All,
I want to add an access-rule on a specific policy package using the REST API on an R80.10 management server.
I went through the URL below; however, I don't see which policy package this rule will be placed in. I have multiple policy packages and want the access-rule to be placed in the right package.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-access-rule~v1.1
Hi Chandhrasekar,
An access-rule is contained in an access-layer; therefore, the add-access-rule API command requires an access-layer name/uid as a parameter.
You could use the where-used API command with the layer name/uid as a parameter to figure out in which policies this layer is being used before/after adding an access-rule.
Would it answer your requirement?
Thanks very much Ron for the reply. It explains
Thanks Ron. I was successfully able to create the access-rule using the REST API, and specifying the "layer" name placed the rule under the correct policy package.
However, I am facing a different issue now. I was curious and wanted to find out the result of "where-used". The output shows only the following: "@{used-directly=}". It doesn't provide any more info on the policy, objects, rule, uid etc.
I am using PowerShell to execute my scripts. Do you happen to know why I am not getting a detailed result with all the parameters?
@{used-directly=}
The used-directly output value should provide a list of usages. In the case of an object used in an access control rule, it should specify the rule, layer and policy. If this is not the case, can you provide your request and response syntax here?
Hi Tomer,
Code below
```powershell
# Ignore SSL cert Exception
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# Login to Management server and obtain sid
$URL = "https://xx.xx.xx.xx/web_api"
$Action = "/login"
$URLAnon = "$URL$Action"
$headers = @{
    "Content-Type" = "application/json"
}
$login = @{
    "user" = "admin"
    "password" = "YYYYYYYYY"
}
$login = $login | ConvertTo-Json
$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login
$sid = $response.sid

# Where-Used
$Action = "/where-used"
$URLAnon = "$URL$Action"
$headers = @{
    "Content-Type" = "application/json"
    "X-chkp-sid" = $sid
}
$WhereUsed = @{
    "name" = "MY-WEBSERVERS"
}
$WhereUsed = $WhereUsed | ConvertTo-Json
$result = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $WhereUsed
#$result = $result | Convert-To-Json
Write-Host $result
```
Thanks, what was the output in this case?
Below is the output I got
@{used-directly=}
Are you sure that this host object is placed in the source or the destination of one of your rules? Perhaps it's inside a group inside that rule? If that is the case, you will need to add "indirect: true" to your request and receive indirect usages.
In addition to Tomer's answer, the "indirect-max-depth" field (default is 5) determines the maximum nesting level during indirect usage search.
Robert.
Can you please let me know where I change the "indirect-max-depth" field? Thanks!
I did change the indirect-max-depth field to 250 in the REST API body I send, but the PowerShell output is still the same.
```powershell
$WhereUsed = @{
    "name" = "xxxxssss-SERVERS"
    "indirect-max-depth" = 250
}
```
The Group Object is being used in an access-rule and the output does display correctly.
@{used-directly=}
The problem is, I am not able to view all the parameters.
Hello,
I did try sending 'details-level' in my PowerShell code. I got the same result.
I modified the PowerShell result to result.'used-directly'; now I am getting the total, but the other outputs still aren't visible.
My new output is below. I still couldn't see whether it's used in objects or access-control-rules.
I don't know if this is a Check Point issue or a PowerShell issue. If anyone is familiar with PowerShell, can you please check my code and help?
@{total=1; objects=System.Object[]; threat-prevention-rules=System.Object[]; nat-rules=System.Object[]; access-control-rules=System.Object[]}
```powershell
# Ignore SSL cert Exception
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# Login to Management server and obtain sid
$URL = "https://xx.xx.xx.xx/web_api"
$Action = "/login"
$URLAnon = "$URL$Action"
$headers = @{
    "Content-Type" = "application/json"
}
$login = @{
    "user" = "admin"
    "password" = "yyyyy"
}
$login = $login | ConvertTo-Json
$response = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $login
$sid = $response.sid

# Where-Used
$Action = "/where-used"
$URLAnon = "$URL$Action"
$headers = @{
    "Content-Type" = "application/json"
    "X-chkp-sid" = $sid
}
$WhereUsed = @{
    "name" = "MY-HOST"
}
$WhereUsed = $WhereUsed | ConvertTo-Json
$result = Invoke-RestMethod -Method Post -Headers $headers -Uri $URLAnon -Body $WhereUsed
Write-Host $result.'used-directly'
```
Hi,
In order to verify whether this is a Check Point issue or a PowerShell issue, try running the command directly on the management server using the mgmt_cli utility and examine the results -
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/where-used~v1.1
Refer to the examples at the bottom of the page.
Robert.
Thank you Robert! I was able to use the mgmt_cli utility and get the UID and name of the layer, and can now create the access-rule using the REST API. I wish I could get them using my PowerShell code itself; it would enable me to do end-to-end automation and orchestration...
Try changing the title of this post to something like - "R80.10 Add Access-Rule using RESTAPI and PowerShell", so that Power Shell experts can notice and assist.
Robert.
In addition, read this thread, maybe you will find it useful -
Robert.
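Added example, not part of the original posts: the `@{used-directly=}` and `System.Object[]` output in the thread comes from `Write-Host` stringifying the object that `Invoke-RestMethod` returns, and the block below shows how to print and walk the full reply instead. It runs offline on a constructed sample reply; the object names and the fields inside each access-control-rules entry (rule, layer, package) are assumptions, as is the helper name `Get-RuleUsage`.

```powershell
# Constructed sample shaped like a where-used reply. The keys under
# used-directly match the output posted in the thread; the fields inside
# each access-control-rules entry are an assumed shape.
$sampleJson = @'
{
  "used-directly": {
    "total": 1,
    "objects": [],
    "threat-prevention-rules": [],
    "nat-rules": [],
    "access-control-rules": [
      { "rule":    { "uid": "00000000-0000-0000-0000-000000000001", "name": "Web access" },
        "layer":   { "name": "Example Network" },
        "package": { "name": "Example_Package" } }
    ]
  }
}
'@
$result = $sampleJson | ConvertFrom-Json   # PSCustomObject, as Invoke-RestMethod returns

# Request body with the options suggested in the thread; ConvertTo-Json emits
# $true as a JSON boolean. Against a live server it would be sent with:
#   Invoke-RestMethod -Method Post -Headers $headers -Uri "$URL/where-used" -Body $body
$body = @{
    "name"               = "MY-WEBSERVERS"
    "indirect"           = $true
    "indirect-max-depth" = 5
} | ConvertTo-Json

# Write-Host calls ToString() on the object, which does not expand nested
# objects or arrays (hence "@{used-directly=}" and "System.Object[]").
Write-Host $result

# Serialising with an explicit -Depth (the default is 2) prints every level.
$result | ConvertTo-Json -Depth 10

# Walk the usages as objects, e.g. to pick the layer for add-access-rule.
function Get-RuleUsage {
    param($WhereUsedResult)
    foreach ($u in $WhereUsedResult.'used-directly'.'access-control-rules') {
        [pscustomobject]@{
            Rule    = $u.rule.name
            Layer   = $u.layer.name
            Package = $u.package.name
        }
    }
}
Get-RuleUsage $result | Format-Table -AutoSize
```

Against a live server the same handling applies to the `Invoke-RestMethod` result. Trusting the management server's certificate on the client and reading the password with `Get-Credential` avoids the validation override and hard-coded password used in the posted scripts.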