This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Carsten_Weber
Contributor
‎2020-02-26 01:25 AM
Jump to solution

Showing existing Access Role results in error

Hi,

I am trying to display the content of a large "Access Role"...way too big to copy content entry by entry. I started with the following command to see what it might display. What am I doing wrong?

The command I derived from the "Management API Reference 1.6" was this...
Example command in bash:
mgmt_cli show access-role name "Test1234"

The output is this:
Username: user1
Password:
code: "generic_err_object_not_found"
message: "Requested object [Test1234] not found"

 

I tested the API as well bash command "api status":
####################################################
API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 5591
CPM Started 9996 Check Point Security Management Server is running and ready
FWM Started 7107
APACHE Started 9017

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

####################################################

Regards
Carsten

0 Kudos
1 Solution

Accepted Solutions
Carsten_Weber
Contributor
‎2020-05-22 07:25 AM
Jump to solution

Hello again,

I finaly managed to reuse my "mgm_cli" session in order to sucessfully run my "Access Role" query and to find the time to report back here. (only used on MDM/DMS (a specific domain))
Thanks to all that helped me figuring out the commands needed.

What I wanted to achieve:

  • To get a list of all the Access Roles created on the Management Server
  • To get the "MS Active Directory (AD)"-groups contained within these Access Roles
  • Later I needed to be able to accociate the AD-groups to the Access Roles

The Background:

  • Migration of AD-entries to a different Active Directory. Which ones are used in the firewall rules and mapping of the existing ones to the according Access Role where they can be found to be replaced

What I needed to do (tested on MDM only):

  1. Get the domain "objid" (required on MDM)
  2. Login to the mgmt_cli and reuse this session for further commands to be copy/pasted for prozessing
  3. Generate a list of Access Roles (AR)
  4. Use the list of AR to genrate one list of AD-groups used in all ARs
  5. Compose an Excel file where each AD-group has a corresponding AR in the adjacent cell, so both columns can be searched.

 

The commands:

  1. Get the Domain "objid"(MDM)
    psql_client cpm postgres -c"select objid,name from domainbase_data where dlesession=0 and not deleted;"
  2. Log in to the Domain with the "objid" identified before (MDM)
    mgmt_cli login -d 78sd67ff4-2114-4542-821e-e3ed48f7e102 -u <user> -p <password> > /var/log/tmp/sid.txt.$$
    <user> = you need to replace this with the account name of the user required to authenticate
    <password> = you need to replace this with the according password of the account specified in "-u"

  3. Generate the ist of ARs, reusing the login session from above
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 0 --format json | $CPDIR/jq/jq -r .objects[].name > /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 500 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 1000 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 1500 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.tx
    These are 4 separate commands. You need more if your list of Access Roles is longer than 1500!
    There is a hard limit of a maximum of 500 entries when using "show access-roles". Default is 50. This requires the use of the parameters "limit" (amount of AR entries) and "offset" (where to start counting in the list of AR entries). Funny enough stopping (limit) at 500 and starting (offset) at 500 in the next command does not cause a duplicate entry to output!

  4. Generate the list of AD-groups, reusing the login session from above once again
(for i in $(< /var/log/tmp/ARs.txt) ; do echo \# $i\;$(mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-role name "$i" --format json | $CPDIR/jq/jq -r .users[].name | awk '{print $0 "\r"}' | sed 's/ //g') ; done) > /var/log/tmp/AD-groups.txt

 

The output is a list like the following, I am able to finalize in Excel to my needs (because I am not that good at text editing with linux). Maybe I'll get some help for that and optimize it, so it does not require so much work in Excel as it does now:

# G_SharedServices;ad_group_G_SharedServices
# G_Developer_ALL;ad_group_G_T_LI_Developer
 ad_group_G_T_CD_Developer
 ad_group_G_T_DSRF_Developer
 ad_group_G_T_AOUTO_Developer
 ad_group_G_T_CC_Developer
 ...snip...
 ad_group_G_JKSD_Dev_Tst
 ad_group_G_RCRM_Developer
 ad_group_G_CDE_BSC_Fortz_Developer
 ad_group_G_SME_Dev_Tst
 ad_group_G_POP_DevTest
 ad_group_G_OCC_CS_Developer
# G_MaltedBausda;ad_group_G_MaltedBausda
# G_MaltedBausda_QA;ad_group_G_MaltedBausda_QA
  • "# " I added to differenciate the name of th AR in the list from the AD-Groups more easily (I remove it in Excel later).
  • ";" was simple enough for me to add, that made it easier to import the text to excel and immediately split into two columns using this as a seperator for ARs and containing AD-groups
  • "ad_group_", "ad_user_" and "ad_branch_" I have to remove or transform in to a category in Excel for now

 

This is something I can work with easily enough for now. Feel free to improve the output especially in the 4th command. Or the number of commands needed in 3rd step overcomming the limit of 500 entries being output at once.

