Simon_Macpherso
Advisor

API Policy Install

Hello,

Management API Reference v1.8.1 states for the policy -> install-policy endpoint, the argument parameter 'targets' is a required argument.

I have tested this requirement and it seems the 'targets' argument parameter is not required. This was tested on the following environments:
- Management R81.10 JHF baseline (API version 1.8)
- Management R81.10 JHF take 79 (API version 1.8.1)

If the following example command is run, the "standard" policy is installed on ALL gateways, including gateways where "Specified Gateways" for installation targets is configured and a gateway is specified.

mgmt_cli install-policy policy-package "standard" access true --format json 

My understanding of required arguments is that they are just that. If the required argument is not entered, the command should fail with reason "Missing parameter: [targets]". This would be the expected result for a required argument. Just as 'policy-package' is a required argument: if the 'policy-package' argument parameter is not included in the command, the command fails with reason "Missing parameter: [policy-package]".

After discovering the command did not fail if a target was not specified, I thought the policy might only be installed on all gateways where the installation target setting was set to 'All Gateways'. However, as mentioned above, the policy is installed on ALL gateways, regardless of the current installation target setting on the policy.

This seems like a bug and there should be a safety net for this feature.

I want to specify a specific target, but we also need it to prompt or fail and return "Missing parameter: [targets]" if a target is not specified. Ensuring the "targets" argument parameter is a required argument will prevent a specific policy package being installed on unintended gateways.

Regards,

Simon

Tal_Paz-Fridman
Employee

Hi

When I run the command without specifying the policy targets it only installs on the targets as specified on the Policy Package.

Do you experience a different behavior?

Policy installation targets.png

Simon_Macpherso
Advisor

Hi @Tal_Paz-Fridman,

What you described above is correct and expected. 

When I run the command without specifying a policy target, if the installation target is set to 'All gateways', the policy installs on all gateways, including on gateways that are configured as targets in other policies. I expected the policy would only be installed on gateways that weren't already configured as targets. So to avoid this you must specify the intended installation targets for the policy you are installing, otherwise you may deploy the policy to all gateways across your estate.

Regards,

Simon   

PhoneBoy
Admin

Looks like a documentation bug.
Paging @Omer_Kleinstern 

v1.9 says that targets isn't required (earlier versions list it as required).
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/install-policy~v1.9%20 

Omer_Kleinstern
Employee (accepted solution)

I confirm that this is a documentation issue and @Tal_Paz-Fridman is correct.

When you run the command without specifying the policy targets it will only install on the targets as specified on the Policy Package.

genisis__
Leader

Is there a way to install multiple policy packages at once?

I generally do this as an example:
mgmt_cli --session-id $session install-policy policy-package "POLICY1" access true threat-prevention true

mgmt_cli --session-id $session install-policy policy-package "POLICY2" access true threat-prevention true

but would ideally like to execute this in one command

Bob_Zimmerman
Authority

No such call exists right now, but you could do it with xargs:

echo "POLICY1" "POLICY2" | xargs -n 1 mgmt_cli --sync false --session-id "$session" install-policy access true threat-prevention true policy-package

If that doesn't work, you may need to handle the substitution explicitly:

echo "POLICY1" "POLICY2" | xargs -n 1 -I % mgmt_cli --sync false --session-id "$session" install-policy access true threat-prevention true policy-package "%"

It technically runs one call, then runs the next call. It's "one command" from the perspective of entering it, though. The '--sync false' part tells it to not wait for the first policy to finish installing before issuing the second install-policy call.

genisis__
Leader

Update:
Completed testing and this worked:
session=`mgmt_cli -r true login --format json| jq -r '.sid'`
echo "POLICY1" "POLICY2" | xargs -n 1 mgmt_cli --sync false --session-id "$session" install-policy access true threat-prevention true policy-package


This did not work:
session=`mgmt_cli -r true login --format json| jq -r '.sid'`
echo "POLICY1" "POLICY2" | xargs -n 1 -I % mgmt_cli --sync false --session-id "$session" install-policy access true threat-prevention true policy-package "%"

Got this message:
code: "generic_err_object_not_found"
message: "Requested object [POLICY1 POLICY2] not found"

Bob_Zimmerman
Authority

I forgot GNU xargs is broken. You have to explicitly set the delimiter if you want -I to work on anything less than a whole line. On Linux, try this:

echo "POLICY1" "POLICY2" | xargs -d ' ' -n 1 -I % mgmt_cli --sync false --session-id "$session" install-policy access true threat-prevention true policy-package "%"

As a demo of how this works:

[Expert@DallasSA]# echo "POLICY1" "POLICY2" | xargs -d' ' -n 1 -I % echo "Value: %"
Value: POLICY1
Value: POLICY2

Weirdly, it prints an extra newline at the end of its output. As long as you can ignore that, it should work fine. Alternatively, you can just translate spaces into newlines like so:

[Expert@DallasSA:0]# echo "POLICY1" "POLICY2" | tr ' ' '\n' | xargs -I % echo "Value: %"
Value: POLICY1
Value: POLICY2

Ultimately, xargs is the way to take multiple items of input, carve them up, and feed them into invocations of some other command. It definitely works with one input item per line, and should work with a series of input items separated by spaces. If it doesn't, you have a few ways to deal with it.

0 Kudos
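
Added example, not part of any post above and not Check Point code: since install-policy falls back to the package's configured installation targets when `targets` is omitted, this dry-run builder refuses to emit a call without explicit gateways, and it handles several packages at once as discussed in the xargs replies. The `PACKAGE:gw1,gw2` spec format and the function names are assumptions of this example; `targets.N` is mgmt_cli's list-argument syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: prints commands, runs nothing.
# The "PACKAGE:gw1,gw2" spec format and the function names are assumptions.

# build_install SPEC -> prints one install-policy command with explicit
# targets.N arguments; returns 2 if the spec names no target gateway.
build_install() {
    spec=$1
    pkg=${spec%%:*}
    case $spec in
        *:*) gws=${spec#*:} ;;
        *)   gws= ;;
    esac
    # Allow only plain object names so the printed line is safe to review/run.
    case $pkg$gws in
        *[!A-Za-z0-9._,-]*) echo "Invalid name in spec: $spec" >&2; return 2 ;;
    esac
    if [ -z "$pkg" ]; then echo "Missing parameter: [policy-package]" >&2; return 2; fi
    cmd="mgmt_cli --session-id \"\$session\" install-policy policy-package \"$pkg\""
    cmd="$cmd access true threat-prevention true"
    i=1
    old_ifs=$IFS
    IFS=,
    for gw in $gws; do
        [ -n "$gw" ] || continue          # skip empty fields such as "gw1,,gw2"
        cmd="$cmd targets.$i \"$gw\""
        i=$((i + 1))
    done
    IFS=$old_ifs
    if [ "$i" -eq 1 ]; then
        echo "Missing parameter: [targets] (package $pkg)" >&2
        return 2
    fi
    printf '%s\n' "$cmd"
}

# build_all: one spec per line on stdin. All-or-nothing: if any spec is
# rejected, no command is printed for any package.
build_all() {
    out=
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        line=$(build_install "$spec") || return 2
        out="$out$line
"
    done
    printf '%s' "$out"
}
```

Review the printed lines, then run them in the shell where `$session` is set.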
