- CheckMates
- :
- Products
- :
- Developers
- :
- API / CLI Discussion
- :
- Re: problems deleting an application access-layer ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
problems deleting an application access-layer via API
I have mulitple policy packages that have a security layer and a application layer. The application layer appeared after importing from migrate import from R77, i do not want it. I would like to remove this layer from all these policy packages.
The application layer has only 1 rule
Any -> Internet -> accept -> detailed log :accounting
I thought i would just be able to delete the layer from the API. It deletes perfectly from the SmartConsole. I have tried
deleting the application access layer
mgmt_cli -r true -d Mgmt1 delete access-layer uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_deletion"
message: "Object MyPolicy Application could not be deleted because it is referenced by other objects, run where-used command for details"
I have verified that I have the correct id for the application layer, using show object uid.
mgmt_cli -r true -d Mgmt1 where-used uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_not_found"
message: "Requested object [12345678-805c-4710-a798-12345609f989] not found"
where used doesnt work on this object, ok expected i think.
I tried to delete the 1 rule from the application access layer
mgmt_cli -r true -d Mgmt1 delete access-rule layer "12345678-abcd-4710-a798-12345609f989" rule-number 1 --format json
{
"code" : "generic_error",
"message" : "Runtime error: Cannot delete the only child of the rulebase."
}
So , can i delete this using the API, what am i missing?
- Labels:
-
Access Policy
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To summarize:
I actually found out that the layer is used by the Policy Package itself in cpm.elg:
02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):
Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)
The where-used should of worked as well, but let's put that aside.
We basically need to remove the layer from the policy package first, before we try to remove it completely:
[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"
Now after we removed the access-layer from the package we can remove it.
[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to delete it from the API.
I would open a TAC ticket so we can troubleshoot what's going on.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I tested this and got the same error... I had a shared inline layer, which I was only able to delete from the SmartConsole, but not by using API. API tells that the object is in use. However, I can delete it without any warnings from SmartConsole. If it was really in use I would expect of getting the same error message in SmartConsole.
I'm using R80.20.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To summarize:
I actually found out that the layer is used by the Policy Package itself in cpm.elg:
02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):
Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)
The where-used should of worked as well, but let's put that aside.
We basically need to remove the layer from the policy package first, before we try to remove it completely:
[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"
Now after we removed the access-layer from the package we can remove it.
[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Sergey. I have tried this and confirmed that it works. I guess the GUI is calling some extra functions behind the scene to remove it from the policy package first.
2 follow ups i think!
1. where used need to work - would have helped here
2. i think it would be useful to have something in the api documentation to suggest that you need to remove the layer from the package first , or perhaps the call should just do this as it does in the GUI?