topic Re: How to add a rule with multiple actions in API / CLI Discussion

How to add a rule with multiple actions

Maarten_Sjouw — Tue, 23 Oct 2018 12:45:10 GMT

I'm working on a baseline for an inline policy to enable URL Filtering and Application control for a customer that has not used this before, I searched through the questions here but could not find a response that would give me the clue.

I run into some issues, while most things work just fine, adding and filling groups and creating the Layer with all rules, I'm just hitting a few snags, like when I add a drop rule I would also like to show the default Block Page, however I can only add 1 action Item, how can you add more actions?

The layer is added but unless I set it to shared the layer cannot be manually used as an inline layer. After the test I wanted to remove the layer again, it is not in use but delete layer is grayed out, in Manage Policies and Layers.

Re: How to add a rule with multiple actions

Joshua_Hatter — Tue, 23 Oct 2018 13:50:28 GMT

You must have App/URL or content awareness enabled on the layer to add other actions. I suspect this is the issue. On the layer be sure the additional blades are checked.

Re: How to add a rule with multiple actions

Maarten_Sjouw — Tue, 23 Oct 2018 14:16:56 GMT

in the create of the rule I had used applications-and-url-filtering "true" when I created the layer, so that part is ok, but what is the syntax for adding multiple actions?

Re: How to add a rule with multiple actions

Joshua_Hatter — Tue, 23 Oct 2018 14:58:19 GMT

So this is per the API?

So under the documentation add-access-rule, you need to supply the user-check object with field interaction.

It wasn't clear in the docs(Amiad Stern‌) what was valid for this field, so I reverse engineered by making a rule in SmartConsole, then using show-access-rule to see how it returned.

An example would be:

#mgmt_cli add-access-rule layer "<layer>" position top action drop user-check.interaction "Blocked Message - Access Control"

This added a rule as drop with standard Blocked Message.

Re: How to add a rule with multiple actions

Maarten_Sjouw — Tue, 23 Oct 2018 15:42:17 GMT

Ok, so the thing I could not find in the documentation was the user-check.interaction "Blocked Message - Access Control" part, that helps to make that last bit clear, thanks a lot.

Re: How to add a rule with multiple actions

Maarten_Sjouw — Wed, 24 Oct 2018 04:43:47 GMT

If anyone is interested I can post this script that will create this shared layer:

CriticalBlock has the categories Child Abuse, Critical Risk and a newly created category Blacklist in it.

HighBlock only has High risk in it And NormalAllow contains a newly category WhiteList.

Normalblock contains a list of default (best practice) block categories.

All is very simple to adjust, but it is a nice template to start with.

Re: How to add a rule with multiple actions

Vladimir — Sun, 16 Dec 2018 13:35:58 GMT

Maarten, please do post the script.

Thank you,

Vladimir

Re: How to add a rule with multiple actions

Maarten_Sjouw — Mon, 17 Dec 2018 09:04:03 GMT

here it is:

mgmt_cli login user admin password <PW> domain <Domain> -m <IP> > id.txt
mgmt_cli add application-site-category name "WhiteList" description "Custom Whitelist category" -s id.txt
mgmt_cli add application-site-category name "BlackList" description "Custom Blacklist category" -s id.txt
mgmt_cli add application-site-group name "CriticalBlock" members.1 "Critical Risk" members.2 "Child Abuse" members.3 "BlackList" -s id.txt
mgmt_cli add application-site-group name "HighAllow" -s id.txt
mgmt_cli add application-site-group name "HighBlock" members.1 "High Risk" -s id.txt
mgmt_cli add application-site-group name "NormalAllow" members.1 "WhiteList" -s id.txt
mgmt_cli add application-site-group name "NormalBlock" members.1 "Anonymizer" members.2 "Botnets" members.9 "Illegal Drugs" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "File Storage and Sharing" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "File Upload" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Gambling" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Games" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Hate / Racism" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Illegal / Questionable" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Illegal Drugs" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Media Sharing" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Media Streams" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Nudity" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "P2P File Sharing" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Pornography" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Sex" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Spam" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Spyware / Malicious Sites" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Suspicious Content" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Tasteless" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Violence" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Weapons" -s id.txt
mgmt_cli set application-site-group name "NormalBlock" members.add "Web Advertisements" -s id.txt
mgmt_cli add service-group name "Blocked-Ports" members.1 "smtp" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "imap" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "IMAP-SSL" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "pop-3" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "POP3S" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "SMTPS" -s id.txt
mgmt_cli set service-group name "Blocked-Ports" members.add "ssh" -s id.txt
mgmt_cli add access-layer name "Internet-Filter" firewall "false" applications-and-url-filtering "true" shared "true" add-default-rule "false" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 1 name "Drop Critical" service "CriticalBlock" destination "Internet" action "Drop" user-check.interaction "Blocked Message - Access Control" track "log" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 2 name "Allow High Risk" service "HighAllow" destination "Internet" action "Accept" track "log" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 3 name "Block High Risk" service "HighBlock" destination "Internet" action "Drop" user-check.interaction "Blocked Message - Access Control" track "log" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 4 name "Whitelist" service "NormalAllow" destination "Internet" action "Accept" track "log" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 5 name "Block Normal" service "NormalBlock" destination "Internet" action "Drop" user-check.interaction "Blocked Message - Access Control" track "log" -s id.txt
mgmt_cli add access-rule layer "Internet-Filter" position 6 name "Allow Rest" destination "Internet" service "Blocked-Ports" service-negate "true" action "Accept" track "log" -s id.txt
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt