
Adding members to a group

Is there a better way than this to add member network objects to a group?

add group name Internal-Nets members.1 Net-192.168.111.0 members.2 Net-192.168.113.0 members.3 Net-192.168.114.0 members.4 Net-192.168.116.0 members.5 Net-192.168.117.0 members.6 Net-192.168.119.0 color cyan

set group name Internal-Nets members.add Net-192.168.122.0

set group name Internal-Nets members.add Net-192.168.123.0

set group name Internal-Nets members.add Net-192.168.124.0

set group name Internal-Nets members.add Net-192.168.125.0

set group name Internal-Nets members.add Net-192.168.126.0

set group name Internal-Nets members.add Net-192.168.131.0

set group name Internal-Nets members.add Net-192.168.134.0

Thanks,

Don


Accepted Solutions

Re: Adding members to a group


Don, this is what I ended up doing and it worked great!

mgmt add group name "MyGroup"

mgmt add host name "host1" ip-address "1.1.1.1" groups.1 "MyGroup"
mgmt add host name "host2" ip-address "2.2.2.2" groups.1 "MyGroup"

It was nice because I added the objects to the group at the time of creating them.


Re: Adding members to a group


Hi Don,

In the same way you created a group and added a list of members to it, you could modify the group by adding a list of members to it.

Please use the following command:

set group name Internal-Nets members.add.1 Net-192.168.122.0  members.add.2 Net-192.168.123.0

Use the Check Point Management API Documentation as a reference for the set-group command.

Re: Adding members to a group


This is how I did it in the end:

add network name Net-192.168.111.0 subnet4 192.168.111.0 mask-length4 24 color cyan

add network name Net-192.168.113.0 subnet4 192.168.113.0 mask-length4 24 color cyan

add network name Net-192.168.114.0 subnet4 192.168.114.0 mask-length4 24 color cyan

add network name Net-192.168.116.0 subnet4 192.168.116.0 mask-length4 24 color cyan

add network name Net-192.168.117.0 subnet4 192.168.117.0 mask-length4 24 color cyan

add network name Net-192.168.119.0 subnet4 192.168.119.0 mask-length4 24 color cyan

add network name Net-192.168.122.0 subnet4 192.168.122.0 mask-length4 24 color cyan

add network name Net-192.168.123.0 subnet4 192.168.123.0 mask-length4 24 color cyan

add network name Net-192.168.124.0 subnet4 192.168.124.0 mask-length4 24 color cyan

add network name Net-192.168.125.0 subnet4 192.168.125.0 mask-length4 24 color cyan

add network name Net-192.168.126.0 subnet4 192.168.126.0 mask-length4 24 color cyan

add network name Net-192.168.131.0 subnet4 192.168.131.0 mask-length4 24 color cyan

add network name Net-192.168.134.0 subnet4 192.168.134.0 mask-length4 24 color cyan

add group name Internal-Nets color cyan

set group name Internal-Nets members.add.1 Net-192.168.111.0 members.add.2 Net-192.168.113.0 members.add.3 Net-192.168.114.0 members.add.4 Net-192.168.116.0 members.add.5 Net-192.168.117.0 members.add.6 Net-192.168.119.0  members.add.7 Net-192.168.122.0 members.add.8 Net-192.168.123.0 members.add.9 Net-192.168.124.0 members.add.10 Net-192.168.125.0 members.add.11 Net-192.168.126.0 members.add.12 Net-192.168.131.0 members.add.13 Net-192.168.134.0

The set group command above (the last line) is one line (of 450 characters).


Re: Adding members to a group


Further to this, has anyone seen or created a nice way to handle the management of groups that relate to dynamic network lists as supplied by the likes of Microsoft and AWS (in particular where MiTM is not being used and hence AppC is not a reliable option or alternative)?

Examples:

Microsoft EOP

Microsoft O365

Microsoft Azure

AWS

Quinn_Yost

Re: Adding members to a group


Chris,

I saw this last week, the same day I had been working on parsing the AWS ip-ranges.json myself. Unfortunately, I can't provide the scripting I did most of the work with, but I'd be glad to share a skeleton.

First, I downloaded and locally saved AWS's ip-ranges.json to CSV using the following PowerShell one-liner.

( iwr -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json" | convertfrom-json ) | select-object -ExpandProperty prefixes | convertto-csv -NoTypeInformation > ip-ranges.csv

This resulted in a CSV with the following column headers and text formats:

ip_prefix,region,service

54.239.4.0/22,eu-central-1,AMAZON

54.239.8.0/21,us-east-1,AMAZON

....

Then I made a few additional columns with text manipulation (I also appended the AWS syncToken and createDate from the JSON):

ip_prefix,region,service,subnet,mask-length,name,group,comments

54.239.4.0/22,eu-central-1,AMAZON,54.239.4.0,22,net_54.239.4.0-22,AMAZON_eu-central-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56

54.239.8.0/21,us-east-1,AMAZON,54.239.8.0,21,net_54.239.8.0-21,AMAZON_us-east-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56

Next, I extracted the fields I wanted into a couple of new CSV files:

Network.csv

name, subnet, mask-length,comments

Groups.csv (extracted, then unique sorted)

name, comments

The final file I made was the most challenging to script but the end result was:

groupPopulate.csv

name,member.1,member.2,member.3,...member.100

Then a few scripted calls to mgmt_cli.

.\mgmt_cli.exe -m myhost login true user myuser password ******** > sessionid.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt set session new-name "MyName" description "Creating AWS networks from http://ip-ranges.amazonaws.com/ip-ranges.json"

.\mgmt_cli.exe -m myhost -s sessionid.txt add network -b networks.csv --format json  > networks_import_log.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt add group -b groups.csv --format json > group_import_log.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt set group -b groupPopulate.csv --format json > groupPopulate_import_log.txt

.\mgmt_cli.exe -s sessionid.txt -m myhost publish

.\mgmt_cli.exe -s sessionid.txt -m myhost logout

For ongoing maintenance, I would look at adding checks for existing objects to avoid re-creation attempts, and instead update the comments on those. groupPopulate overwrites the group members, so there isn't a need to parse or repopulate those. Additional cleanup after re-populating would be to remove the groups and network objects with an older syncToken in the comments.

Sorry I can't just outright provide the scripting, but hopefully this will help get you moving in the right direction.
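The post above describes the pipeline but withholds the script, so here is an added Python example (not Quinn_Yost's code and not Check Point's) that performs the JSON-to-CSV stage on a constructed ip-ranges.json sample, producing the three batch files named above. It assumes the CSV headers are the API parameter names (`name`, `subnet`, `mask-length`, `comments` for add network; `members.N` for set group, which replaces the membership, matching the "overwrites" behaviour noted in the post); the sample prefixes, syncToken and createDate are made up.

```python
import csv
import io
import json

# Constructed stand-in for ip-ranges.json; prefixes, syncToken and createDate are made-up values.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1234567890",
    "createDate": "2017-01-23-01-34-56",
    "prefixes": [
        {"ip_prefix": "54.239.4.0/22", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.4.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})

def parse_ip_ranges(raw):
    """Derive network rows and a service_region -> [member names] map from the JSON."""
    data = json.loads(raw)
    # Carrying syncToken/createDate in the comment lets a later run spot stale objects.
    comment = "syncToken: %s createDate: %s" % (data["syncToken"], data["createDate"])
    networks, groups = [], {}
    for p in data["prefixes"]:
        subnet, mask = p["ip_prefix"].split("/")
        name = "net_%s-%s" % (subnet, mask)            # e.g. net_54.239.4.0-22
        group = "%s_%s" % (p["service"], p["region"])  # e.g. AMAZON_eu-central-1
        networks.append({"name": name, "subnet": subnet,
                         "mask-length": mask, "comments": comment})
        groups.setdefault(group, []).append(name)
    return networks, groups

def to_csv(rows, fields):
    """Render rows as CSV text whose header is the list of API parameter names."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)  # rows with fewer members leave the trailing cells empty
    return buf.getvalue()

def build_csvs(raw):
    """Return {filename: csv_text} for the three batch files used with mgmt_cli -b."""
    networks, groups = parse_ip_ranges(raw)
    comment = networks[0]["comments"] if networks else ""
    group_rows = [{"name": g, "comments": comment} for g in groups]
    width = max((len(m) for m in groups.values()), default=0)
    member_fields = ["members.%d" % i for i in range(1, width + 1)]
    populate_rows = [dict(zip(["name"] + member_fields, [g] + members)) for g, members in groups.items()]
    return {"networks.csv": to_csv(networks, ["name", "subnet", "mask-length", "comments"]),
            "groups.csv": to_csv(group_rows, ["name", "comments"]),
            "groupPopulate.csv": to_csv(populate_rows, ["name"] + member_fields)}
```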


Re: Adding members to a group


Based on your original issue, I would just use the batch mode CSV import and create a simple CSV file with the header, and then each line is the group and the member to add. That works as long as all members already exist.

Example CSV:

name    members.add

Internal-Nets    Net-192.168.122.0

Internal-Nets    Net-192.168.123.0

Internal-Nets    Net-192.168.124.0

Command to execute:

set group --batch <csvfilename> --format json --ignore-errors true

The "--ignore-errors true" is used to ensure that any duplication warnings don't kill the operation; also, outputting the JSON will allow review of potential errors.


Re: Adding members to a group


You can also do it like this:

set group name "Name" members.add '["member1", "member2","member3"]'

Remember you are limited to 1000 characters per command when doing this via the SmartConsole CLI.
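An added Python example (not from any poster in this thread) for working within the 1000-character limit just mentioned: it packs a long member list into as many commands of the JSON-list form shown above as needed, each kept under the limit. The command shape and the limit come from this thread; `MAX_CMD_LEN` and the sample object names are my own.

```python
import json

# Per-command length limit reported for the SmartConsole CLI in this thread.
MAX_CMD_LEN = 1000

def render_set_group(group, members):
    """Build one 'set group ... members.add' command in the JSON-list form."""
    return 'set group name "%s" members.add \'%s\'' % (group, json.dumps(members))

def build_set_group_commands(group, members, max_len=MAX_CMD_LEN):
    """Split members into as many commands as needed so that none exceeds max_len.

    Every member lands in exactly one command, in the original order; a member
    that cannot fit even in a command of its own raises instead of being dropped.
    """
    commands, batch = [], []
    for member in members:
        if len(render_set_group(group, [member])) > max_len:
            raise ValueError("member name too long for a single command: %s" % member)
        if batch and len(render_set_group(group, batch + [member])) > max_len:
            commands.append(render_set_group(group, batch))
            batch = []
        batch.append(member)
    if batch:
        commands.append(render_set_group(group, batch))
    return commands

if __name__ == "__main__":
    # Constructed sample: 200 network objects named like the ones in this thread.
    nets = ["Net-192.168.%d.0" % i for i in range(1, 201)]
    for cmd in build_set_group_commands("Internal-Nets", nets):
        print(len(cmd), cmd[:70] + "...")
```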


Re: Adding members to a group


After creating many, many groups, I can tell you 100% the max command length is 1000 characters; you get "too long to execute" on anything more.


Re: Adding members to a group


Hi Daniel, what was the behavior you experienced when you went over the 1000-character-per-line limit? I'm doing a large batch update of groups and find it processes through the commands fine, and then seems to get stuck at the 60% publish phase for hours. Has this been your experience?


Re: Adding members to a group


I was doing my API calls through the SmartConsole command window due to limited access to tools on the jump server. For me, 1000s of lines in the txt files just wouldn't be accepted at all.