This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mikesleath
Participant
‎2020-11-11 10:40 AM

How do you create objects of type DynamicGlobalNetworkObject via API call

Jump to solution

Hi,

We make significant use of Dynamic Global Network Objects in our policies, specifically for install-on targets but also within global rules as source and destination fields. These were previously created via the following dbedit commands on R77.30

create dynamic_object DMZ_Firewalls_global
modify network_objects DMZ_Firewalls_global bogus_ip 0.0.0.1
modify network_objects DMZ_Firewalls_global color black
modify network_objects DMZ_Firewalls_global comments "All site DMZ virtual firewalls"
update network_objects DMZ_Firewalls_global

And these have been "converted" to an object of 

"type" : "DynamicGlobalNetworkObject"
 
during the process of upgrading to R80.40.
 
How are these objects now created via the API (the add-dynamic-object endpoint does not achieve this). 
 
And another question on this... when attempting to reference the converted DynamicGlobalNetworkObject in global policy creation it is only possible to refer to the object via name when using it as an "install-on" definition, it has to be referred to by UID is attempting to use it in a source or destination definition - any ideas why?
 
Thanks,
 
Mike
0 Kudos
2 Solutions

Accepted Solutions
mikesleath
Participant
‎2020-11-11 11:28 PM
In response to Maarten_Sjouw

Jump to solution

Thanks for the information. Not having the ability to create these "new" variants of the object via the API seems like a bit of a miss as they were available to create via dbedit in the past (this now fails too); our existing tooling is now unable to take full advantage of the API.

And yes, by referencing the UID instead of the name I am able to use the objects in the source/destination field in the policy. I was just wondering if the ability to only reference by UID is either by design, a problem or that the inability to reference by name for that rule field is the problem (referencing by name for the install-on value/field works fine)

View solution in original post

0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-12 07:04 AM

Jump to solution

Hi Mike

Here is a one-liner to create a Global Dynamic Network object in the Global domain using the undocumented add-generic-object API endpoint.
Please Note:
These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.

mgmt_cli -r true -d Global -f json add-generic-object create "com.checkpoint.blades_common.objects.DynamicGlobalNetworkObject" name DMZ_Firewalls_global

 

Here is a small shell script that can be used:
https://github.com/jimoq/CHKP_api_examples/blob/master/mgmt_cli/generic_object_add_dynamic_global_ne...

You can get it to the management server by running

[Expert@mds10:0]# curl_cli -kLs https://raw.githubusercontent.com/jimoq/CHKP_api_examples/master/mgmt_cli/generic_object_add_dynamic_global_network_object.sh > generic_object_add_dynamic_global_network_object.sh
[Expert@mds10:0]# bash generic_object_add_dynamic_global_network_object.sh DMZ_Firewalls

 

Concerning the other issue with adding a Global dynamic object to to source and destination column in the access control rulebase . I tested it and get the same result, for me it looks like a issue that should be resolved by our support, I suggest that you open a ticket with support to get a fix for that

View solution in original post

0 Kudos
6 Replies
Maarten_Sjouw
Champion
Champion
‎2020-11-11 03:04 PM

Jump to solution

Not available as an API object (yet?) therefore not possible to create them that way.

By using the UID reference you can bypass the problem that there is no variable set for the object maybe?

Regards, Maarten
0 Kudos
mikesleath
Participant
‎2020-11-11 11:28 PM
In response to Maarten_Sjouw

Jump to solution

Thanks for the information. Not having the ability to create these "new" variants of the object via the API seems like a bit of a miss as they were available to create via dbedit in the past (this now fails too); our existing tooling is now unable to take full advantage of the API.

And yes, by referencing the UID instead of the name I am able to use the objects in the source/destination field in the policy. I was just wondering if the ability to only reference by UID is either by design, a problem or that the inability to reference by name for that rule field is the problem (referencing by name for the install-on value/field works fine)

0 Kudos
PhoneBoy
Admin
Admin
‎2020-11-12 07:02 AM

Jump to solution

@Omer_Kleinstern can you chime in here?

There are still a handful of attributes/object types that don’t have official API support.
Entirely possible this is doable with the generic-object API.
There are a few examples in the community (not for this specifically).

0 Kudos
mikesleath
Participant
‎2020-11-12 08:14 AM
In response to PhoneBoy

Jump to solution

thanks for the detail.

0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-12 07:04 AM

Jump to solution

Hi Mike

Here is a one-liner to create a Global Dynamic Network object in the Global domain using the undocumented add-generic-object API endpoint.
Please Note:
These APIs provide direct access to different objects and fields in the database. As a result if an objects schema change, scripts that relied on specific schema fields may break.

As the generic-object(s) API calls have direct access to change different objects and fields in the database, they do not provide any data validation to ensure that the data added to the fields are following required format for this field. Therefore you have to ensure that the script or 3rd party system you are using to integrate with the management server is doing appropriate data validation before sending the API call.

mgmt_cli -r true -d Global -f json add-generic-object create "com.checkpoint.blades_common.objects.DynamicGlobalNetworkObject" name DMZ_Firewalls_global

 

Here is a small shell script that can be used:
https://github.com/jimoq/CHKP_api_examples/blob/master/mgmt_cli/generic_object_add_dynamic_global_ne...

You can get it to the management server by running

[Expert@mds10:0]# curl_cli -kLs https://raw.githubusercontent.com/jimoq/CHKP_api_examples/master/mgmt_cli/generic_object_add_dynamic_global_network_object.sh > generic_object_add_dynamic_global_network_object.sh
[Expert@mds10:0]# bash generic_object_add_dynamic_global_network_object.sh DMZ_Firewalls

 

Concerning the other issue with adding a Global dynamic object to to source and destination column in the access control rulebase . I tested it and get the same result, for me it looks like a issue that should be resolved by our support, I suggest that you open a ticket with support to get a fix for that

0 Kudos
mikesleath
Participant
‎2020-11-12 08:14 AM
In response to Jim_Oqvist

Jump to solution

Jim,

Thanks a lot for the detail. Fully understand that there is a lack of validation - will use this with care.

Mike

0 Kudos