name returned by show access-layers.
      4. mgmt_cli show unused-objects details-level full  --format json
      5. mgmt_cli show gateways-and-servers details-level "full" --format json
      6. mgmt_cli logout  --format json



How to configure Device rule for Checkpoint devices:
  1. Go to the "Settings" > "Firewall Server" > "Device Rule" page, click the "Add" button and select the Checkpoint device.
  2. A device rule for Checkpoint devices can be configured in 2 ways (the API option is preferable):
    1. API:
      • Provide the "Management Server URL" (like https://190.10.10.11/).
      • Provide the "Login Name" of the "Management Server".
      • Provide the "Password" of the "Management Server".
      • For Multi-Domain setups, enable the "Domain Name" check box and provide the domain name. (Otherwise leave the domain name field empty.)
      • If the device name contains an IP address, provide the gateway name in the "Gateway Name" field. (Changes released in 124099 build)
      • Then click the "Validate" action. If validation fails, open the given "Management Server URL" in a browser (on the FWA installed machine) and try to log in with the given credentials. If that login fails, ask the customer to enable the API option on the Checkpoint device.
        • If it still fails, try the steps below:
          1. Download the curl tool and extract the downloaded zip file on the FWA installed machine (https://curl.haxx.se/download.html). This is only needed on Windows; curl is bundled by default on Linux machines.
          2. Go to the "AMD64" folder in the command prompt (only for Windows machines).
          3. Execute the commands below and check the status:
            • Multi-Domain setup: (replace managementServerIP with the "Management server IP address", givenUserName with the "Login Name", givenPassword with the "Password" and givenDomainName with the "Domain Name")
              • curl --insecure -XPOST "https://managementServerIP/web_api/login" --data-binary "{\"user\": \"givenUserName\", \"password\": \"givenPassword\" , \"domain\": \"givenDomainName\"}" -H "Content-Type: application/json"
            • Other setups: (replace managementServerIP with the "Management server IP address", givenUserName with the "Login Name" and givenPassword with the "Password")
              • curl --insecure -XPOST "https://managementServerIP/web_api/login" --data-binary "{\"user\": \"givenUserName\", \"password\": \"givenPassword\"}" -H "Content-Type: application/json"
            • If the login succeeds, execute the API calls below: (managementServerIP = "Management server IP address"; sessionID = the sid value returned by the login API call)
              • curl --insecure -XPOST "https://managementServerIP/web_api/show-access-layers" --data-binary "{\"limit\": \"50\", \"offset\": \"0\", \"details-level\": \"standard\"}" -H "Content-Type: application/json" -H "X-chkp-sid: sessionID"
            • Execute the API call below to get the rule details: (managementServerIP = "Management server IP address"; layerName = a layer name returned by the show-access-layers call, one call per layer; sessionID = the sid value returned by the login API call)
              • curl --insecure -XPOST "https://managementServerIP/web_api/show-access-rulebase" --data-binary "{\"name\": \"layerName\", \"details-level\": \"full\", \"use-object-dictionary\": \"true\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sessionID"
            • Execute the API call below to get the unused objects list: (managementServerIP = "Management server IP address"; sessionID = the sid value returned by the login API call)
              • curl --insecure -XPOST "https://managementServerIP/web_api/show-unused-objects" --data-binary "{\"details-level\": \"full\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sessionID"
            • Execute the API call below to get the interface list: (managementServerIP = "Management server IP address"; sessionID = the sid value returned by the login API call)
              • curl --insecure -XPOST "https://managementServerIP/web_api/show-gateways-and-servers" --data-binary "{\"details-level\": \"full\"}"  -H "Content-Type: application/json" -H "X-chkp-sid: sessionID"
            • After these checks, call the logout API: (managementServerIP = "Management server IP address"; sessionID = the sid value returned by the login API call)
              • curl --insecure -XPOST "https://managementServerIP/web_api/logout" --data-binary "{}" -H "Content-Type: application/json" -H "X-chkp-sid: sessionID"

    2. CLI:
      • Provide the fields below:
        1. "Management Server IP" (Management server IP address value like 190.10.10.11)
        2. "Login Username" (Management server login username)
        3. "Login Password" (Management server login password)
        4. If the device name contains an IP address, provide the gateway name in the "Gateway Name" field. (Changes released in 124099 build)
        5. "Security Management Administrator Username" (During the Checkpoint installation there is an option to configure a separate username for accessing "Security Management"; if it was not configured, ask the customer to use the "Login Username" value.)
        6. "Security Management Administrator Password" (During the Checkpoint installation there is an option to configure a separate password for accessing "Security Management"; if it was not configured, ask the customer to use the "Login Password" value.)
        7. "Timeout" (Provide the timeout value)
        8. For Multi-Domain setups, enable the "Domain Name" check box and provide the domain name. (Otherwise leave the domain name field empty.)
        9. Then click the "Validate" action. If validation fails, try the options below:
          1. Open a command prompt/PuTTY,
          2. log in to the "Management Server IP" using the given "Login Username" and "Login Password" values,
          3. then execute the command below:
            • Multi-Domain setup: (replace givenUserName with the "Security Management Administrator Username", givenPassword with the "Security Management Administrator Password" and givenDomainName with the "Domain Name")
              • mgmt login user givenUserName password givenPassword domain givenDomainName
            • Other setups: (replace givenUserName with the "Security Management Administrator Username" and givenPassword with the "Security Management Administrator Password")
              • mgmt login user givenUserName password givenPassword
            • If the login fails, check the error message.
            • If the login succeeds, execute the API commands below:
              1. set clienv rows 0
              2. mgmt_cli show access-layers  limit 50  offset 0  details-level "standard" --format json
              3. mgmt_cli show access-rulebase name "layerName" details-level "full" use-object-dictionary true --format json (layerName = a value returned by the "show access-layers" command; run once per layer)
              4. mgmt_cli show unused-objects details-level "full" --format json
              5. mgmt_cli logout  --format json



How to Enable API in Checkpoint devices:
  • The API option can be enabled on Checkpoint devices in 2 ways:
    1. Manual:
      • Open Check Point SmartConsole.
      • Go to Manage & Settings > Blades > Management API and click the Advanced Settings button.
      • Enable Automatic Start and choose the All IP addresses option in the Access API calls from field.
      • Click the push button and restart the management server.
    2. Command Prompt:
      • In a command prompt, log in to the "Management Server",
      • then in expert mode execute the commands below:
        1. mgmt_cli -r true --domain MDS set api-settings accepted-api-calls-from "All IP addresses"
        2. mgmt_cli -r true --domain MDS  set api-settings automatic-start true


Security Management Administrator Username/password section in installation:
[Image: mgmtUserInfo]



Postman tool based Troubleshooting steps:
  1. Install the "Postman" tool on the Firewall Analyzer installed machine.
  2. Then execute the login API call below in the "Postman" tool:
    1. Request type = Post
    2. URL = https://managementServerIP/web_api/login  (Update the managementServerIP value)
    3. Headers:
      1. Content-Type = application/json
    4. Body > select the "raw" option: (Update with the correct givenUserName and givenPassword values)
       {"user": "givenUserName" , "password" : "givenPassword"}
    5. Then click "Send" and check the response.


  3. If the login API above returned a response with a "sid" value, execute the API call below:
    1. Request type = Post
    2. URL = https://managementServerIP/web_api/show-access-layers   (Update the managementServerIP value)
    3. Headers:
      1. Content-Type = application/json
      2. X-chkp-sid = sid-Value (sid value returned by the login API)
    4. Body > select the "raw" option:
       {"limit": "50", "offset": "0", "details-level": "standard"}
    5. Then click "Send" and check the response.

  4. If the step 3 API call returns more than 1 access layer, call the API below once for each access layer name value:
    1. Request type = Post
    2. URL = https://managementServerIP/web_api/show-access-rulebase   (Update the managementServerIP value)
    3. Headers:
      1. Content-Type = application/json
      2. X-chkp-sid = sid-Value (sid value returned by the login API)
    4. Body > select the "raw" option: (Use the access layer name returned in step 3 as the layerName value.)
      {"name": "layerName", "details-level": "full", "use-object-dictionary": "true"}
    5. Then click "Send" and check the response.
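The curl sequence in the "API - failed case analysis" section, the curl steps under the API device rule validation, and the Postman steps above are all the same chain of Management API calls: login, show-access-layers, show-access-rulebase once per layer, show-unused-objects, show-gateways-and-servers, logout. The Python script below is an added example, not part of this article and not Firewall Analyzer's own code: it runs that chain with the HTTP transport injected, so the same flow can be exercised offline against a constructed stand-in server and, when pointed at a real server, reports which step fails and always logs the session out. managementServerIP, givenUserName and givenPassword are the page's own placeholders; the "access-layers" response key and the "code"/"message" shape of an error response are assumptions about the Management API that are not shown on this page.

```python
"""Check Point Management API troubleshooting sequence (added example, not the article's code)."""
import json
import ssl
import urllib.request


def build_login_body(user, password, domain=None):
    """JSON body for /web_api/login; Multi-Domain setups add the "domain" key (as on the page)."""
    body = {"user": user, "password": password}
    if domain:
        body["domain"] = domain
    return body


def extract_sid(login_response):
    """Return the session id (sid) from a login response, or raise with the API's error text.

    A failed login carries no "sid"; the Management API answers with a JSON object holding
    "code" and "message" instead (assumed shape, not shown on the page).
    """
    sid = login_response.get("sid")
    if not sid:
        raise RuntimeError("login failed: %s" % login_response.get("message", login_response))
    return sid


def make_https_transport(base_url, verify_tls=True):
    """Build post(command, payload, sid) that POSTs JSON to <base_url>/web_api/<command>."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Same effect as the page's `curl --insecure`: certificate and hostname checks are off.
        # Acceptable for a one-off lab check; keep verification on in the product configuration.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(command, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session header used by every call after login
        req = urllib.request.Request(
            base_url.rstrip("/") + "/web_api/" + command,
            data=json.dumps(payload).encode("utf-8"), headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return post


def run_checks(post, user, password, domain=None):
    """Run the page's call sequence and return every response keyed by step.

    Once a sid exists the session is always closed with /web_api/logout, even if an
    intermediate call raises, so a failed troubleshooting run leaves no session open.
    """
    sid = extract_sid(post("login", build_login_body(user, password, domain)))
    results = {"layers": [], "rulebases": {}, "unused_objects": None, "gateways": None}
    try:
        layers = post("show-access-layers",
                      {"limit": "50", "offset": "0", "details-level": "standard"}, sid)
        # "access-layers" is the assumed response key; the page only says to copy the names.
        results["layers"] = [layer["name"] for layer in layers.get("access-layers", [])]
        for name in results["layers"]:  # the page: "need to check all layer names"
            results["rulebases"][name] = post(
                "show-access-rulebase",
                {"name": name, "details-level": "full", "use-object-dictionary": "true"}, sid)
        results["unused_objects"] = post("show-unused-objects", {"details-level": "full"}, sid)
        results["gateways"] = post("show-gateways-and-servers", {"details-level": "full"}, sid)
    finally:
        post("logout", {}, sid)
    return results


def fake_transport(calls, good_password="constructed-ok", fail_on=None):
    """Constructed stand-in for a management server so the flow can run offline.

    Records (command, sid) pairs in `calls`; `fail_on` names one command that raises,
    to exercise the logout-on-error path. All response data here is made up.
    """
    def post(command, payload, sid=None):
        calls.append((command, sid))
        if command == "login":
            if payload.get("password") == good_password:
                return {"sid": "constructed-sid"}
            return {"code": "err_login_failed", "message": "Authentication to server failed."}
        if command == fail_on:
            raise RuntimeError("constructed failure in " + command)
        if command == "show-access-layers":
            return {"access-layers": [{"name": "Network"}, {"name": "Application"}], "total": 2}
        return {"command": command, "request": payload}
    return post


if __name__ == "__main__":
    # Offline demonstration with the constructed server. Against a real server, use
    # make_https_transport("https://managementServerIP/") with the placeholders replaced.
    trace = []
    summary = run_checks(fake_transport(trace), "givenUserName", "constructed-ok")
    print("layers:", summary["layers"])
    print("calls:", [cmd for cmd, _ in trace])
```

Two design points differ from the curl commands on purpose: the password is passed to a function rather than placed on a command line (where it would land in shell history and process listings), and TLS verification is on unless `verify_tls=False` is requested explicitly, so the `--insecure` behaviour is a visible choice rather than the default.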






