Solved: How to create LegacyUserAtLocation object through ...

Francesco-P · ‎2019-01-10

Hi,

in a R80.20 SMS, i need to implement a lot of object of type LegacyUserAtLocation and use in the rulebase as ClientAuth rule.

To use an existing LegacyUserAtLocation object, it's easy by referencing the uid, in the "source" filed of the api call for add-access-rule.
And this is the only way, because the allowed values for the "source" field are just "string" or a "list" of string (see Management API Reference v1.3).

For this reason,i suppose this object isn't a "runtime object", and should exist in the db(where, i don't know)

But how can i create a new LegacyUserAtLocation object?

If i would use add-generic-object api, i should know the class type to use in the "create" field, as explained in this link (see Request - 2 Add new user)... i miss this information

Take a look to the following request to clarify:

Request - https://_._._._/web_api/show-generic-object

This is the request for an existing LegacyUserAtLocation

{
    "uid": "fc3839e0-16d9-4d2b-9b6a-057744f7d3cc",
    "details-level" : "full"
}‍‍‍‍‍‍‍‍‍‍‍‍

Response

{
  "domainsPreset": null,
  "objectValidationState": null,
  "color": "BLACK",
  "userGroup": "0f2aadf4-42b7-11e2-a0d2-00000000dede",
  "location": "ad57e4fc-42bb-11e2-a0d2-00000000dede",
  "uid": "fc3839e0-16d9-4d2b-9b6a-057744f7d3cc",
  "folder": {
    "uid": "baf708b7-6543-4b69-aa44-a3f6058e6607",
    "name": "Global Objects"
  },
  "domain": {
    "uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name": "SMC User"
  },
  "meta-info": {
    "metaOwned": false,
    "lockStateResponse": null,
    "validationState": "OK",
    "deletable": true,
    "renameable": true,
    "newObject": false,
    "lastModifytime": 1546965204492,
    "lastModifier": "System",
    "creationTime": 1546964026903,
    "creator": "System"
  },
  "tags": [
  ],
  "name": "user_1@location_1",
  "icon": "Objects/UsersGroup",
  "comments": "",
  "display-name": "",
  "customFields": null,
  "_original_type": "LegacyUserAtLocation"
}‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I think to use something like:

Request - https://_._._._/web_api/add-generic-object

{
    "create" : "com.checkpoint.????.????.ClassUserAtLocation",
    "name": "new_user@new_location",
    "type": "LegacyUserAtLocation",
    "color": "black",
    "location": "ad57e4fc-42bb-11e2-a0d2-00000000dede",
    "userGroup": "0f2aadf4-42b7-11e2-a0d2-00000000dede",
    "icon": "Objects/UsersGroup",
    "comments": "Some comments",
    "display-name": "",
    "_original_type": "LegacyUserAtLocation"
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

but doesn't work!

Possible workaround (dbedit?) or a list of class are welcome.

Thanks,

Francesco

Joshua_Hatter · ‎2019-01-10

The appropriate class is going to be 'com.checkpoint.objects.LegacyUserAtLocation'

Then you need to supply the following keys.

name - I would stick with <groupname>@<objectname>

userGroup - uid of group object

location - uid of network object

So something like:

mgmt_cli add generic-object create 'com.checkpoint.objects.LegacyUserAtLocation' userGroup ad7bffcd-af13-4fd6-8115-5662a9f15e57 location 5c2e22c4-1698-43fc-b7b2-bac26ef00c09 name "test_group@test_object"

Then you need to run show generic-objects class-name com.checkpoint.objects.LegacyUserAtLocation to get the UID of the created UserAtLocation to pass its UID to an access-rule.

mgmt_cli show generic-objects class-name com.checkpoint.com.objects.LegacyUserAtLocation

Tested in lab, the object creation works, don't know about traffic actually working.

View solution in original post

Joshua_Hatter · ‎2019-01-10

The appropriate class is going to be 'com.checkpoint.objects.LegacyUserAtLocation'

Then you need to supply the following keys.

name - I would stick with <groupname>@<objectname>

userGroup - uid of group object

location - uid of network object

So something like:

mgmt_cli add generic-object create 'com.checkpoint.objects.LegacyUserAtLocation' userGroup ad7bffcd-af13-4fd6-8115-5662a9f15e57 location 5c2e22c4-1698-43fc-b7b2-bac26ef00c09 name "test_group@test_object"

Then you need to run show generic-objects class-name com.checkpoint.objects.LegacyUserAtLocation to get the UID of the created UserAtLocation to pass its UID to an access-rule.

mgmt_cli show generic-objects class-name com.checkpoint.com.objects.LegacyUserAtLocation

Tested in lab, the object creation works, don't know about traffic actually working.

Francesco-P · ‎2019-01-11

Thanks Joshua,
the api works, and asap i'll test the traffic and let you know

Francesco-P · ‎2019-01-11

I tried to do some traffic in a virtual environment and its works as expected!

Thanks!

PhoneBoy · ‎2019-01-12

While it's great you got it working, I do have to ask the question why you are still using Client Auth.

Use on R80.x gateways still works, but has some limitations.

See: Install policy on R80.10 Security Gateway fails with verification error messages

Francesco-P · ‎2019-01-15

Thanks Dameon, i get it!

Are you a member of CheckMates?

How to create LegacyUserAtLocation object through the R80.x api?