Re: SmartConsole CLI Question

Mike_A · ‎2018-11-21

I've spun up an R80.10 management server for API testing. I've been working with the SmartConsole CLI as my admins would have access there and could benefit from some mass object creation by importing a file. With that said, on my test management server (R80.10 JHF 154) I can successfully run the syntax below with desired results.

# add group object

add group name AD-Servers

# add host objects

add host name AD100 ip-address 192.168.1.100 groups.1 AD-Servers

add host name AD101 ip-address 192.168.1.101 groups.1 AD-Servers

etc.

# add network

add network name net_10.0.0.0_b24 subnet 10.0.0.0 subnet-mask 255.255.255.0

# add section

add access-section layer Network position top name "Test Rules"

# add rule

add access-rule layer Network position.top "Test Rules" name "Test AD Rule" source AD-Servers destination net_10.0.0.0_b24 service.1 ldap service.2 http action Accept track Log install-on LABFW comments "Comments here"

This works when there is a single "Standard" policy on the management server so I created a second policy named "Test" and im trying to target then the rule above to be injected into the "Test" policy, not "Standard" anymore.

Within the mgmt_cli there is a policy-package option where you can specify the desired package. Is there no ability to specify a policy you want to execute the code above on (obviously rule creation only) when using the SmatrConsole CLI?

I have looked through the Management API page section in 'add access-rule' with no luck, maybe I'm missing it? Can someone let me know how I can accomplish this?

Thanks in advance!

PhoneBoy · ‎2018-11-21

Policy packages is a pre-R80 concept.

In R80+, you create policy rules in layers.

The layers as they show in SmartConsole may not be exactly how you refer to them in the API.

You can use show access-layers to see all the layers.

You can do add access-rule to this layer and do a position based on name/UID of the rule you want to add before/after.

> show access-layers

access-layers:
- uid: "410b9c55-6532-414c-b1c6-7fce1dac2f80"
name: "Branch_Office_Policy Network"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "20192579-0739-45b5-98e8-937b3bccedbc"
name: "Customer Service Server Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "aef957ef-bf58-4368-9936-7991ca1d37f8"
name: "Data Center Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "4756db5b-e3bc-4c52-8e22-d1417577629f"
name: "Guest Exception Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "b406b732-2437-4848-9741-6eae1f5bf112"
name: "Network"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "2397e1ac-bfd1-46c3-a20c-5ecbd5c2f0ec"
name: "Public FTP Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "2af4b5b7-275c-4b51-94b6-73be0d77644e"
name: "RDP Exceptions Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
- uid: "4e205afd-6c09-4a63-a86d-976343d8c78d"
name: "Web Control Layer"
type: "access-layer"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
from: 1
to: 8
total: 8

Mike_A · ‎2018-11-22

Thanks Dameon! Happy Thanksgiving! You pointed me in the right direction.

Just to add, and close the loop for anyone who runs into this as well, this is R80.10 management with R77.30 or below gateways using pre-R80 packages. In other words, I am not using layers as my gateways are not to R80.10 yet.

The show access-layers command output "Test Network" & "Network" as the 2 main layers I had. With this I was able to use the command below (in conjunction with the other commands from my original post) to add a rule into the "Test" policy, not into "Standard".

From the looks of it, any policy, other than "Standard" that you would want to target would use a "POLICYNAME Network" approach, where POLICYNAME would be in this case, "Test Network" or "Mike Network" etc.

# add rule

add access-rule layer "Test Network" position.top "Test Rules" name "Test AD Rule" source AD-Servers destination net_10.0.0.0_b24 service.1 ldap service.2 http action Accept track Log install-on LABFW comments "Comments here"

PhoneBoy · ‎2018-11-26

Using one of the scripts on CheckMates, I've had a few other variations of this naming concept.

Definitely best to check the exact name (or use the uid) via the API

Jin_Zhou · ‎2022-02-21

Found this old thread. Is there any way to find just access control rulebase names which are used to for installation and verification? Thanks.

Jin_Zhou · ‎2022-02-21

Never mind. Figured out the problem. In show access-layers set details-level to full then jq select (.firewall == true and .domain."domain-type" == "domain" and ."implicit-cleanup-action" == "drop").

Are you a member of CheckMates?

SmartConsole CLI Question