topic Re: add-access-rule install-on target issue in API / CLI Discussion

add-access-rule install-on target issue

mikesleath — Wed, 14 Oct 2020 07:59:48 GMT

I am using the add-access-rule call to add a rule using the following JSON construct

{
"vpn": "Any",
"layer": "Test_Domain Security",
"comments": "First rule addition test",
"service": [
"ssh"
],
"action": "Accept",
"name": "MIKE_TEST_RULE",
"destination": [
"DEST_PROD_NETWORKS"
],
"source": [
"SOURCE_PROD_NETWORKS"
],
"install-on": [
"G_DOMAIN_Firewalls_global"
],
"track": {
"type": "Log"
},
"position": {
"below": "a13b68a5-83aa-4cf1-bcc4-490c82e40f07"
}
}

The rule adds successfully, however the domain uses a global policy where, in the install-on
field of the global rules the object defining the install on group is a global dynamic
network object that gets resolved to a local "simple" group defined at the domain level.

This means that effectively there are two objects of the same named defined in the Domain

G_DOMAIN_Firewalls_global - global dynamic network object
G_DOMAIN_Firewalls_global - locally defined simple group

When the API call adds the rule using the object that is used in the install-on field is
the one from the global domain and not the locally defined group (snippet of return JSON below)

"install-on" : [
{
"type" : "DynamicGlobalNetworkObject",
"name" : "G_DOMAIN_Firewalls_global",
"domain" : {
"domain-type" : "global domain",
"uid" : "1e294ce0-367a-11e3-aa6e-0800200c9a66",
"name" : "Global"
},
"uid" : "0b657037-ebd1-8d48-b455-76111da0ea7d"
}
],

If the install-on is defined using it's UID then all works correctly. However it would be
better to define the value by name and have the API select the correct object (the global
dynamic group is not a valid selection at the local level as far as I know).

Is it possible to instruct the API which object/domain combination to use? If so how is
value constructed?

Thanks in advance for any help.

Re: add-access-rule install-on target issue

PhoneBoy — Wed, 14 Oct 2020 13:57:56 GMT

It looks like you can specify the domain in the API call.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-access-rule~v1.6.1

Re: add-access-rule install-on target issue

mikesleath — Wed, 14 Oct 2020 14:27:32 GMT

Sorry, I'm just not seeing where I specify that. I can see the domain "owning" the object is part of the return JSON, but I just can't see how to specify the domain owning the object in the request portion.

Or are you saying it can be specified as part of the install-on list? If so do you have an example of how that is structured.

Thanks a lot.

Re: add-access-rule install-on target issue

mikesleath — Thu, 15 Oct 2020 14:59:58 GMT

Just by way of an update... I raised this issue through our dedicated Diamond Support engineer and the development team for the API have confirmed that the above behaviour is a problem that needs to be addressed i.e. the add-access-rule API call should not select the "global" version of the object when adding a rule to a domain policy. The workaround is to reference the install-on object by its UID.

If there is a way to specify which domain an object should belong to when making other calls could you provide an example?

Re: add-access-rule install-on target issue

PhoneBoy — Thu, 15 Oct 2020 15:33:49 GMT

Hm, you're right, I misread the documentation.
It seems you can only specify the name or the UID of an object as part of the call, which is problematic in this case.
In general, UID is always more specific than name.
@Omer_Kleinstern