Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Eric_Beasley — Mon, 28 Jul 2025 15:43:50 GMT

UPDATED 2025-07-28 : defined ${JQ} and provided alternative script examples

We have an undocumented issue that is required to build a more complex filter when searching for content that is space separated, like for example “Cisco WebEx” or “Cisco WebEx Recording” or “Cisco RV”.

No where in documentation is this problem addressed, there are NO examples to be found (as of 2025-07-25, R82 JHF 34 and earlier)! Sorry R&D, lacking documentation at any level for this is a problem.

Now, I beat my head against this and tried some things, and found something interesting… I’m using mgmt_cli, but this should apply in web api also!

First the example of WHAT DOES NOT WORK! as a filter, since the space is apparently some delimeter to “stop” looking at what is provided...

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2" "Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)" "Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)" "Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)" "Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)" "Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)" "Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)" "Cisco Adaptive Security Appliance Web Services Denial of Service" "Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)" "Cisco AnyConnect VPN Client ActiveX Code Execution" "Cisco AnyConnect VPN Client Software Downgrade Code Execution" "Cisco Application Networking Manager Default User Credentials Security Bypass" "Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)" "Cisco ASA VPN Portal Cross-Site Scripting" "Cisco CNS Network Registrar Denial of Service" "Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)" "Cisco Common Services Devices Center Cross Site Scripting" "Cisco Common Services Framework Help Servlet Cross-Site Scripting" "Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)" "Cisco Data Center Network Manager Arbitrary File Upload" "Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)" "Cisco Data Center Network Manager Command Injection" "Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)" "Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)" "Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)" [Expert@Mgmt-01:0]#

If you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | jq '.protections[] | ."name"'

NOTE that we have nothing that is even close to something that should filter with “Cisco RV”. Using the text like one would in SmartConsole fails!

Now for my example that works, we need to replace the space (“ “) with ampersand (“&”), all spaces in the required string!

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco RV Command Injection (CVE-2020-3331)" "Cisco RV Routers Authentication Bypass (CVE-2018-0127)" "Cisco RV Routers Authentication Bypass (CVE-2019-1898)" "Cisco RV016 FIRMWARE Privilege Escalation (CVE-2023-20118)" "Cisco RV132W Command Injection (CVE-2018-0125)" "Cisco RV320 and RV325 Command Injection (CVE-2023-20117)" "Cisco RV320 and RV325 Routers Information Disclosure (CVE-2019-1653)" "Cisco RV320 Command Injection (CVE-2019-1652)" "Cisco RV320 Firmware Command Injection (CVE-2023-20128)" "Cisco RV340 Arbitrary File Upload (CVE-2023-20073)" [Expert@Mgmt-01:0]#

Again if you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

# Corrected 2025-07-28, missing "&" export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | jq '.protections[] | ."name"'

Replacing the space (“ “) with ampersand (“&”) does the trick. Let’s look at some more examples for verification…

This time it’s “Cisco WebEx Recording”: First with spaces

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2" "Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)" "Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)" "Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)" "Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)" "Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)" "Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)" "Cisco Adaptive Security Appliance Web Services Denial of Service" "Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)" "Cisco AnyConnect VPN Client ActiveX Code Execution" "Cisco AnyConnect VPN Client Software Downgrade Code Execution" "Cisco Application Networking Manager Default User Credentials Security Bypass" "Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)" "Cisco ASA VPN Portal Cross-Site Scripting" "Cisco CNS Network Registrar Denial of Service" "Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)" "Cisco Common Services Devices Center Cross Site Scripting" "Cisco Common Services Framework Help Servlet Cross-Site Scripting" "Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)" "Cisco Data Center Network Manager Arbitrary File Upload" "Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)" "Cisco Data Center Network Manager Command Injection" "Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)" "Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)" "Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)" [Expert@Mgmt-01:0]#

Again if you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | jq '.protections[] | ."name"'

Again the original text that would work in SmartConsole fails as entered.

