Hi,
I am using R80.10, and need some help regarding getting IP addresses under a big group.
Let's say I have a big group that has a few groups under it, and then those groups have other groups inside them, and so on and so on until I reach the objects (servers, computers, etc.).
I want to get to a situation where I have all IP addresses that are under the big group.
Does anyone know, or has anyone done such a thing in the past?
Maybe some way in the API or an SQL query through PostgreSQL?
Thank you
First of all this is not a single API call but a series of API calls in iteration.
It would actually be recursive.
At a high level, you would query the relevant group for:
1. All the host objects
2. All the network objects (e.g. objects that represent subnets)—how do you want to handle these?
3. All the groups, which would be iterated and queried as was the original group.
You could probably do this with a bash script and jq.
If you take this approach, I would make sure you create a single read-only session and use that for all your queries.
That sounds like a great idea.
I know it sounds a bit too much, but I'm very rusty on scripting and these kinds of methods. Is there any chance you'd give a little low-level example of how it would look?
Thank you so much
Actually, it turns out there's a single API command that should give you every IP covered by a group (including its various sub objects).
mgmt_cli --session-id $SID --format json show group name group_name show-as-ranges true
This will break down all the objects into a range of IP addresses (with start/end ranges).
Not sure how far down the rabbit hole this goes (i.e. nesting levels), but it does appear to go down a couple levels at least.
I tested as follows:
The resulting output gave me:
Thank you so much for the reply.
But the show-as-ranges true doesn't seem to work because the parameter isn't right..?
And I don't really understand what the session ID part means.
Maybe you can explain what the command does exactly? I know what the show group name does, but that's it.
Keep in mind the CLI is just a wrapper for API calls.
In general, the flow is something like this:
Other than the login, every call needs a session ID passed.
Or, if you're using the CLI from the Security Management server, you can avoid all that by adding -r true to the command instead.
To break down my command: mgmt_cli --session-id $SID --format json show group name group_name show-as-ranges true
Unfortunately, that feature (show-as-ranges true) was added in API version 1.3, which corresponds to R80.20, not R80.10.
I should have checked that before providing you a solution, my apologies.
In any case, it's easy enough to get the members of a group using:
mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full
That will output (in JSON) the list of all objects in a group.
All groups are referred to by UID.
To parse that and get all the IPv4 and IPv6 addresses in said group:
mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="host") | [."ipv4-address", ."ipv6-address"] | @csv'
Note this will be in the format IPv4 Address,IPv6 Address (an object can have both)
To get all the networks, we have to parse IPv4 and IPv6 networks and netmasks (output in this case is CSV format):
mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="network") | [.subnet4, ."mask-length4", .subnet6, ."mask-length6"] | @csv'
To get all the uids of the groups contained in my group (the API does not return names, only UIDs in this case):
mgmt_cli -r true --format json --version 1.1 show group name test-group details-level full | jq -r '.members[] | select(.type=="group") | .uid'
Now you can repeat the above using the group(s) identified except you use "uid whatever" instead of "name test-group".
Hopefully that's enough to help you get started.
So now I need to do a script that involves these commands recursively? Can you give me a little example of how it would look?
That's the basic idea, yes.
I would put the relevant commands into a function that calls itself.
I would also do this with a single session versus trying to do this with a bunch of -r true commands (it will improve efficiency).
There are several scripting examples in Developers (Code Hub) you could borrow from.
They don't necessarily cover this exact use case, but they do show how you can work with the API.
For example CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.33.00...
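The recursive walk described in this thread, as an added example that is not part of the original posts and not Check Point's own code. It is written in Python rather than bash and jq, and wraps the same `show group ... details-level full` command. The function names are hypothetical, the field names are the ones used in the jq filters above, a top-level `uid` in each response is an assumption, and the `SAMPLE` responses are constructed.

```python
import json
import subprocess

def mgmt_cli_fetch(selector, value, session_id=None):
    """Run the thread's `show group` command; selector is "name" or "uid"."""
    auth = ["--session-id", session_id] if session_id else ["-r", "true"]
    cmd = ["mgmt_cli", *auth, "--format", "json", "--version", "1.1",
           "show", "group", selector, value, "details-level", "full"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)

def expand_group(name, fetch=mgmt_cli_fetch):
    """Return (addresses, unhandled) for a group and all groups nested in it."""
    addresses, unhandled, seen = set(), set(), set()
    # Assumes each response carries "uid" and "members", as in the jq filters above.
    def walk(selector, value):
        group = fetch(selector, value)
        seen.add(group.get("uid"))
        for m in group.get("members", []):
            kind = m.get("type")
            if kind == "host":
                addresses.update(m[k] for k in ("ipv4-address", "ipv6-address") if m.get(k))
            elif kind == "network":
                for net, bits in (("subnet4", "mask-length4"), ("subnet6", "mask-length6")):
                    if m.get(net):
                        addresses.add(f"{m[net]}/{m[bits]}")
            elif kind == "group":
                if m["uid"] not in seen:   # subgroup shared by two parents: query once
                    walk("uid", m["uid"])
            else:                          # other member types: report, do not drop
                unhandled.add(f"{kind}:{m.get('name', m.get('uid'))}")
    walk("name", name)
    return sorted(addresses), sorted(unhandled)

# Constructed sample responses (not real mgmt_cli output), keyed by (selector, value).
SAMPLE = {
    ("name", "big-group"): {"uid": "g-1", "members": [
        {"type": "host", "uid": "h-1", "name": "web1", "ipv4-address": "10.1.1.10"},
        {"type": "group", "uid": "g-2"}, {"type": "group", "uid": "g-3"}]},
    ("uid", "g-2"): {"uid": "g-2", "members": [
        {"type": "network", "uid": "n-1", "subnet4": "10.2.0.0", "mask-length4": 24},
        {"type": "group", "uid": "g-3"}]},
    ("uid", "g-3"): {"uid": "g-3", "members": [
        {"type": "host", "uid": "h-2", "ipv4-address": "10.3.3.5", "ipv6-address": "2001:db8::5"},
        {"type": "address-range", "uid": "r-1", "name": "range1"}]},
}

if __name__ == "__main__":
    print(expand_group("big-group", fetch=lambda s, v: SAMPLE[(s, v)]))
```

The second return value lists members that are neither hosts, networks nor groups, so a result used to review what a rule actually covers is not silently incomplete.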
OK, thank you very much for everything.
Yeah, I agree. What happened to this button that was part of the Group Object definition: