This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bob_Zimmerman
Authority
Authority
‎2024-01-27 03:53 PM

Disappearing object type in APIv1.9 (R81.20)

Just found a weird bug in R81.20 jumbo 41. I've only seen it on a lab MDS so far, and the affected object types suggest it may be limited to MDSs:

[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid d98894f9-57ef-6649-a69f-5f3dcf09a02c
{
  "object" : {
    "uid" : "d98894f9-57ef-6649-a69f-5f3dcf09a02c",
    "name" : "TestMDS",
    "type" : "CpmiMds",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "icon" : "Provider-1/login_mds_obj",
    "color" : "black"
  }
}

[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid d98894f9-57ef-6649-a69f-5f3dcf09a02c details-level full
{
  "object" : {
    "uid" : "d98894f9-57ef-6649-a69f-5f3dcf09a02c",
    "name" : "TestMDS",
    "type" : "",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "color" : "black",
    "meta-info" : {
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1706384267583,
        "iso-8601" : "2024-01-27T19:37+0000"
      },
      "last-modifier" : "System",
      "creation-time" : {
        "posix" : 1706384267583,
        "iso-8601" : "2024-01-27T19:37+0000"
      },
      "creator" : "System"
    },
    "tags" : [ ],
    "icon" : "Provider-1/login_mds_obj",
    "comments" : "",
    "display-name" : "",
    "customFields" : null
  }
}

When I add details-level full, the object's type field becomes an empty string. So far, it happens for CpmiMds, CpmiPv1Customer, and CpmiPv1ExternalCaWithCert objects.

It definitely does not occur with 97aeb36a-9aea-11d5-bd16-0090272ccb30 (the object "None"), which has a type of CpmiAnyObject.

0 Kudos
6 Replies
JozkoMrkvicka
Authority
Authority
‎2024-01-28 12:04 AM

In R81.20 Take 43, the API version was upgraded to 1.9.1. You can also try to specify older versions, in order to find if such a bug is seen in all versions, or just on newer ones.

Kind regards,
Jozko Mrkvicka
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-01-28 07:14 AM
In response to JozkoMrkvicka

I missed that jumbo 43 is out. With it, MDS objects now have the type "mds" (instead of the older type "CpmiMds"), and that type sticks around with details-level full. The other two are still broken, though. I rebuilt the MDS from scratch, installed jumbo 43, then built my initial config:

[Expert@TestMDS:0]# cpinfo -y mgmt

This is Check Point CPinfo Build 914000239 for GAIA
[MGMT]
	HOTFIX_R81_20_JUMBO_HF_MAIN	Take:  43



[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid de41548d-81c8-4133-ba04-2b2b6710c2a4
{
  "object" : {
    "uid" : "de41548d-81c8-4133-ba04-2b2b6710c2a4",
    "name" : "TestMDS",
    "type" : "mds",
    "domain" : {...},
    "icon" : "Objects/mds",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid de41548d-81c8-4133-ba04-2b2b6710c2a4 details-level full
{
  "object" : {
    "uid" : "de41548d-81c8-4133-ba04-2b2b6710c2a4",
    "name" : "TestMDS",
    "type" : "mds",
    "domain" : {...},
    "ipv4-address" : "169.254.0.3",
    "ipv6-address" : "",
    "sic-name" : "cn=cp_mgmt,o=TestMDS.standingmds.mylab.local.rwwthh",
    "sic-state" : "trust established",
    "server-type" : "multi-domain server",
    "ip-pool-first" : "",
    "ip-pool-last" : "",
    "domains" : [ {...}, {
      "uid" : "288d18bb-666c-4592-a511-b3caa02e8089",
      "name" : "Contoso",
      "type" : "domain",
      "domain" : {...},
      "global-domain-assignments" : [ "fe8f9107-b344-409e-98df-a1c3db8fbf93" ],
      "domain-type" : "domain",
      "servers" : [...],
      "comments" : "",
      "color" : "black",
      "icon" : "Objects/domain",
      "tags" : [ ],
      "meta-info" : {...},
      "read-only" : false,
      "available-actions" : {...}
    }, {...} ],
    "global-domains" : [...],
    "color" : "black",
    "icon" : "Objects/mds",
    "tags" : [ ],
    "meta-info" : {...},
    "read-only" : false,
    "available-actions" : {...}
  }
}



