Did you know? SmartConsole Tags
R80 and R80.10 provide a new feature for ease of security management: Tags.
We have presented it in Check Point conventions dating back to 2013 - it's time that we discuss them at CheckMates as well.
The purpose of tags is to ease the searches and associations of objects. You can tag any object from its Object Editor, as well as with the Security Management CLI or API.
You can then search for all objects that belong to a specific tag.
In the Object Explorer:
When picking objects in places like security policies:
In addition to a simplified user experience, Tags have good value in the world of automation and orchestration.
---
I don't use this feature nearly enough
---
All,
How would you do a bulk modify of objects to insert tags based on a CSV? I have tried the following to no avail. What am I doing wrong?
Dataset examples:

name,tag
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

name,tags
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

name,tag.add
Test_Net_10.104.50.0_24,class1
Test_Net_10.104.51.0_24,class2

with the following commands.
mgmt_cli set network --batch /path/to/csv/dataset.csv --format json -s id.txt > tag_add.json
mgmt_cli publish -s id.txt
Nothing gets published. What is the structure of the dataset supposed to look like? Or is this just something that isn't working yet?
Sincerely,
Rupert
---
Note the header line on this CSV file:
name,tags.add
net-internal,tag1
net-dmz,tag2
This worked.
[Expert@mumford:0]# mgmt_cli -r true set network --batch tag.csv
---------------------------------------------
Time: [16:21:25] 2/8/2018
---------------------------------------------
"Publish operation" succeeded (100%)
---
Can you tell me what the CSV should look like if I am trying to create network objects with multiple tags?
name,subnet, subnet-mask,tags.add,tags.add
Net_10.0.0.0,10.0.0.0,255.255.255.0,ny,data
Net_10.0.0.1,10.0.0.1,255.255.255.0,nj,voice
---
Maybe tags.add.1, tags.add.2, etc
---
Nope.
Getting:
[Expert@SMS8010:0]# mgmt_cli add network --batch test1.csv
Username: admin
Password:
Line 2: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [tags]. Invalid value"
Line 3: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [tags]. Invalid value"
Executed command failed. Changes are discarded.
[Expert@SMS8010:0]#
CSV that looks like:
name,subnet,subnet-mask,tags.add.1,tags.add.2
Net_10.0.0.0,10.0.0.0,255.255.255.0,ny,data
Net_10.0.0.1,10.0.0.1,255.255.255.0,nj,voice
---
OK. Figured it out finally:
No need to include ".add" when creating objects with tags from CSV.
This format works:
name,subnet,subnet-mask,color,tags.1,tags.2
Net_10.0.0.0,10.0.0.0,255.255.255.0,red,ny,data
Net_10.0.0.1,10.0.1.0,255.255.255.0,red,nj,voice
Creating objects:
One thing to note is that tags appear in alphabetical order, so if you want to see them in identical order, prefix them with the type.
I.e.: "loc-ny, typ-data" and "loc-nj,typ-voice". Then they will appear in order:
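The two header forms worked out in this thread (`tags.add` for `set network`, `tags.1`, `tags.2` for `add network`) can be generated from one inventory. This is an added example, not code from any poster; the inventory is constructed and the function names are hypothetical. It writes one `add` file per tag count so no row needs an empty tag cell, and one `name,tags.add` row per tag for `set`.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not from the thread). Tags use the
# "loc-"/"typ-" prefixes so alphabetical display order is predictable.
INVENTORY = [
    {"name": "Net_10.0.0.0", "subnet": "10.0.0.0", "subnet-mask": "255.255.255.0",
     "tags": ["loc-ny", "typ-data"]},
    {"name": "Net_10.0.1.0", "subnet": "10.0.1.0", "subnet-mask": "255.255.255.0",
     "tags": ["typ-voice", "loc-nj"]},
    {"name": "Net_10.0.2.0", "subnet": "10.0.2.0", "subnet-mask": "255.255.255.0",
     "tags": ["loc-nj"]},
]

def _to_csv(header, rows):
    """Serialize a header and rows with proper CSV quoting."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()

def add_network_batches(inventory):
    """CSV text per tag count, for 'mgmt_cli add network --batch'.

    Creation takes tags.1, tags.2, ... (no ".add"). Rows are grouped by the
    number of tags they carry, so each file has a fully populated header.
    """
    groups = defaultdict(list)
    for obj in inventory:
        tags = sorted(set(obj["tags"]))
        groups[len(tags)].append([obj["name"], obj["subnet"], obj["subnet-mask"], *tags])
    base = ["name", "subnet", "subnet-mask"]
    return {n: _to_csv(base + [f"tags.{i}" for i in range(1, n + 1)], rows)
            for n, rows in sorted(groups.items())}

def set_network_tag_rows(inventory):
    """CSV text for 'mgmt_cli set network --batch': one name,tags.add row per tag."""
    rows = [[obj["name"], tag] for obj in inventory for tag in sorted(set(obj["tags"]))]
    return _to_csv(["name", "tags.add"], rows)

if __name__ == "__main__":
    for count, text in add_network_batches(INVENTORY).items():
        print(f"# add_network_{count}_tags.csv\n{text}")
    print(f"# set_network_tags.csv\n{set_network_tag_rows(INVENTORY)}")
```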
---
So you cannot control policy by tags, it is just for searching in the GUI?
I'd like to see tags being able to be used for policy enforcement.
---
Hey Will,
Currently - yes. We do support imported tags from various external sources though.
Could you please share more info on your use case for internal SmartConsole tags?
---
Hi,
I have added 50 domain (fqdn) objects with the "library" tag.
I want to add the "library" tag in the destination column of a rule.
Gateway should allow all domains (also all objects) tagged with "library" in the future.
How can I achieve this?
BR
---
Hi
I think this would be better achieved using a Network Group (Simple Group) object called library.
You can add it to the Destination column of the relevant rule.
In the future when you add additional objects to the Network Group, it will be part of the Destination.
HTH
Tal
---
Dear Tal,
I've done what you've suggested. But it is not what I want.
BR
---
Hi
I do not think this is how Tags work but perhaps you could do it using a script and Management API to list all the objects that have a specific Tag and then add them to a specific rule.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-tag~v1.5%20
Tal
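One way to script the approach suggested above, combined with the earlier group suggestion: read the objects carrying a tag and keep a group's membership in line with them. This is an added example, not code from the thread or from Check Point; the JSON is a constructed sample whose shape (an `objects` list with per-object `tags`) is assumed from `--format json` output, and the function names are hypothetical.

```python
import json

# Constructed sample, shaped like the assumed output of
# `mgmt_cli show dns-domains details-level full --format json`.
SHOW_OUTPUT = json.dumps({"objects": [
    {"name": ".lib.example.org", "tags": [{"name": "library"}]},
    {"name": ".catalog.example.org", "tags": [{"name": "library"}, {"name": "loc-ny"}]},
    {"name": ".intranet.example.org", "tags": [{"name": "internal"}]},
    {"name": ".journals.example.org", "tags": []},
], "from": 1, "to": 4, "total": 4})

def tagged_names(show_json, tag):
    """Names of objects whose tags include `tag` (exact, case-sensitive match)."""
    names = []
    for obj in json.loads(show_json).get("objects", []):
        # A tag may be serialized as an object with a "name" key or a bare string.
        tags = {t["name"] if isinstance(t, dict) else t for t in obj.get("tags", [])}
        if tag in tags:
            names.append(obj["name"])
    return sorted(names)

def sync_commands(show_json, tag, group, current_members, session_file="id.txt"):
    """argv lists that bring `group` in line with the objects tagged `tag`.

    Objects that lost the tag are removed as well, so the rule that uses the
    group stops matching them. Nothing is executed here; the caller reviews
    the list and runs it.
    """
    wanted = set(tagged_names(show_json, tag))
    have = set(current_members)
    base = ["mgmt_cli", "set", "group", "name", group]
    cmds = [base + ["members.add", n, "-s", session_file] for n in sorted(wanted - have)]
    cmds += [base + ["members.remove", n, "-s", session_file] for n in sorted(have - wanted)]
    if cmds:
        cmds.append(["mgmt_cli", "publish", "-s", session_file])
    return cmds

if __name__ == "__main__":
    members = [".lib.example.org", ".old.example.org"]  # constructed current membership
    for argv in sync_commands(SHOW_OUTPUT, "library", "library", members):
        print(" ".join(argv))
```

With a sync like this in place, editing a tag changes what the rule allows, so tag edits deserve the same review as group membership changes.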
---
I was hoping that you could use tags to permit only certain objects to be viewed/modified by certain users in the SmartConsole Object Explorer. It doesn't look like it though.
