This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andrew_Larrick
Participant
‎2023-10-31 05:53 AM
Jump to solution

How to Set topology on a simple gateway using the mgmt_cli

MGMT is R81.20

I am writing a script to deploy a new common network ( common in name and vlan  but different subnets ) across a mix of 600+ simple gateways and clusters.

I have a working script for deploying the networks at the device level, and have mostly completed the script to update each of the objects on the management server.  I can set all the needed settings on the cluster object just fine, however the simple gateways are holding me up.

Note in the mgmt_cli document indicates adding an interface using mgmt_cli will remove any existing interfaces.  I figured out I can just have it run a get topology and it will find the interfaces however the topology settings are wrong.  I see the commands to modify the topology settings but they don't work.  below is the command I am trying:

mgmt_cli set simple-gateway name "DD-test1" interfaces.name "bond0.808" interfaces.topology "INTERNAL" interfaces.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" --format json

 

I have tried trimming the command down to just set the topology to internal  and even just the name, anytime I do interface I get an error that says "interfaces" in not a valid parameter.  Even though it clearly is based on the documents and when I look at the object from the mgmt_cli.

Is there a piece of the command I am missing?

Thanks in Advance for any assistance

Drew Larrick

 

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2023-10-31 08:19 AM
Jump to solution

When using add-simple-gateway or set-simple-gateway, the 'interfaces' key expects a list. With mgmt_cli, you need to specify it like:

interfaces.1.name "bond0.808" \
interfaces.1.topology "internal" \
interfaces.1.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

You don't need to use the \newline thing. I added that to make it more obvious how the keys need to be specified.

Note that you MUST provide all interfaces in the API call. Doesn't matter whether you're adding a new firewall object or modifying an existing one. At the end of a successful call, the firewall's interface table will contain exactly the interfaces you specify in the call.

View solution in original post

23 Replies
Tal_Paz-Fridman
Employee
Employee
‎2023-10-31 06:43 AM
Jump to solution

Did you look at the example from the Management API Reference Guide:

mgmt_cli add simple-gateway name "gw1" color "yellow" ipv4-address "192.0.2.230" version "R80" one-time-password "aaaa" firewall true vpn true application-control true url-filtering true ips true anti-bot true anti-virus true threat-emulation true nat-hide-internal-interfaces true icap-server true interfaces.1.name "eth0" interfaces.1.ipv4-address "192.0.2.230" interfaces.1.ipv4-network-mask "255.255.255.128" interfaces.1.anti-spoofing true interfaces.1.topology "EXTERNAL" interfaces.2.name "eth1" interfaces.2.ipv4-address "192.0.2.88" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.anti-spoofing true interfaces.2.topology "INTERNAL"  --format json
 • "--format json" is optional. By default the output is presented in plain text.

 

Check Point - Management API reference.png

 

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 06:52 AM
In response to Tal_Paz-Fridman
Jump to solution

Yes I am working from the that document, however I don't want to add a whole new gateway object I just need to update a bunch of existing gateways.  I also don't want to add an interface as it has a warning. "Network interfaces. When a gateway is updated with a new interfaces, the existing interfaces are removed."  To get around this I am jsut having the system do a get topology on the device and that adds the new interfaces but the topology is wrong.  And sadly there are no examples of interface manipulation for the simple gateways like there is for the clusters.

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 07:15 AM
In response to Andrew_Larrick
Jump to solution

Good point. I also checked whole doc and did not see anything like that either.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 07:17 AM
Jump to solution

Closest I see is this...

Andy

https://sc1.checkpoint.com/documents/latest/APIs/?#cli/get-interfaces~v1.9%20

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 07:36 AM
In response to the_rock
Jump to solution

Yep,  That is exactly what I am doing. This at least adds the interface to the object, just with the wrong topology.  Struggling to understand why cluster and gateway are so different. I can run the following on a cluster and it works perfectly:

mgmt_cli set simple-cluster name "<cluster-name>" interfaces.add.name "bond0.808" interfaces.add.ip-address "<IP>" interfaces.add.ipv4-mask-length "24" interfaces.add.interface-type "cluster" interfaces.add.topology "INTERNAL" interfaces.add.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" interfaces.add.anti-spoofing "true" members.update.1.name "<Member1 name>" members.update.1.interfaces.name "bond0.808" members.update.1.interfaces.ipv4-address "<member1-IP>" members.update.1.interfaces.ipv4-network-mask "255.255.255.0" members.update.2.name "<Member2 name>" members.update.2.interfaces.name "bond0.808" members.update.2.interfaces.ipv4-address "<Member2-IP>" members.update.2.interfaces.ipv4-network-mask "255.255.255.0" --format json

I have tried to modify this to match settings for a GW but it does not work.   

 

~Drew

 

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 07:40 AM
In response to Andrew_Larrick
Jump to solution

I will go through the example in the api guide and see if it matches.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 07:44 AM
In response to Andrew_Larrick
Jump to solution

Hm, definitely looks right to me based on the example...what is the error you get?

Andy

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 07:50 AM
In response to the_rock
Jump to solution

 

[Expert@fwmgmtdev:0]# mgmt_cli set simple-gateway name "DD-sgw-test1" interfaces.name "bond0.80 8" interfaces.topology "INTERNAL" interfaces.topology-settings.ip-address-behind-this-inter face "network defined by the interface ip and net mask" --format json
Username: admin
Password:
{
"code" : "generic_err_invalid_parameter",
"message" : "Parameter [interfaces] value is not valid"
}
Executed command failed. Changes are discarded.
[Expert@fwmgmtdev:0]#

 

 

Preview file
36 KB
0 Kudos
the_rock
Legend
Legend
‎2023-10-31 08:16 AM
In response to Andrew_Larrick
Jump to solution

Hm...seems it does not like something with interface name. Can you confirm thats indeed the right name if you run ifconfig -a from expert mode?

