SmartConsole CLI Question
I've spun up an R80.10 management server for API testing. I've been working with the SmartConsole CLI as my admins would have access there and could benefit from some mass object creation by importing a file. With that said, on my test management server (R80.10 JHF 154) I can successfully run the syntax below with desired results.
# add group object
add group name AD-Servers
# add host objects
add host name AD100 ip-address 192.168.1.100 groups.1 AD-Servers
add host name AD101 ip-address 192.168.1.101 groups.1 AD-Servers
etc.
# add network
add network name net_10.0.0.0_b24 subnet 10.0.0.0 subnet-mask 255.255.255.0
# add section
add access-section layer Network position top name "Test Rules"
# add rule
add access-rule layer Network position.top "Test Rules" name "Test AD Rule" source AD-Servers destination net_10.0.0.0_b24 service.1 ldap service.2 http action Accept track Log install-on LABFW comments "Comments here"
This works when there is a single "Standard" policy on the management server, so I created a second policy named "Test" and I'm now trying to target the rule above so it is injected into the "Test" policy, not "Standard" anymore.
Within mgmt_cli there is a policy-package option where you can specify the desired package. Is there no ability to specify a policy you want to execute the code above on (obviously rule creation only) when using the SmartConsole CLI?
I have looked through the Management API page section in 'add access-rule' with no luck, maybe I'm missing it? Can someone let me know how I can accomplish this?
Thanks in advance!
Labels: Access Policy
Tags: smartconsole cli
Policy packages are a pre-R80 concept.
In R80+, you create policy rules in layers.
The layers as they show in SmartConsole may not be exactly how you refer to them in the API.
You can use show access-layers to see all the layers.
You can do add access-rule to this layer and do a position based on name/UID of the rule you want to add before/after.
> show access-layers
access-layers:
  - uid: "410b9c55-6532-414c-b1c6-7fce1dac2f80"
    name: "Branch_Office_Policy Network"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "20192579-0739-45b5-98e8-937b3bccedbc"
    name: "Customer Service Server Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "aef957ef-bf58-4368-9936-7991ca1d37f8"
    name: "Data Center Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "4756db5b-e3bc-4c52-8e22-d1417577629f"
    name: "Guest Exception Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "b406b732-2437-4848-9741-6eae1f5bf112"
    name: "Network"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "2397e1ac-bfd1-46c3-a20c-5ecbd5c2f0ec"
    name: "Public FTP Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "2af4b5b7-275c-4b51-94b6-73be0d77644e"
    name: "RDP Exceptions Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
  - uid: "4e205afd-6c09-4a63-a86d-976343d8c78d"
    name: "Web Control Layer"
    type: "access-layer"
    domain:
      uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
      name: "SMC User"
      domain-type: "domain"
from: 1
to: 8
total: 8
Thanks Dameon! Happy Thanksgiving! You pointed me in the right direction.
Just to add, and to close the loop for anyone who runs into this as well: this is R80.10 management with R77.30 or below gateways using pre-R80 packages. In other words, I am not using layers, as my gateways are not on R80.10 yet.
The show access-layers command output "Test Network" & "Network" as the 2 main layers I had. With this I was able to use the command below (in conjunction with the other commands from my original post) to add a rule into the "Test" policy, not into "Standard".
From the looks of it, any policy other than "Standard" that you would want to target would use a "POLICYNAME Network" approach, where POLICYNAME would be, in this case, "Test Network" or "Mike Network", etc.
# add rule
add access-rule layer "Test Network" position.top "Test Rules" name "Test AD Rule" source AD-Servers destination net_10.0.0.0_b24 service.1 ldap service.2 http action Accept track Log install-on LABFW comments "Comments here"
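As an added example (not code from the thread or from Check Point), the script below generates the same SmartConsole CLI command sequence used in the posts above from a host list, so the "mass object creation by importing a file" idea is parameterised by the layer name reported by show access-layers. The CSV contents, the group/section/rule names, the destination subnet and the LABFW install target are constructed sample values taken from the posts; nothing here talks to a management server, it only emits command text that can be redirected to a file. Names with spaces are double-quoted the way the thread quotes "Test Network", and rows with a malformed IP or a duplicate name are rejected rather than silently creating stray objects.

```python
"""Generate SmartConsole CLI / mgmt_cli commands from a host list.

Added example, not from the thread. Emits group, host, network, section
and access-rule commands in dependency order, targeting a caller-supplied
layer (the name shown by `show access-layers`, e.g. "Test Network").
"""
import csv
import io
import ipaddress
import re

# Constructed sample input (not from the thread): header row, then name,ip.
SAMPLE_CSV = """name,ip
AD100,192.168.1.100
AD101,192.168.1.101
"""

# Names made only of these characters can be passed to the CLI unquoted.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def q(value: str) -> str:
    """Quote a CLI argument the way the thread does for names with spaces."""
    if _SAFE_NAME.match(value):
        return value
    if '"' in value:
        raise ValueError(f"double quote not allowed in CLI argument: {value!r}")
    return f'"{value}"'


def parse_hosts(csv_text: str):
    """Return [(name, ip)], validating each row so a typo in the import
    file fails loudly instead of creating a wrong or duplicate object."""
    hosts, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        ip = str(ipaddress.ip_address(row["ip"].strip()))  # ValueError on bad IP
        if not _SAFE_NAME.match(name):
            raise ValueError(f"unsafe object name: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate host name: {name}")
        seen.add(name)
        hosts.append((name, ip))
    return hosts


def build_commands(csv_text, layer, group, dest_cidr, section, rule_name,
                   services, install_on, comments="Comments here"):
    """Build the command lines: objects first, then the section, then the
    rule that references them, all in the layer given by `layer`."""
    net = ipaddress.ip_network(dest_cidr, strict=True)
    net_name = f"net_{net.network_address}_b{net.prefixlen}"  # e.g. net_10.0.0.0_b24
    cmds = [f"add group name {q(group)}"]
    for name, ip in parse_hosts(csv_text):
        cmds.append(f"add host name {q(name)} ip-address {ip} groups.1 {q(group)}")
    cmds.append(f"add network name {q(net_name)} subnet {net.network_address} "
                f"subnet-mask {net.netmask}")
    cmds.append(f"add access-section layer {q(layer)} position top name {q(section)}")
    svc = " ".join(f"service.{i} {q(s)}" for i, s in enumerate(services, 1))
    cmds.append(
        f"add access-rule layer {q(layer)} position.top {q(section)} "
        f"name {q(rule_name)} source {q(group)} destination {q(net_name)} "
        f"{svc} action Accept track Log install-on {q(install_on)} "
        f"comments {q(comments)}"
    )
    return cmds


if __name__ == "__main__":
    # Redirect stdout to a file to keep a reviewable batch before running it.
    for line in build_commands(SAMPLE_CSV, layer="Test Network", group="AD-Servers",
                               dest_cidr="10.0.0.0/24", section="Test Rules",
                               rule_name="Test AD Rule", services=["ldap", "http"],
                               install_on="LABFW"):
        print(line)
```

The generated text is meant to be reviewed before it is run against a management server; a bad row fails the whole generation rather than producing a partial batch. The layer name is still only as good as what show access-layers reports, which is the point the next reply makes.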
Using one of the scripts on CheckMates, I've had a few other variations of this naming concept.
Definitely best to check the exact name (or use the uid) via the API
Found this old thread. Is there any way to find just the access control rulebase names which are used for installation and verification? Thanks.
Never mind. Figured out the problem. In show access-layers, set details-level to full, then use jq: select(.firewall == true and .domain."domain-type" == "domain" and ."implicit-cleanup-action" == "drop").
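As an added example (not code from the thread or from Check Point), the script below applies the same selection as the jq filter in the last post, plus the name-to-UID lookup the earlier reply recommends, to constructed JSON shaped like what show access-layers with details-level full returns. Only the fields the filter uses are modelled (uid, name, firewall, implicit-cleanup-action, domain.domain-type); the "Network" and "Web Control Layer" UIDs are the ones printed earlier in the thread, the other UIDs and the extra layers are made up for illustration.

```python
"""Pick the access-control rulebase layers out of `show access-layers`.

Added example, not from the thread. Mirrors the jq filter
  select(.firewall == true and .domain."domain-type" == "domain"
         and ."implicit-cleanup-action" == "drop")
over JSON output (mgmt_cli ... --format json) and resolves a layer name
to its UID so `add access-rule layer <uid>` does not depend on a display
name that may differ from what SmartConsole shows.
"""
import json

# Constructed sample (not real output): only the fields the filter needs.
# Two real UIDs from the thread; the rest are placeholders.
SAMPLE_JSON = json.dumps({
    "access-layers": [
        {"uid": "b406b732-2437-4848-9741-6eae1f5bf112", "name": "Network",
         "firewall": True, "implicit-cleanup-action": "drop",
         "domain": {"name": "SMC User", "domain-type": "domain"}},
        {"uid": "00000000-0000-4000-8000-000000000001", "name": "Test Network",
         "firewall": True, "implicit-cleanup-action": "drop",
         "domain": {"name": "SMC User", "domain-type": "domain"}},
        # App Control/URLF-only layer: not a firewall rulebase.
        {"uid": "4e205afd-6c09-4a63-a86d-976343d8c78d", "name": "Web Control Layer",
         "firewall": False, "implicit-cleanup-action": "accept",
         "domain": {"name": "SMC User", "domain-type": "domain"}},
        # Inline/exception-style layer that ends in implicit accept.
        {"uid": "00000000-0000-4000-8000-000000000002", "name": "Guest Exception Layer",
         "firewall": True, "implicit-cleanup-action": "accept",
         "domain": {"name": "SMC User", "domain-type": "domain"}},
        # Layer owned by a global domain: excluded by the domain-type test.
        {"uid": "00000000-0000-4000-8000-000000000003", "name": "Global Network",
         "firewall": True, "implicit-cleanup-action": "drop",
         "domain": {"name": "Global", "domain-type": "global domain"}},
    ],
    "from": 1, "to": 5, "total": 5,
})


def rulebase_layers(show_output: str):
    """Return [(name, uid)] for layers that are installable access-control
    rulebases: Firewall blade on, owned by a regular domain, implicit drop."""
    doc = json.loads(show_output)
    selected = []
    for layer in doc.get("access-layers", []):
        if (layer.get("firewall") is True
                and layer.get("domain", {}).get("domain-type") == "domain"
                and layer.get("implicit-cleanup-action") == "drop"):
            selected.append((layer["name"], layer["uid"]))
    return selected


def layer_uid(show_output: str, name: str) -> str:
    """Resolve a rulebase layer name to its UID; refuses ambiguity so a
    rule is never pushed into a same-named layer by accident."""
    matches = [uid for n, uid in rulebase_layers(show_output) if n == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one rulebase layer named {name!r}, "
                          f"found {len(matches)}")
    return matches[0]


def has_more_pages(show_output: str) -> bool:
    """show access-layers is paginated; callers must re-query with an
    offset when `to` is below `total` or layers will be silently missed."""
    doc = json.loads(show_output)
    return doc.get("to", 0) < doc.get("total", 0)


if __name__ == "__main__":
    for name, uid in rulebase_layers(SAMPLE_JSON):
        print(f"{name}\t{uid}")
```

The page check at the end matters in practice: the thread's own output shows from/to/total, and a script that reads only the first page of a large domain will miss layers without any error.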
