I am using the add-access-rule call to add a rule using the following JSON construct:

```json
{
  "vpn": "Any",
  "layer": "Test_Domain Security",
  "comments": "First rule addition test",
  "service": [
    "ssh"
  ],
  "action": "Accept",
  "name": "MIKE_TEST_RULE",
  "destination": [
    "DEST_PROD_NETWORKS"
  ],
  "source": [
    "SOURCE_PROD_NETWORKS"
  ],
  "install-on": [
    "G_DOMAIN_Firewalls_global"
  ],
  "track": {
    "type": "Log"
  },
  "position": {
    "below": "a13b68a5-83aa-4cf1-bcc4-490c82e40f07"
  }
}
```
The rule adds successfully; however, the domain uses a global policy where, in the install-on field of the global rules, the object defining the install-on group is a global dynamic network object that gets resolved to a local "simple" group defined at the domain level. This means that effectively there are two objects of the same name defined in the Domain:

- G_DOMAIN_Firewalls_global - global dynamic network object
- G_DOMAIN_Firewalls_global - locally defined simple group

When the API call adds the rule, the object used in the install-on field is the one from the global domain and not the locally defined group (snippet of return JSON below):

```json
"install-on" : [
  {
    "type" : "DynamicGlobalNetworkObject",
    "name" : "G_DOMAIN_Firewalls_global",
    "domain" : {
      "domain-type" : "global domain",
      "uid" : "1e294ce0-367a-11e3-aa6e-0800200c9a66",
      "name" : "Global"
    },
    "uid" : "0b657037-ebd1-8d48-b455-76111da0ea7d"
  }
],
```
If the install-on is defined using its UID then all works correctly. However, it would be better to define the value by name and have the API select the correct object (the global dynamic group is not a valid selection at the local level as far as I know).

Is it possible to instruct the API which object/domain combination to use? If so, how is the value constructed?
Thanks in advance for any help.
It looks like you can specify the domain in the API call.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-access-rule~v1.6.1
Sorry, I'm just not seeing where I specify that. I can see the domain "owning" the object is part of the return JSON, but I just can't see how to specify the domain owning the object in the request portion.
Or are you saying it can be specified as part of the install-on list? If so, do you have an example of how that is structured?
Thanks a lot.
Just by way of an update... I raised this issue through our dedicated Diamond Support engineer and the development team for the API have confirmed that the above behaviour is a problem that needs to be addressed i.e. the add-access-rule API call should not select the "global" version of the object when adding a rule to a domain policy. The workaround is to reference the install-on object by its UID.
If there is a way to specify which domain an object should belong to when making other calls could you provide an example?
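The UID workaround above, as an added Python example that is not from the thread or from Check Point: given the candidate objects that share the name, keep only the one owned by the local domain and put its UID in install-on. The candidate list, the local domain name and the local UIDs are constructed placeholders; in practice they would come from a management API object lookup such as show-objects.

```python
# Constructed sample, shaped like the install-on entries the API returns (see
# the return snippet in the post). The global entry reuses the post's values;
# the local group's UIDs are placeholders because the post does not show them.
LOCAL_DOMAIN = "Test_Domain"  # assumed name of the domain owning the layer
OBJECTS_NAMED_G_DOMAIN = [
    {"type": "DynamicGlobalNetworkObject", "name": "G_DOMAIN_Firewalls_global",
     "domain": {"domain-type": "global domain", "name": "Global",
                "uid": "1e294ce0-367a-11e3-aa6e-0800200c9a66"},
     "uid": "0b657037-ebd1-8d48-b455-76111da0ea7d"},
    {"type": "group", "name": "G_DOMAIN_Firewalls_global",
     "domain": {"domain-type": "domain", "name": LOCAL_DOMAIN,
                "uid": "LOCAL-DOMAIN-UID-PLACEHOLDER"},
     "uid": "LOCAL-GROUP-UID-PLACEHOLDER"},
]


def resolve_local_uid(name, objects, local_domain):
    """Return the UID of the object called `name` owned by `local_domain`, never
    the same-named copy owned by the Global domain. Fails unless exactly one matches."""
    matches = [o for o in objects
               if o["name"] == name
               and o["domain"]["domain-type"] != "global domain"
               and o["domain"]["name"] == local_domain]
    if len(matches) != 1:
        raise LookupError(f"{name}: expected one local object, found {len(matches)}")
    return matches[0]["uid"]


def build_add_access_rule(install_on_uid, position_below):
    """add-access-rule body from the post, with install-on given by UID (the
    workaround confirmed in the thread) instead of by ambiguous name."""
    return {
        "layer": "Test_Domain Security",
        "name": "MIKE_TEST_RULE",
        "comments": "First rule addition test",
        "source": ["SOURCE_PROD_NETWORKS"],
        "destination": ["DEST_PROD_NETWORKS"],
        "service": ["ssh"],
        "vpn": "Any",
        "action": "Accept",
        "track": {"type": "Log"},
        "install-on": [install_on_uid],  # UID resolves to exactly one object
        "position": {"below": position_below},
    }


if __name__ == "__main__":
    uid = resolve_local_uid("G_DOMAIN_Firewalls_global", OBJECTS_NAMED_G_DOMAIN, LOCAL_DOMAIN)
    print(build_add_access_rule(uid, "a13b68a5-83aa-4cf1-bcc4-490c82e40f07"))
```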
Hm, you're right, I misread the documentation.
It seems you can only specify the name or the UID of an object as part of the call, which is problematic in this case.
In general, UID is always more specific than name.
@Omer_Kleinstern