SalmanKaleem
Explorer

Mgmt_Cli to create VPN directional Match condition

Create an access rule/set an access rule using Mgmt_Cli to create VPN directional Match condition

0 Kudos
7 Replies
PhoneBoy
Admin

VPN Directional Match is a global property, described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
There isn't an official API to actually set this global property, but I believe these can be set with generic-objects.
You can get a list of the properties from here: https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-Query-Global-Properties-via-CLI/m-p/37... 

Directional Match rules are described in the API documentation for set-access-rule.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.7%20 
However, I don't see any specific examples of how to set it using mgmt_cli. 
@Omer_Kleinstern can you provide a more precise example here?

0 Kudos
SalmanKaleem
Explorer

@PhoneBoy Thanks for the additional details. Actually, we are automating the deployment of Check Point auto scaling clusters, which requires the creation of controllers, templates & policies. We are stuck on the following VPN rule creation.

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network " vpn add directional from "tgw-community" to "External_clear" -s sid.txt

What are we missing in the above rule as per https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.7%20 ?

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network " vpn add directional from "tgw-community" to "tgw-community" -s sid.txt

Setting                  Value
-----------------------  --------------------------------
Source                   Any
Destination              Any
VPN (Directional Match)  tgw-community -> tgw-community
                         tgw-community -> External_clear
Services & Applications  Any
Action                   Accept
Track                    Log

0 Kudos
PhoneBoy
Admin

Keep in mind mgmt_cli is turning your CLI command into JSON name/value pairs.
So it's possibly something like:

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network " vpn add directional.from "tgw-community" directional.to "tgw-community" -s sid.txt

or

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network " vpn add directional.0.from "tgw-community" directional.0.to "tgw-community" -s sid.txt

0 Kudos
SalmanKaleem
Explorer

I get this error for both directional.0.from & directional.from:

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network" vpn add directional.0.from "tgw-community" directional.0.to "tgw-community" -s sid.txt
code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [directional]"

0 Kudos
PhoneBoy
Admin

@Omer_Kleinstern can you help with the correct syntax in this case?

0 Kudos
chkp-royl
Employee

Hi Salman,

When working with mgmt_cli tool, the path to each parameter should be followed with "."

Try this:

mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network" vpn.add.directional.0.from "tgw-community" vpn.add.directional.0.to "tgw-community" -s sid.txt


Roy

0 Kudos
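To make the dotted-path convention in Roy's answer concrete, here is an added Python example (it is not part of the original thread and not Check Point's code) that reproduces what mgmt_cli does with its arguments: each `key value` pair is split on "." and folded into the nested JSON body that is posted to the Management API, with numeric segments becoming list indices. Run over the two commands from this thread it shows why `vpn add directional.0.from ...` yields "Unrecognized parameter [directional]" (the `directional` array lands at the top level of the body, next to a string-valued `vpn`), and what `vpn.add.directional.0.from ...` produces instead. It also goes one step beyond the thread and extends the working command to both rows of Salman's rule table by using indices 0 and 1. Two things are assumptions rather than documented behaviour: the option-stripping rule (a token starting with "-" and the token after it are tool options such as `-s sid.txt`, not API parameters) and the list of recognised top-level set-access-rule parameters, which only approximates the server-side validation.

```python
import json
import shlex


def _set_path(node, parts, value):
    """Fold one dotted key into a nested dict/list structure in place.

    A numeric segment means "index into a list", so
    vpn.add.directional.0.from -> {"vpn": {"add": {"directional": [{"from": ...}]}}}
    Assumption: this mirrors how mgmt_cli flattens JSON; the tool itself is not open.
    """
    for i, part in enumerate(parts):
        if not isinstance(node, (dict, list)):
            raise ValueError("cannot descend into a scalar value at %r" % part)
        last = i == len(parts) - 1
        # The container to create for the next segment: list if it is numeric.
        child = None if last else ([] if parts[i + 1].isdigit() else {})
        if isinstance(node, list):
            idx = int(part)
            while len(node) <= idx:          # grow the list so the index exists
                node.append(None)
            if last:
                node[idx] = value
                return
            if node[idx] is None:
                node[idx] = child
            node = node[idx]
        else:
            if last:
                node[part] = value
                return
            node = node.setdefault(part, child)


def args_to_body(args):
    """Turn the flat [key, value, key, value, ...] list into the JSON body."""
    if len(args) % 2:
        raise ValueError("parameters must come in key/value pairs: %r" % args)
    body = {}
    for key, value in zip(args[0::2], args[1::2]):
        _set_path(body, key.split("."), value)
    return body


def parse_mgmt_cli(cmdline):
    """Return (api_command, json_body) for a 'mgmt_cli <verb> <object> ...' line."""
    tokens = shlex.split(cmdline)
    if len(tokens) < 3 or tokens[0] != "mgmt_cli":
        raise ValueError("expected: mgmt_cli <verb> <object> key value ...")
    api_command = "%s-%s" % (tokens[1], tokens[2])   # "set access-rule" -> "set-access-rule"
    params = []
    rest = tokens[3:]
    i = 0
    while i < len(rest):
        if rest[i].startswith("-"):   # assumption: tool options like "-s sid.txt" take one value
            i += 2
            continue
        params.append(rest[i])
        i += 1
    return api_command, args_to_body(params)


# Top-level parameters of set-access-rule that this example treats as known.
# Assumption: taken from the public API reference; the management server is authoritative.
SET_ACCESS_RULE_PARAMS = {
    "uid", "name", "rule-number", "layer", "action", "action-settings", "comments",
    "content", "content-direction", "content-negate", "custom-fields", "destination",
    "destination-negate", "enabled", "inline-layer", "install-on", "new-name",
    "new-position", "service", "service-negate", "source", "source-negate", "time",
    "track", "user-check", "vpn", "details-level", "ignore-warnings", "ignore-errors",
}


def unrecognized_parameters(body):
    """Top-level keys the server would reject as 'Unrecognized parameter'."""
    return sorted(k for k in body if k not in SET_ACCESS_RULE_PARAMS)


# The two commands from this thread (Salman's failing one and Roy's fix), plus the
# fix extended to both rows of the rule table using indices 0 and 1.
FAILING_CMD = ('mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network" '
               'vpn add directional.0.from "tgw-community" directional.0.to "tgw-community" -s sid.txt')
WORKING_CMD = ('mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network" '
               'vpn.add.directional.0.from "tgw-community" vpn.add.directional.0.to "tgw-community" -s sid.txt')
BOTH_ROWS_CMD = ('mgmt_cli set access-rule name "tgw-community VPN Traffic Rule" layer "Network" '
                 'vpn.add.directional.0.from "tgw-community" vpn.add.directional.0.to "tgw-community" '
                 'vpn.add.directional.1.from "tgw-community" vpn.add.directional.1.to "External_clear" -s sid.txt')


def explain(cmdline):
    """Parse one command line and report the body plus any keys the server would reject."""
    command, body = parse_mgmt_cli(cmdline)
    return {"command": command, "body": body, "unrecognized": unrecognized_parameters(body)}


if __name__ == "__main__":
    for label, cmd in (("failing", FAILING_CMD), ("working", WORKING_CMD), ("both rows", BOTH_ROWS_CMD)):
        result = explain(cmd)
        print("%s -> POST /web_api/%s" % (label, result["command"]))
        print(json.dumps(result["body"], indent=2))
        if result["unrecognized"]:
            print("server would answer: Unrecognized parameter %s" % result["unrecognized"])
```

Running it prints the three bodies; the failing one contains `"vpn": "add"` and a top-level `"directional"` array, which is exactly the key named in the error message Salman posted, while the working ones nest `directional` under `vpn.add`. If a command produced by automation misbehaves, dumping the body this way (or passing `--format json` to the real tool and reading the server's reply) is the quickest way to see what was actually sent.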
Harshpal_Bhati
Employee

For other users: the above syntax worked for Salman.

0 Kudos