This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RamiShahar
Contributor
‎2023-05-31 06:00 AM
Jump to solution

set-access-rule -error "message" : "Add Any is not allowed"

HI to all

Since api version 1.7 we cant use this api as we get this error 

{
  "code" : "generic_err_invalid_parameter",
  "message" : "Add Any is not allowed"
}

How We Send the API:
https://<HOST>/web_api/v1.8/set-access-rule
{
    "uid":"B71F2D99-4F3E-4568-93CC-6388D022CA36",
    "layer":"6a5b4108-a94e-4f5d-974b-8d8c431fdd5f",
    "service":
    {        "add":["Any"]
    }
}

Added here photo of the request and response

 

In version under 1.7 it works on the same api and request

Any idea what I might be missing?

Preview file
48 KB
0 Kudos
1 Solution

Accepted Solutions
Omer_Kleinstern
Employee
Employee
‎2023-05-31 11:39 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy is correct. 

You cannot add "Any" to an existing collection of services.

You can set the entire collection to "Any":

 

https://<CP_IP>/web_api/v1.7/set-access-rule

Body: 

{

  "name" : "88c36229-e60d-4590-a5d9-387344dba9f1",

  "layer" : "8a994dd3-993e-4c0c-92a1-a8630b153f4c",

  "service: ["Any"]

}

 

View solution in original post

10 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-05-31 06:17 AM
Jump to solution

I cant open photo you attached, would you mind send the command you did? I can try it in my lab on R81.20

Andy

Best,
Andy
0 Kudos
RamiShahar
Contributor
‎2023-05-31 10:37 AM
In response to the_rock
Jump to solution

Sure 

This is the request's "url"

https://<CP_IP>/web_api/v1.7/set-access-rule

Body: 

{

  "name" : "88c36229-e60d-4590-a5d9-387344dba9f1",

  "layer" : "8a994dd3-993e-4c0c-92a1-a8630b153f4c",

"service":

    {

        "add":["Any"]

    } 

}

 

name= ruleUID

layer=NetowrkLayerUID

 

Result

{

    "code": "generic_err_invalid_parameter",

    "message": "Add Any is not allowed"

}

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-05-31 10:38 AM
In response to RamiShahar
Jump to solution

Will test soon.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-05-31 10:45 AM
In response to RamiShahar
Jump to solution

All I get is below...

{
  "code" : "generic_err_missing_session_id",
  "message" : "No query parameters are found"
}
Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-31 05:46 PM
Jump to solution

@Omer_Kleinstern correct me if I’m wrong, but I don’t think you can add “Any” to a rule?
You certainly can’t do it without removing what’s already in the cell first.
Depending on your version and preference setting, removing all items from a source/destination should result in either an Any or a None (the rule default).

YakovKoren
Explorer
‎2023-05-31 10:33 PM
In response to PhoneBoy
Jump to solution

Hi,

When trying to remove the last object from the rule, we get the following:

{
"code" : "err_validation_failed",
"message" : "Validation failed with 1 warning",
"warnings" : [ {
"message" : "Access Rule contains an object of type 'None' in the Service & Applications column. This rule will never be matched."
} ]
}.

 

We know it worked up until Api version 1.6.

Is there a way to add flag or something so we can successfully remove all objects and make the rule to have 'Any'?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-01 07:18 AM
In response to YakovKoren
Jump to solution

While you clearly have an answer, I feel it's worth explaining this difference in behavior.
In R81.10, we added "None" as a possible entry for the Source/Destination/Service field.
If a rule contains "none" in the Source/Destination/Service field, no traffic will match it.
You can change the default behavior for the Source/Destination/Service field when:

  • New rules are added (previously this was always any any any drop)
  • When the last item in the cell is removed (i.e. does it become Any or None)

Refer to the following screenshot:

image.png

If you're wanting to explicitly set the field to Any, it should be done as @Omer_Kleinstern advised.

0 Kudos
Omer_Kleinstern
Employee
Employee
‎2023-05-31 11:39 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy is correct. 

You cannot add "Any" to an existing collection of services.

You can set the entire collection to "Any":

 

https://<CP_IP>/web_api/v1.7/set-access-rule

Body: 

{

  "name" : "88c36229-e60d-4590-a5d9-387344dba9f1",

  "layer" : "8a994dd3-993e-4c0c-92a1-a8630b153f4c",

  "service: ["Any"]

}

 

YakovKoren
Explorer
‎2023-06-01 12:08 AM
In response to Omer_Kleinstern
Jump to solution

Works!

Thank you for the fast response!

0 Kudos
RamiShahar
Contributor
‎2023-06-01 12:51 AM
In response to Omer_Kleinstern
Jump to solution

Thx for your time and help  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events