nagarevathi
Participant

How can we install on multiple firewalls using the install-policy command from the API CLI

Hi Team,

I have explored the API reference posted on CheckMates. It gives the command below to deploy policy from the API CLI on a single firewall. Similarly, if we want to run policy installation on all firewalls of a CMA, what is the command?

API Reference:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/install-policy~v1.2

Single Firewall:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --version 1.1 --format json

Multiple Firewall:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway corporate-gateway1 corporate-gateway2 " --version 1.1 --format json

In double quotes, can we include multiple firewalls by separating them with spaces?

Regards

Revathi 

0 Kudos
7 Replies
PhoneBoy
Admin

No, you use multiple target parameters like so:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" targets.2 "corporate-gateway1" targets.3 "corporate-gateway2" --version 1.1 --format json

nagarevathi
Participant

Hi Admin,

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" targets.2 "corporate-gateway1" targets.3 "corporate-gateway2" --version 1.1 --format json

The above command will help to deploy one common policy to multiple firewalls. If I want to install a different policy on each gateway, how do we do that?
Policy A - Gateway A
Policy B - Gateway B
Policy C - Gateway C

Regards
Revathi
PhoneBoy
Admin

It’s a separate command for each gateway/policy combination.

0 Kudos
ByL_telecom
Explorer

Hello,

We have about 175 SMB devices (1430 devices) in our environment that share the same policy. Every time we make a change we have to install in small batches (20 devices, for example) due to a limitation on installing to all devices at one time.

Is it possible via the API to write a script or configuration that gets all 1430 devices from SmartConsole and then installs policy in batches of 20 devices until all of them are up to date?

 

Thanks.

0 Kudos
PhoneBoy
Admin

Can this be scripted? Sure.
Is there something pre-built that does this? No.
At a high level, you would do something like:

  • Query the API for the relevant gateways (maybe set a tag for each gateway with that same policy to make it easier).
  • Issue a policy install for the first twenty gateways.
  • Monitor for completion of the policy install action and repeat for the next twenty gateways.

 

0 Kudos
ByL_telecom
Explorer

Hello,

Which API query could we use to monitor the status of the installation?

I found a way to get the gateways and also the API command to install the policy, but can't find how to know if the policy installation is complete or not.

 

Thanks.

0 Kudos
ByL_telecom
Explorer

Forget it, I've found a way: after executing "install-policy policy-package" I can parse any of the "success" messages, for example, and then start another installation.

0 Kudos
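The batching procedure outlined in the replies above, as an added example that is not part of the original thread or Check Point's own code: it reads gateway names from stdin, builds the `targets.N` parameters for each batch, and stops at the first batch that fails so a bad policy is not pushed to the rest of the fleet. It assumes a session file created with `mgmt_cli login`, mgmt_cli's default synchronous mode (the command returns when the install task ends), and a non-zero exit status on failure; `gateways.txt`, `id.txt` and the log file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): batch policy install with mgmt_cli.
# Assumptions: SESSION_FILE was created with `mgmt_cli login ... > id.txt`,
# mgmt_cli runs in its default synchronous mode (returns when the install
# task ends) and exits non-zero when the task fails.
SESSION_FILE=${SESSION_FILE:-id.txt}
LOG_FILE=${LOG_FILE:-install-policy.log}

# install_batch PACKAGE GW...: one install-policy call covering every GW.
# Runs in a subshell (parentheses body) so its variables do not leak.
install_batch() (
    pkg=$1; shift
    n=0
    for gw in "$@"; do
        n=$((n + 1))
        # Move each name to the back of "$@", preceded by its targets.N key.
        set -- "$@" "targets.$n" "$gw"
        shift
    done
    # </dev/null keeps mgmt_cli from consuming the gateway list on stdin.
    mgmt_cli install-policy policy-package "$pkg" access true \
        threat-prevention true "$@" --version 1.1 --format json \
        -s "$SESSION_FILE" </dev/null >>"$LOG_FILE" 2>&1
)

# install_in_batches PACKAGE SIZE: gateway names on stdin, one per line.
# Stops at the first failed batch; prints the number of gateways installed.
install_in_batches() {
    pkg=$1; size=$2; installed=0
    set --
    while IFS= read -r gw || [ -n "$gw" ]; do
        [ -n "$gw" ] || continue
        set -- "$@" "$gw"
        [ "$#" -lt "$size" ] && continue
        install_batch "$pkg" "$@" || { echo "batch failed: $*" >&2; return 1; }
        installed=$((installed + $#))
        set --
    done
    if [ "$#" -gt 0 ]; then
        install_batch "$pkg" "$@" || { echo "batch failed: $*" >&2; return 1; }
        installed=$((installed + $#))
    fi
    echo "$installed"
}

# Usage (gateways.txt is a hypothetical file, one gateway name per line):
#   install_in_batches standard 20 < gateways.txt
```

Review the log file after a failed batch before resuming; the gateways named in the "batch failed" message are the ones whose state needs checking.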