Andy

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 08:20 AM
In response to the_rock
Jump to solution

Actually I did a show on the gateway and the interface is here.

[Expert@fwmgmtdev:0]# mgmt_cli show simple-gateway name "DD-sgw-test1"
Username: admin
Password:
uid: "04e0c86a-896f-4db0-b236-093c3e770bd5"
name: "DD-sgw-test1"
type: "simple-gateway"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
interfaces:
- uid: "054d2127-5aba-4905-b712-489d8f29a70a"
name: "bond0.808"
network-interface-type: "ethernet"
ipv4-address: "xxx.xxx.xxx.xxx"
ipv4-network-mask: "255.255.254.0"
ipv4-mask-length: 23
ipv6-address: ""
comments: ""
color: "black"
icon: "NetworkObjects/network"
topology: "automatic"
topology-automatic-calculation: "internal"
topology-settings:
ip-address-behind-this-interface: "network defined by routing"
interface-leads-to-dmz: false
anti-spoofing: true
anti-spoofing-settings:
action: "prevent"
exclude-packets: false
spoof-tracking: "log"
security-zone: false

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-31 08:50 AM
In response to Andrew_Larrick
Jump to solution

Check out the documentation for set-simple-gateway. The key 'interfaces' doesn't accept an Object, it only accepts a List: Object. To specify a list in mgmt_cli, you add a number in that position in the key path. Rather than 'interfaces.name', it needs to be 'interfaces.1.name'. Then the next item in the list is 'interfaces.2.name', and so on.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-31 08:19 AM
Jump to solution

When using add-simple-gateway or set-simple-gateway, the 'interfaces' key expects a list. With mgmt_cli, you need to specify it like:

interfaces.1.name "bond0.808" \
interfaces.1.topology "internal" \
interfaces.1.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

You don't need to use the \newline thing. I added that to make it more obvious how the keys need to be specified.

Note that you MUST provide all interfaces in the API call. Doesn't matter whether you're adding a new firewall object or modifying an existing one. At the end of a successful call, the firewall's interface table will contain exactly the interfaces you specify in the call.

Andrew_Larrick
Participant
‎2023-10-31 10:23 AM
In response to Bob_Zimmerman
Jump to solution

Thank you.  That is the piece I was missing!!  And yes, now I have an object that only has this interface.   Any idea why this behavior only happens on simple gateways and not clusters?  I can change any individual aspect of an interface on clusters without having to provide info for all interfaces.

 

Thanks again for the help.

~Drew

 

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 10:33 AM
In response to Andrew_Larrick
Jump to solution

Would you mind send the command that worked? Just for the reference, if you dont mind...you can blur out if name, of course and the IP address.

Cheers mate.

Andy

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 10:39 AM
In response to the_rock
Jump to solution

mgmt_cli set simple-gateway name "<Gateway Name>" interfaces.1.name "<interface name>" interface.1.ipv4-address "<interface IP>" interface.1.ipv4-network-mask "<interface mask>" interfaces.1.topology "INTERNAL" interfaces.1.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" --format json

But as BobZ mentioned, if you don't include all the interfaces, this will become the only interface on the object.

info between ""s are actual,   

info between "<>" are placeholders. 

 

~Drew

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 10:50 AM
In response to Andrew_Larrick
Jump to solution

Right, but just to confirm, was < and > what you added to make it work compared to when it was failing?

Kind regards,

Andy

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 10:55 AM
In response to the_rock
Jump to solution

No, Sorry.    The missing piece was    a number after interfaces.   So for example I was doing < interfaces.name "int name" >   but it should have been < interfaces.1.name "int name" >  for the 1st interface in my command,  If I was adding a second interface in the command it would be < interfaces.2.name " int name" >

Has to do with the parameter being a list object. ( thanks again Bob !! )

 

Drew

0 Kudos
the_rock
Legend
Legend
‎2023-10-31 10:58 AM
In response to Andrew_Larrick
Jump to solution

Ag, GOT IT! So < and > characters dont matter really : - )

Andy

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 11:05 AM
In response to the_rock
Jump to solution

Right, so a real example could be:

mgmt_cli set simple-gateway name "Test-GW1" interfaces.1.name "eth1" interface.1.ipv4-address "192.168.10.1" interface.1.ipv4-network-mask "255.255.255.0" interfaces.1.topology "INTERNAL" interfaces.1.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" --format json

 

Drew

(1)
the_rock
Legend
Legend
‎2023-10-31 11:09 AM
In response to Andrew_Larrick
Jump to solution

Perfect, thanks a lot and sorry for being pain in the a** (haha), just wanted to make sure I had the right syntax if I ever have to do this myself, thats all.

Cheers mate and have a great day/afternoon/night!

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-31 10:59 AM
In response to Andrew_Larrick
Jump to solution

set-simple-cluster's 'interfaces' key accepts data in five forms: four types of Object and one List: Object. The List: Object form behaves the same as set-simple-gateway's 'interfaces' key. You must be hitting one of the other forms to update an interface without removing interfaces you don't specify.

0 Kudos
Andrew_Larrick
Participant
‎2023-10-31 11:07 AM
In response to Bob_Zimmerman
Jump to solution

Thank Bob.    Is there another API way to add an interface to a simple-gateway that doesn't require re-adding all the already existing interface?

Thanks,

Drew

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-31 11:54 AM
In response to Andrew_Larrick
Jump to solution

There is not.

You could always make a cluster with only one member.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events