Hello,
I'm trying to import service objects from a CSV file.
There are existing objects that use the same port. All object names are unique.
Expectedly mgmt_cli is returning a warning that the port is already in use by another service.
I've added ignore-warnings true to the end of my statement but the changes are still discarded 'Executed command failed. Changes are discarded'.
-----------------------------------------------------------------------------------
Example statement:
mgmt_cli -m <mgmt ip> -u <username> add service-udp -b services_udp.csv ignore-warnings true
-----------------------------------------------------------------------------------
Example:
Line 281: code: 'err_validation_failed'
message: "Validation failed with 1 warning'
warnings:
- message: "The port is already used by another service."
-----------------------------------------------------------------------------------
Do you know why this is occurring?
Management server: R80.40 Take 89
API version: 1.6.1
Regards,
Simon
Are you trying to import services with ports where other services already exist and are using the same port?
This will lead to duplicates.
The service object is using the same port number as another object, but one or more other properties may differ. So, they are not duplicate objects.
If you want to create objects via the batch (-b) parameter and a reference to a csv file you have to specify all arguments in the referenced csv file.
So, in your example "mgmt_cli -m <mgmt ip> -u <username> add service-udp -b services_udp.csv ignore-warnings true" the "ignore-warnings true" part in the command leads to the error, as it does not get rendered by the mgmt_cli. What you need to do is to add an extra header to your csv ("ignore-warnings") and afterwards apply the "true" value for each line in the csv. You basically should end up with something like that:
Regards,
Maik
(btw, the reason for that is that the -b parameter just loops over the csv arguments and "glues" it together with the initial mgmt_cli command, that's why you can not combine arguments via batch import and manually mentioned ones)
Hi Maik
I've tested the import with my existing csv appended as suggested, and a test one matching the contents above but it fails.
Line 2: code: "generic_err_invalid_parameter"
message: "Parameter [ignore-warnings] value is not valid.
I've tried with the following statements
mgmt_cli -m <mgmt ip> -u <username> add service-udp -b services_udp.csv ignore-warnings true
mgmt_cli -m <mgmt ip> -u <username> add service-udp -b services_udp.csv
Regards,
Simon
That's weird, I tested my described solution yesterday before posting my answer. The test has been done via the latest R80.40 SmartConsole demo environment.
Could you post a snippet of your csv file like headers and a few lines (maybe change the port or name if you want)?
What would be the correct csv header value for a nested JSON object?
For example, if I wanted to export the value of the radius server name for a user object, then import it.
e.g.
"radius-server": {
"name": <name>
I think Radius server objects are not supported via the management api. However, wasn't your initial question related to udp services?
In general you specify all the required parameters in the csv header, that otherwise would be mentioned as a mgmt_cli argument.
So for example, to come back to your initial issue with the udp service import...
The mgmt api documentation lists several possible parameters and which value is expected for each => https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/add-service-udp%20
All of these may be mentioned in the header, the ones declared with "Required" are obviously required, meaning that your command will fail if you do not mention them.
As I am writing this... could you try to do the same import as already tested yesterday, but this time write the "ignore-warnings" header in parentheses?
So the first line of your csv file should look something like that...
name,port,"ignore-warnings"
service1,123,true
service2,1234,true
The reason why I ask this is that I successfully executed my command under windows, could be the case that you try to run this directly on the mgmt server and therefore linux. This could result in the issue and may require the parentheses.
Yes my initial question was about services-udp but could also apply to other imports.
The other question was unrelated so I will post it in a separate post if it can't be answered here. But just to note, it's not a radius server object, it's a user object with a radius-server property. And the radius-server property has sub-properties i.e. name. This data can be accessed via the management api so the question is, can it be exported and imported to and from a csv using --batch. If so, I need to know what the csv header naming format is where the export is a nested object e.g. radius-server.name, encryption.enable-ike. I was simply using the radius-server property as an example.
Getting back to the original issue, let me check the import with added parenthesis and get back to you.
Ah okay, now I understand the question. In this case, when you want to create a user, you would use the following csv header:
"name","authentication-method","radius-server","encryption.enable-ike"
demouser,radius,myradiusobject,true
In this case the "radius-server" value in the header is directly related to the authentication method value. So for example, you can not use this field if the authentication method is not equal to radius. The second point, in regards to nested information you are correct, such a case can be mentioned by combining values with a dot (like "encryption.enable-ike"). But there is no general rule, as the different API calls differ in the expected values. I would advise you to strictly follow the documentation (https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-user~v1.7%20). Also, just to be sure, verify that you use the correct documentation regarding your api version. (You can check your [supported] api version/s by using the command "mgmt_cli show api-versions".)
Also... if you want to create multiple users and not all of them use the radius authentication method I think you need to split the import to different csv files.
The reason for that is that the api may not be able to render information like this...
"name","authentication-method","radius-server","tacacs-server","encryption.enable-ike"
radiususer,radius,myradiusobject,NULL,true
tacacsuser,tacacs,NULL,mytacacsobject,true
I hope this explanation makes sense to follow... maybe there even is a way to do something like shown above, but in the past I created multiple files in such a case, one per auth method.
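An added example, not part of the original post and not Check Point code: a Python script for the one-file-per-authentication-method approach described above, flattening nested properties into dotted headers such as encryption.enable-ike. The record layout, function names and sample users are assumptions; which columns the API accepts depends on the API version, so check them against the reference documentation.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (assumed layout, using only property names from the thread).
SAMPLE_USERS = [
    {"name": "radiususer", "authentication-method": "radius",
     "radius-server": "myradiusobject", "encryption": {"enable-ike": True}},
    {"name": "tacacsuser", "authentication-method": "tacacs",
     "tacacs-server": "mytacacsobject", "encryption": {"enable-ike": True}},
]

def flatten(obj, prefix=""):
    """Turn nested dicts into dotted keys, e.g. encryption -> enable-ike becomes encryption.enable-ike."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def cell(value):
    """Render booleans as true/false, as in the CSV rows shown in the thread."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def batch_csvs(users, group_key="authentication-method"):
    """Return {method: csv_text}: one CSV per method, so no row needs a NULL placeholder column."""
    groups = defaultdict(list)
    for user in users:
        flat = flatten(user)
        groups[flat[group_key]].append(flat)
    files = {}
    for method, rows in groups.items():
        header = list(dict.fromkeys(k for row in rows for k in row))  # union, first-seen order
        missing = [(row.get("name"), k) for row in rows for k in header if k not in row]
        if missing:
            raise ValueError(f"{method}: rows missing columns {missing}")
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(header)
        writer.writerows([cell(row[k]) for k in header] for row in rows)
        files[method] = buf.getvalue()
    return files

if __name__ == "__main__":
    for method, text in batch_csvs(SAMPLE_USERS).items():
        print(f"--- users_{method}.csv ---\n{text}", end="")
```

Rows within a group that do not share the same set of columns raise an error instead of being padded, since the thread notes that placeholder values may not be rendered by the API.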
When adding a user, I receive the following
"code" : "generic_err_invalid_parameter"
message: "Parameter [enable-ike] value is not valid (full path: encryption.enable-ike"
If I add parenthesis to the header encryption.enable-ike i.e. "encryption.enable-ike" the following is returned
"code" : "generic_err_invalid_parameter"
message: "Unrecognized parameter [\"encryption]"
I've stripped down the csv to only include users that use radius authentication and adjusted the headers accordingly.
Have the header be encryption.”enable-ike” instead of “encryption.enable-ike”.
Guessing the hyphenated parameter is causing issues (specifically when translated to JSON).
100% correct, maybe I should test stuff before posting a solution when I haven't done this in over a year 🤔
Hey
When I enclose these objects in parenthesis, i.e. encryption.”enable-ike”, encryption.”enable-public-key", the following is returned.
"code" : "generic_err_invalid_parameter_name",
"message" : "Unrecognized parameter [\"enable-ike\"] (full path: encryption.\"enable-ike\")"
}
Line 1010: {
"code" : "generic_err_invalid_parameter_name",
"message" : "Unrecognized parameter [\"enable-ike\"] (full path: encryption.\"enable-ike\")"
}
{ "response" : []}
Regards,
Simon