Groups with Exclusions

Bob_Zimmerman · ‎2023-01-01

I'm working on ingesting and creating group-with-exclusion objects. In SmartConsole, you can only pick groups for the include and exclude relationships. In the API, it looks like you can pick any traffic endpoint, but not some objects like "None":

[Expert@DallasSA]# mgmt_cli -r true login > session.txt

[Expert@DallasSA]# mgmt_cli -s session.txt -f json add group-with-exclusion name TestGWE include 97aeb36a-9aea-11d5-bd16-0090272ccb30 except 97aeb369-9aea-11d5-bd16-0090272ccb30 details-level full
{
  "code" : "err_validation_failed",
  "message" : "Validation failed with 1 blocking-error",
  "blocking-errors" : [ {
    "message" : "The main group must contain IP-Based objects only."
  } ]
}

[Expert@DallasSA]# mgmt_cli -s session.txt -f json show networks | jq -c '.objects[]|[.uid,.name]'
["b6f64342-f13c-4d60-9435-278d35bd2851","CP_default_Office_Mode_addresses_pool"]
["caee1116-8087-4310-9208-b422d3628a7e","IPv6_Link_Local_Hosts"]

[Expert@DallasSA]# mgmt_cli -s session.txt -f json add group-with-exclusion name TestGWE include b6f64342-f13c-4d60-9435-278d35bd2851 except caee1116-8087-4310-9208-b422d3628a7e details-level standard
{
  "uid" : "2a534519-b8c3-4128-b9ef-d4ec9e0bdfb7",
  "name" : "TestGWE",
  "type" : "group-with-exclusion",
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User",
    "domain-type" : "domain"
  },
  "include" : {
    "uid" : "b6f64342-f13c-4d60-9435-278d35bd2851",
    "name" : "CP_default_Office_Mode_addresses_pool",
    "type" : "network",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "subnet4" : "172.16.10.0",
    "mask-length4" : 24,
    "subnet-mask" : "255.255.255.0",
    "icon" : "NetworkObjects/network",
    "color" : "black"
  },
  "except" : {
    "uid" : "caee1116-8087-4310-9208-b422d3628a7e",
    "name" : "IPv6_Link_Local_Hosts",
    "type" : "network",
    "domain" : {
      "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
      "name" : "Check Point Data",
      "domain-type" : "data domain"
    },
    "subnet6" : "fe80::",
    "mask-length6" : 64,
    "icon" : "NetworkObjects/network",
    "color" : "black"
  },
  "groups" : [ ],
  "comments" : "",
  "color" : "black",
  "icon" : "General/group",
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1672603849758,
      "iso-8601" : "2023-01-01T20:10+0000"
    },
    "last-modifier" : "WEB_API",
    "creation-time" : {
      "posix" : 1672603849758,
      "iso-8601" : "2023-01-01T20:10+0000"
    },
    "creator" : "WEB_API"
  },
  "read-only" : true
}

97aeb36a-9aea-11d5-bd16-0090272ccb30 is the UUID for the "None" object. Can't put that in the 'include' of a GWE.

Is all this expected? I definitely can't use SmartConsole to make that object.

PhoneBoy · ‎2023-01-02

@Omer_Kleinstern

Youssef_Obeidal · ‎2023-01-04

Hi

I see that APIs are missing validations.

that you for reporting that, we will solve it ASAP.

Bob_Zimmerman · ‎2023-01-04

What is intended to be able to go in the "include" property? Only Any or a group?

What about the "exclude" property? Only a group?

If those are the intent, I'll add checking on my end as well.

Are you a member of CheckMates?

Groups with Exclusions