How to add access rule using CLI in r80.30

Hello,

I want to add an access rule using CLI in firewall r80.30.

Can anyone please guide me to any document or provide the commands?

Thanks!

Re: How to add access rule using CLI in r80.30

Access roles can only be added on the management, not directly on the gateway.
Also, when you run a standalone setup, the only way is to add the access role in the policy on the management and then push the policy to the gateway. Check Point does not use an ACL-type rulebase on the gateway; it is compiled on the management server and then sent to the gateway.

To add a rule in a policy on the management server you can use the API, for which you can find all documentation online and lots of information here on the forum.

Regards, Maarten

Re: How to add access rule using CLI in r80.30

I am sorry, in my context, "Access rule" means "policy". I was wondering, is there a way to add a policy on the management server using CLI?

Re: How to add access rule using CLI in r80.30

Like Maarten said, this is possible with mgmt_cli add access-rule.
For documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.5

There are several examples on the community.
One that allows you to build the policy that exists in Demo Mode: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/My-Security-Management-Setup-Scri...

Re: How to add access rule using CLI in r80.30

Thank you so much for helping!

Re: How to add access rule using CLI in r80.30

Sorry, I have one more doubt on the same topic. I was able to create a policy using mgmt_cli. I used this syntax:

mgmt_cli add access-rule layer "my_policy Network" source "43.1.1.3" destination "27.1.1.2" service "any" action "accept" track-settings.type "Log" position "1" name "rule1" install-on "chkpt" --port 4434

My doubt: Can I create a source/destination IP address using the CLI? In this scenario the policy gets installed if I have already added the source/destination IP; otherwise it throws me an error:
code: "generic_err_object_not_found"
message: "Requested object [43.1.1.3] not found"

Re: How to add access rule using CLI in r80.30

Nope, for that you first need to create the host object:
mgmt_cli add host name Myhost ip-address 43.1.1.3
Then use Myhost as the source in your access rule.
Regards, Maarten

Re: How to add access rule using CLI in r80.30

Thank you for your quick response, Maarten. Okay, so correct me if I am wrong: if I have to create 1000 policies (working on a script) with 1000 different source IPs, I have to create 1000 host objects manually first?

Re: How to add access rule using CLI in r80.30

Correct.
Note that a given rule can contain multiple source/destination objects.
Also, you can create objects for networks as well.
That might simplify the policy that gets created.
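
The workflow from the replies above (create the host objects first, then list several of them as sources in one rule), as an added example that is not from the thread's participants or from Check Point. It prints the commands for review instead of running them; the session file id.txt, the root login with -r true on the management server, the "h_<ip>" naming scheme and the already existing destination object are assumptions.

```shell
#!/bin/sh
# Added example: prints mgmt_cli commands for review; it contacts no server.
# Assumed (not from the thread): session file id.txt, root login (-r true) on
# the management server, "h_<ip>" names, an already existing destination object.
PORT=4434; SID=id.txt            # port as used in the thread's command
OPTS="-s $SID --port $PORT"

# Succeeds only for a dotted quad with octets 0..255 and no leading zeros.
# Entries are interpolated into command lines, so anything else is rejected.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# stdin: one IP per line. Args: layer, destination object, install-on target.
# Prints login, one "add host" per unique valid IP, a single access rule that
# lists every host as source.N, then publish and logout.
gen_commands() {
    layer=$1 dest=$2 gw=$3 n=0 hosts="" sources="" seen=" "
    while IFS= read -r ip || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            printf 'skipped invalid entry: %s\n' "$ip" >&2
            continue
        fi
        case "$seen" in *" $ip "*) continue ;; esac   # duplicate address
        seen="$seen$ip "
        n=$((n + 1))
        hosts="${hosts}mgmt_cli add host name \"h_$ip\" ip-address \"$ip\" $OPTS
"
        sources="${sources}source.$n \"h_$ip\" "
    done
    [ "$n" -gt 0 ] || { echo "no valid addresses" >&2; return 1; }
    echo "mgmt_cli login -r true --port $PORT > $SID"
    printf '%s' "$hosts"
    echo "mgmt_cli add access-rule layer \"$layer\" position 1 name \"rule1\"" \
         "${sources}destination \"$dest\" service \"any\" action \"accept\"" \
         "track-settings.type \"Log\" install-on \"$gw\" $OPTS"
    echo "mgmt_cli publish $OPTS"
    echo "mgmt_cli logout $OPTS"
}
```

Nothing is visible to other administrators or installable until the publish command has run, so review the printed commands before executing them on the management server.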

Re: How to add access rule using CLI in r80.30

Got it. Thanks