Rabindra_Khadka
Contributor

How to list and export the object members from a network group in the Check Point management server

Hello everyone,

 

We need to export all the object members of a particular network group, along with their names and IP addresses, to CSV format. The Check Point management server is on version R80.20. Is there any way, from the command line or otherwise, to export the object members along with the name and IP address from a particular network group in CSV format?

Please help if there is any solution.

@phoneboy 

 

 

 

Thanks 

0 Kudos
35 Replies
Vincent_Bacher
Advisor

Hi,

I am not PhoneBoy, but nevertheless I take the liberty to answer 😊

I'd suggest having a look at the R8x-export-import-api-scripts on GitHub.

Cheers
Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Rabindra_Khadka
Contributor

Thanks Vincent,

but are there documents or a process to follow to run this script?

0 Kudos
Eric_Beasley
Employee

Hi,

So the method that @PhoneBoy provided is good for a specific group, and provides the requested information.

The script sets on GitHub that @Vincent_Bacher references will dump all currently supported objects, and create a groups export for all groups with all members, but this does not include additional information, because the export is generated to allow import and building/rebuilding of the group memberships after the groups were imported.

The scripts have documentation provided by using the --help CLI option when running, and additional information is provided in the *.MD files of the GitHub.

What the scripts do provide is a method to learn how to cycle through a block of objects and use that approach to generate the desired output, and to that end I've tried to document what the script is doing internally with enough detail and intelligent naming of things to make that possible.

0 Kudos
Danny
Champion

Consider using JSON over CSV format for exporting group contents that can be nested (groups within groups).

Use the following command in expert mode of your SmartCenter Server to export the first 500 members of a group object:

mgmt_cli login -r true show group name [GROUP] --format json details-level full offset 0 limit 500 --port 443
0 Kudos
Rabindra_Khadka
Contributor

Thanks Danny,

let me try this one. I will update you regarding this.

0 Kudos
PhoneBoy
Admin

With the correct command, it's not difficult to get CSV output:

mgmt_cli -r true show-group name "groupname" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

Just to explain:

  • mgmt_cli -r true is how you can utilize the API from a CLI (-r true means "login as root user" which only works on the local management server)
  • show-group is the API command for showing a specific group specified by the name parameter.
  • --format json tells mgmt_cli to output the data in JSON format.
  • jq parses the JSON output from mgmt_cli, in this case pulling out all the "name" and "ipv4-address" entries from members and outputting to CSV.
Rabindra_Khadka
Contributor

Thanks PhoneBoy,

this is what I am looking for.


0 Kudos
Darren_Fishwick
Explorer

Hi, I have been testing this and all looks really good. However, what does the @csv command do at the end?

i.e. mgmt_cli -r true show-group name "groupname" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

I was expecting a CSV file to be created but I can't find it.

Thanks

0 Kudos
PhoneBoy
Admin
Normally jq will output results in JSON format.
@csv will convert the output to CSV.
If you want it to a file, you'll have to pipe the output from the command to a file.
Darren_Fishwick
Explorer
Thank you for the update
Regards
0 Kudos
JED
Explorer

Hi, I'm new to Check Point this week and have some issues with the R80.30 platform. I have a need to extract the members' (hostname and IPv4) details from certain groups (some seem to have more than a couple of hundred entries) from specific groups. I have navigated to the respective group and indeed a .csv is produced. The only issue is that the .csv output only contains (from memory) the last modified date with the respective user name of who made the last change. I now need a method to extract the members and have found this article. Now I have no test env to test your suggested commands. Can you confirm that these are non-intrusive to any normal operations and will give me the correct outputs?

Is this command executable from the "admin" account?

 

 

Hi Phoneboy,

I'm making some further extractions from the Db from the specific Network Group called "GP_WinUpdates_Exceptions".

I run the following and get the output shown:-

mgmt_cli -r true show-group name "GP_WinUpdates_Exceptions" offset 500 --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

I get the following error: can you please advise on what may be the issue please?

"jq: error: Cannot iterate over null"

 

0 Kudos
PhoneBoy
Admin

These are read-only commands and shouldn't cause any issues.
That said, if you want to try and rehearse this in an entirely test environment, you can do this and more using the Automation and Orchestration lab in CheckMates Labs.

One caveat: if a group has too many items in it, you may have to execute the command multiple times with different offset values.
If I recall correctly, the limit is 500 items, so to get the next 500 items, you'd do:

mgmt_cli -r true show-group name "groupname" offset 500 --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

JED
Explorer

Hi PhoneBoy, the above worked great. I have a further request now which I have tried but had no success with. I need to list the Object Group and as the contained output need the results for the Service Port/Socket ID. Can you please advise on the string that I would need to extract this data? (We have recently upgraded to R80.40 but again the CSV export from the GUI seems not to be working.) Your assistance is greatly appreciated. Thanks, JED.

 

0 Kudos
PhoneBoy
Admin

The above is for network object groups.
Service groups are a different type, but a similar type of command is used:

mgmt_cli -r true show-service-group name "NBT" --format json | jq '.members[] | [.name, .type, .port] | @csv' -r

 

hnouel
Explorer

Jed, remove this part - offset 500 - it worked for me after doing that.

0 Kudos
eliascoranti
Explorer

Is it the same for R80.10? Because I can't find the CSV file. Could you please help me?

0 Kudos
Sec_Boy
Explorer

I am getting the below error while phrasing the above command.

 

[Expert@FX:0]# mgmt_cli -r true show-group name "EXT-MOVEiT" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r >EXT_MOVEiT.json
Logout failed
parse error: Invalid numeric literal at line 1, column 9


API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 31143
CPM Started 16920 Check Point Security Management Server is running and ready
FWM Started 18638
APACHE Started 3908

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL


--------------------------------------------
Overall API Status: Started

0 Kudos
Sec_Boy
Explorer

I am getting the below error while phrasing the above command.

parse error: Invalid numeric literal at line 1, column 9
Logout failed

 

 

0 Kudos
Kola_CP
Explorer

Thank you for this.

An additional question if I may...

Is it possible to recursively do this for all the network groups where I have a large number of network groups set up?

Or alternatively to extract all the network group names passing them on to this command to extract for each network group?

Jan_Z
Explorer

I need to do the same. Were you able to export all your groups?

 

0 Kudos
PhoneBoy
Admin

Sure, it's possible, but you're getting into scripting territory.

mgmt_cli -r true login > sid.txt;
mgmt_cli -s sid.txt --format json show-groups | jq -r '.objects[] | .name' | while read -r X; do
    echo "$X"
    mgmt_cli -s sid.txt show-group name "$X" --format json | jq '.members[] | [.name, ."ipv4-address",.subnet4,."mask-length4"] |@csv' -r
    echo
done

Just to explain what's going on here:

  • We're logging into the API once and saving the session in sid.txt, which we reuse in other commands.
  • We're querying the API to get all the groups, then showing each one with some specific information (object name, ipv4-address for host objects, network and mask for network objects)

Limitations of the above:

  • If IPv6 is in use, you will have to adjust the jq command accordingly to output the specific fields you want.
  • For large numbers of groups or objects in a group, you will have to make multiple calls using limit/offset calls.
  • This does not handle nested groups (groups inside of groups), which will require additional scripting.

 

(1)
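An added example, not part of the original posts: one way to handle the nested-group and network-object limitations listed above by post-processing show-group JSON in Python. The group names, the sample replies and the `fetch` callback are constructed for illustration; the member fields used are the ones named in this thread plus assumed `type`, `ipv6-address`, `subnet6` and `mask-length6` fields.

```python
import csv
import io

# Constructed sample replies, keyed by group name, reduced to the fields used below.
SAMPLE = {
    "Branch_All": {"members": [
        {"name": "host_10.10.10.10", "type": "host", "ipv4-address": "10.10.10.10"},
        {"name": "A_Branch_Data", "type": "network", "subnet4": "10.20.0.0", "mask-length4": 24},
        {"name": "Branch_V6", "type": "group"},
    ]},
    "Branch_V6": {"members": [
        {"name": "host_v6", "type": "host", "ipv6-address": "2001:db8::10"},
        {"name": "Branch_All", "type": "group"},  # loop back, to exercise the guard
    ]},
    "Broken": {"code": "generic_err_object_not_found", "message": "object not found"},
}

def fetch_sample(name):
    """Stand-in for running show-group on one group and parsing its JSON."""
    return SAMPLE[name]

def flatten_group(name, fetch, path=(), seen=None):
    """Yield (group path, name, type, address, mask) for every non-group member."""
    seen = set() if seen is None else seen
    if name in seen:                  # already expanded: no loops, no duplicates
        return
    seen.add(name)
    reply = fetch(name)
    if "members" not in reply:        # error replies carry code/message instead
        raise ValueError(f"{name}: {reply.get('code')}: {reply.get('message')}")
    here = path + (name,)
    for m in reply["members"]:
        if m.get("type") == "group":  # nested group: recurse instead of printing it
            yield from flatten_group(m["name"], fetch, here, seen)
            continue
        # Hosts carry an address, networks a subnet and mask; IPv4 is preferred.
        addr = m.get("ipv4-address") or m.get("subnet4") or m.get("ipv6-address") or m.get("subnet6", "")
        mask = m.get("mask-length4", m.get("mask-length6", ""))
        yield ("/".join(here), m["name"], m.get("type", ""), addr, mask)

def group_to_csv(name, fetch):
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["group", "name", "type", "address", "mask-length"])
    w.writerows(flatten_group(name, fetch))
    return out.getvalue()

if __name__ == "__main__":
    print(group_to_csv("Branch_All", fetch_sample), end="")
```

Against a real server, `fetch` would run `mgmt_cli -s sid.txt show-group name <group> --format json` and parse its output with `json.loads`. The check for a missing `members` key is the Python counterpart of jq's "Cannot iterate over null" error reported earlier in the thread.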
RheinTec
Explorer

We need to export all the object members of a particular network group, along with the name, IP address and comments, to CSV format. The Check Point management server is on version R80.20. Is there any way, from the command line or otherwise, to export the object members with the comments?

I tried various forms of:

mgmt_cli show-group details-level full limit 500 --format json | $CPDIR/jq/jq '.objects[] | [ .["name"], .["color"], .["comments"], .["port"], .["meta-info"]["last-modifier"] ] | @csv' -r

The result is always more or less, so I could get all information except the comments.

 

 

 

 

 

 

0 Kudos
JozkoMrkvicka
Mentor

you missed logout as last line 🙂

mgmt_cli -s sid.txt logout

Kind regards,
Jozko Mrkvicka
0 Kudos
DH_ND
Participant

Hi Phone Boy,

 

We have lots of groups and when I run this command it stops not even half way through. You mention I might need to run limits or offsets to get the rest. I don't really know scripting.

What would the script look like to run this? Where would I insert offset or limit and what do they mean?

 

Thanks

 

D

0 Kudos
Eric_Beasley
Employee

You might want to check this post, which goes over how to write a rolling collector to handle a larger list than 500 objects.
https://community.checkpoint.com/t5/API-CLI-Discussion/Parsing-the-output-of-quot-mgmt-cli-quot/m-p/...

 

If you want a canned script set to export, import, delete, set objects using CSV files, you can check here:
https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d...
The actual current scripts are here: https://github.com/mybasementcloud/R8x-export-import-api-scripts

 

Eric

0 Kudos
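An added example, not taken from the linked posts or the GitHub scripts: a minimal rolling collector showing what limit and offset do. limit is the page size (at most 500, per the thread) and offset is how many objects to skip before the page starts. The group names and the fake backend are constructed; `mgmt_cli_show_groups` is a hypothetical wrapper that assumes Python 3.7+ and a session file sid.txt created as in the script above.

```python
import json
import subprocess

# Constructed stand-in for the server's data: 1,203 hypothetical group names.
ALL_GROUPS = [{"name": f"grp_{i:04d}", "type": "group"} for i in range(1203)]

def fake_show_groups(limit, offset):
    """Mimics a paged show-groups reply: a slice of objects plus the total count."""
    page = ALL_GROUPS[offset:offset + limit]
    reply = {"objects": page, "total": len(ALL_GROUPS)}
    if page:
        reply["from"], reply["to"] = offset + 1, offset + len(page)
    return reply

def mgmt_cli_show_groups(limit, offset, sid_file="sid.txt"):
    """Hypothetical wrapper for a real server; not used by the offline demo."""
    cmd = ["mgmt_cli", "-s", sid_file, "show-groups",
           "limit", str(limit), "offset", str(offset), "--format", "json"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return json.loads(out)  # raises if mgmt_cli printed something other than JSON

def collect_all(show, limit=500):
    """Call show(limit, offset) repeatedly until every object has been returned."""
    if not 1 <= limit <= 500:
        raise ValueError("limit must be between 1 and 500")
    objects, offset = [], 0
    while True:
        reply = show(limit, offset)
        if "objects" not in reply:    # error reply (code/message) instead of a page
            raise RuntimeError(f"{reply.get('code')}: {reply.get('message')}")
        objects.extend(reply["objects"])
        offset += len(reply["objects"])
        # Done when the server's total is reached, or when a page comes back empty.
        if not reply["objects"] or offset >= reply.get("total", 0):
            return objects

if __name__ == "__main__":
    print(len(collect_all(fake_show_groups)), "groups collected")
```

With 1,203 groups and limit 500 the collector makes three calls, at offsets 0, 500 and 1000.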
flipnclick
Explorer

Tried this, but it ended with an error. Please suggest.

SMS>
| [.name, ."ipv4-address"] |@csv' -r "groupname" --format json | jq '.members[]
MGMT9000 Failed to execute command. For more details see log file.
SMS>
SMS>
SMS>
SMS> cpstat os

Product Name: SVN Foundation
SVN Foundation Version String: R80.30
SVN Foundation Build Number: 993000019
SVN Foundation Status: OK
OS Name: Gaia
OS Major Version: 3
OS Minor Version: 10
OS Build Number: -
OS SP Major: -
OS SP Minor: -
OS Version Level:
Appliance SN:
Appliance Name: Standard PC (i440FX + PIIX, 1996)
Appliance Manufacturer: Other

0 Kudos
flipnclick
Explorer

Thanks, this command worked for me as well.

[Expert@SMS:0]# mgmt_cli -r true show-group name "s2fs_Group_1" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r > abc.txt
[Expert@SMS:0]# ls -l
total 4
-rw-rw---- 1 admin root 445 Mar 30 21:56 abc.txt
[Expert@SMS:0]# cat abc.txt
"host_10.10.10.10","10.10.10.10"
"host_10.10.10.11","10.10.10.11"
"host_10.10.10.12","10.10.10.12"
"host_10.10.10.13","10.10.10.13"
"host_10.10.10.14","10.10.10.14"
"host_10.10.10.15","10.10.10.15"
"host_10.10.10.16","10.10.10.16"
"host_10.10.10.17","10.10.10.17"
"host_10.10.10.18","10.10.10.18"

0 Kudos
Kevin_Stanton
Contributor

I just ran the above command on an R80.30 management server, however I only get the object name within the group, no IP address. Can you help, please?

mgmt_cli -r true show-group name "Group_Name" --format json | jq '.members[] | [.name, ."ipv4-address"] |@csv' -r

output

"A_Branch_Data",
"B_Branch_Data",
"C_Branch_Data",

 

0 Kudos
PhoneBoy
Admin

I suspect the members of A_Branch_Data are not host objects, but rather network objects.
Network objects do not have a field ipv4-address.
You'll need to do something like:

mgmt_cli -s sid.txt show-group name "$X" --format json | jq '.members[] | [.name, ."ipv4-address",.subnet4,."mask-length4"] |@csv' -r

And be mindful of the other caveats I noted above.

 
