Tomer_Sole
Mentor

Did you know? SmartConsole Tags

R80 and R80.10 provide a new feature for ease of security management: Tags.

We have presented it in Check Point conventions dating back to 2013 - it's time that we discuss them at CheckMates as well :)

The purpose of tags is to ease the searches and associations of objects. You can tag any object from its Object Editor, as well as with the Security Management CLI or API.

You can then search for all objects that belong to a specific tag.

In the Object Explorer:

When picking objects in places like security policies:

In addition to a simplified user experience, Tags have good value in the world of automation and orchestration.

14 Replies
PhoneBoy
Admin

I don't use this feature nearly enough :)

0 Kudos
rupert_matthews
Explorer

All,

How would you do a bulk modify of objects to insert tags based on a CSV? I have tried the following to no avail. What am I doing wrong?

dataset examples

name,tag
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

name,tags
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

name,tag.add
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

with the following commands. 

mgmt_cli set network --batch /path/to/csv/dataset.csv --format json -s id.txt > tag_add.json

mgmt_cli publish -s id.txt

Nothing gets published.  What is the structure of the dataset supposed to look like?  Or is this just something that isn't working yet?

Sincerely, 

Rupert

PhoneBoy
Admin

Note the header line on this CSV file:

name,tags.add
net-internal,tag1
net-dmz,tag2

This worked.

[Expert@mumford:0]# mgmt_cli -r true set network --batch tag.csv
---------------------------------------------
Time: [16:21:25] 2/8/2018
---------------------------------------------
"Publish operation"  succeeded  (100%)

Vladimir
Champion

Can you tell me what the CSV should look like if I am trying to create network objects with multiple tags?

name,subnet, subnet-mask,tags.add,tags.add
Net_10.0.0.0,10.0.0.0,255.255.255.0,ny,data
Net_10.0.0.1,10.0.0.1,255.255.255.0,nj,voice

PhoneBoy
Admin

Maybe tags.add.1, tags.add.2, etc

0 Kudos
Vladimir
Champion

Nope.

Getting:

[Expert@SMS8010:0]# mgmt_cli add network --batch test1.csv
Username: admin
Password:
Line 2: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [tags]. Invalid value"

Line 3: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [tags]. Invalid value"


Executed command failed. Changes are discarded.
[Expert@SMS8010:0]#

CSV that looks like:

name,subnet,subnet-mask,tags.add.1,tags.add.2
Net_10.0.0.0,10.0.0.0,255.255.255.0,ny,data
Net_10.0.0.1,10.0.0.1,255.255.255.0,nj,voice

0 Kudos
Vladimir
Champion

OK. Figured it out finally:

no need to include ".add" when creating objects with tags from CSV.

This format works:

name,subnet,subnet-mask,color,tags.1,tags.2
Net_10.0.0.0,10.0.0.0,255.255.255.0,red,ny,data
Net_10.0.0.1,10.0.1.0,255.255.255.0,red,nj,voice

Creating objects:

 

One thing to note is that tags appear in alphabetical order, so if you want to see them in identical order, prefix them with the type.

I.e.: "loc-ny, typ-data" and "loc-nj,typ-voice". Then they will appear in order:
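Added example, not part of the original posts and not Check Point code: a converter that turns one inventory file into the two batch layouts this thread confirmed, tags.1..tags.N for "add network" and name,tags.add for "set network". The inventory layout with ";"-separated tags and the sample rows are constructed, and it is an assumption that a set batch may name the same object on several rows.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory (not from the thread): tags for one object separated by ";".
INVENTORY = """name,subnet,subnet-mask,tags
Net_10.0.0.0,10.0.0.0,255.255.255.0,typ-data;loc-ny
Net_10.0.1.0,10.0.1.0,255.255.255.0,loc-nj;typ-voice
Net_10.0.2.0,10.0.2.0,255.255.255.0,loc-ny
"""

def split_tags(cell):
    """Return de-duplicated tags, sorted the way SmartConsole displays them."""
    tags = sorted({t.strip() for t in cell.split(";") if t.strip()})
    for tag in tags:
        if any(ch in tag for ch in ',"\r\n'):
            raise ValueError(f"tag {tag!r} would break the CSV row")
    return tags

def to_csv(header, rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()

def build_add_batches(inventory):
    """For `mgmt_cli add network --batch`: columns tags.1..tags.N, no ".add".

    Rows are grouped by tag count so no file contains an empty tags.N cell.
    """
    groups = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(inventory)):
        tags = split_tags(rec["tags"])
        groups[len(tags)].append([rec["name"], rec["subnet"], rec["subnet-mask"]] + tags)
    base = ["name", "subnet", "subnet-mask"]
    return {n: to_csv(base + [f"tags.{i}" for i in range(1, n + 1)], rows)
            for n, rows in sorted(groups.items())}

def build_set_batch(inventory):
    """For `mgmt_cli set network --batch`: header name,tags.add, one tag per row."""
    rows = [[rec["name"], tag]
            for rec in csv.DictReader(io.StringIO(inventory))
            for tag in split_tags(rec["tags"])]
    return to_csv(["name", "tags.add"], rows)

if __name__ == "__main__":
    for count, text in build_add_batches(INVENTORY).items():
        print(f"# add-network batch, {count} tag(s) per object\n{text}")
    print("# set-network batch\n" + build_set_batch(INVENTORY))
```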

 

Will_H
Contributor

So you can not control policy by tags, it is just for searching in the GUI?

I'd like to see tags being able to be used for policy enforcement.

Dima_M
Employee

Hey Will,

 

Currently - yes. We do support imported tags from various external sources though.

Could you please share more info on your use case for internal SmartConsole tags?

Cihat_Bulut
Contributor

Hi,

 

I have added 50 domain (fqdn) objects with the "library" tag.

I want to add the "library" tag in the destination column of a rule.

Gateway should allow all domains (also all objects) tagged with "library" in the future.

How can I achieve this?

 

BR   

Tal_Paz-Fridman
Employee

Hi

I think this would be better achieved using a Network Group (Simple Group) object called library.

You can add it to the Destination column of the relevant rule.

In the future when you add additional objects to the Network Group, it will be part of the Destination.

 

HTH

Tal

0 Kudos
Cihat_Bulut
Contributor

Dear Tal,

 

I've done what you've suggested. But it is not what I want.

 

BR

0 Kudos
Tal_Paz-Fridman
Employee

Hi

 

I do not think this is how Tags work but perhaps you could do it using a script and Management API to list all the objects that have a specific Tag and then add them to a specific rule.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-tag~v1.5%20

 

Tal

0 Kudos
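Added example, not part of the original posts and not Check Point code: one way to plan the tag-to-rule sync described in the reply above, working offline on a constructed object listing. The reply shape (an "objects" list whose entries carry "type" and "tags"), the allowed-type list, and the rule and layer names are assumptions; the payload is laid out for the Management API's set-access-rule call.

```python
# Constructed reply in the shape assumed for `show-objects` at details-level
# "full"; it is sample data, not output captured from a management server.
SHOW_OBJECTS_REPLY = {"objects": [
    {"name": ".lib.example.org", "type": "dns-domain", "tags": [{"name": "library"}]},
    {"name": ".books.example.org", "type": "dns-domain",
     "tags": [{"name": "library"}, {"name": "loc-ny"}]},
    {"name": "Net_10.0.0.0", "type": "network", "tags": [{"name": "loc-ny"}]},
    {"name": "svc-library", "type": "service-tcp", "tags": [{"name": "library"}]},
]}

# Assumption: the only object types this rule's Destination should ever hold.
ALLOWED_TYPES = {"dns-domain", "host", "network"}

def tag_names(obj):
    """Tags may arrive as plain strings or as {"name": ...} objects (assumed)."""
    return {t["name"] if isinstance(t, dict) else t for t in obj.get("tags", [])}

def plan_rule_update(reply, tag, current_destination, rule, layer):
    """Return (payload, skipped, stale) for review; nothing is sent or published.

    payload: body for `set-access-rule` adding the missing tagged objects, or None
    skipped: tagged objects of a type that does not belong in Destination
    stale:   current Destination entries that do not carry the tag
    """
    tagged, skipped = set(), []
    for obj in reply["objects"]:
        if tag not in tag_names(obj):
            continue
        if obj["type"] in ALLOWED_TYPES:
            tagged.add(obj["name"])
        else:
            skipped.append(obj["name"])
    to_add = sorted(tagged - set(current_destination))
    stale = sorted(set(current_destination) - tagged)
    payload = None
    if to_add:
        payload = {"name": rule, "layer": layer, "destination": {"add": to_add}}
    return payload, sorted(skipped), stale

if __name__ == "__main__":
    # "Allow library" and "Network" are hypothetical rule and layer names.
    print(plan_rule_update(SHOW_OBJECTS_REPLY, "library",
                           [".lib.example.org", "old-host"], "Allow library", "Network"))
```

With a sync like this, tagging an object changes what the rule allows, so the plan is returned for review before the change is sent and published.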
Luis_Miguel_Mig
Advisor

I was hoping that you could use tags to permit only certain objects to be viewed/modified by certain users in the SmartConsole Object Explorer. It doesn't look like it though.

0 Kudos
