A Python client to interact with the CheckPoint R80 API.

# checkpoint_client
A Python client to interact with the CheckPoint R80 API (https://sc1.checkpoint.com/documents/R80/APIs/#ws).

# Installation
```
pip install checkpoint-client
```

# Features
1. Performs basic operations such as adding/deleting objects, getting tags, showing the objects in a group, publishing, and installing policy.
2. The authentication session (sid) can persist in the configuration file. If the session is invalid, the client automatically re-authenticates and updates the sid.
3. Management server fingerprint verification.

# Disclaimers
1. The CheckPoint R80 API does not allow adding or deleting multiple host objects in a group in one call. Each host object must be created and then added to or deleted from the group. This results in very slow (serial) execution.
2. In our testing, we have noticed some instability with very large sets (10k+) of changes.

# Example
Sample configuration file
```
[checkpoint]
username = myusername
# API does not support cert based authentication
password = mypassword
domain = DMZ

# Some useful fields to make CP session more descriptive
session-name = inet_blacklist
session-comments = API automation example
session-description = Automated DMZ blacklisting of known malicious IPs (from TIP).
cp_server = 10.10.100.32

# Exit if fingerprint verification fails
fingerprint = 82C9C0B60850901BBDF5653D794ADF8E8AAEA1B7
verify_fingerprint = True

# No changes made if set to True
dryrun = False

# Automatically populated if authentication successful
sid =

[dmz_blacklist]
color = red
group = GRP-DMZ_BAD_IP_FROM_TIP
target = LAB_DMZ_CLUSTER
```

A simple script to add host objects to an existing group object, publish changes and finally, install the policy.
```
import configparser

from checkpoint_client import CheckPointClient
from checkpoint_client.utils import set_default_logger, add_logger_streamhandler

CONFIG_FILE = 'configs/example.ini'

# Instantiate a client
logger = set_default_logger("inet_blacklist_mgr", "DEBUG")
add_logger_streamhandler(logger, "INFO")
cpc = CheckPointClient(CONFIG_FILE, logger)

# Load the same INI file to read the [dmz_blacklist] settings
config = configparser.ConfigParser()
config.read(CONFIG_FILE)

bad_IPs = ['1.2.3.4', '5.6.7.8', '9.0.11.12', '13.14.15.16']

color = config.get('dmz_blacklist', 'color', fallback=cpc.default_color)
group = config.get('dmz_blacklist', 'group', fallback="MY_DEFAULT_GROUP")
target = config.get('dmz_blacklist', 'target', fallback="DMZ_CLUSTER")

# Create one host object per IP and add it to the group (one API call each)
success_count = 0
fail_count = 0
for bad_ip in bad_IPs:
    resp = cpc.add_host(
        name=bad_ip,
        ipaddr=bad_ip,
        tags="bad_ips_from_tip",
        comments="Import example using API wrapper",
        color=color,
        groups=group)
    if resp.success:
        success_count += 1
    else:
        fail_count += 1

logger.info({'message': {'total': len(bad_IPs), 'success': success_count, 'fail': fail_count}})

# Publish changes
resp = cpc.publish()
if resp.success:
    logger.info({'message': "Policy publication successful"})
else:
    logger.error({'message': "Policy publication failed."})

# Install policy
# https://sc1.checkpoint.com/documents/R80/APIs/?#gui-cli/install-policy
params = {'access': True, 'threat-prevention': False, 'install-on-all-cluster-members-or-fail': True}

resp = cpc.install_policy(group, target, **params)
if resp.success:
    logger.info({'message': "Policy installation successful"})
else:
    logger.error({'message': "Policy installation failed."})

# End the management session
cpc.logout()
```
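How a pinned-fingerprint check driven by the `fingerprint` and `verify_fingerprint` settings in the sample configuration can work, as an added example that is not checkpoint_client's own code. It assumes the 40-hex-character value is the SHA-1 digest of the server's DER-encoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import configparser
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-der-certificate"


def normalize_fingerprint(value):
    """Accept 'AA:BB:..', 'aa bb ..' or 'AABB..' and return 40 upper-case hex chars."""
    cleaned = re.sub(r"[\s:\-]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("fingerprint must be 40 hex characters (SHA-1)")
    return cleaned


def cert_fingerprint(der_cert):
    """Assumption: the pin is the SHA-1 digest of the DER-encoded certificate."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def fetch_server_cert_der(host, port=443):
    """Fetch the server certificate without CA validation; trust comes from the pin."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def check_pin(config_text, der_cert):
    """Return True only if the [checkpoint] settings allow this certificate."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = cfg["checkpoint"]
    # Fail closed: a missing verify_fingerprint key is treated as True.
    if not section.getboolean("verify_fingerprint", fallback=True):
        return True  # pinning switched off, certificate is not checked
    expected = normalize_fingerprint(section.get("fingerprint", ""))
    return hmac.compare_digest(expected, cert_fingerprint(der_cert))


if __name__ == "__main__":
    pin = cert_fingerprint(SAMPLE_DER)
    ini = "[checkpoint]\nfingerprint = %s\nverify_fingerprint = True\n" % pin
    print("matching cert accepted:", check_pin(ini, SAMPLE_DER))
    print("changed cert accepted:", check_pin(ini, SAMPLE_DER + b"\x00"))
```

A caller would pass `fetch_server_cert_der(cp_server)` as `der_cert` and exit before sending credentials when `check_pin` returns False or raises.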


# Download files

Source distribution: checkpoint_client-0.0.1.tar.gz (11.9 kB)

Built distribution: checkpoint_client-0.0.1-py3-none-any.whl (13.8 kB, Python 3)
