Is there an equivalent command to a global policy assignment with install?
In R77 I could run a command like this:
mdscmd install-globalpolicy -install -l DOMAIN
and it would push out all policies in that domain.
I can't find the "-install" option in R80 from the command line... seems to still be there in the GUI.
I can do this:
mgmt_cli assign-global-assignment global-domains Global dependent-domains DOMAIN -s ID.txt --format json
which will do the same as the previous command without the "-install". Is it possible to do the "-install"?
Labels: Multi Domain
R80 management API doesn't have such an option.
This should be done in two steps: assign and then install.
Robert.
Yeah, thought that was the case. This doesn't work as straightforwardly for us. Oh well.
Thanks!
I have figured out a way to do what I need done.
Something like this: (this allows me to just show our domains which make up our North America gateways... other greps to grab just EMEA, APAC, etc.)
ID=/var/log/tmp/id.txt   # session file; the post uses this path and $ID interchangeably
mgmt_cli login -r true > "$ID"; mgmt_cli show domains -s "$ID" --format json | grep name | grep -v "System Data" | grep -v "LAC\|EMEA\|APAC" | sed -e 's/\"name\" : \"//' | sed -e 's/\",//' | sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s "$ID" >/dev/null
Then to install the various policies across each domain pulled from the list above:
for POLICY in $(mgmt_cli login -r true > "$ID"; mgmt_cli show-packages -d "$DOMAIN" --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' | sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s "$ID" >/dev/null)
do
    # log in to the domain, install this package, log out again
    mgmt_cli login domain "$DOMAIN" -r true > "$ID"; mgmt_cli install-policy policy-package "$POLICY" access true -s "$ID" --format json; mgmt_cli logout -s "$ID" >/dev/null
done
Still a work in progress, but does it relatively painlessly. I do a lot of stuff before/after this to massage the data and perform other tasks such as policy verification across all domains. So far, this seems to be doing the trick in my lab.
Excellent!
You are on the right track. If you need any assistance, please let me know.
Robert.
Thanks. Once I get the whole thing working the way I want it, I'll post a clean version of the whole set of scripts. Lots of cleanup in the move to R80 as some things are *much* easier to do now.
Here is the problem I am having right now.
My script does this:
DOMAINS=$1
# GPOL_NAME (the global domain to reassign) is not set in this excerpt
for DOMAIN in `echo $DOMAINS | sed -e 's/,/ /g'`
do
    echo "DOMAIN = $DOMAIN"
    if [ "$2" == "-install" ] ; then
        start=`date +%s`
        # installs every package in the domain, whatever its installation targets are
        for POLICY in $(mgmt_cli show-packages -d $DOMAIN --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' | sed 's/[][*]\|[[:space:]]//g')
        do
            echo "Policy = $POLICY"
            mgmt_cli install-policy policy-package $POLICY -d $DOMAIN access true --root true --format json
        done
        end=`date +%s`
        runtime=$((end-start))
        echo "Elapsed time for $DOMAIN: $((runtime /60)) minutes and $(($runtime %60)) seconds"
        echo " "
    else
        # no -install: only reassign the global domain, if the domain has one assigned
        if [ -z "`mgmt_cli show domain name ${DOMAIN} --format json --root true | jq -r '."global-domain-assignments"[]'`" ]; then
            echo "Domain \"${DOMAIN}\" has no Global Domain assigned, skipping it."
        else
            echo "Reassigning Global Domain \"${GPOL_NAME}\" to Domain \"${DOMAIN}\"..."
            mgmt_cli assign-global-assignment global-domains ${GPOL_NAME} dependent-domains ${DOMAIN} --root true --format json
        fi
    fi
done
So, this works great except for one fatal flaw. A policy with no installation targets will cause you some headaches (speaking from experience).
One of our domains has about 8 policies. Someone has a new policy built that he is staging work for a future deployment. He does not have a cluster object built yet for it to be tied to.
So my script installed all the policies and then it got to that fresh policy and installed it to EVERY gateway... and it probably did it with glee!
If you tried this in the GUI it would prompt you in hopes to avoid your own stupidity. If you do a Global Policy assignment from the GUI with the option to install policy it will do it based on the gateway and not the policy.
The API does not allow this same type of logic. I have to pass either the policy (which gives me the above results) or policy + gateway which I would have to generate some sort of list to be able to do that.
Ivan,
If I understand you correctly, you want to avoid installing a policy with 'all' installation targets defined. Right?
Within the "show-packages" loop per POLICY, add a "show-package" API call per that POLICY and check the "installation-targets" field, and act based on its value(s).
Robert.
A few product observations:
1. R80.10 does not yet support a policy with no targets. So this situation can't happen.
2. As a best practice it's better to specify very specific policy targets when creating policy packages and not to have the same gateway in the target list of multiple policies. Since this isn't enforced automatically by the Security Management Server and it's more of a best practice, you can probably achieve it using a separate "validator" script if you like.
My assumption is that he has "All" targets configured by default.
As I mentioned, he should detect such a configuration in his script and avoid the installation.
Robert.
I was looking at this last night in my lab. I made a policy assigned to my lab gateway and created a few with no target. Was able to figure out how to filter out the ones that did not have a specific target and added an output for install commands:
mgmt_cli -r true show packages details-level full --format json | jq --raw-output '.packages[] | select(."installation-targets" == "all" |not) | ("mgmt_cli -r true install-policy policy-package " + (.name) + " access true")' >install-policy.txt; chmod 700 install-policy.txt; ./install-policy.txt
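The check Robert describes and the "validator" idea from the product observations, as an added Python example that is not part of the original posts or any Check Point code: it reads `show packages details-level full` JSON, skips any package whose installation targets are "all", flags gateways listed by more than one package, and builds `install-policy` commands pinned to the listed gateways with `targets.N`. The sample data and gateway names are constructed, and the assumption that explicit targets arrive as a list of objects with a `name` field goes beyond what the thread shows.

```python
import json
from collections import defaultdict

# Constructed sample in the shape the thread's jq filter reads:
# .packages[] with "name" and "installation-targets".
SAMPLE = json.dumps({"packages": [
    {"name": "NA_Edge", "installation-targets": [{"name": "na-cluster-1"}]},
    {"name": "NA_DC", "installation-targets": [{"name": "na-cluster-2"},
                                               {"name": "na-cluster-1"}]},
    {"name": "Staging_New", "installation-targets": "all"},
]})


def plan_installs(show_packages_json):
    """Return (commands, skipped, shared) for one domain's packages."""
    commands, skipped = [], []
    owners = defaultdict(list)          # gateway name -> packages targeting it
    for pkg in json.loads(show_packages_json).get("packages", []):
        targets = pkg.get("installation-targets")
        # "all", a missing field or an empty list: never install unattended.
        if not isinstance(targets, list) or not targets:
            skipped.append(pkg["name"])
            continue
        # Assumption: each target is an object with "name" (or a bare string).
        names = [t["name"] if isinstance(t, dict) else t for t in targets]
        argv = ["mgmt_cli", "-r", "true", "install-policy",
                "policy-package", pkg["name"], "access", "true"]
        for i, gw in enumerate(names, start=1):
            argv += [f"targets.{i}", gw]   # pin the install to listed gateways
            owners[gw].append(pkg["name"])
        commands.append(argv)
    # Validator: a gateway listed by more than one package is ambiguous.
    shared = {gw: pkgs for gw, pkgs in owners.items() if len(pkgs) > 1}
    return commands, skipped, shared


if __name__ == "__main__":
    cmds, skipped, shared = plan_installs(SAMPLE)
    for argv in cmds:
        print(" ".join(argv))
    print("skipped (no explicit targets):", skipped)
    print("gateways in several packages:", shared)
```

The function only returns the commands for review; in a Multi-Domain setup add `-d DOMAIN` as in the scripts above before running them.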
Looks fine, that is exactly what I was talking about...
How did this work for you?
Robert.
Worked as expected. It ignores the two policies that have "ALL" assigned; basically, it only extracts the ones that have a target listed. Then it ran my list and installed policy as expected.
Fantastic!!! Thanks.
Could you please let me know the exact procedure, along with commands, for global policy installation on gateways via the management server? Thank you.
