Ivan_Moore
Nickel

Is there an equivalent command to a global policy assignment with install?

In R77 I could run a command like this:

mdscmd install-globalpolicy -install -l DOMAIN

and it would push out all policies in that domain.

I can't find the "-install" option in R80 from the command line...seems to still be there in the GUI

I can do this:

mgmt_cli assign-global-assignment global-domains Global dependent-domains DOMAIN -s ID.txt --format json 

which will do the same as the previous command without the "-install". Is it possible to do the "-install"?

0 Kudos
14 Replies
Employee++

Re: Is there a equivalent command to a global policy assignment with install?

R80 management API doesn't have such option.

This should be done in two steps: assign and then install.

Robert.

0 Kudos
Ivan_Moore
Nickel

Re: Is there a equivalent command to a global policy assignment with install?

Yeah, thought that was the case. This doesn't work as straightforwardly for us. Oh well.

Thanks!

0 Kudos
Ivan_Moore
Nickel

Re: Is there a equivalent command to a global policy assignment with install?

I have figured out a way to do what I need done.

Something like this: (this allows me to just show our domains which make up our North America gateways...other greps to grab just EMEA, APAC, etc...)

mgmt_cli login -r true > $ID; mgmt_cli show domains -s /var/log/tmp/id.txt --format json | grep name | grep -v "System Data"  | grep -v "LAC\|EMEA\|APAC" | sed -e 's/\"name\" : \"//' | sed -e 's/\",//' |sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s $ID >/dev/null

Then to install the various policies across each domain pulled from the list above.

for POLICY in $(mgmt_cli login -r true > $ID; mgmt_cli show-packages -d $DOMAIN --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' |sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s $ID >/dev/null)
do
mgmt_cli login domain "$DOMAIN" -r true > $ID; mgmt_cli install-policy policy-package $POLICY access true -s $ID --format json ; mgmt_cli logout -s $ID >/dev/null
done

Still a work in progress, but does it relatively painlessly. I do a lot of stuff before/after this to massage the data and perform other tasks such as policy verification across all domains. So far, this seems to be doing the trick in my lab.

Employee++

Re: Is there a equivalent command to a global policy assignment with install?

Excellent!

You are on the right track. If you need any assistance, please let me know.

Robert.

0 Kudos
Ivan_Moore
Nickel

Re: Is there a equivalent command to a global policy assignment with install?

Thanks. Once I get the whole thing working the way I want it I'll post a clean version of the whole set of scripts. Lots of cleanup in the move to R80 as some things are *much* easier to do now.

Ivan_Moore
Nickel

Re: Is there a equivalent command to a global policy assignment with install?

Here is the problem I am having right now.  

My script does this:

DOMAINS=$1
# GPOL_NAME is not set in this excerpt; it must hold the global domain name.
# Split the comma-separated domain list passed as the first argument.
for DOMAIN in `echo $DOMAINS | sed -e 's/,/ /g'`
do
    echo "DOMAIN = $DOMAIN"
    if [ "$2" == "-install" ] ; then
        start=`date +%s`
        # Install every policy package found in the domain (no check of installation targets).
        for POLICY in $(mgmt_cli show-packages -d "$DOMAIN" --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' | sed 's/[][*]\|[[:space:]]//g')
        do
            echo "Policy = $POLICY"
            mgmt_cli install-policy policy-package "$POLICY" -d "$DOMAIN" access true --root true --format json
        done
        end=`date +%s`
        runtime=$((end-start))
        echo "Elapsed time for $DOMAIN: $((runtime / 60)) minutes and $((runtime % 60)) seconds"
        echo " "
    else
        # Without -install: reassign the global domain, skipping domains that have none assigned.
        if [ -z "`mgmt_cli show domain name "${DOMAIN}" --format json --root true | jq -r '."global-domain-assignments"[]'`" ]; then
            echo "Domain \"${DOMAIN}\" has no Global Domain assigned, skipping it."
        else
            echo "Reassigning Global Domain \"${GPOL_NAME}\" to Domain \"${DOMAIN}\"..."
            mgmt_cli assign-global-assignment global-domains "${GPOL_NAME}" dependent-domains "${DOMAIN}" --root true --format json
        fi
    fi
done

So, this works great except for one fatal flaw. A policy with no installation targets will cause you some headaches (speaking from experience).

One of our domains has about 8 policies. Someone has a new policy built that he is staging work for a future deployment. He does not have a cluster object built yet for it to be tied to.

So my script installed all the policies and then it got to that fresh policy and installed it to EVERY gateway...and it probably did it with glee!

If you tried this in the GUI it would prompt you in hopes to avoid your own stupidity.  If you do a Global Policy assignment from the GUI with the option to install policy it will do it based on the gateway and not the policy.  

The API does not allow this same type of logic.  I have to pass either the policy (which gives me the above results) or policy + gateway which I would have to generate some sort of list to be able to do that.

0 Kudos
Employee++

Re: Is there a equivalent command to a global policy assignment with install?

Ivan,

If I understand you correctly, you want to avoid installing a policy with 'all' installation targets defined. Right?

Within the "show-packages" loop per POLICY, add a "show-package" API call per that POLICY and check the "installation-targets" field, and act based on its value(s).

Robert.

Re: Is there a equivalent command to a global policy assignment with install?

Few product observations:

1. R80.10 does not yet support a policy with no targets. So this situation can't happen.

2. As a best practice it's better to specify very specific policy targets when creating policy packages and not having the same gateway in the target list of multiple policies. Since this isn't enforced automatically by the Security Management Server and it's more of a best practice, you can probably achieve it using a separated "validator" script if you like.

0 Kudos
Employee++

Re: Is there a equivalent command to a global policy assignment with install?

My assumption is that he has "All" targets configured by default.

As I mentioned, he should detect such configuration in his script and avoid the installation.

Robert.

0 Kudos

Re: Is there a equivalent command to a global policy assignment with install?

I was looking at this last night in my lab. I made a policy assigned to my lab gateway and created a few with no target. Was able to figure out all to filter out ones that did not have a specific target and added an output for install commands:

mgmt_cli -r true show packages details-level full --format json | jq --raw-output '.packages[] | select(."installation-targets" == "all" |not) | ("mgmt_cli -r true install-policy policy-package " + (.name) + " access true")'  >install-policy.txt; chmod 700 install-policy.txt; ./install-policy.txt

Employee++

Re: Is there a equivalent command to a global policy assignment with install?

Looks fine, that is exactly what I was talking about...

How did this work for you?

Robert.

0 Kudos

Re: Is there a equivalent command to a global policy assignment with install?

Worked as expected. It ignores the two policies that have "ALL" assigned; basically, it only extracts the ones that have a target listed. Then it ran my list and installed policy as expected.
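
Added example, not part of any post in this thread: a Python version of the installation-targets check discussed above, which goes one step further than the jq filter by pinning each install to the package's own gateways through the `targets` parameter of install-policy. It assumes "installation-targets" is either the string "all" or a list of gateway objects (or names); the JSON sample and every package and gateway name in it are constructed.

```python
import json
import shlex

# Constructed sample of `mgmt_cli show packages details-level full --format json`
# output; package and gateway names are made up for this example.
SAMPLE = json.loads("""
{"packages": [
  {"name": "NA_Edge", "installation-targets": [{"name": "na-cluster-1"}, {"name": "na-cluster-2"}]},
  {"name": "Staging New", "installation-targets": "all"},
  {"name": "NA_DC", "installation-targets": [{"name": "na-dc-gw"}]},
  {"name": "Empty_Targets", "installation-targets": []}
]}
""")


def plan_installs(reply, domain):
    """Return (commands, skipped): one argv list per package that names explicit
    targets, and the names of the packages that were left alone."""
    commands, skipped = [], []
    for pkg in reply.get("packages", []):
        targets = pkg.get("installation-targets")
        # Anything that is not a non-empty list of gateways (the string "all",
        # a missing field, an empty list) is skipped rather than guessed at.
        if not isinstance(targets, list) or not targets:
            skipped.append(pkg["name"])
            continue
        argv = ["mgmt_cli", "install-policy", "policy-package", pkg["name"],
                "access", "true"]
        # Pin the install to the package's own gateways: targets.1, targets.2, ...
        for i, gw in enumerate(targets, start=1):
            argv += ["targets.%d" % i, gw["name"] if isinstance(gw, dict) else gw]
        argv += ["-d", domain, "--root", "true", "--format", "json"]
        commands.append(argv)
    return commands, skipped


def render(argv):
    """Shell-quoted form for a dry-run log; execute the list itself, not this string."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    cmds, skipped = plan_installs(SAMPLE, "DOMAIN")
    for c in cmds:
        print(render(c))
    print("skipped (no explicit targets):", ", ".join(skipped))
```

Passing each argv list to `subprocess.run` without a shell keeps a package name containing spaces or shell metacharacters from being reinterpreted, which the generated `install-policy.txt` approach does not guarantee.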

Ivan_Moore
Nickel

Re: Is there a equivalent command to a global policy assignment with install?

Fantastic!!!  Thanks.   

Mahi
Ivory

Re: Is there a equivalent command to a global policy assignment with install?

Could you please let me know the exact procedure along with commands for global policy installation on gateways via management server. Thank you.

0 Kudos