This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sudhir_mirajkar
Participant
‎2021-06-21 09:51 PM

Adding Service Group in a access-rule

i am facing issue adding a service group to an access rule while creating a new rule.

i have a rule where i need to add services and service groups.

i get error the the entry is not unique.

below is the syntax i am using.

add access-rule layer "standard" name "test" position 10 source "node a" destination "nodeb" destination.1 "nodec" service "ssh" service.1 "shiva_vpn_group" action "accept"

i am  not able to find anything in API Doc or the community.

thanks

0 Kudos
4 Replies
Sigbjorn
Advisor
‎2021-06-22 01:41 AM

Can you show the exact error message you're getting?

Two things that stick out to me, layer would usually be "Network" or "Application" if the policy package is Standard (Default behavior) - You can verify the layer by opening Manage policies and layers and looking at the Layers -> Access Control section

And when adding several objects, I would use service.1 and service.2 instead of service and service.1 (Same for dst)

0 Kudos
sudhir_mirajkar
Participant
‎2021-06-22 01:51 AM
In response to Sigbjorn

Hi,

here is the error i get
code: "generic_err_object_field_not_unique"
message: "Requested object name [pcANYWHERE] is not unique."

the layer name in the question is a typo its a Network layer

i tried your suggestion of using service.1 and service.2 but it give me the same error.

i can either add only service or service-group in a API call but not both in one call.

thanks...
 

0 Kudos
Sigbjorn
Advisor
‎2021-06-22 02:00 AM
In response to sudhir_mirajkar

If you search for pcANYWHERE, you will probably find more then one object, maybe a host and a network object by the same name?

If you have objects by the same name, you should first try to rename one of the objects. (It's likely to cause you even more pain down the road otherwise.)

The other option would be to specify the object by uid instead of name.

0 Kudos
sudhir_mirajkar
Participant
‎2021-06-22 02:09 AM
In response to Sigbjorn

HI,

i was not aware that even if we call service to be added it will look at other objects as well for the name.

i do see the same name is used for an app category.

so looks like i will have to go with UID for this.

thanks for your help here. 

0 Kudos