thanks vincent,

but is there documents or process to follow to run this script

Hi,

So the method that @PhoneBoy  provided is good for a specific group, and provides the requested information.

The script sets on GitHub that @Vincent_Bacher references, will dump all currently supported objects, and create a groups export for all groups with all members, but this does not include additional information, because the export generated to allow import and building/rebuilding of the group memberships after the groups were imported.

The scripts have documentation provided by using the --help CLI option when running, and additional information is provided in the *.MD files of the GitHub.

What the scripts do provide is a method to learn how to cycle through a block of objects and use that approach to generate a output desired, and to that end I've tried to document what the script is doing internally with enough detail and intelligent naming of things to make that possible.

Thanks Danny

let me try this one. i will update you regarding this.

Thanks Phoneboy

this is what i am looking for 

Hi i have been testing this and all looks really good. However what does the @csv command do at the end

i.e. mgmt_cli -r true show-group name "groupname" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

I was expecting a csv file to be created but i cant find it

Thanks

Hi, I'm new to checkpoint this week and have some issues with the R80.30 platform. I have a need to extract the members ( hostname and ipv4) details from certain groups ( some seem to have more than a couple of hundred entries) from specific groups.  I have navigated to the respective Group and indeed a .csv is produced. The only issue is that the .csv output only contains (from memory) the last modified date with the respective user name of who made the last change.  I now need a method to extract the members and have found this article. Now I have no test env to test your suggested commands. Can you confirm that these are non intrusive to any normal operations and will give me the correct outputs.

Is this command executable from the "admin" account ?

Hi Phoneboy,

I'm making some further extractions from the Db from the specific Network Group called "GP_WinUpdates_Exceptions".

I run the following and get the output shown:-

"mgmt_cli -r true show-group name "GP_WinUpdates_Exceptions" offset 500 --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

I get the following error: can you please advise on what may be the issue please?

"jq: error: Cannot iterate over null"

These are read-only commands and shouldn't cause any issues.
That said, if you want to try and rehearse this in an entirely test environment, you can do this and more using the Automation and Orchestration lab in CheckMates Labs.

One caveat: if a group has too many items in it, you may have to execute the command multiple times with different offset values.
If I recall correctly, the limit is 500 items, so to get the next 500 items, you'd do:

mgmt_cli -r true show-group name "groupname" offset 500 --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

Hi PhoneBoy, The above worked great , I have a further request now which I have tried but had no success with.  I need to list the Object Group and as the contained output need the results for the Service Port/ Socket id.  Can you please advise on the string that I would need to extract this data. ( We have recently upgraded to R80.40 but again the CSV export from GUI seems not to be working)  Your assistance is greatly appreciated.  Thanks JED.

The above is for network object groups.
Service groups are a different type, but a similar type of command is used:

mgmt_cli -r true show-service-group name "NBT" --format json | jq '.members[] | [.name, .type, .port] | @csv' -r

Jed, remove this part - offset 500 - it worked for me after doing that.

Is it the same for R80.10, because I can't find the CCV file. Could you please help me ?  

am getting below error while phrasing above command.

[Expert@FX:0]# mgmt_cli -r true show-group name "EXT-MOVEiT" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r >EXT_MOVEiT.json
Logout failed
parse error: Invalid numeric literal at line 1, column 9

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 31143
CPM Started 16920 Check Point Security Management Server is running and ready
FWM Started 18638
APACHE Started 3908

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL

--------------------------------------------
Overall API Status: Started

am getting below error while phrasing above command. 

Thank you for this.

An additional question if I may...

Is it possible to recursively do this for all the network groups where I have a large number of network groups set up?

Or alternatively to extract all the network group names passing them on to this command to extract for each network group?

I need to to the same, where you able to export all your groups?

Sure, it's possible, but you're getting into scripting territory.

mgmt_cli -r true login > sid.txt;
mgmt_cli -s sid.txt --format json show-groups | jq -r '.objects[] | .name' | while read X; do
    echo $X
    mgmt_cli -s sid.txt show-group name "$X" --format json | jq '.members[] | [.name, ."ipv4-address",.subnet4,."mask-length4"] |@csv' -r
    echo
done

Just to explain what's going on here:

• We're logging into the API once and saving the session in sid.txt, which we reuse in other commands.
• We're querying the API to get all the groups, then showing each one with some specific information (object name, ipv4-address for host objects, network and mask for network objects)

Limitations of the above:

• If IPv6 is in use, you will have to adjust the jq command accordingly to output the specific fields you want.
• For large numbers of groups or objects in a group, you will have to make multiple calls using limit/offset calls.
• This does not handle nested groups (groups inside of groups), which will require additional scripting.

We need to list all the objects members along with the name, IP-Address and Comments from the particular network group to the CSV format. The checkpoint management server is in R80.20 version. Is there any way from commandline or others to exports the object members with the comments 

I tried various forms of:

mgmt_cli show-group details-level full limit 500 --format json | $CPDIR/jq/jq '.objects[] | [ .["name"], .["color"], .["comments"], .["port"], .["meta-info"]["last-modifier"] ] | @csv' -r

The result is always more or less, So I could get all  information excepted the comments.

you missed logout as last line 🙂

mgmt_cli -s sid.txt logout

Hi Phone Boy,

We have lots of groups and when I run this command it stops not even half way through. You mention  I might need to run lmits or offsets to get the rest. I don;t really know scripting. 

What would the script look like to run this? Where would I insert offset or limit and what do they mean?

Thanks

D

You might want to check this post, which goes over how to write a rolling collector to handle a larger list than 500 objects.
https://community.checkpoint.com/t5/API-CLI-Discussion/Parsing-the-output-of-quot-mgmt-cli-quot/m-p/...

If you want a canned script set to export, import, delete, set objects using CSV files, you can check here:
https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d... the actual current scripts are here:  https://github.com/mybasementcloud/R8x-export-import-api-scripts 

Eric

Tried this , but ended with error. please suggest.

SMS>
| [.name, ."ipv4-address"] |@csv' -r "groupname" --format json | jq '.members[]
MGMT9000 Failed to execute command. For more details see log file.
SMS>
SMS>
SMS>
SMS> cpstat os

Product Name: SVN Foundation
SVN Foundation Version String: R80.30
SVN Foundation Build Number: 993000019
SVN Foundation Status: OK
OS Name: Gaia
OS Major Version: 3
OS Minor Version: 10
OS Build Number: -
OS SP Major: -
OS SP Minor: -
OS Version Level:
Appliance SN:
Appliance Name: Standard PC (i440FX + PIIX, 1996)
Appliance Manufacturer: Other

Thanks this command for me as well. 

[Expert@SMS:0]# mgmt_cli -r true show-group name "s2fs_Group_1" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r > abc.txt
[Expert@SMS:0]# ls -l
total 4
-rw-rw---- 1 admin root 445 Mar 30 21:56 abc.txt
[Expert@SMS:0]# cat abc.txt
"host_10.10.10.10","10.10.10.10"
"host_10.10.10.11","10.10.10.11"
"host_10.10.10.12","10.10.10.12"
"host_10.10.10.13","10.10.10.13"
"host_10.10.10.14","10.10.10.14"
"host_10.10.10.15","10.10.10.15"
"host_10.10.10.16","10.10.10.16"
"host_10.10.10.17","10.10.10.17"
"host_10.10.10.18","10.10.10.18"

I just ran the above command on a R80.30 management server however I only get the Object name within the group No IP address, Can you help Please

mgmt_cli -r true show-group name "Group_Name" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

output

"A_Branch_Data",
"B_Branch_Data",
"C_Branch_Data",

I suspect the members og A_Branch_Data are not host objects, but rather network objects.
Network objects do not have a field ipv4-address.
You'll need to do something like:

    mgmt_cli -s sid.txt show-group name "$X" --format json | jq '.members[] | [.name, ."ipv4-address",.subnet4,."mask-length4"] |@csv' -r

And be mindful of the over caveats I noted above.