Hi all!
We just upgraded one test system to R80.20 which brought us the API version 1.3.
In the past (v1.1 and v1.2) we were also getting the memberships while executing "show-hosts".
Since v1.3 there is no members array in the response anymore.
Only if we put "show-membership" : true in the request body, we are getting them...
The documentation is saying that the default value for the attribute "show-membership" is true in all versions since v1.1.
Was there a change in v1.3? Is the documentation wrong in this case?
Regards,
Konstantin
I can confirm that the CLI will not show any membership.
The command I used: show-hosts show-membership true
But what is the expected behavior? I would expect that it shows the memberships.
Using the REST API on the v1.3 machine:
Request-Body (offset set to 31 to squeeze out the other hosts I don't need here):
{
  "limit" : 50,
  "offset" : 31,
  "details-level" : "full"
}
Output:
{
  "objects": [
    {
      "uid": "886f7de8-04a1-45f6-9c35-3b6b5984373c",
      "name": "test.OWE.Memberships",
      "type": "host",
      "domain": {
        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "name": "SMC User",
        "domain-type": "domain"
      },
      "ipv4-address": "127.0.0.15",
      "interfaces": [],
      "nat-settings": {
        "auto-rule": false
      },
      "comments": "test.OWE.Memberships",
      "color": "black",
      "icon": "Objects/host",
      "tags": [],
      "meta-info": {
        "lock": "unlocked",
        "validation-state": "ok",
        "last-modify-time": {
          "posix": 1561570479439,
          "iso-8601": "2019-06-26T19:34+0200"
        },
        "last-modifier": "api-user",
        "creation-time": {
          "posix": 1561570479439,
          "iso-8601": "2019-06-26T19:34+0200"
        },
        "creator": "api-user"
      },
      "read-only": false
    }
  ],
  "from": 32,
  "to": 32,
  "total": 32
}
Request-Body with show-membership:
{
  "show-membership" : true,
  "limit" : 50,
  "offset" : 31,
  "details-level" : "full"
}
Output:
{
  "objects": [
    {
      "uid": "886f7de8-04a1-45f6-9c35-3b6b5984373c",
      "name": "test.OWE.Memberships",
      "type": "host",
      "domain": {
        "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
        "name": "SMC User",
        "domain-type": "domain"
      },
      "ipv4-address": "127.0.0.15",
      "interfaces": [],
      "nat-settings": {
        "auto-rule": false
      },
      "groups": [
        {
          "uid": "3ad66a53-6e1b-44af-ae86-9768b2575938",
          "name": "Grp_OWE_TestMembership",
          "type": "group",
          "domain": {
            "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
            "name": "SMC User",
            "domain-type": "domain"
          },
          "members": [
            "886f7de8-04a1-45f6-9c35-3b6b5984373c"
          ],
          "groups": [],
          "comments": "Grp_OWE_TestMembership",
          "color": "black",
          "icon": "General/group",
          "tags": [],
          "meta-info": {
            "lock": "unlocked",
            "validation-state": "ok",
            "last-modify-time": {
              "posix": 1561572003951,
              "iso-8601": "2019-06-26T20:00+0200"
            },
            "last-modifier": "api-user",
            "creation-time": {
              "posix": 1561570389669,
              "iso-8601": "2019-06-26T19:33+0200"
            },
            "creator": "api-user"
          },
          "read-only": false
        }
      ],
      "comments": "test.OWE.Memberships",
      "color": "black",
      "icon": "Objects/host",
      "tags": [],
      "meta-info": {
        "lock": "unlocked",
        "validation-state": "ok",
        "last-modify-time": {
          "posix": 1561570479439,
          "iso-8601": "2019-06-26T19:34+0200"
        },
        "last-modifier": "api-user",
        "creation-time": {
          "posix": 1561570479439,
          "iso-8601": "2019-06-26T19:34+0200"
        },
        "creator": "api-user"
      },
      "read-only": false
    }
  ],
  "from": 32,
  "to": 32,
  "total": 32
}
If I run it against a v1.1 or v1.2 machine it always gives me the memberships, regardless of whether I use the "show-membership" parameter or not.
Any idea?
Yes, if I call /web_api/v1.1/show-hosts or /web_api/v1.2/show-hosts on R80.20 I'm getting the previous result.
If I call explicitly /web_api/v1.3/show-hosts I'm not getting the memberships.
Are you or someone else able to reproduce this?
Personally, I haven't tried this with the API (versus using mgmt_cli).
Like I suggested before, a TAC case will help move this forward.
Also tagging @Amiad_Stern in case his team can provide any insight on this issue.
@KonstantinS, we did change the defaults in v1.3 due to performance impact and the fact that this data is redundant most of the time (you will get it if you query all groups or do it for a specific object if needed). Documentation should be fixed.
Thank you!
Then the documentation for v1.4 and v1.5 is also wrong?
Any idea why the CLI is not returning any membership? Is this a bug?
@Amiad_Stern oh sorry, I see my mistake. I forgot to set the details-level to full when using the CLI.
@PhoneBoy Maybe you made the same mistake? 😉
As @PhoneBoy already mentioned, if you use the CLI with the command e.g. "show-hosts show-membership true" no memberships are returned.
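The behaviour settled in this thread, as an added example (not code from any of the posters or from Check Point): an audit script that sends "show-membership" explicitly, pins the API version in the path, and fails closed when a host comes back without a "groups" field instead of reading that as "member of no group". The function names and the trimmed sample responses are constructed for illustration; it assumes a host with no memberships is returned with an empty "groups" list, as the nested group object in the output above is.

```python
import json


def show_hosts_request(version="v1.3", limit=50, offset=0):
    """Return (path, body) for show-hosts with membership requested explicitly."""
    body = {
        "show-membership": True,   # default changed in v1.3, so always send it
        "details-level": "full",   # as used in the thread's requests
        "limit": limit,
        "offset": offset,
    }
    # Versioned path form as quoted in the thread (/web_api/v1.3/show-hosts).
    return f"/web_api/{version}/show-hosts", body


class MembershipMissing(Exception):
    """The response carries no membership data (not the same as 'in no group')."""


def host_memberships(response):
    """Map host name -> sorted group names; raise if 'groups' is absent."""
    result = {}
    for obj in response["objects"]:
        if "groups" not in obj:
            # Assumption: with show-membership true, the key is always present.
            raise MembershipMissing(obj["name"])
        result[obj["name"]] = sorted(g["name"] for g in obj["groups"])
    return result


# Constructed samples, trimmed from the two outputs shown in the thread.
WITHOUT_FLAG = json.loads("""{"objects": [{"name": "test.OWE.Memberships",
  "type": "host", "ipv4-address": "127.0.0.15"}],
  "from": 32, "to": 32, "total": 32}""")
WITH_FLAG = json.loads("""{"objects": [{"name": "test.OWE.Memberships",
  "type": "host", "ipv4-address": "127.0.0.15",
  "groups": [{"name": "Grp_OWE_TestMembership", "type": "group"}]}],
  "from": 32, "to": 32, "total": 32}""")

if __name__ == "__main__":
    print(show_hosts_request(offset=31))
    print(host_memberships(WITH_FLAG))
    try:
        host_memberships(WITHOUT_FLAG)
    except MembershipMissing as exc:
        print("membership data not returned for", exc)
```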