Eric_Beasley
Employee

Check Point API example (mgmt_cli in bash) of how to filter using a string with spaces in it

UPDATED 2025-07-28 :  defined ${JQ} and provided alternative script examples

We have an undocumented issue that is required to build a more complex filter when searching for content that is space separated, like for example “Cisco WebEx” or “Cisco WebEx Recording” or “Cisco RV”.

Nowhere in the documentation is this problem addressed, there are NO examples to be found (as of 2025-07-25, R82 JHF 34 and earlier)!  Sorry R&D, lacking documentation at any level for this is a problem.

Now, I beat my head against this and tried some things, and found something interesting…  I’m using mgmt_cli, but this should apply in web api also!

First the example of WHAT DOES NOT WORK! as a filter, since the space is apparently some delimiter to “stop” looking at what is provided...

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2"
"Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)"
"Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)"
"Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)"
"Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)"
"Cisco Adaptive Security Appliance Web Services Denial of Service"
"Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)"
"Cisco AnyConnect VPN Client ActiveX Code Execution"
"Cisco AnyConnect VPN Client Software Downgrade Code Execution"
"Cisco Application Networking Manager Default User Credentials Security Bypass"
"Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)"
"Cisco ASA VPN Portal Cross-Site Scripting"
"Cisco CNS Network Registrar Denial of Service"
"Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)"
"Cisco Common Services Devices Center Cross Site Scripting"
"Cisco Common Services Framework Help Servlet Cross-Site Scripting"
"Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)"
"Cisco Data Center Network Manager Arbitrary File Upload"
"Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)"
"Cisco Data Center Network Manager Command Injection"
"Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)"
"Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)"
"Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)"
[Expert@Mgmt-01:0]#

If you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | jq '.protections[] | ."name"'

 

NOTE that we have nothing that is even close to something that should filter with “Cisco RV”.  Using the text like one would in SmartConsole fails!


 

Now for my example that works, we need to replace the space (“ “) with ampersand (“&”), all spaces in the required string!

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco RV Command Injection (CVE-2020-3331)"
"Cisco RV Routers Authentication Bypass (CVE-2018-0127)"
"Cisco RV Routers Authentication Bypass (CVE-2019-1898)"
"Cisco RV016 FIRMWARE Privilege Escalation (CVE-2023-20118)"
"Cisco RV132W Command Injection (CVE-2018-0125)"
"Cisco RV320 and RV325 Command Injection (CVE-2023-20117)"
"Cisco RV320 and RV325 Routers Information Disclosure (CVE-2019-1653)"
"Cisco RV320 Command Injection (CVE-2019-1652)"
"Cisco RV320 Firmware Command Injection (CVE-2023-20128)"
"Cisco RV340 Arbitrary File Upload (CVE-2023-20073)"
[Expert@Mgmt-01:0]#

Again if you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

 

# Corrected 2025-07-28, missing "&"
export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | jq '.protections[] | ."name"'

 

 

Replacing the space (“ “) with ampersand (“&”) does the trick.  Let’s look at some more examples for verification…

This time it’s “Cisco WebEx Recording”:  First with spaces

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2"
"Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)"
"Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)"
"Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)"
"Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)"
"Cisco Adaptive Security Appliance Web Services Denial of Service"
"Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)"
"Cisco AnyConnect VPN Client ActiveX Code Execution"
"Cisco AnyConnect VPN Client Software Downgrade Code Execution"
"Cisco Application Networking Manager Default User Credentials Security Bypass"
"Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)"
"Cisco ASA VPN Portal Cross-Site Scripting"
"Cisco CNS Network Registrar Denial of Service"
"Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)"
"Cisco Common Services Devices Center Cross Site Scripting"
"Cisco Common Services Framework Help Servlet Cross-Site Scripting"
"Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)"
"Cisco Data Center Network Manager Arbitrary File Upload"
"Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)"
"Cisco Data Center Network Manager Command Injection"
"Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)"
"Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)"
"Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)"
[Expert@Mgmt-01:0]#

Again if you want to try it, here is just the mgmt_cli call, you need to be in expert to run this way:

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco WebEx Recording" -r true -f json | jq '.protections[] | ."name"'

 

Again the original text that would work in SmartConsole fails as entered.


Let’s try with replacing the space (“ “) with ampersand (“&”) trick:

We’ll start with just the first part, so “Cisco WebEx” to see that there would be more:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco WebEx Meeting Manager ActiveX Control Buffer Overflow"
"Cisco Webex Meetings Desktop App Update Service Command Injection (CVE-2018-15442)"
"Cisco WebEx Meetings Server and Center Remote Code Execution"
"Cisco WebEx Player ATAS32.DLL Remote Code Execution"
"Cisco WebEx Player ATDL2006.dll Heap Memory Corruption"
"Cisco WebEx Player Malformed .WRF File Code Execution"
"Cisco WebEx Recording Format Player atas32.dll Integer Overflow"
"Cisco WebEx Recording Format Player atas32.dll Memory Corruption"
"Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow"
"Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)"
"Cisco Webex Teams code Injection (CVE-2019-1636)"
"Cisco WebEx UCF atucfobj.dll ActiveX NewObject Buffer Overflow - Ver2"
[Expert@Mgmt-01:0]#

Again if you want to try it,

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | jq '.protections[] | ."name"'

 

And now the full “Cisco WebEx Recording” as we would like to filter:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco WebEx Recording Format Player atas32.dll Integer Overflow"
"Cisco WebEx Recording Format Player atas32.dll Memory Corruption"
"Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow"
"Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)"

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"'
"Cisco WebEx Recording Format Player atas32.dll Integer Overflow"
"Cisco WebEx Recording Format Player atas32.dll Memory Corruption"
"Cisco WebEx Recording Format Player atas32.dll Subrecords Integer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Buffer Overflow"
"Cisco WebEx Recording Format Player atdl2006.dll Integer Overflow"
"Cisco WebEx Recording Format Player Buffer Overflow (CVE-2012-1337)"
[Expert@Mgmt-01:0]#

And the pure command line code:

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 250 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.protections[] | ."name"'

or:

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.protections[] | ."name"'

# Alternatively

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.protections[] | ."name"'

 

In the above example I ran it twice to also show that expanding the range for limit versus offset didn’t change the results.

Which brings the need for a proper example to check for the total number of items we would get in a filter, since that might be needed to iterate a few times for large filter results in excess of 500 results:

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | ${JQ} '.total'
163

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.total'
14

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.total'
6

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.total'
10

[Expert@Mgmt-01:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | ${JQ} '.total'
2489

[Expert@CORE-G3-Mgmt-01:0]#

And just the code for those who want to copy-paste:

export JQ="${CPDIR}/jq/jq"
mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | ${JQ} '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | ${JQ} '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | ${JQ} '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | ${JQ} '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | ${JQ} '.total'

# Alternatively

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco" -r true -f json | jq '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx" -r true -f json | jq '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&WebEx&Recording" -r true -f json | jq '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco&RV" -r true -f json | jq '.total'

mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Adobe" -r true -f json | jq '.total'

For the example above with “Adobe” we may need to iterate up to 5 times if the limit is 500 and we want the complete set, but that is an example for another time.

BR, thanks for the challenge, and I hope everyone finds some use in this,

 

Eric

 

PS:  Why ${JQ} ?  In my environment I map ${JQ} to jq version 1.6 that I've put on the system to get the best jq results with the more current version than the default version 1.4 implemented on Gaia OS.

(1)
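
The post above replaces spaces with "&" in the filter and reads .total to decide how many limit/offset calls are needed. As an added example (not part of the original post, and not Check Point's own code), the script below does both; the function names are hypothetical, collapsing runs of whitespace into one "&" is an assumption, and only the mgmt_cli and jq arguments shown in the post are used.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
JQ="${JQ:-jq}"   # use jq from PATH when JQ is not exported

# "Cisco WebEx Recording" -> "Cisco&WebEx&Recording".
# Assumption: runs of whitespace collapse to a single "&".
build_filter() (
    set -f            # no globbing while the phrase is word-split
    set -- $1         # split on default IFS (space, tab, newline)
    IFS='&'
    printf '%s' "$*"  # "$*" joins the words with the first IFS character
)

# Print one offset per call needed to cover <total> results at <limit> each.
page_offsets() (
    total=$1 limit=$2 offset=0
    [ "$limit" -gt 0 ] || exit 1
    while [ "$offset" -lt "$total" ]; do
        printf '%s\n' "$offset"
        offset=$((offset + limit))
    done
)

# Run the query from the post for one page; the filter stays quoted so the
# shell never sees "&" as its background operator.
query_page() {
    mgmt_cli show threat-protections limit "$2" offset "$3" \
        details-level "standard" filter "$1" -r true -f json
}

# List every matching protection name, paging until .total is covered.
list_protections() {
    filter=$(build_filter "$1")
    limit=${2:-500}
    total=$(query_page "$filter" "$limit" 0 | "$JQ" '.total')
    for offset in $(page_offsets "$total" "$limit"); do
        query_page "$filter" "$limit" "$offset" | "$JQ" -r '.protections[] | .name'
    done
}

# Only contact the management server when a phrase is given, e.g.
#   sh list_protections.sh "Cisco WebEx Recording" 25
if [ "$#" -gt 0 ]; then
    list_protections "$@"
fi
```

With the totals reported in the post, "Adobe" (2489 results) at a limit of 500 yields five offsets: 0, 500, 1000, 1500 and 2000.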
6 Replies
PhoneBoy
Admin

Great work!
Curious how you stumbled on the ampersand.

the_rock
Legend

Now you got me curious. I will test this on both R81.20 and R82 in the lab.

Andy

0 Kudos
the_rock
Legend

Just tried on R82 jumbo 34 mgmt lab and all I get is below.

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | ${JQ} '.protections[] | ."name"'
-bash: .protections[] | ."name": command not found
[Expert@CP-MANAGEMENT:0]#

0 Kudos
Bob_Zimmerman
Authority

That's because you haven't defined the JQ environment variable, so it expands to nothing, leaving '.protections[] | ."name"' as the next token passed to the shell. Either defining JQ="jq" or replacing "${JQ}" with jq will work.

 

the_rock
Legend

Thank you, will try tomorrow.

Andy

0 Kudos
the_rock
Legend

Excellent, that worked!

Andy

[Expert@CP-MANAGEMENT:0]# mgmt_cli show threat-protections limit 25 offset 0 details-level "standard" filter "Cisco RV" -r true -f json | jq '.protections[] | ."name"'
"Cisco ACS Windows Bypass Authentication Unauthorized Access Ver2"
"Cisco Adaptive Security Appliance Buffer Overflow (CVE-2016-1287)"
"Cisco Adaptive Security Appliance Cross Site Scripting (CVE-2020-3580)"
"Cisco Adaptive Security Appliance Directory Traversal (CVE-2020-3452)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2016-6367)"
"Cisco Adaptive Security Appliance Privilege Escalation (CVE-2022-20759)"
"Cisco Adaptive Security Appliance Remote Code Execution (CVE-2018-0101)"
"Cisco Adaptive Security Appliance Web Services Denial of Service"
"Cisco AnyConnect Secure Mobility Client Privilege Escalation (CVE-2020-3153)"
"Cisco AnyConnect VPN Client ActiveX Code Execution"
"Cisco AnyConnect VPN Client Software Downgrade Code Execution"
"Cisco Application Networking Manager Default User Credentials Security Bypass"
"Cisco ASA Disable Password Remote Code Execution (CVE-2016-6366)"
"Cisco ASA VPN Portal Cross-Site Scripting"
"Cisco CNS Network Registrar Denial of Service"
"Cisco Collaboration Server Cross-Site Scripting (CVE-2010-0641)"
"Cisco Common Services Devices Center Cross Site Scripting"
"Cisco Common Services Framework Help Servlet Cross-Site Scripting"
"Cisco Data Center Network Manager Arbitrary File Deletion (CVE-2019-15981)"
"Cisco Data Center Network Manager Arbitrary File Upload"
"Cisco Data Center Network Manager Authentication Bypass (CVE-2019-15976)"
"Cisco Data Center Network Manager Command Injection"
"Cisco Data Center Network Manager Directory Traversal (CVE-2019-15980)"
"Cisco Data Center Network Manager SQL Injection (CVE-2019-15984)"
"Cisco Elastic Services Controller REST API Authentication Bypass (CVE-2019-1867)"
[Expert@CP-MANAGEMENT:0]#

0 Kudos
