topic Automate Administrators creation on R80.10 SMS in Firewall and Security Management

Automate Administrators creation on R80.10 SMS

Juan_Carlos — Tue, 21 Aug 2018 06:34:40 GMT

Hello,

I need to find a way to automate Administrators creation with RADIUS authentication on several Security Sanagement Servers. I don't want the RADIUS administrator to connect on each Security Management Server to creates the Administrators (he is not allowed to do that). I have tried to use the API but unfortunately I got the following message telling me it's not supported :

[sms]# mgmt_cli --port <PORT> -u <USER> -p <PASSWORD> add administrator name "<NAME>" authentication-method "radius" radius-server "<RADIUS_SERVER>"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Executed command failed. Changes are discarded.
[sms]#

Any idea/trick that I could use to achieve what I want to do?

Thanks

Re: Automate Administrators creation on R80.10 SMS

Marco_Valenti — Tue, 21 Aug 2018 07:10:03 GMT

As the command say this syntax should be used for multi domain env , if you have a smart center you probably need to fix the syntax of this command seems that a permission profile is missing too

Those are example from the api reference

add-administrator

Command

add administrator name "admin" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" permissions-profile "read write all" --format json  • "--format json" is optional. By default the output is presented in plain text.  • This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.

add-administrator (domain super user) in MDM

Command

add administrator name "super_admin" password "aaaa" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" multi-domain-profile "domain super user" --format json  • "--format json" is optional. By default the output is presented in plain text.  • This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.

Re: Automate Administrators creation on R80.10 SMS

Juan_Carlos — Tue, 21 Aug 2018 07:43:35 GMT

Hello Marco,

Thanks for your quick reply.

I'm not sure I understand what you mean. Even if specifying a permission profile, the examples from the API reference guide says that this "is available using the SmartConsole CLI only on a Multi Domain environment". So it won't work on a SMS

Did I miss something?

Re: Automate Administrators creation on R80.10 SMS

Marco_Valenti — Tue, 21 Aug 2018 08:05:26 GMT

Indeed I have missed that part too early morning here so seems that is not supported on a sms sorry for that

Re: Automate Administrators creation on R80.10 SMS

Juan_Carlos — Tue, 21 Aug 2018 11:47:46 GMT

No problem

Re: Automate Administrators creation on R80.10 SMS

PhoneBoy — Tue, 21 Aug 2018 23:15:56 GMT

You just need to add:

domain "System Data"

To your command.

Re: Automate Administrators creation on R80.10 SMS

Juan_Carlos — Wed, 22 Aug 2018 07:46:41 GMT

Hi Dameon,

It's working, thanks for your help

Re: Automate Administrators creation on R80.10 SMS

Marco_Valenti — Wed, 22 Aug 2018 07:53:23 GMT

a true jedi master advice

Re: Automate Administrators creation on R80.10 SMS

weaamna — Sun, 17 Mar 2019 13:49:44 GMT

--domain 'System Data'

Re: Automate Administrators creation on R80.10 SMS

Václav_Brožík — Wed, 26 Jun 2019 08:57:12 GMT

For me domain "System Data" does not help. I have tested it in R80.10 and R80.20. The API also do not show me any domains:

> show administrators domain "System Data" code: "err_inappropriate_domain_type" message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)." > show administrators --domain "System Data" code: "err_inappropriate_domain_type" message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)." > show domains objects: [] total: 0

Re: Automate Administrators creation on R80.10 SMS

Paul_Hagyard — Fri, 29 Nov 2019 02:06:24 GMT

I am guessing the SmartConsole CLI is logged in to a specific domain - and does not let you specify the domain. This is a real pain if you're using a Check Point cloud SmartCenter (e.g. Endpoint Security cloud) as I don't think you can get OS CLI access (they wouldn't want you to...).