Further to this has anyone seen / created a nice way to handle the management of groups that relate to dynamic network lists as supplied by the likes of Microsoft & AWS (in particular where MiTM is not being used and hence AppC is not a reliable option / alternative):

Examples:

Microsoft EOP

Microsoft O365

Microsoft Azure

AWS

Chris,

I saw this last week, the same day I had been working on parsing the AWS ip-ranges.json myself.     Unfortunately, I can't provide the scripting I did most of the work with, but I'd be glad to share a skeleton.

First, I downloaded and locally saved AWS's ip-ranges.json to csv using the following powershell 1-liner.

( iwr -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json" | convertfrom-json ) | select-object -ExpandProperty prefixes | convertto-csv -NoTypeInformation > ip-ranges.csv

This resulted in a csv with the following column headers and text formats:

ip_prefix,region,service 54.239.4.0/22,eu-central-1,AMAZON 54.239.8.0/21,us-east-1,AMAZON ....

Then I made a few additional columns with text manipulation: (I also appended the AWS synctoken and createDate from the json)

ip_prefix,region,service,subnet,mask-length,name,group,comments 54.239.4.0/22,eu-central-1,AMAZON,54.239.4.0,22,net_54.239.4.0-22,AMAZON_eu-central-1syncToken: 1234567890 createDate:2017-01-23-01-34-56 54.239.8.0/21,us-east-1,AMAZON,54.239.8.0,21,net_54.239.8.0-21,AMAZON_us-east-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56

Next, I extracted the fields I wanted into a couple new csv files:

Network.csv name, subnet, mask-length,comments Groups.csv (extracted, then unique sorted) name, comments

The final file I made was the most challenging to script but the end result was:

groupPopulate.csv name,member.1,member.2,member.3,...member.100

Then a few scripted calls to mgmt_cli.

.\mgmt_cli.exe -m myhost login true user myuser password ******** > sessionid.txt .\mgmt_cli.exe -m myhost -s sessionid.txt set session new-name "MyName" description "Creating AWS networks from http://ip-ranges.amazonaws.com/ip-ranges.json" .\mgmt_cli.exe -m myhost -s sessionid.txt add network -b networks.csv --format json  > networks_import_log.txt .\mgmt_cli.exe -m myhost -s sessionid.txt add group -b groups.csv --format json > group_import_log.txt .\mgmt_cli.exe -m myhost -s sessionid.txt set group -b groupPopulate.csv --format json > groupPopulate_import_log.txt .\mgmt_cli.exe -s sessionid.txt -m myhost publish .\mgmt_cli.exe -s sessionid.txt -m myhost logout

For ongoing maintenance; I would look at adding checks for existing objects to avoid re-creation attempts, and instead update the comments on those.   groupPopulate overwrites the group members, so there isn't a need to parse or repopulate those.  Additional cleanup after re-populating would be to remove the groups and network objects with an older syncToken in the comments.

Sorry I can't just outright provide the scripting, but hopefully this will help get you moving in the right direction.

Actually, the command characters limit is 2048 per line - 

https://community.checkpoint.com/docs/DOC-2651-running-management-api-commands-from-the-r80-smartcon... 

After creating many many groups, I can tell you 100% the max command length is 1000 characters, you get too long to execute on anything more.

Hi Daniel, what was the behavior you experienced when you go over the 1000 character per line limit? I'm doing a large batch update of groups and find it process through the commands fine, and then seems to get stuck at the 60% publish phase for hours. Has this been your experience?

I was doing my api calls through the Smart Console command window due to limited access to tools on the jump server. For me 1000's lines in the txt files just wouldn't be accepted at all.

Is there a way to do this using the pythond sdk, it doesn't seem to have the option "members.add"?