CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E

 

Results 1 to 3 of 3

Thread: API Irritations

  1. #1
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    342
    Rep Power
    14

    Default API Irritations

    I'm trying to do more with the management API, and it is insanely frustrating to deal with. Thought I would vent a little here.

    First, something actually very good: the API is versioned. Version numbers within the API really ought to be part of the minimum standard before you can call something an API (along with an error schema!), but tons of vendors don't include these, and your tools just break when you update the product. Versions let you provide API stability to get around that issue.

    Now for the not-so-good.

    What is with all the hyphens in object keys? The only tool Check Point includes for processing JSON is jq, which intensely dislikes hyphens in keys. I don't know of any common programming language besides Lisp which tolerates hyphens in structure or object properties, which means you have to translate things between Check Point's JSON format and your tool's internal format constantly. It's an enormous headache. snake_case, camelCase, and PascalCase are all right there, and they avoid this problem entirely.

    Why is nothing strongly typed?! Every object has a type, sure. The type is an immutable property of the object, sure. You could superclass hosts, networks, address ranges, and so on into a "checkPointEndpoint" class, then constrain source and destination fields in rules to only contain that class ... except then you run into Any. Check Point uses the same object for Any in source, destination, service, VPN, content, and time fields within rules. Again, the same object. It's a single UUID with the type CpmiAnyObject. So now your source and destination fields have to be able to contain a checkPointEndpoint object or a CpmiAnyObject object. Lists in strongly-typed languages don't like to be composed of more than one type, so to represent everything (including Any) with objects, you now have to make an even larger superclass. At that point, you pretty much have to make everything as a superclass so broad it can't constrain anything at build time. Runtime checks for everybody!

    Remember how I mentioned the hyphens earlier? Notice the "CpmiAnyObject" above with no hyphens? That's right! Check Point mixes kebab-case with PascalCase in fields.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    342
    Rep Power
    14

    Default Re: API Irritations

    Found another one. Some API endpoints are case-insensitive, while others (the specific one I hit was where-used) don't return anything for uppercase UUIDs. It's easy enough to just add a "toLowercase" on the end of the conversion from binary UUID to string, but the inconsistency is weird.

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    342
    Rep Power
    14

    Default Re: API Irritations

    I converted my code to use a single class for all objects, then switched to using 'show objects' to get everything.

    Tags aren't included in 'show objects'.

    Are you kidding me?



    I'm also not a fan of the two personalities of access layers. When you feed a UUID to 'show access-layer', you get a bunch of properties like whether it's shared, and what features are enabled. Nothing about the rules, though.

    When you feed the same UUID to 'show access-rulebase', you get the UUID, name, rulebase, objects dictionary (optionally), from, to, and total. No information about the layer personality of the object.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •