This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Workz
Participant
‎2021-05-23 04:26 AM

Create single group in multiple CMAs or Domains via MDS

I'm looking for API/CLI option from MDS to create a single (or even multiple in future) group and push it into all CMA's/Domains. I tried to see if anything possible apart from logging into each CMA's manually in Dashboard or in CLI too, but didn't find any. So if there is any option to add a group from MDS level that can drill down to all CMA's/domains (we have 13-14 domains)

Note: I've tried using mgmt_cli from MDS and it shows successfully completed but manual check in each domain shows no group created. 

0 Kudos
4 Replies
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2021-05-23 06:14 AM

It sounds like you want to use the MDS global policy. You can create your objects in the global domain and those can be shared with the regular domains.

For that to work, you need to first set a global policy for each domain that you want to use those objects. This is a one-time operation. You can do it from the UI of course, but here is the command if you want to use API:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-global-assignment~v1.7%20 

After that, you can decide when to apply the global objects to the domains. That can be done by assigning the global policy. Again, that can be done from the SmartConsole UI, but for reference, here is the API command:
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/assign-global-assignment~v1.7%20 

BTW, if the use-case that you are trying to achieve is shared block lists, you might want to look at IoC feeds, which is another alternative with some benefits.

0 Kudos
Workz
Participant
‎2021-05-24 04:29 AM
In response to Tomer_Noy

Thanks  Tomer, I'm not looking with MDS global policy, that option probably a last resort. Is there a reason on why from MDS cli, it doesn't accept to push the group to multiple domains/CMA's.?

0 Kudos
Martin_Valenta
Advisor
‎2021-05-24 05:28 AM
In response to Workz

Just create global domain assignement on particular CMA's and don't specify any access control policy and then objects created on global will be displayed under each CMA. After each change on global objects you just need to run re-assignement.

 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/assign-global-assignment~v1.1%20

0 Kudos
Aleksandr_Lisit
Explorer
‎2021-05-27 11:04 PM

You can use bash/API script or any other
#/bin/bash
printf "Enter group name\n"
read GROUPNAME
mgmt_cli  -d %DOMAINNAME1% add group name \"$GROUPNAME\"
.
.
mgmt_cli  -d %DOMAINNAMEN% add group name \"$GROUPNAME\"

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events