Solved: Re: How to add access rule using CLI in r80.30

vaidehi · ‎2020-01-02

Hello,

I want to add an access rule using CLI in firewall r80.30.

Can anyone please guide me to any document or provide the commands?

Thanks!

PhoneBoy · ‎2020-01-02

Like Maarten said, this is possible with mgmt_cli add access-rule.
For documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.5

There are several examples on the community.
One that allows you to build the policy that exists in Demo Mode: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/My-Security-Management-Setup-Scri...

View solution in original post

Maarten_Sjouw · ‎2020-01-02

Access roles can only be added on the management, not directly on the gateway.
Also when you run a standalone setup the only way is to add the access role in the policy on the management and then push the policy to the gateway. Check Point does not use a ACL type rulebase on the gateway, it is compiled on the management server and then sent to the gateway.

To add a rule in a policy on the management server you can use the API of which you can find all documentation online and lotst of information here on the forum.

Regards, Maarten

vaidehi · ‎2020-01-02

I am sorry, in my context, "Access rule" means "policy". I was wondering is there a way to add a policy on management server using CLI?

PhoneBoy · ‎2020-01-02

Like Maarten said, this is possible with mgmt_cli add access-rule.
For documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.5

There are several examples on the community.
One that allows you to build the policy that exists in Demo Mode: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/My-Security-Management-Setup-Scri...

vaidehi · ‎2020-01-03

Thank you so much for helping!

vaidehi · ‎2020-01-03

Sorry I have one more doubt on same topic. I was able to create a policy using mgmt_cli. I used this syntax:

mgmt_cli add access-rule layer "my_policy Network" source "43.1.1.3" destination "27.1.1.2" service "any" action "accept" track-settings.type "Log" position "1" name "rule1" install-on "chkpt" --port 4434

My doubt: Can i create a source/destination ip address using cli. Because in this scenario, policy gets install if i have already added a source/destination ip. otherwise throws me an error
code: "generic_err_object_not_found"
message: "Requested object [43.1.1.3] not found"

Maarten_Sjouw · ‎2020-01-03

Nope, for that you first need to create the host object:
mgmt_cli add host name Myhost ip_address 43.1.1.3
Then use Myhost as the source in your access rule.

Regards, Maarten

vaidehi · ‎2020-01-03

Thank you for your quick response Maarten. Okay So correct me if I am wrong, if I have to create 1000 policies (working on a script) with 1000 different source ip, i have to create 1000 host object manually first?

PhoneBoy · ‎2020-01-03

Correct.
Note that a given rule can contain multiple source/destination objects.
Also, you can create objects for networks as well.
That might simplify the policy that gets created.

vaidehi · ‎2020-01-03

Got it. Thanks

Security_Consul · ‎2020-07-13

I added multi rule but got error

Line 2: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [action]"

Following this Guide in action field is correct "accept" Why I got still error invalid parameter?

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/add-access-rule~v1.6%20

PhoneBoy · ‎2020-07-13

Try it as Accept instead of accept.
Some of the API calls are case sensitive.

Security_Consul · ‎2020-07-13

Thank you!!

Are you a member of CheckMates?

How to add access rule using CLI in r80.30