Is there a better way than this to add member network objects to a group?
add group name Internal-Nets members.1 Net-192.168.111.0 members.2 Net-192.168.113.0 members.3 Net-192.168.114.0 members.4 Net-192.168.116.0 members.5 Net-192.168.117.0 members.6 Net-192.168.119.0 color cyan
set group name Internal-Nets members.add Net-192.168.122.0
set group name Internal-Nets members.add Net-192.168.123.0
set group name Internal-Nets members.add Net-192.168.124.0
set group name Internal-Nets members.add Net-192.168.125.0
set group name Internal-Nets members.add Net-192.168.126.0
set group name Internal-Nets members.add Net-192.168.131.0
set group name Internal-Nets members.add Net-192.168.134.0
Thanks,
Don
Don, this is what I ended up doing and it worked great!
mgmt add group name "MyGroup"
mgmt add host name "host1" ip-address "1.1.1.1" groups.1 "MyGroup"
mgmt add host name "host2" ip-address "2.2.2.2" groups.1 "MyGroup"
It was nice because I added the objects to the group at the time of creating them.
Hi Don,
In a similar way to how you created a group and added a list of members to it, you could modify the group by adding a list of members to it.
Please use the following command:
set group name Internal-Nets  members.add.1 Net-192.168.122.0  members.add.2 Net-192.168.123.0 
Use the Check Point Management API Documentation as a reference for the set-group command.
This is how I did it in the end:
add network name Net-192.168.111.0 subnet4 192.168.111.0 mask-length4 24 color cyan
add network name Net-192.168.113.0 subnet4 192.168.113.0 mask-length4 24 color cyan
add network name Net-192.168.114.0 subnet4 192.168.114.0 mask-length4 24 color cyan
add network name Net-192.168.116.0 subnet4 192.168.116.0 mask-length4 24 color cyan
add network name Net-192.168.117.0 subnet4 192.168.117.0 mask-length4 24 color cyan
add network name Net-192.168.119.0 subnet4 192.168.119.0 mask-length4 24 color cyan
add network name Net-192.168.122.0 subnet4 192.168.122.0 mask-length4 24 color cyan
add network name Net-192.168.123.0 subnet4 192.168.123.0 mask-length4 24 color cyan
add network name Net-192.168.124.0 subnet4 192.168.124.0 mask-length4 24 color cyan
add network name Net-192.168.125.0 subnet4 192.168.125.0 mask-length4 24 color cyan
add network name Net-192.168.126.0 subnet4 192.168.126.0 mask-length4 24 color cyan
add network name Net-192.168.131.0 subnet4 192.168.131.0 mask-length4 24 color cyan
add network name Net-192.168.134.0 subnet4 192.168.134.0 mask-length4 24 color cyan
add group name Internal-Nets color cyan
set group name Internal-Nets members.add.1 Net-192.168.111.0 members.add.2 Net-192.168.113.0 members.add.3 Net-192.168.114.0 members.add.4 Net-192.168.116.0 members.add.5 Net-192.168.117.0 members.add.6 Net-192.168.119.0 members.add.7 Net-192.168.122.0 members.add.8 Net-192.168.123.0 members.add.9 Net-192.168.124.0 members.add.10 Net-192.168.125.0 members.add.11 Net-192.168.126.0 members.add.12 Net-192.168.131.0 members.add.13 Net-192.168.134.0
The set group command above (the last line) is one line (of 450 characters).
Further to this has anyone seen / created a nice way to handle the management of groups that relate to dynamic network lists as supplied by the likes of Microsoft & AWS (in particular where MiTM is not being used and hence AppC is not a reliable option / alternative):
Examples:
Microsoft EOP
Microsoft O365
Microsoft Azure
AWS
Chris,
I saw this last week, the same day I had been working on parsing the AWS ip-ranges.json myself. Unfortunately, I can't provide the scripting I did most of the work with, but I'd be glad to share a skeleton.
First, I downloaded and locally saved AWS's ip-ranges.json to CSV using the following PowerShell one-liner.
( iwr -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json" | convertfrom-json ) | select-object -ExpandProperty prefixes | convertto-csv -NoTypeInformation > ip-ranges.csv
This resulted in a csv with the following column headers and text formats:
ip_prefix,region,service
54.239.4.0/22,eu-central-1,AMAZON
54.239.8.0/21,us-east-1,AMAZON
....
Then I made a few additional columns with text manipulation: (I also appended the AWS synctoken and createDate from the json)
ip_prefix,region,service,subnet,mask-length,name,group,comments
54.239.4.0/22,eu-central-1,AMAZON,54.239.4.0,22,net_54.239.4.0-22,AMAZON_eu-central-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56
54.239.8.0/21,us-east-1,AMAZON,54.239.8.0,21,net_54.239.8.0-21,AMAZON_us-east-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56
Next, I extracted the fields I wanted into a couple new csv files:
Network.csv
name, subnet, mask-length,comments
Groups.csv (extracted, then unique sorted)
name, comments
The final file I made was the most challenging to script but the end result was:
groupPopulate.csv
name,member.1,member.2,member.3,...member.100
Then a few scripted calls to mgmt_cli.
.\mgmt_cli.exe -m myhost login true user myuser password ******** > sessionid.txt
.\mgmt_cli.exe -m myhost -s sessionid.txt set session new-name "MyName" description "Creating AWS networks from http://ip-ranges.amazonaws.com/ip-ranges.json"
.\mgmt_cli.exe -m myhost -s sessionid.txt add network -b networks.csv --format json > networks_import_log.txt
.\mgmt_cli.exe -m myhost -s sessionid.txt add group -b groups.csv --format json > group_import_log.txt
.\mgmt_cli.exe -m myhost -s sessionid.txt set group -b groupPopulate.csv --format json > groupPopulate_import_log.txt
.\mgmt_cli.exe -s sessionid.txt -m myhost publish
.\mgmt_cli.exe -s sessionid.txt -m myhost logout
For ongoing maintenance, I would look at adding checks for existing objects to avoid re-creation attempts, and instead update the comments on those. groupPopulate overwrites the group members, so there isn't a need to parse or repopulate those. Additional cleanup after re-populating would be to remove the groups and network objects with an older syncToken in the comments.
Sorry I can't just outright provide the scripting, but hopefully this will help get you moving in the right direction.
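The CSV-building step described in the post above, as an added Python example (not the poster's script). The function names and the sample document are constructed for illustration; the `members.N` header follows the `add group` command earlier in the thread, and the strict prefix validation is an addition so that malformed entries never become firewall objects.

```python
import csv, io, ipaddress, json

# Constructed sample in the shape of AWS ip-ranges.json (not real published data).
SAMPLE = json.loads("""{
  "syncToken": "1234567890", "createDate": "2017-01-23-01-34-56",
  "prefixes": [
    {"ip_prefix": "54.239.4.0/22", "region": "eu-central-1", "service": "AMAZON"},
    {"ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "52.95.0.0/20", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "54.239.8.1/21", "region": "us-east-1", "service": "EC2"}
  ]}""")

def build_tables(doc):
    """Return (networks, groups, populate, rejected); each table is CSV rows, header first."""
    comment = f"syncToken: {doc['syncToken']} createDate:{doc['createDate']}"
    nets, members, rejected = {}, {}, []
    for p in doc["prefixes"]:
        try:
            # strict=True refuses prefixes with host bits set instead of silently fixing them
            net = ipaddress.IPv4Network(p["ip_prefix"], strict=True)
        except ValueError:
            rejected.append(p["ip_prefix"])
            continue
        name = f"net_{net.network_address}-{net.prefixlen}"
        # A prefix listed under several services becomes one network object in many groups.
        nets[name] = [name, str(net.network_address), net.prefixlen, comment]
        members.setdefault(f"{p['service']}_{p['region']}", set()).add(name)
    width = max((len(m) for m in members.values()), default=0)
    networks = [["name", "subnet", "mask-length", "comments"]]
    networks += [nets[n] for n in sorted(nets)]
    groups = [["name", "comments"]] + [[g, comment] for g in sorted(members)]
    populate = [["name"] + [f"members.{i}" for i in range(1, width + 1)]]
    for g in sorted(members):
        row = sorted(members[g])
        # One shared header means shorter rows are padded with empty cells.
        populate.append([g] + row + [""] * (width - len(row)))
    return networks, groups, populate, rejected

def to_csv(rows):
    """Serialize rows to CSV text, ready to save as a mgmt_cli batch file."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()
```

Review the `rejected` list before importing; an entry there means the feed did not match the expected format.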
Based on your original issue, I would just use the batch mode csv import and create a simple csv file with the header and then each line is the group and the member to add, that works, as long as all members are existing.
Example CSV:
name,members.add
Internal-Nets,Net-192.168.122.0
Internal-Nets,Net-192.168.123.0
Internal-Nets,Net-192.168.124.0
Command to execute:
set group --batch <csvfilename> --format json --ignore-errors true
The "--ignore-errors true" is used to ensure that any duplication warnings don't kill the operation; also, outputting the JSON will allow review of potential errors.
You can also do it like this
set group name "Name" members.add '["member1", "member2","member3"]'
Remember you are limited to 1000 characters per command when doing this via the SmartConsole CLI.
Actually, the command characters limit is 2048 per line -
After creating many many groups, I can tell you 100% the max command length is 1000 characters, you get too long to execute on anything more.
Hi Daniel, what was the behavior you experienced when you went over the 1000 character per line limit? I'm doing a large batch update of groups and find it processes the commands fine, and then seems to get stuck at the 60% publish phase for hours. Has this been your experience?
I was doing my api calls through the Smart Console command window due to limited access to tools on the jump server. For me 1000's lines in the txt files just wouldn't be accepted at all.
Is there a way to do this using the Python SDK? It doesn't seem to have the option "members.add".
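On the Python SDK question above, an added example that is not part of the thread: in the JSON form of the Management API the CLI's dotted `members.add` key becomes a nested object, `{"members": {"add": [...]}}`. The function name `add_members` and the chunk size are hypothetical; `client` is assumed to be a logged-in `cpapi.APIClient`, or any object whose `api_call(command, payload)` returns a response with `success` and `error_message`.

```python
def add_members(client, group, members, chunk=50):
    """Append existing objects to an existing group, then publish.

    Members are sent in chunks so no single request grows unbounded.
    If any set-group call fails, the session's pending changes are
    discarded so a half-populated group is never published.
    """
    added = 0
    for i in range(0, len(members), chunk):
        batch = members[i:i + chunk]
        # JSON equivalent of: set group name <group> members.add.1 ... members.add.N
        payload = {"name": group, "members": {"add": batch}}
        res = client.api_call("set-group", payload)
        if not res.success:
            client.api_call("discard", {})
            raise RuntimeError(
                f"set-group failed at member {batch[0]!r}: {res.error_message}")
        added += len(batch)
    pub = client.api_call("publish", {})
    if not pub.success:
        raise RuntimeError(f"publish failed: {pub.error_message}")
    return added

# Usage with the SDK (server name and credentials are placeholders):
#   from cpapi import APIClient, APIClientArgs
#   with APIClient(APIClientArgs(server="mgmt.example.com")) as client:
#       client.login("api_user", "********")
#       add_members(client, "Internal-Nets",
#                   ["Net-192.168.122.0", "Net-192.168.123.0"])
```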