topic Re: Add objectX to rule where objectY exists ? in API / CLI Discussion

Add objectX to rule where objectY exists ?

lbalogh — Thu, 27 Jan 2022 09:40:21 GMT

Hi All,

We are moving a lot of servers and I would like to add the new objects next to the old ones in the ruleset.

I still have to keep the old ones for a while though so I can not just change the IPs of the objects itself.

So the thing is that now we have an OLDobject with IP 1.1.1.1 and a NEWobject with IP 2.1.1.1.
There is rule 1 and 145 and 645 where OLDobject as source is present, and I would like to add the NEWobject next to it.
If I do it manually I have to go over the ruleset and I really would like to not do that. 🙂
That's why I asked the automation, becuase real life is this sample x 100.

Grouping is not really a nice option in my opinion either, because when all the tests ran I have to remove the OLDobject anyway, which would leave a group as source with one member in it.

Thanks a lot!

Re: Add objectX to rule where objectY exists ?

the_rock — Wed, 26 Jan 2022 12:27:26 GMT

I dont see why not, as long as there are no IP conflicts. You can try few and then do rule base verification to see if it gives you any warning/errors. I would not be too concerned about warnings, unless its something super important.

Re: Add objectX to rule where objectY exists ?

lbalogh — Wed, 26 Jan 2022 12:45:06 GMT

I mean via API or something automated way, becuase I have many to do so.

Re: Add objectX to rule where objectY exists ?

Tal_Paz-Fridman — Wed, 26 Jan 2022 13:13:34 GMT

Hi,

Not sure if this is what you are referring to, but you could use following Management API commands:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.8%20

You can add the relevant objects / servers to a Network Group and then add it to the rule.

If this is not what you are referring to please elaborate.

Tal

Re: Add objectX to rule where objectY exists ?

the_rock — Wed, 26 Jan 2022 13:19:57 GMT

Ok, sorry, did not realize there were so many...in that case, @Tal_Paz-Fridman is correct. API is your best option here.

Andy

Re: Add objectX to rule where objectY exists ?

lbalogh — Thu, 27 Jan 2022 09:39:34 GMT

Hi,
Yes, I would like to avoid grouping.
So the thing is that now we have an OLDobject with IP 1.1.1.1 and a NEWobject with IP 2.1.1.1.
There is rule 1 and 145 and 645 where OLDobject as source is present, and I would like to add the NEWobject next to it.
If I do it manually I have to go over the ruleset and I really would like to not do that. 🙂
That's why I asked the automation, becuase real life is this sample x 100.

Grouping is not really a nice option in my opinion either, because when all the tests ran I have to remove the OLDobject anyway, which would leave a group as source with one member in it.

Hope this makes more sense, yesterday I was way-way more tired than this 🙂
Thanks a lot!

Re: Add objectX to rule where objectY exists ?

PhoneBoy — Thu, 27 Jan 2022 12:46:12 GMT

You would use set-access-rule as noted by @Tal_Paz-Fridman to actually change the rules.
Or are you looking for a programmatic way to find the rules that you need to modify?
In that case, you probably want to use the where-used API call to find the specific instances where the old object is used and then use set-access-rule to update the rules accordingly.

Re: Add objectX to rule where objectY exists ?

Bob_Zimmerman — Thu, 27 Jan 2022 15:02:00 GMT

I would attack this with a script which works like this:

Ingest pairs of IPs. Old first, then new.
Log in to the management via the API.
For each IP pair, create an object for the new IP if one doesn't exist. Save the new object's UUID. Find all existing objects with the old IP and save their UUIDs.
For each old object, run 'where-used'.
For each resulting access rule, if it's in the source, use the rule UUID and layer UUID to call 'set access-rule source.add' with the new object's UUID.
Repeat for the destination, calling 'set access-rule destination.add'.
For each resulting group, use the group UUID to call 'set group members.add' with the new object's UUID.
After dealing with each pair, publish.
After dealing with all pairs, log out.

NAT rules are more complex, as they can't have multiple objects in fields. I think I would look for the old object in each field, one at a time, then copy the other fields to a new NAT rule which I add to the policy package immediately below the old NAT rule. If you don't use them in NAT rules directly, then you can skip all that.

This also wouldn't handle other objects-which-reference-objects situations like Access Roles. Should get you >90% of the way there, though.

Re: Add objectX to rule where objectY exists ?

Mlinko — Thu, 20 Apr 2023 09:31:21 GMT

Hi,

did someone manage to create such a script and would be willing to share it? I would be very grateful!

KR
Rok

Re: Add objectX to rule where objectY exists ?

chymmmy — Tue, 30 Jan 2024 08:31:28 GMT

Hello

I would like has a way to add a newobject in the rule is exists an old object too.

Some checkpoint expert has an script to perform that requeriment? I think that is a great challenge for you.

I see that https://community.checkpoint.com/t5/Management/How-can-I-quickly-move-from-many-objects-in-many-rules-to-a/td-p/13274. But, sometimes its bettter have both objects than a group object.

Re: Add objectX to rule where objectY exists ?

Amir_Senn — Tue, 30 Jan 2024 17:18:52 GMT

set access-rule command works just fine with adding additional objects, I don't think that writing a script should be too complicated if you have experience with this.

Just for syntax reference, I used the following:

mgmt_cli set access-rule layer "Network" -r true rule-number 1 dst.add Host1

mgmt_cli set access-rule layer "Network" -r true rule-number 1 dst.add Host2

This added dst to a rule and the second added the second host without subtracting the first one, means this command should be suitable for you.