This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2022-11-29 10:43 PM
Jump to solution

API Policy Install

Hello,

Management API Reference v1.8.1 states for the policy -> install-policy endpoint, the argument parameter 'targets' is a required argument.

I have tested this requirement and it seems the 'targets' argument parameter is not required. This was tested on the following environments -Management R81.10 JHF baseline (API version 1.8) -Management R81.10 JHF take 79 (API version 1.8.1)

If the following example command is run, the "standard" policy is installed on ALL gateways, including gateways where "Specified Gateways" for installation targets is configured and a gateway is specified.

mgmt_cli install-policy policy-package "standard" access true --format json 

My understanding if required arguments are they are just that. If the required argument is not entered, the command should fail with reason "Missing parameter: [targets]. This would be the expected result for a required argument. Just as 'policy-package' is a required argument - if the 'policy-package' argument parameter is not included in the command, the command fails with reason "Missing parameter: [policy-package].

After discovering the command did not fail if a target was not specified, I thought the policy might only be installed on all gateways where the installation target setting was set to 'All Gateways'. However as mentioned above the policy is installed on ALL gateways, regardless of the current installation target setting on the policy.

This seems like a bug and there should be a safety net for this feature.

I want to specify a specific target, but we also need it to prompt or fail and return "Missing parameter: [targets] if a target is not specified.  Ensuring the "targets" argument parameter is a required argument will prevent a specific policy package being installed on unintended gateways.

Regards,

Simon

0 Kudos
1 Solution

Accepted Solutions
Omer_Kleinstern
Employee
Employee
‎2022-11-30 01:57 PM
In response to PhoneBoy
Jump to solution

I confirm that this is a documentation issue and @Tal_Paz-Fridman is correct.

When you run the command without specifying the policy targets it will only install on the targets as specified on the Policy Package.

View solution in original post

0 Kudos
4 Replies
Tal_Paz-Fridman
Employee
Employee
‎2022-11-30 03:31 AM
Jump to solution

Hi

When I run the command without specifying the policy targets it only install on the targets as specified on the Policy Package.

Do you experience a different behavior?

 

Policy installation targets.png

0 Kudos
Simon_Macpherso
Advisor
‎2022-12-04 04:31 PM
In response to Tal_Paz-Fridman
Jump to solution

Hi @Tal_Paz-Fridman,

What you described above is correct and expected. 

When I run the command without specifying a policy target, if the installation target is set to 'All gateways', the policy installs on all gateways, including on gateways that are configured as targets in another other policies.  I expected the policy would only be installed on gateways that weren't already configured as targets.  So to avoid this you must specify the intended installation targets for the policy you are installing, otherwise you may deploy the policy to all gateways across your estate. 

Regards,

Simon   

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-30 10:51 AM
Jump to solution

Looks like a documentation bug.
Paging @Omer_Kleinstern 

v1.9 says that targets isn't required (earlier versions list it as required).
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/install-policy~v1.9%20 

Omer_Kleinstern
Employee
Employee
‎2022-11-30 01:57 PM
In response to PhoneBoy
Jump to solution

I confirm that this is a documentation issue and @Tal_Paz-Fridman is correct.

When you run the command without specifying the policy targets it will only install on the targets as specified on the Policy Package.

0 Kudos