add-template

Description

Create a new Small Office Gateway template for an account-id.

If the Security Gateway is ready for deployment with its final configuration and deployment decisions, the under-construction parameter should remain at its default (false). In this configuration, the Security Gateway downloads its settings immediately from Zero Touch when it is claimed.

Zero Touch allows users to manage the initial configurations of "Small Office" and "Gaia Gateways" easily and remotely. Settings from the Zero Touch Server replace the First Time Configuration Wizard. The Zero Touch Cloud Service runs a Web Portal and supports REST API. All actions are available through API calls.

If the Security Gateway needs additional editing, under-construction should be set to "true" in the template to prevent downloads until the final configuration editing is complete.

The Small Office Gateway only has access to its template when it is being claimed. Edits to the template afterward have no effect on the Security Gateway.

Use the set-claimed-gateway-configuration command to edit the Small Office Gateway and to change under-construction to "false" to allow the Zero Touch downloads to start.

Request URL

POST

https://zerotouch.checkpoint.com/ZeroTouch/web_api/v2/add-template

Request Headers

| Parameter Name | Type | Description |
| --- | --- | --- |
| Content-Type | application/json | Send JSON object to use the API Web Services |
| X-chkp-sid | string token | Session unique identifier as the response to the login request |

Request Body

Parameter Name

Status

Type

Description

name

Mandatory

string

The new template's name

time-zone

Mandatory

string

Time zone for the Security Gateway

See Configuring the Time Zone on Gaia Embedded Security Gateways

wireless-country

Mandatory

string

Country in which the Security Gateway is deployed.

See Configuring the Wireless Country on Gaia Embedded Security Gateways.

admin-password

Mandatory

string

Administrator password for the Security Gateway

The admin-password is returned as "******" in the JSON response

account-id

Mandatory

int

The User Center account to which Security Gateways and templates belong

admin-access

Mandatory

string

Networks and IP addresses from which an administrator can access the Security Gateway

For example:

"10.2.3.56"

"192.1.1.2,10.1.1.7/255.255.255.0"

An empty string means "any IP address"

limit-source-ip-mode

Mandatory

string

Source IP mode

If admin-access is an empty string, use:

"LIMIT_SRC_IP_MODE.NO_LIMIT"

If admin-access is an IPv4 address, or a network and a subnet, use:

"LIMIT_SRC_IP_MODE.ALL_INTERFACES"

under-construction

Optional

boolean

A "true" value prevents downloads to the Security Gateway until the final configuration and deployment decisions are complete

Default value: false

template-id

Optional

int

The template's unique identifier

user-script

Optional

string

CLI commands execute on the Security Gateway immediately after all other settings are applied

In multiline Gaia Clish scripts, use end line ("\n") at the end of each command line

"user-script": "set static-route 192.0.2.100 nexthop gateway address 192.0.2.155 on\nset static-route 192.0.3.0/24 nexthop blackhole\n"

Before executing the script, the Security Gateway locks the database automatically

No need to add the "lock database override" command to the script

accept-lan

Optional

boolean

Administrator has access to the Security Gateway from a LAN, if "true"

Default value: true

accept-wifi

Optional

boolean

Administrator has access to the Security Gateway from a trusted WiFi, if "true"

Default value: true

accept-vpn

Optional

boolean

Administrator has access to the Security Gateway from a VPN, if "true"

Default value: true

accept-wan

Optional

boolean

Administrator has access to the Security Gateway from the internet, if "true"

Default value: true

upload-info

Optional

boolean

Controls the Upload Consent Flag on the Security Gateway

If "true", enables the Upload Consent Flag

For R81.20 and higher, see sk175504

For R81.10 and lower, see sk111080

locally-managed

Optional

boolean

Controls the appliance Locally Managed mode

If "true":

  1. Enables the Locally Managed mode

  2. Configures the value "false" for the parameter centrally-managed

Default value: true

Note - If your API Request contains "locally-managed": false and "centrally-managed": false, then:

  • If the default firmware is the Check Point factory default firmware, then the default management mode is Centrally Managed.

  • If the default firmware is a custom default image (this feature is supported from R80.20.40), then the appliance uses the management mode that is configured in the custom default image.

centrally-managed

Optional

boolean

Controls the appliance Centrally Managed mode

If "true":

  1. Enables the Centrally Managed mode

  2. Configures the value "false" for the parameter locally-managed

Default value: false

Note - If your API Request contains "centrally-managed": false and "locally-managed": false, then:

  • If the default firmware is the Check Point factory default firmware, then the default management mode is Centrally Managed.

  • If the default firmware is a custom default image (this feature is supported from R80.20.40), then the appliance uses the management mode that is configured in the custom default image.

service-center

Optional

string

IP address or the DNS of the SMP server

To manage your Security Gateway from SMP, fill these fields: service-center, registration-key, and portal (used by the Security Gateway for cloud activation)

registration-key

Optional

string

Key obtained from the Gateway page in the SMP server

To manage your Security Gateway from SMP, fill these fields:

service-center, registration-key, portal

(Used by the Security Gateway for cloud activation)

ignore-cert-verification

Optional

boolean

If "true", ignores certificate (if your SMP has a certificate from a CA that is not known to the Security Gateway)

Default value: false

use-cpn-tp-server

Optional

boolean

Use Check Point NTP servers

False indicates not using them

Default value: true

auto-gateway-creation

Optional

boolean

To automatically create the Security Gateway in the SMP, set to "true"

If "true", these fields are required: plan, service-center, registration-key, portal

If "false", plan must be empty

Default value: false

activate-rmd

Optional

boolean

If "true", then the Security Gateway uses "Reach My Device" (Check Point's service that enables connections to a gateway's management even when it is behind NAT) to be accessible while using NAT (Network Address Translation) within an organization

comments

Optional

string

General comments

portal

Optional

string

Service domain name for the Security Gateway

To manage your Security Gateway from SMP, fill these fields:

service-center, registration-key, portal

(Used by the Security Gateway for cloud activation)

plan

Optional

string

Plan name from the SMP

If you fill this field, these fields are required:

auto-gateway-creation, service-center, registration-key and portal

If auto-gateway-creation is false, plan must be empty

Response

On Success, HTTP Return code: 200

Parameter Name

Type

Description

creation-time

object

Timestamps for creating a template

last-modify-time

object

Timestamps for last modifying a template

account-id

int

The User Center account to which Security Gateways and templates belong

template-id

int

The template's unique identifier

creating-user

string

The user who created the template

last-modifying-user

string

The user who last modified the template

service-center

string

IP address or the DNS of the SMP server

To manage your Security Gateway from SMP, fill these fields: service-center, registration-key, and portal (used by the Security Gateway for cloud activation)

registration-key

string

Key obtained from the Gateway page in the SMP server

To manage your Security Gateway from SMP, fill these fields:

service-center, registration-key, portal

(Used by the Security Gateway for cloud activation)

user-script

string

CLI commands execute on the Security Gateway immediately after all other settings are applied

In multiline CLISH scripts, use end line ("\n") at the end of each command line

"user-script": "set static-route 192.0.2.100 nexthop gateway address 192.0.2.155 on\nset static-route 192.0.3.0/24 nexthop blackhole\n"

Before executing the script, the Security Gateway locks the database automatically

No need to add the "lock database override" command to the script

wireless-country

string

Country in which the Security Gateway is deployed

admin-password

string

Administrator password for the Security Gateway

The admin-password is returned as "******" in the JSON response

admin-access

string

Networks and IP addresses from which an administrator can access the Security Gateway

For example:

"10.2.3.56"

"192.1.1.2,10.1.1.7/255.255.255.0"

An empty string allows access from any IP address

accept-lan

boolean

Administrator has access to the Security Gateway from a LAN, if "true"

Default value: true

accept-wifi

boolean

Administrator has access to the Security Gateway from a trusted WiFi, if "true"

Default value: true

accept-vpn

boolean

Administrator has access to the Security Gateway from a VPN, if "true"

Default value: true

accept-wan

boolean

Administrator has access to the Security Gateway from the internet, if "true"

Default value: true

limit-source-ip-mode

string

Source IP mode

  • If admin-access is an empty string, use:

    "LIMIT_SRC_IP_MODE.NO_LIMIT"

  • If admin-access is an IPv4 address, or a network and a subnet, use:

    "LIMIT_SRC_IP_MODE.ALL_INTERFACES"

ignore-cert-verification

boolean

If "true", ignores certificate (if your SMP has a certificate from a CA that is not known to the Security Gateway)

Default value: false

use-cpn-tp-server

boolean

Use Check Point NTP servers

If "false", you can configure your NTP servers

Default value: true

auto-gateway-creation

boolean

To automatically create the Security Gateway in the SMP, set to "true"

If "true", these fields are required: plan, service-center, registration-key, portal

If "false", plan must be empty

Default value: false

activate-rmd

boolean

If "true", then the Security Gateway uses "Reach My Device" to be accessible while using NAT (Network Address Translation) within an organization

under-construction

boolean

A "true" value prevents downloads to the Security Gateway until the final configuration and deployment decisions are complete

Default value: false

upload-info

boolean

Controls the Upload Consent Flag on the Security Gateway

If "true", enables the Upload Consent Flag

For R81.20 and higher, see sk175504

For R81.10 and lower, see sk111080

time-zone

string

Time zone for the Security Gateway

comments

string

General comments

portal

string

Service domain name for the Security Gateway

To manage your Security Gateway from SMP, fill these fields:

service-center, registration-key, portal

(Used by the Security Gateway for cloud activation)

plan

string

Plan name from the SMP

If you fill this field, these fields are required:

auto-gateway-creation, service-center, registration-key and portal

If auto-gateway-creation is false, plan must be empty

name

string

The template name

creation-time

| Parameter Name | Type | Description |
| --- | --- | --- |
| posix | int | The value is the number of milliseconds that have elapsed since 00:00:00, 1 January 1970 |
| iso-8601 | string | Date and time represented in international ISO 8601 format |

last-modify-time

| Parameter Name | Type | Description |
| --- | --- | --- |
| posix | int | The value is the number of milliseconds that have elapsed since 00:00:00, 1 January 1970 |
| iso-8601 | string | Date and time represented in international ISO 8601 format |

On Failure, HTTP Return code: 400, 401, 500

| Parameter Name | Type | Description |
| --- | --- | --- |
| message | string | Operation status |
| messages | List: string | List of validation errors |
| code | string | Error code |

Request Example

{
"time-zone": "GMT(Greenwich-Mean-Time/Dublin/Edinburgh/Lisbon/London)",
"account-id": 7899567,
"template-id": 608212,
"user-script": "",
"accept-lan": true,
"accept-wifi": true,
"accept-vpn": true,
"accept-wan": true,
"upload-info": true,
"service-center": "",
"registration-key": "",
"wireless-country": "GB",
"admin-password": "f5f5f5f5",
"admin-access": "",
"limit-source-ip-mode": "LIMIT_SRC_IP_MODE.NO_LIMIT",
"ignore-cert-verification": false,
"use-cpn-tp-server": true,
"auto-gateway-creation": false,
"under-construction": false,
"activate-rmd": false,
"name": "Template A",
"comments": "My comments",
"portal": "",
"plan": ""
}
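
A pre-flight check for the request body, as an added example that is not part of the Check Point documentation: it applies the field dependencies stated in the Request Body table (mandatory fields, admin-access versus limit-source-ip-mode, plan versus auto-gateway-creation) and flags settings that widen administrator exposure. The function names, the warning policy, the masking of registration-key and the SAMPLE body are assumptions of this example.

```python
import ipaddress

MANDATORY = ("name", "time-zone", "wireless-country", "admin-password",
             "account-id", "admin-access", "limit-source-ip-mode")
SMP_FIELDS = ("plan", "service-center", "registration-key", "portal")
NO_LIMIT = "LIMIT_SRC_IP_MODE.NO_LIMIT"
ALL_INTERFACES = "LIMIT_SRC_IP_MODE.ALL_INTERFACES"

def review_template(body):
    """Return (errors, warnings) for an add-template request body."""
    errors, warnings = [], []
    errors += [f"missing mandatory field: {k}" for k in MANDATORY if k not in body]
    # admin-access: comma-separated IPv4 addresses or network/netmask pairs.
    access = body.get("admin-access", "")
    for entry in filter(None, (e.strip() for e in access.split(","))):
        try:
            ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            errors.append(f"admin-access entry is not IPv4 or network/mask: {entry}")
    # limit-source-ip-mode must agree with admin-access.
    expected = ALL_INTERFACES if access.strip() else NO_LIMIT
    if body.get("limit-source-ip-mode") != expected:
        errors.append(f"limit-source-ip-mode should be {expected}")
    # plan and auto-gateway-creation depend on each other and on the SMP fields.
    if body.get("auto-gateway-creation", False):
        errors += [f"auto-gateway-creation needs {k}" for k in SMP_FIELDS if not body.get(k)]
    elif body.get("plan", ""):
        errors.append("plan must be empty when auto-gateway-creation is false")
    # Review policy below is an assumption of this example, not an API rule.
    if not access.strip() and body.get("accept-wan", True):
        warnings.append("admin access allowed from any internet address")
    if body.get("ignore-cert-verification", False):
        warnings.append("SMP certificate is not verified")
    if body.get("user-script") and not body.get("under-construction", False):
        warnings.append("user-script is downloaded as soon as the gateway is claimed")
    return errors, warnings

def redacted(body):
    """Copy of the body for logs; masks secrets the way the API masks admin-password."""
    secret = ("admin-password", "registration-key")  # registration-key: assumption
    return {k: ("******" if k in secret and v else v) for k, v in body.items()}

# Constructed sample body with two deliberate inconsistencies.
SAMPLE = {"name": "Branch template", "time-zone": "GMT(Greenwich-Mean-Time/Dublin/Edinburgh/Lisbon/London)",
          "wireless-country": "GB", "admin-password": "example-only", "account-id": 7899567,
          "admin-access": "", "limit-source-ip-mode": ALL_INTERFACES,
          "auto-gateway-creation": False, "plan": "Basic"}

if __name__ == "__main__":
    print(review_template(SAMPLE), redacted(SAMPLE)["admin-password"])
```

Because the Small Office Gateway reads its template only when it is claimed, a check like this belongs before the POST rather than after deployment.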

Response Example

{
"account-id": 7899567,
"template-id": 8988937,
"creating-user": "user@domain.com",
"last-modifying-user": "user@domain.com",
"service-center": "",
"registration-key": "",
"user-script": "",
"wireless-country": "GB",
"admin-password": "******",
"admin-access": "",
"accept-lan": true,
"accept-wifi": true,
"accept-vpn": true,
"accept-wan": true,
"limit-source-ip-mode": "LIMIT_SRC_IP_MODE.NO_LIMIT",
"ignore-cert-verification": false,
"use-cpn-tp-server": true,
"auto-gateway-creation": false,
"activate-rmd": false,
"under-construction": false,
"upload-info": true,
"locally-managed": true,
"centrally-managed": false,
"creation-time": {
  "posix": 1530099088,
  "iso-8601": "2018-06-27T11:31"
},
"last-modify-time": {
  "posix": 1530099088,
  "iso-8601": "2018-06-27T11:31"
},
"time-zone": "GMT(Greenwich-Mean-Time/Dublin/Edinburgh/Lisbon/London)",
"comments": "My comments",
"portal": "",
"plan": "",
"name": "Template A"
}