# Management API

CloudGuard WAF provides a collection of GraphQL APIs that allows to Authenticate, Create, Read, Update Delete any object in the system as well as Publish or Enforce a set of changes. &#x20;

GraphQL is a strongly typed API query language. It allows clients to define the structure of the data required, and exactly the same structure of the data is returned from the server. This avoids both the problems of over and under-fetching data, while also allowing for a powerful and flexible API.

{% hint style="info" %}
See here the [official GraphQL documentation](https://graphql.org/learn/).
{% endhint %}

## Authentication

### Creating an API Key

Go to **Account Settings -> API Keys** and create a new API Key for the 'CloudGuard WAF' service. Configure the Expiration date.

![](/files/ttdFNnCE44BXU8ifpwiP)

After clicking on Create your Client ID and Secret Key will be shown for a single time. Copy it to a secure location as they are not retrievable once the window will be closed.

<div align="left"><img src="/files/RknGUkkr2qOIJqeyrfmh" alt=""></div>

{% hint style="warning" %}
The ID and Key provide access to your account from the Internet. Secure your keys very carefully. We strongly recommend to use a vault solution for holding your keys and to rotate them periodically.
{% endhint %}

### Using an API Key to authenticate

Before using the specific GraphQL API, you first need to create a valid token to Infinity Portal.

Infinity Portal uses REST API. Use the following REST API:

`POST <server address>/auth/external`&#x20;

Use the relevant server address as documented [here](https://app.swaggerhub.com/apis-docs/Check-Point/infinity-portal-api/1.0.0#/User%20Control/post_auth_external), to generate a JSON Web Token (JWT).

This token allows temporary usage of the application API using Bearer Authentication (as explained in [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)) until token expiration or revocation. It should be used as Authorization: Bearer \[token] header for each API call.

Example of adding the authorization bearer token "abcde-f12345f" to an API call using curl:

`curl -H "Authorization: Bearer abcde-f12345f" https://<infinity portal address>/app/waf/graphql/v1`

## API Reference

### **View and usage without an external client (using GraphQL)**

Under Support->API we provide a GraphQL-based interface for:

1. Viewing all available functions, divided into query functions that are available for Read-Only users as well, and mutations functions which change configuration and are not available for Read-only Users.
2. Running custom requests and seeing the result received from the backend.

{% hint style="warning" %}
Configuration changes (mutation functions) done using this API will still require clicking on the **Publish** button in order to be saved in the database and unlocked for usage of other administrators, or by running the **publishChanges** API request.
{% endhint %}

<figure><img src="/files/mS1PPBIyMkuiFDhWrCF1" alt=""><figcaption></figcaption></figure>

The left hand screen allows you to modify GraphQL JSON queries. The middle screen shows the response upon clicking the play button. The right hand screen is the GraphQL documentation of all available functions.

### **Sending GraphQL requests from external sources**

If you have a JWT temporary token using the authentication API described above, and you are familiar with creating a query or a mutation operation JSON body, then you can post such a JSON to the following URL with the JSON as the request body:

`POST https://<infinity portal address>/app/waf/graphql/v1`

{% hint style="warning" %}
The infinity portal address depends on the region you are working with, and can be seen in the [Infinity Portal REST API documentation](https://app.swaggerhub.com/apis-docs/Check-Point/infinity-portal-api/).
{% endhint %}

{% hint style="info" %}
Several clients (e.g. Postman) have a GraphQL mode that allows easily constructing the exact request body from the GraphQL JSON.
{% endhint %}

### **GraphQL methods**

Most methods documented are about CRUD operations vs object in the database.

Read operations (queries) usually start with get\* prefix, and GraphQL allows you to modify what exact fields you are interested in viewing. There are also read operations with the suffix \*UsedBy which allow you to check for an object if it used by other objects (for example, a practice that is used by multiple assets and zones).

All non-Read operations are methods that are called **mutations** (as opposed to queries). For Create, Update and Delete operations on objects, the prefixes are usually **new\***, **update\*** and **delete\***.

**add\***, **move\*** and **remove\*** are parallel prefixes for connecting between existing objects (for example, adding a practice to an asset).

**share\*** methods are explained better in the objects structure overview – they are used for taking an existing object, which up until now has been used and owned by a single other object, and making them available to be used and shared by other objects as well (for example, taking an existing practice owned by a specific asset object, and making it globally available to be reused by additional assets and zones).

There are also additional special actions:

* Agent revocation – revoke\* methods
* Publish configuration – A critical method to activate when the changes are completed, otherwise the objects will be locked for other administrators. There is also a method for discarding all changes.
* Policy enforce operations – Sending a request to enforce the latest published policy by agents. The query method isEnforcePolicy provides information if a published policy is waiting to be enforced.

### **Object structure overview**

The main hierarchy of objects in Infinity Next Management starts with an asset object (which can come in a variety of types) or a zone object (which represents a usually-dynamic group of assets according to a query).

This object can own other objects according to the following hierarchy:

![](/files/2maufB5KLN8EWa5mrlK4)

{% hint style="info" %}
In CloudGuard WAF's usage of GraphQL, an object can be owned by another object, or can be owned by a connection between 2 objects (and then it will have 2 owning IDs).
{% endhint %}

When creating an object that should be owned by a parent object, run the relevant **get\*** method on the owning object to get its ID value prior to the object creation method call.

There are several objects in the behavior family. Some can be owned by an asset/zone object and some can be owned by the connection between an asset/zone and a practice.

* The connection between an Asset/Zone and a Practice can own the following behavior object types:

  *WebUserResponseBehavior*

  *ExceptionBehavior*
* A Web API or a Web Application asset can own the following behavior object type:

  *TrustedSourceBehavior*

### **Object sharing (visibility field)**

Practices and behavior objects also have a visibility field that can have either the value of “Local” or “Shared”. A “Local” visibility object must contain an owning object ID and cannot be used by any other object in parallel. It will be deleted when the parent object is deleted as it is wholly owned by it.

However, through the share\* methods you can make a “Local” visibility object into a “Shared” one which can be owned by multiple objects – Basically you are turning it into a globally used object which will not be deleted if any of the parent objects are deleted.&#x20;

{% hint style="warning" %}
The “Share” action is irreversible – A Shared object cannot be turned into a “Local” visibility object.
{% endhint %}

When creating a practice or a behavior object make sure you have IDs of the parent object/s by using the relevant get\* method/s if the visibility is set to “Local”. An empty owning ID can only exist if the visibility is set to “Shared” during the object creation.

{% hint style="warning" %}
When getting all objects, that can be either local or shared, the default behavior is to return only shared objects.\
A specific parameter is needed to be added to request to see the local objects as well.\
Specifically:\
getPractices will require includePrivatePractices to return local practice objects.\
getBehaviors will require includePrivateBehaviors to retun local behavior objects.
{% endhint %}

## API tester

The GitHub repository [infinitynext-mgmt-api-resources](https://github.com/CheckPointSW/infinitynext-mgmt-api-resources) - includes the following:

1. JSON file of the [management GraphQL](/references/management-api.md) API postman collection to import.
2. Example usage of the GraphQL API.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://waf-doc.inext.checkpoint.com/references/management-api.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.