Paulo_Aun
Ivory

Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

I need to create an object network for the list of ranges 

Is there an easy way to create this list ? My firewall version is R77.30 

0 Kudos
6 Replies
Employee+

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

You can use the Check Point Management APIs to accomplish this.
I have updated some scripts that accomplish this HERE. They are written in Python and will create the network objects for the AWS public IP nets.
You can find PowerShell functions here as well; I have worked on one of those too, but am still refining the code.

Hope this helps !

0 Kudos
Danny
Pearl

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

His firewall version is R77.30, so there are no APIs.

The easiest way I can think of is Confwiz, sometimes called CPConfWiz:

1. Create a test IP range.
2. Export your SmartCenter (SMC) config via Confwiz and note the XML syntax for your test IP range.
3. Open https://ip-ranges.amazonaws.com/ip-ranges.json in your preferred text editor and adjust the syntax via Search & Replace to match the required XML syntax.
4. Import the XML containing all your required ranges back into your SMC via Confwiz.

Note: The Confwiz tool was recently changed to be available for Check Point internal staff only. Therefore create a service request or ask your Check Point support partner, or google it.

0 Kudos
Employee+

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

His management is R80.10, and the API works on the management, not on the gateway.

The policy push then sends the objects and policy to the R77.30 gateway, formatted for R77.30.

Best to have as recent Jumbo as possible.

CB Currier

0 Kudos
Danny
Pearl

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

I understand he opened his request in this R80.10 Management thread. I was just under the impression that he is using R77.30 on his management as well, because he wrote that his firewall version (gateway + management) is R77.30. There is no R77.30 Management thread here where he could have posted his question otherwise.

0 Kudos
Admin

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

Rather than make assumptions, let's ask Paulo Aun what version of management he's using.

The mechanics of the answer are different for R77.30 and R80.10 management, but it boils down to: write a script that parses the .json from Amazon and outputs commands either to dbedit (R77.30) or the API (R80.10).

dbedit is documented here: Command Line Interface R77 

Confwiz is another way to achieve the same result. 

There are several example scripts for R80.x in the Developers (Code Hub) section.

0 Kudos
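The approach described in the answer above (parse the JSON from Amazon, emit commands for dbedit on R77.30 or for the API on R80.10) as an added example. This is not code from the thread, from Check Point or from the Code Hub; it runs against a constructed sample in the same shape as ip-ranges.json, merges prefixes that AWS lists under several services, and writes both command sets. The object and group names (AWS_..., Amazon_AWS) are my own choice, and the dbedit output is limited to IPv4 because the dbedit field names for IPv6 networks are not covered on this page.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (documentation prefixes,
# not real AWS data). The same CIDR is deliberately listed under two services.
SAMPLE_JSON = """{
  "syncToken": "1500000000",
  "createDate": "2017-07-14-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "S3"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON"}
  ]
}"""


def load_prefixes(text):
    """Parse an ip-ranges.json document into (marker, [(network, info), ...]).

    AWS lists one CIDR once per service (e.g. AMAZON and EC2), so entries are
    merged per prefix; the marker records which snapshot the objects came from.
    """
    data = json.loads(text)
    marker = "syncToken=%s createDate=%s" % (data["syncToken"], data["createDate"])
    merged = {}
    for key, items in (("ip_prefix", data.get("prefixes", [])),
                       ("ipv6_prefix", data.get("ipv6_prefixes", []))):
        for item in items:
            # strict=True raises ValueError if host bits are set, rather than
            # silently creating an object that does not match the published range
            net = ipaddress.ip_network(item[key], strict=True)
            info = merged.setdefault(net, {"services": set(), "regions": set()})
            info["services"].add(item["service"])
            info["regions"].add(item["region"])
    # IPv4 before IPv6, each family in address order (families do not compare)
    ordered = sorted(merged.items(), key=lambda kv: (kv[0].version, kv[0]))
    return marker, ordered


def object_name(net):
    """Object name unique per prefix, using only letters, digits and underscores."""
    addr = str(net.network_address).replace(".", "_").replace(":", "_")
    return "AWS_%s_%d" % (addr, net.prefixlen)


def _comment(marker, info):
    return "AWS %s %s %s" % ("/".join(sorted(info["services"])),
                             "/".join(sorted(info["regions"])), marker)


def dbedit_commands(marker, entries, group="Amazon_AWS"):
    """Script for `dbedit -local -f <file>` on an R77.30 SmartCenter (IPv4 only)."""
    lines = ["create network_object_group %s" % group]
    for net, info in entries:
        if net.version != 4:
            continue  # assumption: IPv6 dbedit fields not covered here
        name = object_name(net)
        lines += [
            "create network %s" % name,
            "modify network_objects %s ipaddr %s" % (name, net.network_address),
            "modify network_objects %s netmask %s" % (name, net.netmask),
            'modify network_objects %s comments "%s"' % (name, _comment(marker, info)),
            "update network_objects %s" % name,
            "addelement network_objects %s '' network_objects:%s" % (group, name),
        ]
    lines += ["update network_objects %s" % group, "savedb", "quit"]
    return lines


def mgmt_cli_commands(marker, entries, group="Amazon_AWS"):
    """Batch file for `mgmt_cli -b <file>` against an R80.10 management."""
    lines = ['add group name "%s" color "orange"' % group]
    for net, info in entries:
        if net.version == 4:
            addr = 'subnet4 "%s" mask-length4 %d' % (net.network_address, net.prefixlen)
        else:
            addr = 'subnet6 "%s" mask-length6 %d' % (net.network_address, net.prefixlen)
        lines.append('add network name "%s" %s groups.1 "%s" color "orange" comments "%s"'
                     % (object_name(net), addr, group, _comment(marker, info)))
    lines.append("publish")
    return lines


if __name__ == "__main__":
    marker, entries = load_prefixes(SAMPLE_JSON)
    print("\n".join(dbedit_commands(marker, entries)))
    print("\n".join(mgmt_cli_commands(marker, entries)))
```

Replace SAMPLE_JSON with the downloaded file, take a backup of the management database first, and feed the dbedit output to `dbedit -local -f` on R77.30 or the mgmt_cli output to `mgmt_cli -b` after logging in on R80.10. The syncToken in each object's comment tells you which snapshot created it, so a later run can tell stale objects from current ones.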

Re: Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

For R80 I was able to cook a test PowerShell script:

#
# Download Amazon network Details
#
# (C) 2017, Hugo van der Kooij
#
# Don't forget to run `Install-Module psCheckPoint` (as administrator) once!
#
# WARNING: This script may put a significant load on your SmartCenter!
#

# Import Modules
Write-Host " *** Loading Modules *** "
Import-Module psCheckPoint

# Download Amazon AWS IP Ranges into Object
$AmazonAWSURI = "https://ip-ranges.amazonaws.com/ip-ranges.json"
$AmazonAWS = Invoke-WebRequest -Uri $AmazonAWSURI -DisableKeepAlive | ConvertFrom-JSON
$SyncToken = $AmazonAWS.syncToken
$CreateDate = $AmazonAWS.createDate
$Marker = "syncToken = $SyncToken; createDate = $CreateDate"

$Comments = "Amazon AWS - $Marker"

# Ignore Certificate Block on self-sign certificate
# NOTE: this disables TLS certificate validation for the whole PowerShell
# process, not just for the Check Point API. The AWS download above already
# ran with validation on; trusting the management server's certificate
# properly would make this block unnecessary.
Write-Verbose " *** Ignore Private Certificates *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** "
$Session = Open-CheckPointSession

Write-Verbose "New-CheckPointGroup -Session $Session -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments "$Comments" -DetailsLevel "None"

# Get-Unique only drops adjacent duplicates, so sort first (as done for regions below)
$Services = ($AmazonAWS.prefixes.service + $AmazonAWS.ipv6_prefixes.service) | Sort | Get-Unique
ForEach ($Service in $Services) {
$GroupName = "Amazon_AWS_Service_$Service"
Write-Host "New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Service -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Service -Color "Orange" -Comments "$Comments"
}

$Regions = ($AmazonAWS.prefixes.region + $AmazonAWS.ipv6_prefixes.region) | Sort | Get-Unique
ForEach ($Region in $Regions) {
$GroupName = "Amazon_AWS_Region_$Region"
Write-Host "New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Region -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Region -Color "Orange" -Comments "$Comments"
}

foreach($Prefix in $AmazonAWS.prefixes) {
$Network = $Prefix.ip_prefix.Split("/")[0]
$NetworkMaskLength = $Prefix.ip_prefix.Split("/")[1]
$Region = $Prefix.region
$RegionGroup = "Amazon_AWS_Region_$Region"
$Service = $Prefix.service
$ServiceGroup = "Amazon_AWS_Service_$Service"
$Name = "Amazon_AWS_$Network/$NetworkMaskLength"
Write-Host "New-CheckPointNetwork -Session $Session -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
New-CheckPointNetwork -Session $Session -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}

foreach($Prefix in $AmazonAWS.ipv6_prefixes) {
$Network = $Prefix.ipv6_prefix.Split("/")[0]
$NetworkMaskLength = $Prefix.ipv6_prefix.Split("/")[1]
$Region = $Prefix.region
$RegionGroup = "Amazon_AWS_Region_$Region"
$Service = $Prefix.service
$ServiceGroup = "Amazon_AWS_Service_$Service"
Write-Verbose "$Network/$NetworkMaskLength | $Region | $Service"
$Name = "Amazon_AWS_$Network/$NetworkMaskLength"
Write-Host "New-CheckPointNetwork -Session $Session -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
New-CheckPointNetwork -Session $Session -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}


# Publish Changes
Write-Verbose " *** Publish Session changes *** "
Publish-CheckPointSession -Session $Session
Reset-CheckPointSession -Session $Session

# Logout from Check Point API
Write-Verbose " *** Logout Session *** "
Close-CheckPointSession -Session $Session

# Restore default certificate validation. A callback returning $False would
# reject every certificate for the rest of the process; $null restores the default.
Write-Verbose " *** Ignore Private Certificates no longer *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null

# Remove Modules
Write-Verbose " *** Remove Modules *** "
Remove-Module psCheckPoint

# DONE!