I hope this helps other people in dire need 😉

Best regards

Carsten

 

PS.: Some "invalid HTML has been removed", I checked but could not find the location of the "removal" and also did not see the commands being broken. Let me know if you find an error, so I can fix it.

View solution in original post

0 Kudos
9 Replies
Carsten_Weber
Contributor
‎2020-02-26 03:31 AM
Jump to solution

Just to clarify:

I was looking for an existing AR Object!
I then created a new and simple one "Test1234" with one user (me), which I also did not find using this command.

 

Meanwhile...I tried something else (looking for a a normal group) with the same result as above:

mgmt_cli show group name "<GroupName>"
Username: user1
Password:
  code: "generic_err_object_not_found"
  message: "Requested object [<GroupName>] not found"

...and also...

mdsenv <Domainname>
clish
mgmt login
Enter password:
mgmt show group name "<GroupName>"
  MGMT9000 code: "generic_err_object_not_found"
  message: "Requested object [<GroupName>] not found"

 

...this works, so I must be doint something right:

mgmt show login-message
  type: "login-message"
  domain:
  uid: "a7dcedsa-afed-4ef8-bf6e-fedfedfedfed"
  name: "System Data"
  domain-type: "mds"
  show-message: false
  warning: true
  message: "This system is for authorized use only"
  header: "Warning"

 

This is a MDM R80.30, by the way.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-26 08:29 PM
In response to Carsten_Weber
Jump to solution

How precisely are you logging in via the API and passing the session tokens?
Are you passing a “domain” parameter as part of this?
Please show the precise command (obscuring sensitive details).
0 Kudos
Carsten_Weber
Contributor
‎2020-02-27 06:35 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

thanks for your interest in this.

I issued the commands as shown. 

I tried two methods:

- 'mgmt_cli'   (being asked for credentials every single time)
- 'clish ; mgmt login ; mgmt show access-role name “<AR_Object_Name>"'   (being asked for creds only once)

 

But as of now I am communicating with Rami Dayan from TAC in a ticket. He just mentioned this parameter as well. So he suggested to try this (results shown as well):

# mdsenv <Domain_Name>
(tried on domain level, which might be useless, but anyway, just in case)
(also tried with "mdsenv" on MDS level)

# mgmt_cli show access-role name “<AR_Object_Name>” -d <Domain_Name>
  Username: <user_name>
  Password: 
  code: "generic_error"
  message: "Runtime error: Domain '<Domain_Name>' not found!"

 

I might need to run another debug for him.

 

Thanks a lot.

Carsten

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-27 08:03 AM
In response to Carsten_Weber
Jump to solution

mgmt_cli is an API client, which means you have to work with it almost exactly as if you were coding against the API.
That means, in general, you:

  • Login (create a session)
  • Do the thing(s) you wish to do
  • Perform a publish action when you're ready to commit changes.
  • Logout (release the session you created)

The traditional "mdsenv" is irrelevant in this context.
You need to do something like the following:

mgmt_cli login domain "mydomain" > sid.txt
mgmt_cli -s sid.txt show access-role name "Access Role"
mgmt_cli -s sid.txt logout

Or, if you're on the MDS itself, you can simplify this a little:

mgmt_cli -r true --domain "mydomain" show access-role name "Access Role" 

The "-r true" is somewhat like using the -local flag with dbedit in the sense you don't need to provide credentials and it only works on the management server itself.
However, it should only be used if you're doing 1-2 commands as it simulates the entire API flow (login/action/publish/logout).
If you are doing a lot of commands against the API, it will be much more efficient to create (and reuse) a proper session.

0 Kudos
Carsten_Weber
Contributor
‎2020-02-27 09:05 AM
In response to PhoneBoy
Jump to solution

Interesting, this is good to know. Thanks.

  • What happens is the session (or clish) times out and I did not note down the sid? 

Did I somehow overlook your "how to bing with" with examples (incl. MDS) in the documentation? 😳
This is my first time meddling arround with the mgmt_cli, as the GUI does not help in my case. I am interested in showing stuff for now.

  • With "to create (and reuse) a proper session" you mean: "clish;mgmt login"? As this seems to keep the login information.
  • This is not absolute clear to me but I assume when woirking directly on the MDS the only difference bewtween...

