Bob_Zimmerman
Authority

Rules for objects from a CPDataDomain?

While learning how to deal with MDSs via the management API, I've run across some interesting behavior with objects from a domain of type "CPDataDomain" or "data domain" (these appear to be different values for the same internal object type).

[Expert@TestMDS:0]# aolUuid="97aeb44f-9aea-11d5-bd16-0090272ccb30"

[Expert@TestMDS:0]# mgmt_cli -f json -r true -d "Contoso" show object uid "${aolUuid}" details-level full | jq '.object|{domain:.domain,color:.color}'
{
  "domain": {
    "uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name": "Check Point Data",
    "domain-type": "data domain"
  },
  "color": "red"
}

[Expert@TestMDS:0]# mgmt_cli -f json -r true -d "ParnellAero" show object uid "${aolUuid}" details-level full | jq '.object|{domain:.domain,color:.color}'
{
  "domain": {
    "uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name": "Check Point Data",
    "domain-type": "data domain"
  },
  "color": "red"
}

[Expert@TestMDS:0]# mgmt_cli -f json -r true -d "Contoso" set service-tcp uid "${aolUuid}" color black >/dev/null
---------------------------------------------
Time: [15:19:36] 14/6/2024
---------------------------------------------
"Publish operation"  succeeded  (100%)  

[Expert@TestMDS:0]# mgmt_cli -f json -r true -d "Contoso" show object uid "${aolUuid}" details-level full | jq '.object|{domain:.domain,color:.color}'
{
  "domain": {
    "uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name": "Check Point Data",
    "domain-type": "data domain"
  },
  "color": "black"
}

[Expert@TestMDS:0]# mgmt_cli -f json -r true -d "ParnellAero" show object uid "${aolUuid}" details-level full | jq '.object|{domain:.domain,color:.color}'
{
  "domain": {
    "uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
    "name": "Check Point Data",
    "domain-type": "data domain"
  },
  "color": "red"
}

Even though these both have the same UUID, clearly they are not the same object, as you would see from the Global domain.

What does the data domain signify? It looks like when a domain is instantiated, it gets local copies of all of the objects from the data domain, but those copies still show as belonging to the data domain. Is this significant?

Are there any things we can do with objects created from scratch in the domain which we can't do with objects copied from the data domain? What about the other way around?

Accepted Solutions

Omer_Kleinstern
Employee

Objects from the "Check Point Data" domain are default objects that are shared by all other domains and in most cases cannot be edited.

In the case of services, there is a field called "override-default-settings" that indicates whether this service is a Data Domain service which has been overridden (meaning a local copy has been created in the specific domain with changes from the default settings).

3 Replies

PhoneBoy
Admin
Bob_Zimmerman
Authority

Interesting! I just dumped all the objects in an empty CMA (I created it on the MDS, but never created any objects in it), filtered them down to just the domain and type, sorted them, and deduplicated.

[Expert@TestMDS:0]# jq -c '{domain:.domain.name,type:.type}' <objects.jsonl | sort | uniq -c
   8198 {"domain":"APPI Data","type":"application-site"}
    171 {"domain":"APPI Data","type":"application-site-category"}
      1 {"domain":"Check Point Data","type":"ApproveUserCheckInteractionScheme"}
      5 {"domain":"Check Point Data","type":"AskUserCheckInteractionScheme"}
      1 {"domain":"Check Point Data","type":"CancelUserCheckInteractionScheme"}
      4 {"domain":"Check Point Data","type":"CpmiAppfwLimit"}
      1 {"domain":"Check Point Data","type":"CpmiCustomDataType"}
      1 {"domain":"Check Point Data","type":"Internet"}
      1 {"domain":"Check Point Data","type":"application-site-category"}
      1 {"domain":"Check Point Data","type":"data-center-server"}
      6 {"domain":"Check Point Data","type":"dynamic-object"}
      2 {"domain":"Check Point Data","type":"multicast-address-range"}
      1 {"domain":"Check Point Data","type":"network"}
      5 {"domain":"Check Point Data","type":"repository-script"}
      4 {"domain":"Check Point Data","type":"security-zone"}
      1 {"domain":"Check Point Data","type":"service-citrix-tcp"}
      4 {"domain":"Check Point Data","type":"service-compound-tcp"}
     23 {"domain":"Check Point Data","type":"service-dce-rpc"}
     52 {"domain":"Check Point Data","type":"service-group"}
     10 {"domain":"Check Point Data","type":"service-gtp"}
     13 {"domain":"Check Point Data","type":"service-icmp"}
     24 {"domain":"Check Point Data","type":"service-icmp6"}
     43 {"domain":"Check Point Data","type":"service-other"}
     18 {"domain":"Check Point Data","type":"service-rpc"}
    217 {"domain":"Check Point Data","type":"service-tcp"}
     96 {"domain":"Check Point Data","type":"service-udp"}
      3 {"domain":"Check Point Data","type":"time"}
      4 {"domain":"Check Point Data","type":"user-check-drop"}
      1 {"domain":"Empty","type":""}
      1 {"domain":"Empty","type":"AskUserCheckInteractionScheme"}
      1 {"domain":"Empty","type":"CancelUserCheckInteractionScheme"}
      3 {"domain":"Empty","type":"CertificateTemplateUserCheckInteractionScheme"}
    109 {"domain":"Empty","type":"CpmiCompoundDataType"}
      6 {"domain":"Empty","type":"CpmiCustomDataType"}
    150 {"domain":"Empty","type":"CpmiDictionaryDataType"}
      6 {"domain":"Empty","type":"CpmiDlpUserCheckInteractionScheme"}
      1 {"domain":"Empty","type":"CpmiExternalBccDataType"}
     26 {"domain":"Empty","type":"CpmiFileDataType"}
     34 {"domain":"Empty","type":"CpmiGroupDataType"}
      1 {"domain":"Empty","type":"CpmiInternalCaServer"}
      2 {"domain":"Empty","type":"CpmiMessageAttributesDataType"}
     22 {"domain":"Empty","type":"CpmiNcodeDataType"}
    274 {"domain":"Empty","type":"CpmiPatternDataType"}
     16 {"domain":"Empty","type":"CpmiTemplateBasedDataType"}
      2 {"domain":"Empty","type":"CpmiUnintentionalRecipientDataType"}
     23 {"domain":"Empty","type":"CpmiWeightedWordsDataType"}
    100 {"domain":"Empty","type":"CpmiWordsDataType"}
      2 {"domain":"Empty","type":"InformUserCheckInteractionScheme"}
      2 {"domain":"Empty","type":"address-range"}
      1 {"domain":"Empty","type":"checkpoint-host"}
      1 {"domain":"Empty","type":"network"}
      1 {"domain":"Empty","type":"user-check-drop"}
      1 {"domain":"Empty","type":"user-template"}
      1 {"domain":"Empty","type":"vpn-community-meshed"}
      1 {"domain":"Empty","type":"vpn-community-remote-access"}
     18 {"domain":"IPS Data","type":"service-dce-rpc"}
      2 {"domain":"IPS Data","type":"service-group"}

So some User Check schemes are from a data domain, some are copied into the CMA when it's built. Most DLP data types are copied into the CMA when it's built, but one comes from a data domain. In case anybody is curious about exactly which objects are from the data domain:

[Expert@TestMDS:0]# jq -c 'if .domain.name == "Check Point Data" then {readOnly:."read-only",type:.type,name:.name} else empty end' <objects.jsonl | grep -v '"type":"service' | sort
{"readOnly":false,"type":"data-center-server","name":"Online Services"}
{"readOnly":null,"type":"ApproveUserCheckInteractionScheme","name":"Threat Extraction Success Page"}
{"readOnly":null,"type":"AskUserCheckInteractionScheme","name":"Company Policy Anti-Bot"}
{"readOnly":null,"type":"AskUserCheckInteractionScheme","name":"Company Policy Anti-Virus"}
{"readOnly":null,"type":"AskUserCheckInteractionScheme","name":"Company Policy Threat Emulation"}
{"readOnly":null,"type":"AskUserCheckInteractionScheme","name":"Company Policy Threat Extraction"}
{"readOnly":null,"type":"AskUserCheckInteractionScheme","name":"Company Policy Zero Phishing"}
{"readOnly":null,"type":"CancelUserCheckInteractionScheme","name":"Cancel Page Threat Prevention"}
{"readOnly":null,"type":"CpmiAppfwLimit","name":"Download_10Mbps"}
{"readOnly":null,"type":"CpmiAppfwLimit","name":"Download_1Gbps"}
{"readOnly":null,"type":"CpmiAppfwLimit","name":"Upload_10Mbps"}
{"readOnly":null,"type":"CpmiAppfwLimit","name":"Upload_1Gbps"}
{"readOnly":null,"type":"CpmiCustomDataType","name":"Any File"}
{"readOnly":null,"type":"Internet","name":"Internet"}
{"readOnly":true,"type":"application-site-category","name":"Custom_Application_Site"}
{"readOnly":true,"type":"dynamic-object","name":"AuxiliaryNet"}
{"readOnly":true,"type":"dynamic-object","name":"CPDShield"}
{"readOnly":true,"type":"dynamic-object","name":"DMZNet"}
{"readOnly":true,"type":"dynamic-object","name":"InternalNet"}
{"readOnly":true,"type":"dynamic-object","name":"LocalMachine"}
{"readOnly":true,"type":"dynamic-object","name":"LocalMachine_All_Interfaces"}
{"readOnly":true,"type":"multicast-address-range","name":"All_DHCPv6_Relay_Agents_and_Servers"}
{"readOnly":true,"type":"multicast-address-range","name":"All_DHCPv6_Servers"}
{"readOnly":true,"type":"network","name":"IPv6_Link_Local_Hosts"}
{"readOnly":true,"type":"repository-script","name":"List Check Point Services"}
{"readOnly":true,"type":"repository-script","name":"Show Assets"}
{"readOnly":true,"type":"repository-script","name":"Show Configuration"}
{"readOnly":true,"type":"repository-script","name":"Show OS Info"}
{"readOnly":true,"type":"repository-script","name":"Show Policy Status"}
{"readOnly":true,"type":"security-zone","name":"DMZZone"}
{"readOnly":true,"type":"security-zone","name":"ExternalZone"}
{"readOnly":true,"type":"security-zone","name":"InternalZone"}
{"readOnly":true,"type":"security-zone","name":"WirelessZone"}
{"readOnly":true,"type":"time","name":"Every_Day"}
{"readOnly":true,"type":"time","name":"Off_Work"}
{"readOnly":true,"type":"time","name":"Weekend"}
{"readOnly":true,"type":"user-check-drop","name":"Anti-Bot Blocked"}
{"readOnly":true,"type":"user-check-drop","name":"Anti-Virus Blocked"}
{"readOnly":true,"type":"user-check-drop","name":"Threat Emulation Blocked"}
{"readOnly":true,"type":"user-check-drop","name":"Zero Phishing Blocked"}

I'm guessing the ones without a "read-only" key (the rows which show as "readOnly":null above) are object types which aren't fully integrated into the API as of R81.20 jumbo 65, so I should default the read-only key to true if it can't be found.

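An added example that ties Omer's answer (the "override-default-settings" field on data-domain services) to Bob's follow-up (defaulting a missing "read-only" key to true). It is my code, not code from the thread or from Check Point. The field names are the ones visible in the thread's mgmt_cli output: uid, name, type, color, domain.name, domain.domain-type, read-only and override-default-settings. The records are constructed samples, the object name "AOL" and the override-default-settings values are made up to exercise each branch, and it is an assumption that a regular domain reports domain-type "domain". It reads the same one-object-per-line dump Bob fed to jq, classifies each object by origin, and compares objects that share a UID across two domain dumps, which is how you would catch a per-domain copy of a data-domain object that has drifted from the default.

```python
"""Classify a Check Point MDS domain object dump (JSON Lines) by origin.

Added example for this thread; not code from the thread or from Check Point.
Field names follow what the thread shows in mgmt_cli output. Assumption: a
regular (non-data) domain reports domain-type "domain".
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

DATA_DOMAIN_TYPE = "data domain"

# UID taken from the thread's transcript; the records below are constructed
# samples, and the override-default-settings values are made up.
AOL_UID = "97aeb44f-9aea-11d5-bd16-0090272ccb30"
CP_DATA = {"name": "Check Point Data", "domain-type": DATA_DOMAIN_TYPE}

SAMPLE_CONTOSO = "\n".join(json.dumps(o) for o in [
    {"uid": AOL_UID, "name": "AOL", "type": "service-tcp", "color": "black",
     "read-only": False, "override-default-settings": True, "domain": CP_DATA},
    {"uid": "u-time-1", "name": "Every_Day", "type": "time", "color": "black",
     "read-only": True, "domain": CP_DATA},
    {"uid": "u-inet-1", "name": "Internet", "type": "Internet", "color": "black",
     "domain": CP_DATA},                      # no read-only key at all
    {"uid": "u-dcs-1", "name": "Online Services", "type": "data-center-server",
     "color": "black", "read-only": False, "domain": CP_DATA},
    {"uid": "u-host-1", "name": "Web_Server", "type": "host", "color": "blue",
     "read-only": False, "domain": {"name": "Contoso", "domain-type": "domain"}},
])

SAMPLE_PARNELL = "\n".join(json.dumps(o) for o in [
    {"uid": AOL_UID, "name": "AOL", "type": "service-tcp", "color": "red",
     "read-only": False, "override-default-settings": False, "domain": CP_DATA},
    {"uid": "u-time-1", "name": "Every_Day", "type": "time", "color": "black",
     "read-only": True, "domain": CP_DATA},
])


def parse_jsonl(text: str) -> List[dict]:
    """One JSON object per non-empty line, as produced by jq -c."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_from_data_domain(obj: dict) -> bool:
    return obj.get("domain", {}).get("domain-type") == DATA_DOMAIN_TYPE


def is_read_only(obj: dict) -> bool:
    """A missing read-only key is treated as read-only (fail closed)."""
    value = obj.get("read-only")
    return True if value is None else bool(value)


def is_overridden_default(obj: dict) -> bool:
    """Data-domain service whose local copy carries changed default settings."""
    return is_from_data_domain(obj) and bool(obj.get("override-default-settings", False))


def classify(obj: dict) -> str:
    if not is_from_data_domain(obj):
        return "local"
    if is_overridden_default(obj):
        return "data-domain-overridden"
    return "data-domain-readonly" if is_read_only(obj) else "data-domain-editable"


def summarize(objs: Iterable[dict]) -> Counter:
    return Counter(classify(o) for o in objs)


def diff_shared_uids(objs_a: Iterable[dict], objs_b: Iterable[dict],
                     fields: Tuple[str, ...] = ("color",)) -> Dict[str, Dict[str, tuple]]:
    """For objects present in both dumps by UID, report fields whose values differ.

    A shared UID from a data domain is a per-domain copy, so a difference here
    means one domain's copy was changed, not that shared state was edited.
    """
    by_uid_b = {o["uid"]: o for o in objs_b}
    diffs: Dict[str, Dict[str, tuple]] = {}
    for obj in objs_a:
        other = by_uid_b.get(obj["uid"])
        if other is None:
            continue
        changed = {f: (obj.get(f), other.get(f)) for f in fields if obj.get(f) != other.get(f)}
        if changed:
            diffs[obj["uid"]] = changed
    return diffs


if __name__ == "__main__":
    contoso = parse_jsonl(SAMPLE_CONTOSO)
    parnell = parse_jsonl(SAMPLE_PARNELL)
    for name, objs in (("Contoso", contoso), ("ParnellAero", parnell)):
        print(name, dict(summarize(objs)))
    for uid, changed in diff_shared_uids(contoso, parnell).items():
        print("differs across domains:", uid, changed)
```

To run it against a real CMA, replace the two SAMPLE_* strings with the output of `mgmt_cli ... show objects ... details-level full` flattened to one object per line with jq -c, as in Bob's dump; the diff step only makes sense between dumps of two different domains on the same MDS.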