Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PeterH
Participant
Jump to solution

API set-access-rule Adding / removing Source or destination

I done the following with mgmt_cli:

set access-rule rule-number 1 layer "Test Network" source.add "Test_Host1"

set access-rule rule-number 1 layer "Test Network" source.add "Test_Host2"

set access-rule rule-number 1 layer "Test Network" source.add "Test_Host3"

set access-rule rule-number 1 layer "Test Network" source.add "Test_Host4"

set access-rule rule-number 1 layer "Test Network" destination.remove "Test_Host1"

set access-rule rule-number 1 layer "Test Network" destination.remove "Test_Host2"

set access-rule rule-number 1 layer "Test Network" destination.remove "Test_Host3"

set access-rule rule-number 1 layer "Test Network" destination.remove "Test_Host4"

 

How can I do the same with curl?

source.add as well destination.remove gets the error

"code" : "generic_err_invalid_syntax",
"message" : "Payload is not a valid JSON"

 

 

 

1 Solution

Accepted Solutions
Ryan_Darst
Employee
Employee

For the source/destination/service fields we can use the add/remove functions of the set-access-rule api call.

Here is an example in JSON of adding hosts as a source to a rule.  This will add the three hosts to the source of the rule without having to specify all of the sources that are there already.

{
"name" : "Test Rule",
"layer" : "Network",
"source" : { "add" : ["host1", "host2", "host3"]
   }
}

 

Hope this helps.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
What precisely did you try?
0 Kudos
PeterH
Participant

Hi PhoneBoy

As you can see I added Test_Host1 to Test_Host4 into the source column of the existing Rule 1 in Policy Package Test, as well removing Test_Host1 to Test_Host4 from the destination column in the same Rule and Policy. I did that successful within the mgmt_cli tool, but would like to do the same with curl or curl_cli.

The problem is the syntax in the curly brackets of curl  ...set-access-rule -d '{"rule-number" : "1", "layer" : "Test Network", "source.add" : "Test_Host5"}'

 

0 Kudos
PeterH
Participant

Hi PhoneBoy

In the meantime I found a workarround for the problem.
Simply list all sources or destinations in the rule and then add or remove selectiv.

- add Test_Host1 to Test_Host4 into source column
set-access-rule -d '{"rule-number" : "1", "layer" : "Test Network", "source" : ["Test_Host1","Test_Host2","Test_Host3","Test_Host4"]}

- remove Test_Host1 from source column
set-access-rule -d '{"rule-number" : "1", "layer" : "Test Network", "source" : ["Test_Host2","Test_Host3","Test_Host4"]}

The same for destionation.

I think there should be a simpler solution for that.

0 Kudos
Ryan_Darst
Employee
Employee

For the source/destination/service fields we can use the add/remove functions of the set-access-rule api call.

Here is an example in JSON of adding hosts as a source to a rule.  This will add the three hosts to the source of the rule without having to specify all of the sources that are there already.

{
"name" : "Test Rule",
"layer" : "Network",
"source" : { "add" : ["host1", "host2", "host3"]
   }
}

 

Hope this helps.

PeterH
Participant
Many thanks, much easier than my workarround
0 Kudos
genisis__
Leader Leader
Leader

I'm trying to do something similar where I want to use a single command to add a new rule which contains a few sources and destination below an existing rule.

I did this:
mgmt_cli add access-rule uid <uid reference> layer "Standard Network" position.below "<uid reference>" name "Test Rule" source "HOST1","HOST2" destination "GROUP1" service "http" action "Accept" track type "Log"

This does not work, and I cannot find an example on the Checkpoint API reference site.  The site does not show example of all the parameters you can use for a given action ie. in this case 'add access-rule'.

0 Kudos
Alex-
Leader Leader
Leader

I got this working in a test environment.

 

 

[Expert@cptestenv:0]# mgmt_cli -r true add access-rule name "Access to GROUP1" layer "Network" position.below "44b0b0fc-524b-40c4-b0a2-581312446dc8" source.1 "HOST1" source.2 "HOST2" destination "GROUP
1" action "accept" service.1 "http" service.2 "https" track "log"


---------------------------------------------
Time: [18:12:14] 31/5/2023
---------------------------------------------
"Publish operation"  succeeded  (100%)

 

 

Looking at set access-rule there is the .add action you can append to either source, destination or objects to make a batch import but it doesn't seem to be present in add access-rule. So depending of the size of your list to import you could create a rule with add access-rule then batch import sources or destinations in it with a CSV by calling set access-rule source.add, destination.add, service.add in one call referencing the name or uid of the rule in question.

 

 

0 Kudos
genisis__
Leader Leader
Leader

Thanks Alex.

Would use .csv for large imports, for small changes the above is great.  I'll certainly give this ago.

 

What frustrates me is there are no examples for the different action you can have on the API reference pages, would  be nice if Checkpoint provided an example for every parameter scenario (I know this is allot) it would save allot of time.

 

0 Kudos
genisis__
Leader Leader
Leader

All works,  one observation I wanted to add a section heading as well, and noted that you have do this last, keeping in mind you want everything to be added under and existing uid.

session=`mgmt_cli -r true login --format json| jq -r '.sid'`
mgmt_cli --session-id $session add group name "GROUP1" color "Sea Green" comments "Test Group"

mgmt_cli --session-id $session set group name "GROUP1" members.add.1 HOST1

mgmt_cli --session-id $session add access-rule name "Test Rule" layer "Network" position.below "7216a217-6d28-449a-9e04-eb6e6aa4b01b" source "HOST2" destination "GROUP1" action "accept" service.1 "microsoft-ds" service.2 "nbsession" track "log" comments "New rule added"

mgmt_cli --session-id $session add access-section layer "Network" position.below "7216a217-6d28-449a-9e04-eb6e6aa4b01b" name "Section for new rule"

mgmt_cli --session-id $session publish

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events