Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Richard_Carson
Contributor
Jump to solution

problems deleting an application access-layer via API

I have mulitple policy packages that have a security layer and a application layer. The application layer appeared after importing from migrate import from R77, i do not want it. I would like to remove this layer from all these policy packages.

The application layer has only 1 rule


Any -> Internet -> accept -> detailed log :accounting

I thought i would just be able to delete the layer from the API. It deletes perfectly from the SmartConsole. I have tried


deleting the application access layer

mgmt_cli -r true -d Mgmt1 delete access-layer uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_deletion"
message: "Object MyPolicy Application could not be deleted because it is referenced by other objects, run where-used command for details"

I have verified that I have the correct id for the application layer, using show object uid.

mgmt_cli -r true -d Mgmt1 where-used uid "12345678-abcd-4710-a798-12345609f989"
code: "generic_err_object_not_found"
message: "Requested object [12345678-805c-4710-a798-12345609f989] not found"

where used doesnt work on this object, ok expected i think.


I tried to delete the 1 rule from the application access layer

mgmt_cli -r true -d Mgmt1 delete access-rule layer "12345678-abcd-4710-a798-12345609f989" rule-number 1 --format json
{
"code" : "generic_error",
"message" : "Runtime error: Cannot delete the only child of the rulebase."
}

So , can i delete this using the API, what am i missing?

1 Solution

Accepted Solutions
Sergey_Aliev
Employee Alumnus
Employee Alumnus

To summarize:

I actually found out that the layer is used by the Policy Package itself in cpm.elg:

 

02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):

Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)

The where-used should of worked as well, but let's put that aside.

We basically need to remove the layer from the policy package first, before we try to remove it completely:

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"

Now after we removed the access-layer from the package we can remove it.

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"

View solution in original post

4 Replies
PhoneBoy
Admin
Admin

You should be able to delete it from the API.

I would open a TAC ticket so we can troubleshoot what's going on.

0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

Hi!

I tested this and got the same error... I had a shared inline layer, which I was only able to delete from the SmartConsole, but not by using API. API tells that the object is in use. However, I can delete it without any warnings from SmartConsole. If it was really in use I would expect of getting the same error message in SmartConsole.

I'm using R80.20.

0 Kudos
Sergey_Aliev
Employee Alumnus
Employee Alumnus

To summarize:

I actually found out that the layer is used by the Policy Package itself in cpm.elg:

 

02/10/18 14:15:18,667 ERROR coresvc.internal.ObjectCrudSvcImpl [qtp185018416-250140]: ObjectDeletionException with objId = f81dc4aa-43df-4f84-b9c5-65fc1f2e76ad, objName = Access-Layer Name, reason = it is used by the following object(s):

Policy Package objid:[8796dc52-0ac6-4611-b0bc-e05bd41a3a9b] (field:layers)

The where-used should of worked as well, but let's put that aside.

We basically need to remove the layer from the policy package first, before we try to remove it completely:

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain set package name "Package Name" access-layers.remove.1 "Acess-Layer Name"

Now after we removed the access-layer from the package we can remove it.

[Expert@R80.10:0]# mgmt_cli -r true -d IP/Domain delete access-layer name "Access-Layer Name"

Richard_Carson
Contributor

Thank you Sergey. I have tried this and confirmed that it works. I guess the GUI is calling some extra functions behind the scene to remove it from the policy package first.

2 follow ups i think!

1. where used need to work - would have helped here

2. i think it would be useful to have something in the api documentation to suggest that you need to remove the layer from the package first , or perhaps the call should just do this as it does in the GUI?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events