Ivan_Moore
Contributor

Is there an equivalent command to a global policy assignment with install?

In R77 I could run a command like this:

mdscmd install-globalpolicy -install -l DOMAIN

and it would push out all policies in that domain.

I can't find the "-install" option in R80 from the command line...seems to still be there in the GUI

I can do this:

mgmt_cli assign-global-assignment global-domains Global dependent-domains DOMAIN -s ID.txt --format json 

which will do the same as the previous command without the "-install". Is it possible to do the "-install"?

0 Kudos
14 Replies
Robert_Decker
Advisor

R80 management API doesn't have such option.

This should be done in two steps: assign and then install.

Robert.

0 Kudos
Ivan_Moore
Contributor

Yeah, thought that was the case. This doesn't work as straightforward for us. Oh well.

Thanks!

0 Kudos
Ivan_Moore
Contributor

I have figured out a way to do what I need done.

Something like this: (this allows me to just show our domains which make up our North America gateways...other greps to grab just EMEA, APAC, etc...)

mgmt_cli login -r true > $ID; mgmt_cli show domains -s /var/log/tmp/id.txt --format json | grep name | grep -v "System Data"  | grep -v "LAC\|EMEA\|APAC" | sed -e 's/\"name\" : \"//' | sed -e 's/\",//' |sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s $ID >/dev/null

Then to install the various policies across each domain pulled from the list above.

for POLICY in $(mgmt_cli login -r true > $ID; mgmt_cli show-packages -d $DOMAIN --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' |sed 's/[][*]\|[[:space:]]//g'; mgmt_cli logout -s $ID >/dev/null)
do
mgmt_cli login domain "$DOMAIN" -r true > $ID; mgmt_cli install-policy policy-package $POLICY access true -s $ID --format json ; mgmt_cli logout -s $ID >/dev/null
done

Still a work in progress, but does it relatively painlessly. I do a lot of stuff before/after this to massage the data and perform other tasks such as policy verification across all domains. So far, this seems to be doing the trick in my lab.

Robert_Decker
Advisor

Excellent!

You are on the right track. If you need any assistance, please let me know.

Robert.

0 Kudos
Ivan_Moore
Contributor

Thanks. Once I get the whole thing working the way I want it I'll post a clean version of the whole set of scripts. Lots of cleanup in the move to R80 as some things are *much* easier to do now.

Ivan_Moore
Contributor

Here is the problem I am having right now.  

My script does this:

DOMAINS=$1
for DOMAIN in `echo $DOMAINS | sed -e 's/,/ /g'`
do
    echo "DOMAIN = $DOMAIN"
    if [ "$2" == "-install" ] ; then
        start=`date +%s`
        for POLICY in $(mgmt_cli show-packages -d $DOMAIN --root true --format text | grep -B1 package | grep name | awk '{print $2}' | tr -d '"' |sed 's/[][*]\|[[:space:]]//g')
        do
            echo "Policy = $POLICY"
            mgmt_cli install-policy policy-package $POLICY -d $DOMAIN access true --root true --format json
        done
        end=`date +%s`
        runtime=$((end-start))
        echo "Elapsed time for $DOMAIN: $((runtime /60)) minutes and $(($runtime %60)) seconds"
        echo " "
    else
        if [ -z "`mgmt_cli show domain name ${DOMAIN} --format json --root true | jq -r '."global-domain-assignments"[]'`" ]; then
            echo "Domain \"${DOMAIN}\" has no Global Domain assigned, skipping it."
        else
            echo "Reassigning Global Domain \"${GPOL_NAME}\" to Domain \"${DOMAIN}\"..."
            mgmt_cli assign-global-assignment global-domains ${GPOL_NAME} dependent-domains ${DOMAIN} --root true --format json
        fi
    fi
done

So, this works great except for one fatal flaw. A policy with no installation targets will cause you some headaches (speaking from experience).

One of our domains has about 8 policies. Someone has a new policy built that he is staging work for a future deployment. He does not have a cluster object built yet for it to be tied to.

So my script installed all the policies and then it got to that fresh policy and installed it to EVERY gateway...and it probably did it with glee!

If you tried this in the GUI it would prompt you in hopes to avoid your own stupidity.  If you do a Global Policy assignment from the GUI with the option to install policy it will do it based on the gateway and not the policy.  

The API does not allow this same type of logic.  I have to pass either the policy (which gives me the above results) or policy + gateway which I would have to generate some sort of list to be able to do that.

0 Kudos
Robert_Decker
Advisor

Ivan,

If I understand you correctly, you want to avoid installing a policy with 'all' installation targets defined. Right?

Within the "show-packages" loop per POLICY, add a "show-package" API call per that POLICY and check the "installation-targets" field, and act based on its value(s).

Robert.

Tomer_Sole
Mentor

Few product observations:

1. R80.10 does not yet support a policy with no targets. So this situation can't happen.

2. As a best practice it's better to specify very specific policy targets when creating policy packages and not having the same gateway in the target list of multiple policies. Since this isn't enforced automatically by the Security Management Server and it's more of a best practice, you can probably achieve it using a separated "validator" script if you like.

0 Kudos
Robert_Decker
Advisor

My assumption is that he has "All" targets configured by default.

As I mentioned, he should detect such configuration in his script and avoid the installation.

Robert.

0 Kudos
Adam_Forester
Ambassador

I was looking at this last night in my lab. I made a policy assigned to my lab gateway and created a few with no target. Was able to figure out how to filter out ones that did not have a specific target and added an output for install commands:

mgmt_cli -r true show packages details-level full --format json | jq --raw-output '.packages[] | select(."installation-targets" == "all" |not) | ("mgmt_cli -r true install-policy policy-package " + (.name) + " access true")'  >install-policy.txt; chmod 777 install-policy.txt; ./install-policy.txt
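
The check Robert describes (read "installation-targets" per package and skip "all"), as an added example that is not part of the original thread or of Check Point's own tooling. It goes beyond the one-liner above by passing each package's explicit targets to install-policy and by building argument lists instead of a generated script file. Assumptions: the JSON sample is constructed, list entries are taken to be objects with a "name" field, and the `targets.N` arguments follow the usual mgmt_cli list syntax.

```python
import json
import subprocess

# Constructed sample of `mgmt_cli -r true show packages details-level full
# --format json` output, trimmed to the fields used here. All names are made up.
SAMPLE = """
{"packages": [
  {"name": "NA_Edge",
   "installation-targets": [{"name": "na-gw-cluster1"}, {"name": "na-gw-cluster2"}]},
  {"name": "Staging_Future", "installation-targets": "all"},
  {"name": "Branch Offices", "installation-targets": [{"name": "branch-gw1"}]}
]}
"""


def plan_installs(show_packages_json, domain):
    """Return (commands, skipped): one argv list per package that has explicit
    targets, and the names of packages whose targets are "all" or empty."""
    commands, skipped = [], []
    for pkg in json.loads(show_packages_json).get("packages", []):
        targets = pkg.get("installation-targets")
        # "all" is what a freshly staged package carries; installing it
        # without targets pushes it to every gateway in the domain.
        if not isinstance(targets, list) or not targets:
            skipped.append(pkg["name"])
            continue
        # Assumption: entries are objects with "name"; plain strings also accepted.
        names = [t["name"] if isinstance(t, dict) else t for t in targets]
        argv = ["mgmt_cli", "install-policy", "policy-package", pkg["name"],
                "access", "true"]
        for i, gw in enumerate(names, start=1):
            argv += ["targets.%d" % i, gw]
        argv += ["-d", domain, "--root", "true", "--format", "json"]
        commands.append(argv)
    return commands, skipped


def run(commands, dry_run=True):
    """Print each planned command; execute only when dry_run is False."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            # argv list, no shell: package names with spaces stay one argument
            subprocess.check_call(argv)


if __name__ == "__main__":
    cmds, skipped = plan_installs(SAMPLE, "DOMAIN")
    print("skipped (no explicit targets): %s" % skipped)
    run(cmds)  # dry run: prints the commands without calling mgmt_cli
```
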

Robert_Decker
Advisor

Looks fine, that is exactly what I was talking about...

How did this work for you?

Robert.

0 Kudos
Adam_Forester
Ambassador

Worked as expected. It ignores the two policies that have "ALL" assigned; basically, it only extracts the ones that have a target listed. Then it ran my list and installed policy as expected.

Ivan_Moore
Contributor

Fantastic!!!  Thanks.   

Mahi
Explorer

Could you please let me know the exact procedure along with commands for global policy installation on gateways via management server. Thank you.

0 Kudos
