Re: mgmt_cli "set application-site"

stallwoodj · ‎2024-06-07

Hi,

FYI I've just raised an SR for the management API (R81.20 T65).

When using the above command, if you had previously included the value "urls-defined-as-regular-expression true" then the SET command will reset it to false, unless you include this argument again.

Thanks

Jamie

the_rock · ‎2024-06-07

Can you send command you did? I can try it on my lab mgmt

Andy

stallwoodj · ‎2024-06-07

Hi Andy,

Using the BASH script below to send the commands (argument 1 being a filename):

#!/bin/bash
#
session=`mgmt_cli -r true login --format json| jq -r '.sid'`
COUNT=0
FILE=`mktemp`
F=`mktemp`

grep ^[^#] <$1 >$F

while IFS= read -r line
do
echo "echo $line" >>$FILE
echo "usleep 100" >>$FILE
echo "mgmt_cli $line ignore-warnings true --ignore-errors true --session-id \"$session\" 2>&1" >>$FILE
COUNT=$((COUNT+1))
if [ `expr $COUNT \% 2000` = "0" ]; then
echo "mgmt_cli publish --session-id \"$session\" 2>&1" >>$FILE
fi
done <$F

source $FILE
mgmt_cli publish --session-id $session 2>&1
mgmt_cli logout --session-id $session 2>&1
rm $FILE $F

The command set in question:

set session description "Create Blacklist Object" new-name "APCL-API"
add application-site name "Sample-Blocklist" primary-category "High Risk" urls-defined-as-regular-expression true url-list.1 "dummy"
set application-site name "Sample-Blocklist" url-list.add "\\/site\\.com"
set application-site name "Sample-Blocklist" url-list.add "\\.site\\.com"
set application-site name "Sample-Blocklist" url-list.remove "dummy"

Thanks

Jamie

the_rock · ‎2024-06-07

Just rebooting it, will try soon.

Andy

the_rock · ‎2024-06-07

Just tried, yes, I see your point.

stallwoodj · ‎2024-07-02

Some clarification: it seems to be only the REMOVE verb affecting it.

Thanks

Jamie

PhoneBoy · ‎2024-06-07

There are a few API calls like that (particularly with Gateway objects).
Please send me the SR in a PM.
Also tagging @Omer_Kleinstern

stallwoodj · ‎2024-09-10

Interestingly, it wasn't the remove command alone that was resetting the flag, but only if the PREVIOUS command failed to explicitly specify the flag (the commands were not completely atomic). I've had a private hotfix built and tested successfully (for application-site only), so hopefully this will be rolled into a hotfix take soon.

PhoneBoy · ‎2024-09-10

Yes, that's the exact behavior I was talking about.

Duane_Toler · ‎2024-06-07

Have you considered Ansible by chance? Check Point has modules for the set/show/delete application-site APIs:

https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_application_site_module...

With this, you can specify that attribute as part of the request. Ansible will handle your login session and you get a consistent interface.

---
- name: Manage application sites
  hosts: mgmt_server
  connection: httpapi
  gather_facts: false
  become: false

  vars:
    ansible_api_key: MGMT_API_KEY
    ansible_network_os: check_point.mgmt.checkpoint
    block_list:
      name: Sample_Blocklist
      primary_category: High Risk
      url_list:
        add:
          - '\/site.com'
          - '\.site\.com'
        remove:
          - dummy


  tasks:
    - name: Get application site info
      check_point.mgmt.cp_mgmt_application_site:
        name: app_site_facts

    - name: Update application sites
      check_point.mgmt.cp_mgmt_application_site:
        name: "{{ block_list.name }}"
        primary_category: "{{ block_list.primary_category }}"
        url_list: "{{ (app_site_facts['ansible_facts']['application_site']['url_list'] |list) + block_list.url_list.add | difference(block_list.url_list.remove) }}"
        urls_defined_as_regular_expression: true

...

(Untested, but should be close)

The idea is to "model" the object you want then work with the model. It pays enormous dividends, tho.

Are you a member of CheckMates?

mgmt_cli "set application-site"