Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Chandhrasekar_S
Collaborator

R80.10 Add Access-Rule using RESTAPI on policy package

All,

I want to add an access-rule on a specific policy package using REST API on R80.10 management server

I went through the below url, however I don't see, which policy package this rule will be placed in. I have multiple policy packages and want the access-rule to be placed in the right package

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-access-rule~v1.1

18 Replies
Ron_Izraeli
Employee
Employee

Hi Chandhrasekar,

access-rule is contained in an access-layer therefore, add-access-rule API command require an access-layer name/uid as parameter.

You could use where-used API command with layer name/uid as parameter to figure out in which policies this layer is being used before/after adding an access-rule.

Would it answer your requirement?

Chandhrasekar_S
Collaborator

Thanks very much Ron for the reply. It explains

Chandhrasekar_S
Collaborator

Thanks Ron. I was successfully able to create access-rule using REST API and specifying "layer" name placed the rule under correct policy package

however I am facing a different issue now. I was curious, and want to find out the result of "where-used". The output shows only the following "@{used-directly=} . It doesn't provide any more info on the policy , objects, rule , uid etc

I am using power shell to execute my scripts. do you happen to know why I am not getting a detailed result with all the parameters

@{used-directly=}

0 Kudos

the used-directly output value should provide a list of usages. In the case of an objects used in an access control rule, it should specify the rule, layer and policy. If this is not the case, can you provide your request and response syntax here?

0 Kudos
Chandhrasekar_S
Collaborator

Hi Tomer,

Code below

# Ignore SSL cert Exception

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# Login to Management server and obtain sid


$URL = "https://xx.xx.xx.xx/web_api"
$Action = "/login"
$URLAnon = "$URL$Action"

$headers = @{    "Content-Type" = "application/json"
    }

$login = @{
      "user" = "admin"
      "password" = "YYYYYYYYY"
    }

$login = $login | ConvertTo-Json

$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login

$sid = $response.sid


# Where-Used


$Action = "/where-used"
$URLAnon = "$URL$Action"

$headers = @{
    "Content-Type" = "application/json"
    "X-chkp-sid" = $sid
    }

$WhereUsed = @{
 
  "name" = "MY-WEBSERVERS"

}

$WhereUsed = $WhereUsed | ConvertTo-Json


$result = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $WhereUsed

#$result = $result | Convert-To-Json

Write-Host $result

0 Kudos

thanks, what was the output in this case?

0 Kudos
Chandhrasekar_S
Collaborator

Below is the output I got

@{used-directly=}

0 Kudos

Are you sure that this host object is placed in the source or the destination of one of your rules? Perhaps it's inside a group inside that rule? If that is the case, you will need to add "indirect: true" to your request and receive indirect usages.

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

In addition to Tomer's answer, the "indirect-max-depth" field (default is 5) determines the maximum nesting level during indirect usage search.

Robert.

0 Kudos
Chandhrasekar_S
Collaborator

Can you please let me know, where do I change the "indirect-max-depth" field .Thanks!

0 Kudos
Chandhrasekar_S
Collaborator

I did change the indirect-max-depth field to 250 to the REST API body I send, but the powershell output is still the same

$WhereUsed = @{

"name" = "xxxxssss-SERVERS"

"indirect-max-depth" = 250

}

0 Kudos
Chandhrasekar_S
Collaborator

The Group Object is being used in a access-rule and the output does display correctly

@{used-directly=}

The problem is, I am not able to view all the parameters.

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

Chandhrasekar_S
Collaborator

Hello,

I did try sending 'details-level' in my powershell code. I got the same result

I modified the powershell result to result.'used-directly'  now I am getting total but still other output aren't visible

My new output. I still couldn't see whether its used in objects or access-control-rules.

I don't know if this is checkpoint issue or power shell issue. If any one familiar with Power shell, can you please check my code and help.

@{total=1; objects=System.Object[]; threat-prevention-rules=System.Object[]; nat-rules=System.Object[]; access-control-rules=System.Obj

ect[]}

======================================

# Ignore SSL cert Exception

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# Login to Management server and obtain sid

 

$URL = "https://xx.xx.xx.xx/web_api"

$Action = "/login"

$URLAnon = "$URL$Action"

$headers = @{ "Content-Type" = "application/json"

}

$login = @{

"user" = "admin"

"password" = "yyyyy"

}

$login = $login | ConvertTo-Json

$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login

$sid = $response.sid

 

# Where-Used

 

$Action = "/where-used"

$URLAnon = "$URL$Action"

$headers = @{

"Content-Type" = "application/json"

"X-chkp-sid" = $sid

}

$WhereUsed = @{

"name" = "MY-HOST"

}

$WhereUsed = $WhereUsed | ConvertTo-Json

 

$result = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $WhereUsed

 

Write-Host $result.'used-directly'

======================================

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

Hi,

In order to verify whether this is checkpoint issue or power shell issue, try running the command directly on the management server using mgmt_cli utility and examine the results - 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/where-used~v1.1

Refer to the examples at the bottom of the page.

Robert.

0 Kudos
Chandhrasekar_S
Collaborator

Thank you Robert! I was able to use mgmt_cli utility and get the UID and Name of the layer and can now create the access-rule using REST API. I wish I can get them using my power shell code itself, it would enable me to do end to end automation and orchestration...

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

Try changing the title of this post to something like - "R80.10 Add Access-Rule using RESTAPI and PowerShell", so that Power Shell experts can notice and assist.

Robert.

Robert_Decker
Employee Alumnus
Employee Alumnus

In addition, read this thread, maybe you will find it useful - 

https://community.checkpoint.com/thread/5684-web-api-issues-with-run-script-and-install-policy-from-... 

Robert.