How can we install on multiple firewalls using ins...

nagarevathi · ‎2019-05-22

Hi Team,

I have explored the API reference posted in checkmates. It has given below command to deploy policy from API CLI to deploy on single firewall. Similarly, If we want to run policy installation on all firewalls of CMA. What is the command?

API Referrence:

https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/install-policy~v1.2

Single Firewall:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --version 1.1 --format json

Multiple Firewall:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway corporate-gateway1 corporate-gateway2 " --version 1.1 --format json

In double quotes, can we include multiple firewalls by giving space?

Regards

Revathi

PhoneBoy · ‎2019-05-22

No, you use multiple target parameters like so:

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" targets.2 "corporate-gateway1" targets.3 "corporate-gateway2 " --version 1.1 --format json

nagarevathi · ‎2019-05-22

Hi Admin,

mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" targets.2 "corporate-gateway1" targets.3 "corporate-gateway2 " --version 1.1 --format json

The above command will help to deploy multiple firewalls with 1 common policy. If I want to install different policies for each gateway. How we have to do that?
Policy A - Gateway A
Policy B - Gateway B
Policy C - Gateway C

Regards
Revathi

PhoneBoy · ‎2021-01-08

It’s a separate command for each gateway/policy combination.

ByL_telecom · ‎2021-01-07

Hello,

We have about 175 SMB devices (1430 devices) in our environment that share the same policy. Every time we do a change we have to install in small batches (20 devices for example) due to limitation of installing for all devices at one time.

It's possible via API to do some script or configuration to get all 1430 devices from SmartConsole and then install policy in batches of 20 devices until all of them are up-to-date?

Thanks.

PhoneBoy · ‎2021-01-08

Can this be scripted? Sure.
Is there something Pre-built that does this? No.
At a high-level, you would do something like:

Query the API for the relevant gateways (maybe set a tag for each gateway with that same policy to make it easier)
Issue a policy install for the first twenty gateways.
Monitor for completion of the policy instal action and repeat for the next twenty gateways.

ByL_telecom · ‎2021-01-11

Hello,

Which API query could we use to monitor the status of instalation?

I found a way to get the gateways and also the API command to install the policy, but can't find how to know if the policy installation is complete or not

Thanks.

ByL_telecom · ‎2021-01-11

Forget it, I've found a way, after executing "install-policy policy-package" i can parse any of "success" messages for example and the start another installation

EnriqueGB · ‎2022-04-21

Any chance that you share the script?

I'm scripting a related situation and it would be great to have something to compare with.

allen_saldanha · ‎2022-06-18

can share my friend

Are you a member of CheckMates?

How can we install on multiple firewalls using install policy comand from API CLI