ZdenekR
Explorer

Output from show-gateways-and-servers API call

Hello all,

I am working on a script that collects the policy package for a specific gateway (virtual system).
It works very well in the lab, but in the production environment I noticed the following behavior.

API call "show-gateways-and-servers" with "details-level full" should return a
list of objects. If the object type is equal to "CpmiVsxClusterNetobj" and it is a
virtual system, there should be a "policy" object that contains the key "access-policy-name".

See the example below (the output is shortened):

{
    "uid" : "f47b987d-f3d8-4ae2-b5ca-a562c7fd43ef",
    "name" : "VS01",
    "type" : "CpmiVsClusterNetobj",
    "domain" : {
      "uid" : "886fb185-487f-4ccf-94f4-ddc8443f6760",
      "name" : "DOM02",
      "domain-type" : "domain"
    },
    "policy" : {
      "access-policy-installed" : true,
      "access-policy-name" : "VS01_POL01",
      "access-policy-installation-date" : {
        "posix" : 1726439380347,
        "iso-8601" : "2024-09-16T00:29+0200"
      },
      "threat-policy-installed" : false


But in production there are several virtual systems which have the "policy" object empty, like in the following example:

{
    "uid" : "f47b987d-f3d8-4ae2-b5ca-a562c7fd43ef",
    "name" : "VS05",
    "type" : "CpmiVsClusterNetobj",
    "domain" : {
      "uid" : "886fb185-487f-4ccf-94f4-ddc8443f6761",
      "name" : "DOM05",
      "domain-type" : "domain"
    },
    "policy" : {
    },
      "threat-policy-installed" : false


My understanding is that in case a policy package was successfully installed on a virtual system, the "policy" object should not stay empty. Is my understanding correct? Or are there any corner cases when this is not true, like after an MDS server upgrade or after purging all revisions from a domain? To be honest, I have already tested all mentioned corner cases in a lab, but I was not able to simulate the situation with an empty "policy" object.

We are using 2x MDS servers with version R81.20 Take 76 + 2x MLM. Firewalls are using VSX R81.10 or R81.20. I have noticed that if the "policy" object is empty, "Installation History" also shows an empty "Access Control Policy" and "Access Installation Date" in the SmartConsole application, like this:

[Image: smartconsole.png]

Do you have any idea about this behavior? Is this a bug?

Any suggestions would be greatly appreciated.

Regards,

ZdenekR

 

 

 

0 Kudos
5 Replies
_Val_
Admin

Before anything else, can you show what your script looks like? Also, do you actually follow up the policy installation process results in your script? Installation success/error messages could give you a clue.

0 Kudos
ZdenekR
Explorer

Hi,

thanks for your quick reply. To be honest, it is a Python module I am working on, which will probably be difficult to present here. But I created another bash script which can be easily understood and can show the problem I am dealing with. See this:

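#!/bin/bash
# Name of the virtual system to look up, taken from the first argument
fwname=$1
# Log in as root on the management server and keep the session in a file
mgmt_cli -r true login > session
# Print the name and the "policy" object of the matching virtual system
mgmt_cli show gateways-and-servers details-level full -f json -s session | jq --arg fwname "$fwname" -r '.["objects"][] | select(.type=="CpmiVsClusterNetobj" and .name==$fwname) | [.name,.policy]'
# Close the session
mgmt_cli logout -s session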

In my lab the output from the above script looks like this:

[Expert@MDS01:0]# ./getppol.sh VS01
[
  "VS01",
  {
    "access-policy-installed": true,
    "access-policy-name": "VS01_POL01",
    "access-policy-installation-date": {
      "posix": 1726439380347,
      "iso-8601": "2024-09-16T00:29+0200"
    },
    "threat-policy-installed": false
  }
]
message: "OK"

[Expert@MDS01:0]#

In the production environment the output looks like this:

[Expert@srv01_mds01:0]# ./getppol.sh VS02
[
  "VS02",
  {
  }
]
message: "OK"

[Expert@srv01_mds01:0]#

I will probably open a TAC case with Check Point, but before I do I would like to know someone's view on this problem. Is this a bug? Or does this show a problem within the production environment? Or might this be the result of an upgrade, and a simple policy installation will resolve this issue?

I have not tried to install a policy yet, as this means opening a change, going through an approval process and answering lots of questions. But this will probably be the next step before I open the TAC case.

Anyway, any help and comment is really appreciated.

Regards,

ZdenekR

0 Kudos
ZdenekR
Explorer

Hi all,

I reinstalled a policy package for the virtual system that was causing issues, and everything started working as expected. However, I still consider this to be a bug, with the reinstallation serving only as the workaround. When using the 'show-gateways-and-servers' API call, you should receive a non-empty 'policy' object for each virtual system where a policy package was previously installed.

Regards,

ZdenekR

0 Kudos
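
Added example (not part of the thread and not Check Point code): a Python check that a collection script could run over the parsed "show-gateways-and-servers" response, so that a virtual system with an empty "policy" object, as reported above, is flagged for follow-up instead of being read as having no package. The sample data is constructed, and the state names and helper functions are hypothetical.

```python
import json

VS_TYPE = "CpmiVsClusterNetobj"  # type string as shown in the thread's output

# Constructed sample shaped like the shortened output quoted in the thread.
# "VS07" and the "OtherType" object are invented to exercise the other branches.
SAMPLE = json.loads("""
{"objects": [
  {"name": "VS01", "type": "CpmiVsClusterNetobj", "domain": {"name": "DOM02"},
   "policy": {"access-policy-installed": true,
              "access-policy-name": "VS01_POL01",
              "threat-policy-installed": false}},
  {"name": "VS05", "type": "CpmiVsClusterNetobj", "domain": {"name": "DOM05"},
   "policy": {}},
  {"name": "VS07", "type": "CpmiVsClusterNetobj", "domain": {"name": "DOM05"},
   "policy": {"access-policy-installed": false}},
  {"name": "HOST01", "type": "OtherType", "policy": {}}
]}
""")


def classify_policy(obj):
    """Return (state, package_name) for one object from the response."""
    policy = obj.get("policy") or {}
    name = policy.get("access-policy-name")
    if name:
        return "installed", name
    if not policy:
        # Case from the thread: nothing reported, so the state is unknown.
        return "unknown-empty-policy", None
    if policy.get("access-policy-installed") is False:
        return "not-installed", None
    return "unknown-no-name", None


def audit_virtual_systems(response):
    """Map each virtual system name to its domain, state and package."""
    report = {}
    for obj in response.get("objects", []):
        if obj.get("type") != VS_TYPE:
            continue
        state, package = classify_policy(obj)
        domain = (obj.get("domain") or {}).get("name")
        report[obj.get("name")] = {"domain": domain, "state": state, "package": package}
    return report


def needs_followup(report):
    """Names whose installed package cannot be determined from the API output."""
    return sorted(n for n, r in report.items() if r["state"].startswith("unknown"))
```

Calling `needs_followup(audit_virtual_systems(SAMPLE))` lists the virtual systems whose installed package has to be confirmed another way, for example in SmartConsole or by reinstalling the policy as described above.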
PhoneBoy
Admin

This should probably be addressed through a TAC case: https://help.checkpoint.com 

0 Kudos
PhoneBoy
Admin

Not sure how well VS objects are handled here.
Tagging @Omer_Kleinstern 

0 Kudos
