Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Paulo_Aun
Explorer

Easy Way to create address range for https://ip-ranges.amazonaws.com/ip-ranges.json 

I need to create an object network for the list of ranges 

Is there an easy way to create this list ? My firewall version is R77.30 

0 Kudos
6 Replies
Charles_Currier
Employee Alumnus
Employee Alumnus

You can use the Check Point Management API's to accomplish this. 
I have updated some scripts that accomplish this HERE. They are written in Python and will create the Network objects for the AWS public IP nets.
You can find Powershell functions here as well - I have worked on one of those as well but am still refining the code.

Hope this helps !

0 Kudos
Danny
Champion Champion
Champion

His firewall version is R77.30, so there's no API's.

The most easy way that I can think of is by using Confwiz or sometimes called CPConfWiz.

Simply create a test ip range, export your SmartCenter (SMC) config via Confwiz, mind the XML syntax for your test ip range, open the https://ip-ranges.amazonaws.com/ip-ranges.json in your preferred text editor, adjust the syntax via Search&Replace to match the required XML syntax, import the XML containing all your required ranges back into your SMC via Confwiz.

Note: The Confwiz tool was recently changed to be available for Check Point internal staff only. Therefore create a service request or ask your Check Point support partner.. or google it.

0 Kudos
Charles_Currier
Employee Alumnus
Employee Alumnus

His management is R80.10. and the API works on management not on the Gateway.

Policy then on push sends to R77.30 Gateway the objects and policy formatted for R77.30.

Best to have as recent Jumbo as possible.

CB Currier

0 Kudos
Danny
Champion Champion
Champion

I understand he opened his request in this R80.10 Management Thread. I was just under the Impression that he is using R77.30 on his Management as well, because he wrote that his firewall version (Gateway + Management) is R77.30. There is no R77.30 Management Thread here where he could have posted his question otherwise.

0 Kudos
PhoneBoy
Admin
Admin

Rather than make assumptions, let's ask Paulo Aun‌ what version of management he's using.

The mechanics of the answer are different for R77.30 and R80.10 management, but it boils down to: write a script that parses the .json from Amazon and outputs commands either to dbedit (R77.30) or the API (R80.10).

dbedit is documented here: Command Line Interface R77 

Confwiz is another way to achieve the same result. 

There are several example scripts for R80.x in the Developers (Code Hub)‌ section.

0 Kudos
Hugo_vd_Kooij
Advisor

For R80 I was able to cook a test PowerShell script:

#
# Download Amazon network Details
#
# (C) 2017, Hugo van der Kooij
#
# Don't forget to run `Install-Module psCheckPoint` (as administrator) once!
#
# WARNING: This script may put a significant load on your SmartCenter!
#

# Import Modules
Write-Host " *** Loading Modules *** "
Import-Module psCheckPoint

# Download Amazon AWS IP Ranges into Object
$AmazonAWSURI = "https://ip-ranges.amazonaws.com/ip-ranges.json"
$AmazonAWS = Invoke-WebRequest -Uri $AmazonAWSURI -DisableKeepAlive | ConvertFrom-JSON
$SyncToken = $AmazonAWS.syncToken
$CreateDate = $AmazonAWS.createDate
$Marker = "syncToken = $SyncToken; createDate = $CreateDate"

$Comments = "Amazon AWS - $Marker"

# Ignore Certificate Block on self-sign certificate
Write-Verbose " *** Ignore Private Certificates *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** "
$Session = Open-CheckPointSession

Write-Verbose "New-CheckPointGroup -Session $Session -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments "$Comments" -DetailsLevel "None"

$Services = ($AmazonAWS.prefixes.service + $AmazonAWS.ipv6_prefixes.service) | Get-Unique
ForEach ($Service in $Services) {
$GroupName = "Amazon_AWS_Service_$Service"
Write-Host "New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Service -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Service -Color "Orange" -Comments "$Comments"
}

$Regions = ($AmazonAWS.prefixes.region + $AmazonAWS.ipv6_prefixes.region) | Sort | Get-Unique
ForEach ($Region in $Regions) {
$GroupName = "Amazon_AWS_Region_$Region"
Write-Host "New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Region -Color Orange -Comments $Comments"
New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Region -Color "Orange" -Comments "$Comments"
}

foreach($Prefix in $AmazonAWS.prefixes) {
$Network = $Prefix.ip_prefix.Split("/")[0]
$NetworkMaskLength = $Prefix.ip_prefix.Split("/")[1]
$Region = $Prefix.region
$RegionGroup = "Amazon_AWS_Region_$Region"
$Service = $Prefix.service
$ServiceGroup = "Amazon_AWS_Service_$Service"
$Name = "Amazon_AWS_$Network/$NetworkMasklength"
Write-Host "New-CheckPointNetwork -Session $Session -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
New-CheckPointNetwork -Session $Session -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}

foreach($Prefix in $AmazonAWS.ipv6_prefixes) {
$Network = $Prefix.ipv6_prefix.Split("/")[0]
$NetworkMaskLength = $Prefix.ipv6_prefix.Split("/")[1]
$Region = $Prefix.region
$RegionGroup = "Amazon_AWS_Region_$Region"
$Service = $Prefix.service
$ServiceGroup = "Amazon_AWS_Service_$Service"
Write-Verbose "$Network/$NetworkMask | $Region | $Service"
$Name = "Amazon_AWS_$Network/$NetworkMasklength"
Write-Host "New-CheckPointNetwork -Session $Session -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
New-CheckPointNetwork -Session $Session -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}


# Publish Changes
Write-Verbose " *** Publish Session changes *** "
Publish-CheckPointSession -Session $Session
Reset-CheckPointSession -Session $Session

# Logout from Check Point API
Write-Verbose " *** Logout Session *** "
Close-CheckPointSession -Session $Session

# Ignore Certificate Block on self-sign certificate no longer
Write-Verbose " *** Ignore Private Certificates no longer *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $False }

# Remove Modules
Write-Verbose " *** Remove Modules *** "
Remove-Module psCheckPoint

# DONE!

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events