This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ng0cph0ng
Explorer
‎2024-10-25 07:17 PM
Jump to solution

Adding sub-interface vlan via mgmt_cli

Im new in Check Points API, i have read some documents and try to add new vlan sub-interface, I tried "add interface eth0 vlan 20", but it doesnt work. How can i do. I can add vlan 10 manually, btw i use R81.20.

Preview file
20 KB
Preview file
5 KB
0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-10-30 01:16 PM
In response to PhoneBoy
Jump to solution

To give another example, I present the following GW object, which has the following interfaces defined:

image.png

I used the following mgmt_cli command:

mgmt_cli -r true set simple-gateway name "R8120-GW" interfaces.1.name "eth0" interfaces.1.ipv4-address "10.6.5.210" interfaces.1.ipv4-network-mask "255.255.255.0" interfaces.1.topology "external" interfaces.2.name "eth1" interfaces.2.ipv4-address "192.168.100.1" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.topology "internal" interfaces.2.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" interfaces.3.name "eth2" interfaces.3.ipv4-address "192.168.200.1" interfaces.3.ipv4-network-mask "255.255.255.0" interfaces.3.topology "internal" interfaces.3.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

The end result:

image.png

Note that you might need to pass more parameters to set the interfaces per your specifications.
However, that should be more than enough to get you started.

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-31 08:59 AM
In response to ng0cph0ng
Jump to solution

Yes, and this problem is addressed in R82 with the add-interface endpoint.
Continuing with the above object, let's say I wanted to add eth3.
My call would look something like this:

mgmt_cli -r true add interface name "eth3" gateway-uid "375bebfe-989b-4cd8-80c0-001d2736ccc1" ipv4-address "192.168.150.1" ipv4-mask-length "24" security-zone-settings.auto-calculated "false" security-zone-settings.specific-zone "WirelessZone" topology "internal" topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

It looks something like this in SmartConsole:

image.png

FYI @Omer_Kleinstern when I tried to use ipv4-network-mask instead of ipv4-mask-length in the above, I got a validation error. 
I assume this a bug?
Also, it seems that there is no option in the add-interface endpoint (or the set-interface one) to actually enable the specified security zone.

View solution in original post

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2024-10-28 02:31 PM
Jump to solution

You're doing this from SmartConsole CLI, which is not where you need to enter this command.
Log into the gateway via SSH/console.

0 Kudos
ng0cph0ng
Explorer
‎2024-10-28 08:57 PM
In response to PhoneBoy
Jump to solution

Thanks for your reply, I used this script to add vlan but it show me the error. Can you check my script and guide me how to do it.

Preview file
13 KB
Preview file
22 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-29 10:08 AM
In response to ng0cph0ng
Jump to solution

It seems like you're trying to use the clish command in the API to add this interface to the relevant network object.
That's not how to do it.

You must use the set simple-gateway API call and specify ALL the interfaces for that gateway object, including the one you want to add.
In R82, there is an add-interface endpoint where it appears you can add an interface to an existing gateway object. 

0 Kudos
ng0cph0ng
Explorer
‎2024-10-29 07:59 PM
In response to PhoneBoy
Jump to solution

Can you make it more clearly? When I use set simple-gateway with my gateway uid, I have parameter interfaces.i. I tried set simple-gateway uid "UID" interfaces.i. ... and it always show error.
I just want to add vlan sub-interfaces, Im using R81.20. When I log into the gateway via console. I use "add interface eth0 vlan 10" and some "set interface ...", it work. I want to try to do it with expert mode (mgmt_cli) to add multiple vlans at once. Can I do it on R81.20?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-30 01:10 PM
In response to ng0cph0ng
Jump to solution

As stated, you cannot just "add" an interfaces to an existing simple-gateway object.
Your API call must include ALL the interfaces (both existing and ones you wish to add).
This is specified in the API documentation:

image.png

See this thread for an example: https://community.checkpoint.com/t5/Management/How-to-Set-topology-on-a-simple-gateway-using-the-mgm... 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-30 01:16 PM
In response to PhoneBoy
Jump to solution

To give another example, I present the following GW object, which has the following interfaces defined:

image.png

I used the following mgmt_cli command:

mgmt_cli -r true set simple-gateway name "R8120-GW" interfaces.1.name "eth0" interfaces.1.ipv4-address "10.6.5.210" interfaces.1.ipv4-network-mask "255.255.255.0" interfaces.1.topology "external" interfaces.2.name "eth1" interfaces.2.ipv4-address "192.168.100.1" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.topology "internal" interfaces.2.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask" interfaces.3.name "eth2" interfaces.3.ipv4-address "192.168.200.1" interfaces.3.ipv4-network-mask "255.255.255.0" interfaces.3.topology "internal" interfaces.3.topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

The end result:

image.png

Note that you might need to pass more parameters to set the interfaces per your specifications.
However, that should be more than enough to get you started.

0 Kudos
ng0cph0ng
Explorer
‎2024-10-30 07:45 PM
In response to PhoneBoy
Jump to solution

I see, so every time I add interface, I need to define the old interface and the new interface. I find that quite inconvenient. For example, if I already have 10 interfaces and want to add 10 new interfaces, I will use an API call for 20 interfaces. However, thanks for the helpful solution.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-31 08:59 AM
In response to ng0cph0ng
Jump to solution

Yes, and this problem is addressed in R82 with the add-interface endpoint.
Continuing with the above object, let's say I wanted to add eth3.
My call would look something like this:

mgmt_cli -r true add interface name "eth3" gateway-uid "375bebfe-989b-4cd8-80c0-001d2736ccc1" ipv4-address "192.168.150.1" ipv4-mask-length "24" security-zone-settings.auto-calculated "false" security-zone-settings.specific-zone "WirelessZone" topology "internal" topology-settings.ip-address-behind-this-interface "network defined by the interface ip and net mask"

It looks something like this in SmartConsole:

image.png

FYI @Omer_Kleinstern when I tried to use ipv4-network-mask instead of ipv4-mask-length in the above, I got a validation error. 
I assume this a bug?
Also, it seems that there is no option in the add-interface endpoint (or the set-interface one) to actually enable the specified security zone.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events