Re: Creating Firewall Rules per CLI

Yasushi_Kono1 · ‎2017-12-06

Hi eXperts,

I am trying to create Firewall rules completely with CLI commands. I started the following Syntax:

[Expert@A-SMS:0]# mgmt_cli login user cpadmin -p vpn123 > sid.txt

[Expert@A-SMS:0]# mgmt_cli add access-layer name "Bravo_Standard" --format json -s sid.txt

[Expert@A-SMS:0]# mgmt_cli add access-rule layer "Bravo_Standard" position 1 name "NetBIOS rule" service.1 "rip" service.2 "bootp" service.3 "NBT service.4 "udp-high-ports" action "drop" --format json -s sid.txt

[Expert@A-SMS:0]# mgmt_cli publish -s sid.txt

Everything looks fine, but I cannot see any policies just added in SmartConsole. Nor can I install the newly created policy with

[Expert@A-SMS:0]# mgmt_cli install-policy policy-package "Bravo_Standard" targets B-GW

So, what I am doing wrong?

Any hint will highly be appreciated.

Kind regards,

Yasushi

Robert_Decker · ‎2017-12-06

Hi,

What are you trying to accomplish?

Are you willing to create a rulebase with inline layers (R80.10 style), or just a flat rulebase (R77.30 style)?

Robert.

Yasushi_Kono1 · ‎2017-12-06

Hi Robert,

Thank you for your reply.

I wanted to start with the flat rulebase, But. afterwards, I wanted to learn how to create an inline layer.

Cheers,

Yasushi

Von meinem iPhone mithilfe von TouchDown (www.symantec.com) gesendet

Robert_Decker · ‎2017-12-07

Here you go - the FLAT rulebase:

1. create a policy package:

mgmt_cli add package name "my_policy" threat-prevention "false" -s id.txt

2. add the rules to the NETWORK (!!!) layer:

mgmt_cli add access-rule layer "my_policy Network" source "any" destination "h1" service "http" action "accept" track-settings.type "Log" position "1" name "rule1" -s id.txt

3. publish:

mgmt_cli -s id.txt publish

This is the result in SmartConsole:

Please pay attention that the Cleanup Rule is automatically created along with the package creation.

You can also add sections, like in R77:

mgmt_cli add access-section layer "my_policy Network" position 1 name "New Section 1" -s id.txt

mgmt_cli -s id.txt publish

Hope this can assist.

Robert.

Yasushi_Kono1 · ‎2017-12-07

I tested that and it worked perfectly for me!

Thanks a lot for sharing your valuable knowledge with us!

Kind regards,

Yasushi

Yasushi_Kono1 · ‎2018-02-02

Hello Robert,

now, I am about to write a bash script with which I wanted to create policies interactively. At first sight, no big deal. But, if you wanted to add multiple objects (for source, destination or service), I am struggling with that.

What is the correct syntax for adding another source object into an existing rule?

I tried:

mgmt_cli set access-rule layer "Testpol Network" source Host_A -s id.txt

but then, Host_A replaces the host object instead of being added it.

Thanks a lot in advance!

Kind regards,

Yasushi

Robert_Decker · ‎2018-02-02

Use "source.add" syntax. The ".add" allows adding to the existing sources.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.1

Robert.

network_operat2 · ‎2018-03-15

the flat rule is not getting added for me through cli command which u have given above

Robert_Decker · ‎2018-03-15

please post here the commands you are using.

Are you a member of CheckMates?

Creating Firewall Rules per CLI