eranlif
Contributor

Adding Snort Protections to MDS

Hi,

I am trying to add Snort-based protections to an R82 MDS, using API only.

The flow is:

1. put-file - getting a Snort rules file on the MDS

2. add-threat-protections - importing the new protections

3. publish - getting the protections parsed into the Global domain

4. set-threat-protections - setting the new protections to "Prevent" on all default profiles

5. publish 

6. set-global-assignment - setting the stage for applying the change (I am using "'manage-protection-actions': True ")

7. assign-global-assignment - getting the new protections to the dependent-domains

At this point, running show-threat-protections after logging into the dependent-domain (using login-to-domain) shows that the new protections do exist in the dependent-domain. Now my code calls "publish" to finish the flow.

Everything seems to work, but the Snort protections that were added to the Global domain do not show in the dependent-domain Managements.

The same thing happens when I follow the manual flow described on https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ThreatPrevention_AdminGuide/Conten... (under "Importing SNORT Protection Rules to the Multi-Domain Server"). After I upload the Snort rules file to the Global domain and re-Assign to the dependent-domains, the new protections do not show in the domains' Management servers. (The manual instructions don't say whether this is the expected behavior or not!)

Is there something I am missing in this flow? Has anyone succeeded in getting this to work?

Thanks for any ideas!

 

0 Kudos
1 Solution

Accepted Solutions
Youssef_Obeidal
Employee

Hi,

I just tested it on R82 with the latest jumbo.
Using the MGMT API, imported the Snort protections to the global domain.
After that I enabled the "manage protection" check box, and performed global domain assignment.
Once the assignment is done, I saw the Snort protection imported into the global domain, also in the local domain.


5 Replies
PhoneBoy
Admin

It's possible the protections are still enforced, but don't show in the dependent domain's objects.
What say you @Omer_Kleinstern?

0 Kudos
the_rock
MVP Diamond

Excellent, thanks for letting us know!

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
the_rock
MVP Diamond

Had customer ask me this recently. Would be nice to know if it's possible.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
eranlif
Contributor

Just to keep the conversation going... 🙂

I checked the manual flow of uploading the Snort package to the dependent-domain. This works fine from the UI. However, the API-based code that works for adding Snort protections to a single-domain management returns a 403 Error when I try to run it on the dependent-domain management.
This may indicate that it's "not allowed" to directly manage such assets using API, but maybe it's just some configuration issue I can solve... In the latter case, I might be able to use Snort protections in dependent-domains, using API only, after all.

(Not sure what this might do to the relationship between Global domain and dependent-domains, BTW.)

0 Kudos
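One way to check the outcome of the global assignment discussed in this thread, as an added example that is not code from any poster or from Check Point: it pages through `show-threat-protections` in the Global domain and in a dependent domain and reports which expected Snort protection names each one lacks. The helper names, the `limit`/`offset` paging with `protections` and `total` in the response, and logging in with a `domain` field are assumptions about the Management API as used here.

```python
import json
import ssl
import urllib.request


def make_session(server, user, password, domain):
    """Log in to one domain and return call(command, payload) bound to that session."""
    ctx = ssl.create_default_context()  # certificate verification stays enabled

    def post(command, payload, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid  # session id returned by login
        req = urllib.request.Request(
            f"https://{server}/web_api/{command}",
            data=json.dumps(payload).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    sid = post("login", {"user": user, "password": password, "domain": domain})["sid"]
    return lambda command, payload: post(command, payload, sid)


def protection_names(call, page_size=500):
    """Page through show-threat-protections and collect every protection name."""
    names, offset = set(), 0
    while True:
        page = call("show-threat-protections", {"limit": page_size, "offset": offset})
        items = page.get("protections", [])
        names.update(p["name"] for p in items)
        offset += len(items)
        # Stop on an empty page or once the reported total has been read.
        if not items or offset >= page.get("total", 0):
            return names


def missing_after_assignment(call_global, call_domain, expected):
    """Return (names missing from Global, names missing from the dependent domain)."""
    in_global = protection_names(call_global)
    in_domain = protection_names(call_domain)
    expected = set(expected)
    return sorted(expected - in_global), sorted(expected - in_domain)
```

In use, `call_global` and `call_domain` would come from two `make_session(...)` calls, one per domain, and `expected` from the protection names in the imported rules file.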
