vaidehi
Participant

How to add access rule using CLI in r80.30


Hello,

I want to add an access rule using CLI in firewall r80.30.

Can anyone please guide me to any document or provide the commands?

Thanks!

12 Replies
Maarten_Sjouw
Champion
Access roles can only be added on the management, not directly on the gateway.
Also, when you run a standalone setup, the only way is to add the access role in the policy on the management and then push the policy to the gateway. Check Point does not use an ACL type rulebase on the gateway; it is compiled on the management server and then sent to the gateway.

To add a rule in a policy on the management server you can use the API, of which you can find all documentation online and lots of information here on the forum.

Regards, Maarten
vaidehi
Participant
I am sorry, in my context, "Access rule" means "policy". I was wondering, is there a way to add a policy on the management server using CLI?
PhoneBoy
Admin
Like Maarten said, this is possible with mgmt_cli add access-rule.
For documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.5

There are several examples on the community.
One that allows you to build the policy that exists in Demo Mode: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/My-Security-Management-Setup-Scri...


vaidehi
Participant
Thank you so much for helping!
0 Kudos
vaidehi
Participant
Sorry, I have one more doubt on the same topic. I was able to create a policy using mgmt_cli. I used this syntax:

mgmt_cli add access-rule layer "my_policy Network" source "43.1.1.3" destination "27.1.1.2" service "any" action "accept" track-settings.type "Log" position "1" name "rule1" install-on "chkpt" --port 4434

My doubt: Can I create a source/destination IP address using CLI? In this scenario, the policy gets installed if I have already added a source/destination IP; otherwise it throws me an error:
code: "generic_err_object_not_found"
message: "Requested object [43.1.1.3] not found"
0 Kudos
Maarten_Sjouw
Champion
Nope, for that you first need to create the host object:
mgmt_cli add host name Myhost ip-address 43.1.1.3
Then use Myhost as the source in your access rule.
Regards, Maarten
0 Kudos
vaidehi
Participant
Thank you for your quick response, Maarten. Okay, so correct me if I am wrong: if I have to create 1000 policies (working on a script) with 1000 different source IPs, I have to create 1000 host objects manually first?

PhoneBoy
Admin
Correct.
Note that a given rule can contain multiple source/destination objects.
Also, you can create objects for networks as well.
That might simplify the policy that gets created.
0 Kudos
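
The workflow from the replies above (create the host object first, then reference it by name in the rule), scripted for a list of source IPs; this is an added example, not code from any poster or from Check Point. It assumes it runs as root on the management server (`-r true`) and that the destination object already exists; the `h_<ip>` and `rule_<n>` names and the `sid.txt` path are made up for illustration.

```sh
#!/bin/sh
# Added example: bulk host objects + rules. MGMT_CLI=echo gives a dry run.
MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
LAYER="my_policy Network"     # layer name used in the thread
PORT=4434                     # API port used in the thread
SID="${SID:-sid.txt}"         # session file; the path is an assumption

# Accept only dotted-quad IPv4 (four octets, each 0-255) so that nothing
# else from the input file ever reaches a mgmt_cli command line.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# stdin: one source IP per line. $1: name of an existing destination object.
# Logs in once, creates a host object per IP, references it by name in a
# rule, then publishes the session. Policy installation is a separate step.
add_rules() {
    dst=$1; n=0
    $MGMT_CLI login -r true --port "$PORT" > "$SID" || return 1
    while read -r ip; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        n=$((n + 1))
        # </dev/null keeps mgmt_cli from consuming the IP list on stdin
        $MGMT_CLI add host name "h_$ip" ip-address "$ip" \
            -s "$SID" --port "$PORT" </dev/null &&
        $MGMT_CLI add access-rule layer "$LAYER" position 1 name "rule_$n" \
            source "h_$ip" destination "$dst" service "Any" action "Accept" \
            track-settings.type "Log" -s "$SID" --port "$PORT" </dev/null ||
            return 1
    done
    $MGMT_CLI publish -s "$SID" --port "$PORT" &&
    $MGMT_CLI logout -s "$SID" --port "$PORT"
}
```

The session file holds a live session ID, so keep it readable only by the operator and delete it after logout.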
vaidehi
Participant
Got it. Thanks
0 Kudos
Security_Consul
Participant

I added multiple rules but got an error:

Line 2: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [action]"

Following this guide, "accept" in the action field is correct. Why do I still get the invalid parameter error?

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/add-access-rule~v1.6%20

PhoneBoy
Admin
Try it as Accept instead of accept.
Some of the API calls are case sensitive.
0 Kudos
Security_Consul
Participant

Thank you!!

0 Kudos