This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2021-09-24 08:52 AM

Several questions regarding tags and the management API

Hello community!

I have an issue with my Check Point management environment, which is related to the tagging possibilities and logic. The management server itself is running R80.40, but I think that this does not matter as I have read the docs regarding further releases and related management API versions. So to begin...

The environment is kinda large with lots of administrators who perform daily tasks. Not of all the tasks are automated, so manual creation of specific objects and rules is necessary. In regards to tags we have a model where each resource needs to be tagged in way that makes sense, so that the tags can be used to build a logical connection relatedto internal departments/applications etc. Now to the actual issue:

If someone enters a tag like "Tagname:XYZ" and instantly presses enter, the SmartConsole application creates a new tag, even though there may already be an existing one with exactly the same name. (When you enter a tag name within another object, like for example a host.) This leads to the fact that we have lots of tags with the same name but different UIDs (as they are technically different objects). [I know, that a dropdown for given tags gets displayed when you enter a tag name without instantly pressing enter.]

 

This behaviour raises the following questions:

> Is there some way to restrict permissions of users / groups within the SmartConsole to specific API calls, so that some admins can only select tags for new resources without the chance to create new tags (which would basically eliminate the described problem)? A first lookup in the permission profile section of the SmartConsole did not list such a granular option.

> Due to the current "tagging chaos" I am currently trying to find a way to sort this out by removing identical tag names and alter respective tagged resources/objects. During a first evaluation I realized, that the api call for "where-used" can not be used on tags, while the SmartConsole provides such an option (via Manage & Settings => Tags => Where Used ... [in the top bar]). When I try to perform the where-used api operation with an UID that belongs to a tag the API responds that the object could not be found. (A "show object uid xyz" with the same uid can be executed successfully.)

Thanks in advance for any replies!

 

Regards,

Maik

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-09-24 04:15 PM

The way you would restrict creation of tags would be a SmartTask that confirms only specific tags can be created.
This particular SmartTask only allows changes to specifically tagged objects and could presumably be modified to support this requirement: https://community.checkpoint.com/t5/Management/SmartTask-Custom-Permissions/m-p/77247#M11281

For the second question, not sure.
@Omer_Kleinstern can you comment?

Maik
Advisor
‎2021-09-27 08:11 AM
In response to PhoneBoy

Thanks, I will have a look at the mentioned SmartTask! At a first glance this seems to be quite helpful in this case.

Looking forward for a reply in regards to the second question @Omer_Kleinstern 

 

0 Kudos
Omer_Kleinstern
Employee
Employee
‎2021-09-29 02:07 AM
In response to Maik

Hi @Maik,

 

To retrieve all the objects with a specific tag name you can use show-objects and set the filter argument with the tag name.

Regarding where-used on tags, I recommend opening a TAC case.

 

Thanks,

Omer

Maik
Advisor
‎2021-09-30 02:19 AM
In response to Omer_Kleinstern

Thanks, I will open a TAC case once I can confirm whether the creation of tags can be controlled via the provided SmartTask or other tools.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-30 12:33 PM
In response to Maik

You would have to create a SmartTask to do this, using the one I provided as a basis for it.
Nothing "out of the box" does it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events