[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid e1707092-53e4-4bdd-82e0-cb4ae8054eb5
{
  "object" : {
    "uid" : "e1707092-53e4-4bdd-82e0-cb4ae8054eb5",
    "name" : "Contoso",
    "type" : "CpmiPv1Customer",
    "domain" : {...},
    "icon" : "Provider-1/customer",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid e1707092-53e4-4bdd-82e0-cb4ae8054eb5 details-level full
{
  "object" : {
    "uid" : "e1707092-53e4-4bdd-82e0-cb4ae8054eb5",
    "name" : "Contoso",
    "type" : "",
    "domain" : {...},
    "color" : "black",
    "meta-info" : {...},
    "tags" : [ ],
    "icon" : "Provider-1/customer",
    "comments" : "",
    "display-name" : "",
    "customFields" : null
  }
}



[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 6fdfb2a8-8ed9-df4e-92e1-a3942a61fd52
{
  "object" : {
    "uid" : "6fdfb2a8-8ed9-df4e-92e1-a3942a61fd52",
    "name" : "gInternalCA_of_Contoso",
    "type" : "CpmiPv1ExternalCaWithCert",
    "domain" : {...},
    "icon" : "Unknown",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 6fdfb2a8-8ed9-df4e-92e1-a3942a61fd52 details-level full
{
  "object" : {
    "uid" : "6fdfb2a8-8ed9-df4e-92e1-a3942a61fd52",
    "name" : "gInternalCA_of_Contoso",
    "type" : "",
    "domain" : {...},
    "color" : "black",
    "meta-info" : {...},
    "tags" : [ ],
    "icon" : "Unknown",
    "comments" : "",
    "display-name" : "",
    "customFields" : null
  }
}
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-01-28 07:47 AM
In response to Bob_Zimmerman

Just found one which is much worse:

[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 3a3e0556-ada9-5144-af97-7a527916e979
{
  "object" : {
    "uid" : "3a3e0556-ada9-5144-af97-7a527916e979",
    "name" : "AnyHost",
    "type" : "trusted-client",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "icon" : "General/GuiClient",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 3a3e0556-ada9-5144-af97-7a527916e979 details-level full
{
  "object" : {
    "uid" : "3a3e0556-ada9-5144-af97-7a527916e979",
    "name" : "AnyHost",
    "type" : "any",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "domains-assignment" : [ ],
    "multi-domain-server-trusted-client" : true,
    "comments" : "",
    "color" : "black",
    "icon" : "General/GuiClient",
    "tags" : [ ],
    "meta-info" : {
      "lock" : "unlocked",
      "validation-state" : "ok",
      "last-modify-time" : {
        "posix" : 1706448920836,
        "iso-8601" : "2024-01-28T13:35+0000"
      },
      "last-modifier" : "System",
      "creation-time" : {
        "posix" : 1706448920836,
        "iso-8601" : "2024-01-28T13:35+0000"
      },
      "creator" : "System"
    },
    "read-only" : false,
    "available-actions" : {
      "edit" : "true",
      "delete" : "true",
      "clone" : "true"
    }
  }
}
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-01-28 12:08 PM
In response to Bob_Zimmerman

The MDS situation is weirder than I initially thought. There are at least two different objects for the MDS. One shows up when you run 'show mdss'. Mine has the UUID de41548d-81c8-4133-ba04-2b2b6710c2a4 with type: mds, and the type remains when you add 'details-level full' to the call.

The other one shows up in 'show objects'. Mine has the UUID 7f54e8a1-e856-ba45-bca2-7fa14782eca4 with type: CpmiMds, and the type becomes an empty string when you add 'details-level full' to the call.

