topic Re: mgmt_cli validation check in API / CLI Discussion

mgmt_cli validation check

Kim_Moberg — Fri, 24 Jan 2025 10:35:29 GMT

Hi Check Mates,

Been working on a simple standard change which I wanted to create a simple automation task.

I have been working on this in three steps.

1) Using CMD via SmartConsole adding a Network Object and then add this to a Network Group object. That simply worked.

I am running these the commands

add network name "TestObj" subnet xxx.xxx.xxx.xxx subnet-mask xxx.xxx.xxx.xxx set group name "Proxy_Access" members.add "TestObj"

publish
Install policy

2) Working on a shell script to be executed on SMS server doing exactly the same steps above. This works too.

I have created a script name "add_object_to_group.sh" and given right to execute with "chmod 777".

Script looks like

#/bin/bash clear # ask for credentials from user echo "Please enter your username and password" read -p "Enter username and press [ENTER]: " USER read -s -p "Enter password and press [ENTER]: " PASS echo mgmt_cli login user ${USER} password ${PASS} > id.txt # in case of an error: print to screen the error message and abort if [ $? -ne 0 ]; then echo "Login command failed." cat id.txt exit 1 fi # Ask for user to enter a Name of Network Object echo echo "Please enter a Network Object Name e.g TestObj " read -p "Enter Network Object Name eg. TestObj [ENTER] : " NetworkObjectName # Ask for user to enter a Source Subnet for Network Object Name echo echo "Please define the Network Object Network subnet" read -p "Enter subnet eg. 10.80.212.0 [ENTER] : " NetworkObjectSubNet while [[ ! "$NetworkObjectSubNet" =~ '^((25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})[.]){3}(25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})$' ]]; do read -p "Not a valid IP Subnet. Re-enter: " NetworkObjectSubNet done read -p "Enter subnet-mask eg. 255.255.255.0 [ENTER] : " NetworkObjectSubNetMask while [[ ! "$NetworkObjectSubNetMask" =~ '^((255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255))$' ]]; do read -p "Not an Subnet Mask. Re-enter: " NetworkObjectSubNetMask done # Run the mgmt_cli against CP SMS Server mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}" mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}" # Publish the creation of Network Object and add it to Network Group mgmt_cli publish -s id.txt mgmt_cli logout -s id.txt

3) Moving script our from SMS server to be run in Linux jumphost. I haven't yet worked on this because I want to complete my above steps first.

I am lacking some kind of error handling in my script and I haven't been able to find any examples of being able to do so.
I know I have a validation check for login if anything goes wrong. Or can I use the same method from login validation in each of the steps?

Example of error handling would be.

1) In case Network Object Name exist.

2) in case of two objects have then same subnet in use. In SmartConsole you can have different object names with the same subnet.

3) I want to be sure that I am not trying to add a network object to a network group if it already exist etc.

Anyone can help me or give me a direction?

Thanks

Re: mgmt_cli validation check

Kim_Moberg — Fri, 24 Jan 2025 10:08:43 GMT

I want to be able to do validation check when running mgmt_cli commands

mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}" mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}"

Re: mgmt_cli validation check

Bob_Zimmerman — Fri, 24 Jan 2025 21:09:02 GMT

Rather than a static "id.txt" for the session cookie, I would use a variable populated by mktemp. That way, multiple people could use the tool at the same time.

sessionCookie=$(mktemp) mgmt_cli login user "${USER}" password "${PASS}" >"${sessionCookie}" ... ... mgmt_cli -s "${sessionCookie}" add network name ...

As for error handling, you would have to actually read the messages. Something like this:

apiOut="$(mgmt_cli -f json -s "${sessionCookie}" add network name ...)" if [ "1" = "$0" ];then errorText="$(echo "${apiOut}" | jq '.some.path.here')" case "${errorText}" in "Some error string") # Handle this error. ;; "A different error string") # Handle a different error. ;; *) # This is the default case, where errors you don't specifically detect end up. echo "Got an error I don't know how to handle: ${errorText}" exit 1 ;; esac fi

You would replace '.some.path.here' with the path in an API call error to the description of the error. I forget what it is off the top of my head. You would then have an item in the case statement for each error you want to handle.

Note that adding a network to a group which already contains it isn't harmful. I wouldn't bother trying to detect that.

Re: mgmt_cli validation check

Amir_Senn — Sun, 26 Jan 2025 16:35:22 GMT

Try to use:

nohup mgmt_cli -s id.txt add network name dummy subnet 1.1.1.0 subnet-mask 255.255.255.0 2>/dev/null &nohup mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}" 2>/dev/null &
nohup mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}" 2>/dev/null &

This will write all output to "nohup.out".

If all is ok it wouldn't write anything to it. If you have an issue it will write it.

So for example, in the script after running the command while having a another object of the same name:

Please enter your username and password
Enter username and press [ENTER]: aa
Enter password and press [ENTER]:

Please enter a Network Object Name e.g TestObj
Enter Network Object Name eg. TestObj [ENTER] : dummy

Please define the Network Object Network subnet
Enter subnet eg. 10.80.212.0 [ENTER] : 1.2.6.0
Enter subnet-mask eg. 255.255.255.0 [ENTER] : 255.255.255.0

---------------------------------------------
Time: [18:34:09] 26/1/2025
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-91b4-d9616ebd3c7b"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 0
mode: "async"
revision: "d214d4f0-1644-49e4-9ddd-60ebf4f67ab6"

message: "OK"

[Expert@MGMT:0]# cat nohup.out
code: "err_validation_failed"
message: "Validation failed with 1 error"
errors:
- message: "More than one object named 'dummy' exists."

[Expert@MGMT:0]#

Re: mgmt_cli validation check

Duane_Toler — Sat, 15 Mar 2025 04:29:25 GMT

I know this is a little late for this party, but I would highly suggest you do this with Ansible and the Check Point modules. It handles all of this backend dirty work for you, plus you gain consistency along the way. You can also structure your playbooks to collect before/after states and completely discard the entire operation, giving you the chance to fully test the entire sequence so you can run it at a later date (such as "maintenance weekend", when you're already short on time and short on patience).

Shameless plug: I have a series (link in my signature line below) on setting up an Ansible host, dependencies, and introductions to playbooks, etc. First 5 episodes are available now, with more coming.