Let’s try with replacing the space (“ “) with ampersand (“&”) trick:

We’ll start with just the first part, so “Cisco WebEx” to see that there would be more:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco WebEx Meeting Manager ActiveX Control Buffer Overflow" "Cisco Webex Meetings Desktop App Update Service Command Injection (CVE-2018-15442)" "Cisco WebEx Meetings Server and Center Remote Code Execution" "Cisco WebEx Player ATAS32.DLL Remote Code Execution" "Cisco WebEx Player ATDL2006.dll Heap Memory Corruption" "Cisco WebEx Player Malformed .WRF File Code Execution" "Cisco WebEx Recording Format Player atas32.dll Integer Overflow" "Cisco WebEx Recording Format Player atas32.dll Memory Corruption" "Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow" "Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)" "Cisco Webex Teams code Injection (CVE-2019-1636)" "Cisco WebEx UCF atucfobj.dll ActiveX NewObject Buffer Overflow - Ver2" [Expert@Mgmt-01:0]#

Again if you want to try it,

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | jq '.protections[] | ."name"'

And now the full “Cisco WebEx Recording” as we would like to filter:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco WebEx Recording Format Player atas32.dll Integer Overflow" "Cisco WebEx Recording Format Player atas32.dll Memory Corruption" "Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow" "Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)" [Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"' "Cisco WebEx Recording Format Player atas32.dll Integer Overflow" "Cisco WebEx Recording Format Player atas32.dll Memory Corruption" "Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow" "Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow" "Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)" [Expert@Mgmt-01:0]#

And the pure command line code:

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.protections[] | ."name"'

or:

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"' # Alternatively mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.protections[] | ."name"'

In the above example I ran it twice to also show that expanding the range for limit versus offset didn’t change the results.

Which brings the need for a proper example to check for the total number of items we would get in a filter, since that might be needed to iterate a few times for large filter results in excess of 500 results:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | ${JQ} '.total' 163 [Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.total' 14 [Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.total' 6 [Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.total' 10 [Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | ${JQ} '.total' 2489 [Expert@CORE-G3-Mgmt-01:0]#

And just the code for those who want to copy-paste:

export JQ="${CPDIR}/jq/jq" mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | ${JQ} '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | ${JQ} '.total' # Alternatively mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | jq '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | jq '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | jq '.total' mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | jq '.total'

For the example above with “Adobe” we may need to iterate up to 5 times if the limit is 500 and we want the complete set, but that is an example for another time.

BR, thanks for challenge, and I hope everyone finds some use in this,

Eric

PS: Why ${JQ} ? In my environment I map ${JQ} to jq version 1.6 that I've put on the system to get the best jq results with the more current version than the default version 1.4 implemented on Gaia OS.

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

PhoneBoy — Fri, 25 Jul 2025 23:44:55 GMT

Great work!
Curious how you stumbled on the ampersand.

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

the_rock — Sat, 26 Jul 2025 00:44:07 GMT

Now you got me curious. I will test this on both R81.20 and R82 in the lab.

Andy

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

the_rock — Sat, 26 Jul 2025 11:59:34 GMT

Just tried on R82 jumbo 34 mgmt lab and all I get is below.

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"'
-bash: .protections[] | ."name": command not found
[Expert@CP-MANAGEMENT:0]#

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Bob_Zimmerman — Sat, 26 Jul 2025 21:34:00 GMT

That's because you haven't defined the JQ environment variable, so it expands to nothing, leaving '.protections[] | ."name"' as the next token passed to the shell. Either defining JQ="jq" or replacing "${JQ}" with jq will work.

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

the_rock — Sat, 26 Jul 2025 23:41:04 GMT

Thank you, will try tomorrow.

Andy

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

the_rock — Sun, 27 Jul 2025 13:58:44 GMT

Excellent, that worked!

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | jq '.protections[] | ."name"'
"Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2"
"Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)"
"Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)"
"Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)"
"Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)"
"Cisco Adaptive Security Appliance Web Services Denial of Service"
"Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)"
"Cisco AnyConnect VPN Client ActiveX Code Execution"
"Cisco AnyConnect VPN Client Software Downgrade Code Execution"
"Cisco Application Networking Manager Default User Credentials Security Bypass"
"Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)"
"Cisco ASA VPN Portal Cross-Site Scripting"
"Cisco CNS Network Registrar Denial of Service"
"Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)"
"Cisco Common Services Devices Center Cross Site Scripting"
"Cisco Common Services Framework Help Servlet Cross-Site Scripting"
"Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)"
"Cisco Data Center Network Manager Arbitrary File Upload"
"Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)"
"Cisco Data Center Network Manager Command Injection"
"Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)"
"Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)"
"Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)"
[Expert@CP-MANAGEMENT:0]#

topic Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it in API / CLI Discussion

Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

Re: Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it