topic Re: Generic Data Center / IP addresses JSON in Cloud Firewall

Generic Data Center / IP addresses JSON

Finner1976 — Tue, 10 Jan 2023 15:25:26 GMT

Working on Checkpoint Appliances R81.10
OS Gaia

I need to create a security rule that will permit from a source (frequently changing CIDR block) to an internal host on 443

For example:

source(https://ip-ranges.atlassian.com] destinaion (static nat ip > internal host] on port 443

The challenge I am trying to overcome is the src ip's will change frequently. Looking at the documentation there looks to be a feature that supports this

Generic Data Center feature (checkpoint.com)

However when I create the object I get an error when importing it to the rule. All it says failed to import and check the logs.

Is there any other way to achieve this without having to manually check when the source json changes?

Re: Generic Data Center / IP addresses JSON

PhoneBoy — Tue, 10 Jan 2023 18:09:45 GMT

Generic Datacenter Objects use the CloudGuard Controller infrastructure.
This implies:

The management server can reach the server hosting the JSON file (assuming you didn't specify a local file)
You should see errors in $FWDIR/log/cloud_proxy.elg

The specified JSON file (be it by URL or local file) must be in the format specified in sk167210.
If you're using the contents of https://ip-ranges.atlassian.com "as-is" it won't work.

Which leaves you with a couple of options:

Convert this JSON file into a supported format (either an appropriately constructed JSON file or maybe a CSV to use with ioc_feeds, see sk132193).
Upgrade to R81.20 and use the Network Feed option, which will require creating a jq query to pull out the data we care about from the JSON file.

Having said that, given this vendor provides information in a structured format, it seems like a nice candidate for an Updatable Object.
Tagging @Micky_Michaeli
If we end up making this an Updatable Object, you'll be able to import it into your Access Policy.

Re: Generic Data Center / IP addresses JSON

Micky_Michaeli — Tue, 10 Jan 2023 18:49:30 GMT

Hi @PhoneBoy , @Finner1976

This is exactly the reason we created Network Feed in R81.20, to provide customers the ability to use JSON feeds (or lists) in their policy easily.

My recommendation is to upgrade to R81.20 and use the Network Feed option.

Thanks.

Re: Generic Data Center / IP addresses JSON

Sorin_Gogean — Tue, 10 Jan 2023 19:15:40 GMT

Hello Finner1976,

We have created GDC objects based on JSON files, and as long as the JSON is valid and it respects the format required, you should be good.

One thing I had noticed, is that if we were to combine IPV4 with IPV6, it would fail loading and give an error, so can you look into that.

As I looked to the file from Atlassian, its an JSON but the format is not good for importing into Checkpoint GDC. So, can you share the process/script you're using to convert the data to JSON, or you didn't convert it .

Thank you,

Re: Generic Data Center / IP addresses JSON

PhoneBoy — Fri, 13 Jan 2023 17:23:34 GMT

To assist in creating a properly formatted JSON file, you can use the following command to get all the IP ranges (in CIDR format) from the website:

curl https://ip-ranges.atlassian.com | jq '.items[].cidr'

This can be part of a script that periodically generates a properly structured JSON file that will be acceptable by the Generic Datacenter feature.
Or you can likely use '.items[].cidr' as the filter when configuring the website as part of the Network Feeds feature in R81.20.