Donald_Paterson
Employee Alumnus
Adding members to a group

Is there a better way than this to add member network objects to a group?

add group name Internal-Nets members.1 Net-192.168.111.0 members.2 Net-192.168.113.0 members.3 Net-192.168.114.0 members.4 Net-192.168.116.0 members.5 Net-192.168.117.0 members.6 Net-192.168.119.0 color cyan

set group name Internal-Nets members.add Net-192.168.122.0
set group name Internal-Nets members.add Net-192.168.123.0
set group name Internal-Nets members.add Net-192.168.124.0
set group name Internal-Nets members.add Net-192.168.125.0
set group name Internal-Nets members.add Net-192.168.126.0
set group name Internal-Nets members.add Net-192.168.131.0
set group name Internal-Nets members.add Net-192.168.134.0

Thanks,

Don

Accepted Solutions
Shawn_Babinyecz
Explorer

Don, this is what I ended up doing and it worked great!

mgmt add group name "MyGroup"

mgmt add host name "host1" ip-address "1.1.1.1" groups.1 "MyGroup"
mgmt add host name "host2" ip-address "2.2.2.2" groups.1 "MyGroup"

It was nice because I added the objects to the group at the time of creating them.

12 Replies
Igal_Rivin
Employee Alumnus

Hi Don,

In the same way you created a group and added a list of members to it, you can modify the group by adding a list of members to it.

Please use the following command:

set group name Internal-Nets members.add.1 Net-192.168.122.0  members.add.2 Net-192.168.123.0

Use Check Point - Management API Documentation as a reference for the set-group command.

Donald_Paterson
Employee Alumnus

This is how I did it in the end:

add network name Net-192.168.111.0 subnet4 192.168.111.0 mask-length4 24 color cyan
add network name Net-192.168.113.0 subnet4 192.168.113.0 mask-length4 24 color cyan
add network name Net-192.168.114.0 subnet4 192.168.114.0 mask-length4 24 color cyan
add network name Net-192.168.116.0 subnet4 192.168.116.0 mask-length4 24 color cyan
add network name Net-192.168.117.0 subnet4 192.168.117.0 mask-length4 24 color cyan
add network name Net-192.168.119.0 subnet4 192.168.119.0 mask-length4 24 color cyan
add network name Net-192.168.122.0 subnet4 192.168.122.0 mask-length4 24 color cyan
add network name Net-192.168.123.0 subnet4 192.168.123.0 mask-length4 24 color cyan
add network name Net-192.168.124.0 subnet4 192.168.124.0 mask-length4 24 color cyan
add network name Net-192.168.125.0 subnet4 192.168.125.0 mask-length4 24 color cyan
add network name Net-192.168.126.0 subnet4 192.168.126.0 mask-length4 24 color cyan
add network name Net-192.168.131.0 subnet4 192.168.131.0 mask-length4 24 color cyan
add network name Net-192.168.134.0 subnet4 192.168.134.0 mask-length4 24 color cyan

add group name Internal-Nets color cyan

set group name Internal-Nets members.add.1 Net-192.168.111.0 members.add.2 Net-192.168.113.0 members.add.3 Net-192.168.114.0 members.add.4 Net-192.168.116.0 members.add.5 Net-192.168.117.0 members.add.6 Net-192.168.119.0  members.add.7 Net-192.168.122.0 members.add.8 Net-192.168.123.0 members.add.9 Net-192.168.124.0 members.add.10 Net-192.168.125.0 members.add.11 Net-192.168.126.0 members.add.12 Net-192.168.131.0 members.add.13 Net-192.168.134.0

The set group command above (the last line) is one line (of 450 characters).

Chris_Atkinson
Employee

Further to this has anyone seen / created a nice way to handle the management of groups that relate to dynamic network lists as supplied by the likes of Microsoft & AWS (in particular where MiTM is not being used and hence AppC is not a reliable option / alternative):

Examples:

Microsoft EOP

Microsoft O365

Microsoft Azure

AWS

CCSM R77/R80/ELITE
Quinn_Yost
Contributor

Chris,

I saw this last week, the same day I had been working on parsing the AWS ip-ranges.json myself. Unfortunately, I can't provide the scripting I did most of the work with, but I'd be glad to share a skeleton.

First, I downloaded and locally saved AWS's ip-ranges.json to CSV using the following PowerShell one-liner.

( iwr -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json" | convertfrom-json ) | select-object -ExpandProperty prefixes | convertto-csv -NoTypeInformation > ip-ranges.csv

This resulted in a csv with the following column headers and text formats:

ip_prefix,region,service

54.239.4.0/22,eu-central-1,AMAZON

54.239.8.0/21,us-east-1,AMAZON

....

Then I made a few additional columns with text manipulation: (I also appended the AWS synctoken and createDate from the json)

ip_prefix,region,service,subnet,mask-length,name,group,comments

54.239.4.0/22,eu-central-1,AMAZON,54.239.4.0,22,net_54.239.4.0-22,AMAZON_eu-central-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56

54.239.8.0/21,us-east-1,AMAZON,54.239.8.0,21,net_54.239.8.0-21,AMAZON_us-east-1,syncToken: 1234567890 createDate:2017-01-23-01-34-56

Next, I extracted the fields I wanted into a couple new csv files:

Network.csv

name, subnet, mask-length,comments

Groups.csv (extracted, then unique sorted)

name, comments

The final file I made was the most challenging to script but the end result was:

groupPopulate.csv

name,member.1,member.2,member.3,...member.100

Then a few scripted calls to mgmt_cli.

.\mgmt_cli.exe -m myhost login true user myuser password ******** > sessionid.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt set session new-name "MyName" description "Creating AWS networks from http://ip-ranges.amazonaws.com/ip-ranges.json"

.\mgmt_cli.exe -m myhost -s sessionid.txt add network -b networks.csv --format json  > networks_import_log.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt add group -b groups.csv --format json > group_import_log.txt

.\mgmt_cli.exe -m myhost -s sessionid.txt set group -b groupPopulate.csv --format json > groupPopulate_import_log.txt

.\mgmt_cli.exe -s sessionid.txt -m myhost publish

.\mgmt_cli.exe -s sessionid.txt -m myhost logout

For ongoing maintenance, I would look at adding checks for existing objects to avoid re-creation attempts, and instead update the comments on those. groupPopulate overwrites the group members, so there isn't a need to parse or repopulate those. Additional cleanup after re-populating would be to remove the groups and network objects with an older syncToken in the comments.

Sorry I can't just outright provide the scripting, but hopefully this will help get you moving in the right direction.
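The pipeline Quinn outlines, as an added example in Python (not Quinn's script, and not Check Point's code): it parses a constructed ip-ranges.json snippet embedded inline, derives the network and group names with the naming scheme from the post (net_<subnet>-<mask> and <service>_<region>), renders the three batch CSVs in memory, and lists objects whose comment carries an older syncToken so they can be cleaned up after a re-import. Assumptions: the batch column names `subnet`, `mask-length` and `comments` match the post, the groupPopulate columns are written as `members.N` (the form used in the original question; the post spells the header `member.N`), and the groupPopulate header is 100 columns wide as in the post.

```python
import csv
import io
import json
import re
from collections import OrderedDict

# Constructed sample in the shape of AWS ip-ranges.json (not a real download;
# the real feed is https://ip-ranges.amazonaws.com/ip-ranges.json).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1234567890",
    "createDate": "2017-01-23-01-34-56",
    "prefixes": [
        {"ip_prefix": "54.239.4.0/22", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"},
        # The feed often lists the same prefix again under a second service.
        {"ip_prefix": "54.239.8.0/21", "region": "us-east-1", "service": "EC2"},
    ],
})

MAX_MEMBERS = 100  # width of the groupPopulate header, as in the post (assumed)


def build_rows(raw_json):
    """Derive network rows and group membership from an ip-ranges.json document.

    The comment field carries the feed's syncToken/createDate so that objects
    left over from an earlier import can be recognised later.
    """
    doc = json.loads(raw_json)
    comment = "syncToken: %s createDate: %s" % (doc["syncToken"], doc["createDate"])
    networks = OrderedDict()  # name -> row; dedupes prefixes listed under several services
    groups = OrderedDict()    # group name -> ordered member names
    for p in doc["prefixes"]:
        subnet, mask = p["ip_prefix"].split("/")
        name = "net_%s-%s" % (subnet, mask)
        networks.setdefault(name, {"name": name, "subnet": subnet,
                                   "mask-length": mask, "comments": comment})
        members = groups.setdefault("%s_%s" % (p["service"], p["region"]), [])
        if name not in members:
            members.append(name)
    return list(networks.values()), groups, comment


def to_csv(header, rows):
    """Render dict rows as CSV text with the given header (mgmt_cli batch style)."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)  # missing members.N cells are left empty
    return buf.getvalue()


def batch_files(raw_json):
    """Produce the three CSV texts: networks, groups and groupPopulate."""
    networks, groups, comment = build_rows(raw_json)
    network_csv = to_csv(["name", "subnet", "mask-length", "comments"], networks)
    group_csv = to_csv(["name", "comments"],
                       [{"name": g, "comments": comment} for g in groups])
    # 'set group' with members.N replaces the whole member list, so one row
    # per group is enough; the header is fixed at MAX_MEMBERS columns.
    pop_header = ["name"] + ["members.%d" % i for i in range(1, MAX_MEMBERS + 1)]
    pop_rows = []
    for g, members in groups.items():
        if len(members) > MAX_MEMBERS:
            raise ValueError("%s has %d members; widen the header" % (g, len(members)))
        row = {"name": g}
        row.update({"members.%d" % (i + 1): m for i, m in enumerate(members)})
        pop_rows.append(row)
    return {"networks.csv": network_csv, "groups.csv": group_csv,
            "groupPopulate.csv": to_csv(pop_header, pop_rows)}


TOKEN_RE = re.compile(r"syncToken:\s*(\S+)")


def stale_names(existing_objects, current_token):
    """Names of objects (dicts with name/comments, e.g. from 'show networks')
    whose comment carries a syncToken other than the current feed's."""
    stale = []
    for obj in existing_objects:
        m = TOKEN_RE.search(obj.get("comments", ""))
        if m and m.group(1) != current_token:
            stale.append(obj["name"])
    return stale


if __name__ == "__main__":
    for fname, text in batch_files(SAMPLE_IP_RANGES).items():
        with open(fname, "w") as fh:
            fh.write(text)
```

Running the script writes the three files, which can then be fed to `add network -b`, `add group -b` and `set group -b` as in the post; `stale_names` expects the object list you get back from the corresponding `show` calls after the import.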

Eric_Beasley
Employee

Based on your original issue, I would just use the batch mode CSV import and create a simple CSV file with the header, and then each line is the group and the member to add. That works as long as all members already exist.

Example CSV:

name,members.add
Internal-Nets,Net-192.168.122.0
Internal-Nets,Net-192.168.123.0
Internal-Nets,Net-192.168.124.0

Command to execute:

set group --batch <csvfilename> --format json --ignore-errors true

The "--ignore-errors true" is used to ensure that any duplication warnings don't kill the operation; also, outputting the JSON will allow review of potential errors.

DanielS
Employee

You can also do it like this

set group name "Name" members.add '["member1", "member2","member3"]'

Remember you are limited to 1000 characters per command when doing this via the smart console CLI

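One way to respect the 1000-character limit Daniel mentions, as an added example that is not from this thread: it splits a long member list into several `set group ... members.add '[...]'` commands in the JSON-list form shown above, each kept under the limit, and since members.add appends, running the chunks in order leaves the group with every member. The limit constant, the group name and the member names are constructed for the demo.

```python
import json

MAX_COMMAND_LEN = 1000  # SmartConsole command window limit reported in the thread


def render(group_name, members):
    # members.add takes a JSON list; single quotes keep it as one CLI argument.
    return 'set group name "%s" members.add \'%s\'' % (group_name, json.dumps(members))


def members_add_commands(group_name, members, limit=MAX_COMMAND_LEN):
    """Greedily pack members into the fewest members.add commands that each fit
    within `limit` characters. Raises if a single member cannot fit at all."""
    commands = []
    chunk = []
    for m in members:
        if len(render(group_name, chunk + [m])) > limit:
            if not chunk:
                raise ValueError("member %r alone exceeds the %d-char limit" % (m, limit))
            commands.append(render(group_name, chunk))
            chunk = [m]
        else:
            chunk.append(m)
    if chunk:
        commands.append(render(group_name, chunk))
    return commands


def members_from_command(cmd):
    """Inverse of render(): recover the member list from a generated command."""
    payload = cmd.split("members.add '", 1)[1]
    return json.loads(payload[:-1])


if __name__ == "__main__":
    # Constructed member names; each command stays under MAX_COMMAND_LEN.
    sample = ["Net-192.168.%d.0" % i for i in range(1, 61)]
    for cmd in members_add_commands("Internal-Nets", sample):
        print(cmd)
```

The printed commands can be pasted into the command window one at a time or fed to mgmt_cli; each is checked against the limit before it is emitted rather than after the console rejects it.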
DanielS
Employee

After creating many many groups, I can tell you 100% the max command length is 1000 characters, you get too long to execute on anything more.

Kris_Meldrum
Contributor

Hi Daniel, what was the behavior you experienced when you go over the 1000 character per line limit? I'm doing a large batch update of groups and find it process through the commands fine, and then seems to get stuck at the 60% publish phase for hours. Has this been your experience?

DanielS
Employee

I was doing my api calls through the Smart Console command window due to limited access to tools on the jump server. For me 1000's lines in the txt files just wouldn't be accepted at all.

bhaizlett123
Contributor

Is there a way to do this using the Python SDK? It doesn't seem to have the option "members.add".
