topic Re: Publish API query in API / CLI Discussion

Publish API query

appyens — Tue, 05 May 2020 11:47:57 GMT

Do I need to call publish API after every change in one session or I can publish changes all at once with final publish API call in one session?

Re: Publish API query

_Val_ — Tue, 05 May 2020 13:10:17 GMT

It is enough to publish before logging off, or every time you need those changes to be available for other admins.

Re: Publish API query

_Val_ — Tue, 05 May 2020 13:11:54 GMT

In general, always follow the flow:

1. login and capture sid

2. perform changes

3. verify performed changes

4. publish or discard, depending of the results in p.3

5. log off

Re: Publish API query

PhoneBoy — Tue, 05 May 2020 13:45:01 GMT

If you're doing a small number of changes, then publishing after you do the API calls to make them is fine.
If you're doing a large number of changes (several hundred), it's best to publish after every few hundred calls for performance reasons.

Note that publish does NOT push changes to the relevant security gateways for enforcement.
That is done with a separate policy installation action.

Re: Publish API query

appyens — Tue, 05 May 2020 20:42:57 GMT

Thanks for the replay. How can I push changes to security gateways for enforcement with API. please explain

Re: Publish API query

PhoneBoy — Tue, 05 May 2020 21:34:53 GMT

You use the install-policy API.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/install-policy~v1.6

Re: Publish API query

appyens — Tue, 05 May 2020 22:07:29 GMT

I have checked it. the policy-package and target are required fields. what is policy package name and where can I find it, is there any API command for it? target is the name of gateway right?

Re: Publish API query

PhoneBoy — Tue, 05 May 2020 22:47:24 GMT

Target is the name of the gateway, yes.

The layer itself won't tell you what policy package its used in as it can exist as part of multiple policy packages.
If you were to do it programmatically, you would have to list all policy packages (show-packages) and listing each package (show-package) to determine what layers are used within them.
The other option is to know via some other method which policy package(s) you're pushing beforehand.

In any case, only one install-policy action can be active at one time, so if you're updating multiple policies programmatically, you'd have to push one policy, wait until it finishes, then push the next policy, etc.