This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Network_Engine2
Participant
‎2019-02-25 05:54 AM

Getting all Hosts(ip addresses) under a big group that has other groups inside it

Hi, 

I am using R80.10, and need some help regarding getting ip addresses under a big group.

Lets say i have a big group that has few groups under it, and then those groups have other groups inside them, and so on and so on until i reach the objects (servers,computers, etc).

i want to get to a situation that i have all ip addresses that are under the big group.

Does anyone know/ or did do such thing in the past?

Maybe some way in the API or SQL query through posgresql?

Thank you

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2019-02-25 07:18 PM

First of all this is not a single API call but a series of API calls in iteration.

It would actually be recursive.

At a high level, you would query the relevant group for:

1. All the host objects

2. All the network objects (e.g. objects that represent subnets)—how do you want to handle these?

3. All the groups, which would be iterated and queried as was the original group.

You could probably do this with a bash script and jq.

If you take this approach, I would make sure you create a single read-only session and use that for all your queries.

Network_Engine2
Participant
‎2019-02-27 12:36 AM
In response to PhoneBoy

That sounds like a great idea.

i know it sounds a bit too much, but i'm very rusty on scripting and these kinda methods, is there any chance you'd give a little low level example of how it would look?

Thank you so much

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-27 09:05 AM
In response to Network_Engine2

Actually, it turns out there's a single API command that should give you every IP covered by a group (including its various sub objects).

mgmt_cli --session-id $SID --format json show group name group_name show-as-ranges true

 

This will break down all the objects into a range of IP addresses (with start/end ranges).

Not sure how far down the rabbit hole this goes (i.e. nesting levels), but it does appear to go down a couple levels at least.

I tested as follows:

  • Created a group called test group as follows:
    • A few host objects
    • A group containing the following:
      • A group containing some network objects (including some IPv6 objects)
      • A single network (not host) object
      • A group containing a single host object
  • Ran the above command 

The resulting output gave me:

  • The ranges of all IPv4 addresses covered by the above
  • No IPv6 ranges were returned
  • An "other" section that included the IPv6 objects 
Network_Engine2
Participant
‎2019-02-28 05:27 AM
In response to PhoneBoy

Thank you so much for the reply.

but the  show-as-ranges true doesn't seem to work because the parameter isn't right..? 

and i don't really understand what the session id part means .

Maybe you can explain about what the command does exactly? i know what the show group name does but thats it


0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-28 03:06 PM
In response to Network_Engine2

Keep in mind the CLI is just a wrapper for API calls.

In general, the flow is something like this:

  • Login, which gives you a session ID
  • Perform tasks
  • If edits/additions were made, then you must publish (or discard) those changes
  • Logout, which clears the session

Other than the login, every call needs a session ID passed.

Or, if you're using the CLI from the Security Management server, you can avoid all that by using a -r true to the command instead Smiley Happy

To break down my command: mgmt_cli --session-id $SID --format json show group name group_name show-as-ranges true

  • --session-id $SID says to use the session ID specified in the $SID shell variable (I had set this previously)
  • --format json says to give JSON output
  • show group name group_name show-as-ranges true shows the group group_name with the output in ranges (show-as-ranges true).

Unfortunately, that feature (show-as-ranges true) was added in API version 1.3, which corresponds to R80.20, not R80.10.

I should have checked that before providing you a solution, my apologies.

In any case, it's easy enough to get the members of a group using:

  • mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full

That will output (in JSON) the list of all objects in a group.

All groups are referred to by UID.

To parse that and get all the IPv4 and IPv6 addresses in said group:

  • mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="host") | [."ipv4-address", ."ipv6-address"] | @csv'

Note this will be in the format IPv4 Address,IPv6 Address (an object can have both)

To get all the networks, we have to parse IPv4 and IPv6 networks and netmasks (output in this case is CSV format):

  • mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="network") | [.subnet4, ."mask-length4", .subnet6, ."mask-length6"] | @csv'

To get all the uids of the groups contained in my group (the API does not return names, only UIDs in this case):

  • mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="group") | .uid'

Now you can repeat the above using the group(s) identified except you use "uid whatever" instead of "name test-group".

Hopefully that's enough to help you get started.

0 Kudos
Network_Engine2
Participant
‎2019-03-03 06:11 AM
In response to PhoneBoy

So now i need to do a script that involves these commands recursively?  can you give me a little example of how it would look? 

PhoneBoy
Admin
Admin
‎2019-03-04 01:31 AM
In response to Network_Engine2

That's the basic idea, yes.

I would put the relevant commands into a function that calls itself.

I would also do this with a single session versus trying to do this with a bunch of -r true commands (it will improve efficiency).

There are several scripting examples in Developers (Code Hub)‌ you could borrow from.

They don't necessarily cover this exact use case, but they do show how you can work with the API.

For example CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.33.00...

Network_Engine2
Participant
‎2019-03-04 03:48 AM
In response to PhoneBoy

Ok, Thank you very much for everything.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-26 06:41 AM

Yeah I agree what happened to this button that was part of the Group Object definition:

Regards, Maarten
0 Kudos