saitoh
Advisor

how to newly add objects to install-on in bulk/batch using mgmt_cli?

Hi experts,

 

R82 vm management server with JHF Take 60

 

I would like to know the easiest method to add a newly added gateway object to Install On of more than 1000 rules of an access control policy.

Adding them to each rule in front of our customers is a nightmare 😞

 

What I tried is:

1. create csv file which looks like

command,layer,position,install-on.add

set access-rule,testpolicy.1.newly_added_gateway

set access-rule,testpolicy.2.newly_added_gateway ... and so on.

 

2. import, and move it to /home/admin/

 

3. mgmt_cli login

#mgmt_cli login -u admin -p > id.txt

pass password prompt

 

4. try mgmt_cli set access-rule --batch

but it says:

# mgmt_cli set access-rule --batch /home/admin/installon_add.csv -s id.txt
Line 2: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [command]"
Line 3: code: "generic_err_invalid_parameter_name"
message: "Unrecognized parameter [command]"

...

 

also tried mgmt_cli --batch, but

# mgmt_cli --batch /home/admin/installon_add.csv -s id.txt

Error: No command name was specified!

 

No idea what to try next.

Any comments would be highly appreciated!

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
1 Solution

Accepted Solutions
Tomer_Noy
MVP Gold CHKP

Technically, there are multiple ways to script what you are trying to do.

But, I would consider looking at the way you manage your target gateways and the Install On column. It's possible that with some changes, you can greatly simplify things and avoid having to do all this work every time you add another gateway.

In general, every policy package has a definition for the potential installation targets. By default it's set to "All Gateways", but you can (and usually should) set the specific gateways that should get this policy.

When editing your actual FW rulebase, there is no need to explicitly put your gateways in the Install On column. You can leave the default of "Policy Targets" and your rules will be applied to all gateways that are installed with this package.

There are of course legitimate cases for applying specific rules only to a subset of the gateways that get this policy. Usually this doesn't include all rules, but can still include a large number.
In such cases, it's advised to create a Network Object group and place the relevant gateways in that group. Then put that group in the Install On column. When you have another gateway that should get the same rules, just add that gateway to the group. Using groups keeps the entire policy more organized (also for Source and Destination columns).

Make sure to only place gateways in that group, otherwise it won't let you put that group in the Install On cell.

You might want to create a script to identify all the rules that currently reference the set of gateways and modify the Install On to reference the new group. This would be a one-time effort.

You can also use the "Where Used" dialog with the "Replace" option and choose one of the gateways and replace all references to it with the group. Just do it carefully since you may not want to accidentally replace references in other contexts. 


You can double-check your changes before you publish with the Changes Report.


(1)
4 Replies
Vincent_Bacher
MVP Silver

Usually I would use a Python script for that, but if you want to create a CSV, I guess the file should look like this:

layer,rule-number,install-on.add
testpolicy,1,newly_added_gateway
testpolicy,2,newly_added_gateway
testpolicy,3,newly_added_gateway


and then something like that:

mgmt_cli -r true set access-rule --batch /path/file.csv


or so. Hope I have it in mind correctly.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)
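An added example, not code from any poster in this thread: a sketch of the one-time script suggested in the accepted solution, producing a batch CSV in the layout from the reply above. It assumes the rulebase has been saved as JSON from `show access-rulebase`, identifies rules by `uid` instead of rule number, and only adds the group (it does not remove the individual gateways); the gateway names, group name and sample reply are constructed.

```python
import csv
import io

# Constructed sample shaped like a `show access-rulebase` reply (not real data).
SAMPLE_REPLY = {
    "objects-dictionary": [
        {"uid": "u-gw-a", "name": "gw-a"},
        {"uid": "u-gw-b", "name": "gw-b"},
        {"uid": "u-grp", "name": "branch-gateways"},
        {"uid": "u-pt", "name": "Policy Targets"},
    ],
    "rulebase": [
        {"type": "access-section", "name": "Branch", "rulebase": [
            {"type": "access-rule", "uid": "r-1", "install-on": ["u-gw-a", "u-gw-b"]},
            {"type": "access-rule", "uid": "r-2", "install-on": ["u-pt"]},
        ]},
        {"type": "access-rule", "uid": "r-3", "install-on": ["u-gw-b", "u-grp"]},
        {"type": "access-rule", "uid": "r-4", "install-on": [{"name": "gw-a"}]},
    ],
}

def iter_rules(items):
    """Yield access rules, descending into section containers."""
    for item in items:
        if item.get("type") == "access-section":
            yield from iter_rules(item.get("rulebase", []))
        elif item.get("type") == "access-rule":
            yield item

def install_on_names(rule, names_by_uid):
    """Resolve Install On entries (bare UIDs or inline objects) to names."""
    names = set()
    for ref in rule.get("install-on", []):
        if isinstance(ref, dict):
            names.add(ref.get("name"))
        else:
            names.add(names_by_uid.get(ref, ref))
    return names

def build_batch_csv(reply, layer, gateways, group):
    """CSV rows adding `group` to rules whose Install On names any gateway."""
    names_by_uid = {o["uid"]: o["name"] for o in reply.get("objects-dictionary", [])}
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["layer", "uid", "install-on.add"])
    for rule in iter_rules(reply.get("rulebase", [])):
        targets = install_on_names(rule, names_by_uid)
        # Skip "Policy Targets" rules and rules that already carry the group.
        if targets & set(gateways) and group not in targets:
            writer.writerow([layer, rule["uid"], group])
    return out.getvalue()

if __name__ == "__main__":
    print(build_batch_csv(SAMPLE_REPLY, "testpolicy", ["gw-a", "gw-b"], "branch-gateways"))
```

The resulting file is what `mgmt_cli set access-rule --batch` would take; rules left on "Policy Targets" produce no row, so they stay untouched.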
Vincent_Bacher
MVP Silver

I’d originally included ‘Install on’ in my post as well, but somehow I deleted a paragraph before sending it.

Head —> Table

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
saitoh
Advisor

Hi @Tomer_Noy ,

I cannot thank you enough for such a detailed, informative answer.

Actually, the "Replace" method in Where Used is a life saver!!!

That is the easiest way to achieve what I need to do. Much appreciated!

 

Saitoh

sliver bullet: casting repero or tossing it into the harbor
0 Kudos