[Expert@TestMDS:0]# mgmt_cli -f json -r true show mdss
{
  "objects" : [ {
    "uid" : "de41548d-81c8-4133-ba04-2b2b6710c2a4",
    "name" : "TestMDS",
    "type" : "mds",
    "domain" : {...},
    "icon" : "Objects/mds",
    "color" : "black"
  } ],
  "from" : 1,
  "to" : 1,
  "total" : 1
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid de41548d-81c8-4133-ba04-2b2b6710c2a4
{
  "object" : {
    "uid" : "de41548d-81c8-4133-ba04-2b2b6710c2a4",
    "name" : "TestMDS",
    "type" : "mds",
    "domain" : {...},
    "icon" : "Objects/mds",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# !! details-level full
mgmt_cli -f json -r true show object uid de41548d-81c8-4133-ba04-2b2b6710c2a4 details-level full
{
  "object" : {
    "uid" : "de41548d-81c8-4133-ba04-2b2b6710c2a4",
    "name" : "TestMDS",
    "type" : "mds",
    "domain" : {...},
    "ipv4-address" : "169.254.0.3",
    "ipv6-address" : "",
    "sic-name" : "cn=cp_mgmt,o=TestMDS.standingmds.mylab.local.rwwthh",
    "sic-state" : "trust established",
    "server-type" : "multi-domain server",
    "ip-pool-first" : "",
    "ip-pool-last" : "",
    "domains" : [...],
    "global-domains" : [...],
    "color" : "black",
    "icon" : "Objects/mds",
    "tags" : [ ],
    "meta-info" : {...},
    "read-only" : false,
    "available-actions" : {...}
  }
}



[Expert@TestMDS:0]# mgmt_cli -f json -r true show objects limit 500 | jq -c ".objects[]|." | grep '"TestMDS"' | jq .
{
  "uid": "7f54e8a1-e856-ba45-bca2-7fa14782eca4",
  "name": "TestMDS",
  "type": "CpmiMds",
  "domain": {...},
  "icon": "Provider-1/login_mds_obj",
  "color": "black"
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 7f54e8a1-e856-ba45-bca2-7fa14782eca4
{
  "object" : {
    "uid" : "7f54e8a1-e856-ba45-bca2-7fa14782eca4",
    "name" : "TestMDS",
    "type" : "CpmiMds",
    "domain" : {...},
    "icon" : "Provider-1/login_mds_obj",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# !! details-level full
mgmt_cli -f json -r true show object uid 7f54e8a1-e856-ba45-bca2-7fa14782eca4 details-level full
{
  "object" : {
    "uid" : "7f54e8a1-e856-ba45-bca2-7fa14782eca4",
    "name" : "TestMDS",
    "type" : "",
    "domain" : {...},
    "color" : "black",
    "meta-info" : {...},
    "tags" : [ ],
    "icon" : "Provider-1/login_mds_obj",
    "comments" : "",
    "display-name" : "",
    "customFields" : null
  }
}

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-28 01:26 PM
In response to JozkoMrkvicka

Correct, it was upgraded, but from what I can see, not too many improvements.

Best,

Andy

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-01-28 07:22 AM

Another odd quirk I noticed. Certain object types have different names depending on the details-level. This is a simple-gateway defined in the domain named Contoso:

[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 325be8e8-1c20-48a8-9800-8aedfcc80feb
{
  "object" : {
    "uid" : "325be8e8-1c20-48a8-9800-8aedfcc80feb",
    "name" : "BerlinFW",
    "type" : "simple-gateway",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "icon" : "NetworkObjects/gateway",
    "color" : "black"
  }
}
[Expert@TestMDS:0]# mgmt_cli -f json -r true show object uid 325be8e8-1c20-48a8-9800-8aedfcc80feb details-level full
{
  "object" : {
    "uid" : "325be8e8-1c20-48a8-9800-8aedfcc80feb",
    "name" : "BerlinFW_._._Contoso",
    "type" : "simple-gateway",
    "domain" : {
      "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
      "name" : "System Data",
      "domain-type" : "mds"
    },
    "interfaces" : [ ],
    "ipv4-address" : "10.111.255.1",
    "dynamic-ip" : false,
    "version" : "R81.20",
    ...
  }
}

So far, I have seen this with simple-gateway, simple-cluster, cluster-member, and checkpoint-host objects.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top