topic Re: Output from show-gateways-and-servers API call in API / CLI Discussion

Output from show-gateways-and-servers API call

ZdenekR — Mon, 16 Sep 2024 23:21:09 GMT

Hello all,

I am working on the script that collects a policy package for the specific gateway (virtual system).
It works very well in the lab but in production environment I noticed the following
behavior.

API call "show-gateways-and-servers" with "details-level full" should return
list of objects. If the object type is equal to "CpmiVsxClusterNetobj" and it is
virtual system there should be "policy" object that contains the key "access-policy-name".

See the example below (the output is shortened):

{ "uid" : "f47b987d-f3d8-4ae2-b5ca-a562c7fd43ef", "name" : "VS01", "type" : "CpmiVsClusterNetobj", "domain" : { "uid" : "886fb185-487f-4ccf-94f4-ddc8443f6760", "name" : "DOM02", "domain-type" : "domain" }, "policy" : { "access-policy-installed" : true, "access-policy-name" : "VS01_POL01", "access-policy-installation-date" : { "posix" : 1726439380347, "iso-8601" : "2024-09-16T00:29+0200" }, "threat-policy-installed" : false

But in production there are several virtual systems which has the "policy" object empty like in the following example:

{ "uid" : "f47b987d-f3d8-4ae2-b5ca-a562c7fd43ef", "name" : "VS05", "type" : "CpmiVsClusterNetobj", "domain" : { "uid" : "886fb185-487f-4ccf-94f4-ddc8443f6761", "name" : "DOM05", "domain-type" : "domain" }, "policy" : { }, "threat-policy-installed" : false

My understanding is that in case a policy package was successfully installed on a virtual system, the "policy" object should not stay empty. Is my understanding correct? Or are there any corner cases when this is not true? Like after MDS server upgrade or after purging all revisions from a domain. To be honest, I have already tested all mentioned corner cases in a lab, but I was not able to simulate the situation with empty "policy" object.

We are using 2x MDS server with version R81.20 Take 76 + 2x MLM. Firewalls are using VSX R81.10 or R81.20. I have noticed that if the "policy" object is empty also "Installation History" shows empty "Access Control Policy" and "Access Installation Date" in SmartConsole application. Like this:

Do you have any idea about this behavior? Is this a bug?

Any suggestions would be greatly appreciated.

Regards,

ZdenekR

Re: Output from show-gateways-and-servers API call

_Val_ — Tue, 17 Sep 2024 07:29:12 GMT

Before anything else, can you show what your script looks like? Also, do you actually follow up the policy installation process results in your script? Installation success/error messages could give you a clue.

Re: Output from show-gateways-and-servers API call

ZdenekR — Tue, 17 Sep 2024 09:29:23 GMT

Hi,

thanks for your quick reply. To be honest, it is a python module on which I am working, which probably will be difficult to present here. But I created another bash script which can be easily understood and can show the problem I am dealing with. See this:

#!/bin/bash fwname=$1 mgmt_cli -r true login > session fwname="VS01" [Expert@MDS01:0]# mgmt_cli show gateways-and-servers details-level full -f json -s session | jq --arg fwname "$fwname" -r '.["objects"][] | select(.type=="CpmiVsClusterNetobj" and .name==$fwname) | [.name,.policy]' mgmt_cli logout -s session

In my lab the output from the above script looks like this:

[Expert@MDS01:0]# ./getppol.sh VS01 [ "VS01", { "access-policy-installed": true, "access-policy-name": "VS01_POL01", "access-policy-installation-date": { "posix": 1726439380347, "iso-8601": "2024-09-16T00:29+0200" }, "threat-policy-installed": false } ] message: "OK" [Expert@MDS01:0]#

In production environment the output looks like this:

[Expert@srv01_mds01:0]# ./getppol.sh VS02 [ "VS02", { } ] message: "OK" [Expert@srv01_mds01:0]#

I will probably open a TAC case with Check Point but before I do it I would like to know someones view on this problem. Is this a bug? or Does this shows a problem within the production environment? or Might this be a result of an upgrade and simple policy installation will resolve this issue?

I have not tried to install a policy yet as this means to open a change, go through an approval process and to answer lots of questions. But this will be probably the next step before I open the TAC case.

Anyway, any help and comment is really appreciated.

Regards,

ZdenekR

Re: Output from show-gateways-and-servers API call

PhoneBoy — Tue, 17 Sep 2024 21:28:28 GMT

Not sure how well VS objects are handled here.
Tagging @Omer_Kleinstern

Re: Output from show-gateways-and-servers API call

ZdenekR — Tue, 24 Sep 2024 14:59:10 GMT

Hi all,

I reinstalled a policy package for the virtual system that was causing issues, and everything started working as expected. However, I still consider this to be a bug, with the reinstallation serving only as the workaround. When using the 'show-gateways-and-servers' API call, you should receive a non-empty 'policy' object for each virtual system where a policy package was previously installed.

Regards,

ZdenekR

Re: Output from show-gateways-and-servers API call

PhoneBoy — Wed, 25 Sep 2024 17:12:13 GMT

This should probably be addressed through a TAC case: https://help.checkpoint.com