This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Richard_Carson
Contributor
‎2018-09-28 03:25 AM
Jump to solution

problems deleting an application access-layer via API

I have mulitple policy packages that have a security layer and a application layer. The application layer appeared after importing from migrate import from R77, i do not want it. I would like to remove this layer from all these policy packages.

The application layer has only 1 rule


Any -> Internet -> accept -> detailed log :accounting

I thought i would just be able to delete the layer from the API. It deletes perfectly from the SmartConsole. I have tried


deleting the application access layer

mgmt_cli -r true -d Mgmt1 delete access-layer uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_deletion"
message: "Object MyPolicy Application could not be deleted because it is referenced by other objects, run where-used command for details"

I have verified that I have the correct id for the application layer, using show object uid.

mgmt_cli -r true -d Mgmt1 where-used uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_not_found"
message: "Requested object [12345678-805c-4710-a798-12345609f989] not found"

where used doesnt work on this object, ok expected i think.


I tried to delete the 1 rule from the application access layer

mgmt_cli -r true -d Mgmt1 delete access-rule layer "12345678-abcd-4710-a798-12345609f989" rule-number 1 --format json
{
"code" : "generic_error",
"message" : "Runtime error: Cannot delete the only child of the rulebase."
}

So , can i delete this using the API, what am i missing?

Labels
1 Solution

Accepted Solutions
Sergey_Aliev
Employee Alumnus
Employee Alumnus
‎2018-10-03 02:26 AM
Jump to solution

To summarize:

I actually found out that the layer is used by the Policy Package itself in cpm.elg:

 

02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):

Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)

The where-used should of worked as well, but let's put that aside.

We basically need to remove the layer from the policy package first, before we try to remove it completely:

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"

Now after we removed the access-layer from the package we can remove it.

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"

View solution in original post

4 Replies
PhoneBoy
Admin
Admin
‎2018-09-28 10:36 AM
Jump to solution

You should be able to delete it from the API.

I would open a TAC ticket so we can troubleshoot what's going on.

0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2018-10-01 05:47 PM
Jump to solution

Hi!

I tested this and got the same error... I had a shared inline layer, which I was only able to delete from the SmartConsole, but not by using API. API tells that the object is in use. However, I can delete it without any warnings from SmartConsole. If it was really in use I would expect of getting the same error message in SmartConsole.

I'm using R80.20.

0 Kudos
Sergey_Aliev
Employee Alumnus
Employee Alumnus
‎2018-10-03 02:26 AM
Jump to solution

To summarize:

I actually found out that the layer is used by the Policy Package itself in cpm.elg:

 

02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):

Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)

The where-used should of worked as well, but let's put that aside.

We basically need to remove the layer from the policy package first, before we try to remove it completely:

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"

Now after we removed the access-layer from the package we can remove it.

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"

Richard_Carson
Contributor
‎2018-10-04 09:12 PM
In response to Sergey_Aliev
Jump to solution

Thank you Sergey. I have tried this and confirmed that it works. I guess the GUI is calling some extra functions behind the scene to remove it from the policy package first.

2 follow ups i think!

1. where used need to work - would have helped here

2. i think it would be useful to have something in the api documentation to suggest that you need to remove the layer from the package first , or perhaps the call should just do this as it does in the GUI?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events