- variant 1: "mgmt_cli <what_ever>" (single command)
and
- variant 2: "clish ; mgmt login ; mgmt <what_ever> ; mgmt logout" (multiple commands within one sessions)

...is to leave away "_cli" when connected via the 2nd variant, correct? Or are there additional implications?

  • Do I have to use '-r true --domain "mydomain"' as well in variant 2? Like this:
    • mgmt -r true --domain "mydomain" show access-role name "Access Role"

 

Unfortunately I don't see that I am in a "mgmt" session in the cli.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-27 09:49 AM
In response to Carsten_Weber
Jump to solution

Have to admit, I've never seen variant 2 used before this post.
In this case, the session is being handled by clish.
Which, in the context of clish, makes sense.
You still need to pass a domain as part of the login process, which I assume you'd do by something like:

mgmt login user aa password aaaa domain mydomain

Variant 1 only works for very specific commands (e.g. login) or in conjunction with -r true.
(Note that -r true does not appear to work in clish)
And yes, you could do something like mgmt_cli -r true login to create a reusable session.
However, that does not work in clish, only expert mode.

Regardless, in an MDS context, you have to indicate the domain to ensure your session is associated with the correct domain.
Note that a given session can only be associated with one domain.
If you need to do something on a different domain, that requires creating a new session against that domain.

Session tokens time out after 15 minutes of inactivity.
You can always create a new one and/or take over/kill previous sessions in SmartConsole and via the API.

0 Kudos
Carsten_Weber
Contributor
‎2020-02-27 09:23 AM
In response to PhoneBoy
Jump to solution

mgmt_cli login domain "mydomain" > sid.txt

doesn't work, I have to provide credentials, which I don't see being prompted. The output: "Username: " is being written into the sid.txt

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-27 09:52 AM
In response to Carsten_Weber
Jump to solution

I guess that only works if you provide credentials on the CLI or use -r true.
So something like: mgmt_cli login user aa password aaaa > sid.tdxt
Or you can not pipe the output, note the sid returned, and use that as a parameter in future commands.
0 Kudos
Carsten_Weber
Contributor
‎2020-05-22 07:25 AM
Jump to solution

Hello again,

I finaly managed to reuse my "mgm_cli" session in order to sucessfully run my "Access Role" query and to find the time to report back here. (only used on MDM/DMS (a specific domain))
Thanks to all that helped me figuring out the commands needed.

What I wanted to achieve:

  • To get a list of all the Access Roles created on the Management Server
  • To get the "MS Active Directory (AD)"-groups contained within these Access Roles
  • Later I needed to be able to accociate the AD-groups to the Access Roles

The Background:

  • Migration of AD-entries to a different Active Directory. Which ones are used in the firewall rules and mapping of the existing ones to the according Access Role where they can be found to be replaced

What I needed to do (tested on MDM only):

  1. Get the domain "objid" (required on MDM)
  2. Login to the mgmt_cli and reuse this session for further commands to be copy/pasted for prozessing
  3. Generate a list of Access Roles (AR)
  4. Use the list of AR to genrate one list of AD-groups used in all ARs
  5. Compose an Excel file where each AD-group has a corresponding AR in the adjacent cell, so both columns can be searched.

 

The commands:

  1. Get the Domain "objid"(MDM)
    psql_client cpm postgres -c"select objid,name from domainbase_data where dlesession=0 and not deleted;"
  2. Log in to the Domain with the "objid" identified before (MDM)
    mgmt_cli login -d 78sd67ff4-2114-4542-821e-e3ed48f7e102 -u <user> -p <password> > /var/log/tmp/sid.txt.$$
    <user> = you need to replace this with the account name of the user required to authenticate
    <password> = you need to replace this with the according password of the account specified in "-u"

  3. Generate the ist of ARs, reusing the login session from above
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 0 --format json | $CPDIR/jq/jq -r .objects[].name > /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 500 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 1000 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.txt
    mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-roles limit 500 offset 1500 --format json | $CPDIR/jq/jq -r .objects[].name >> /var/log/tmp/ARs.tx
    These are 4 separate commands. You need more if your list of Access Roles is longer than 1500!
    There is a hard limit of a maximum of 500 entries when using "show access-roles". Default is 50. This requires the use of the parameters "limit" (amount of AR entries) and "offset" (where to start counting in the list of AR entries). Funny enough stopping (limit) at 500 and starting (offset) at 500 in the next command does not cause a duplicate entry to output!

  4. Generate the list of AD-groups, reusing the login session from above once again
(for i in $(< /var/log/tmp/ARs.txt) ; do echo \# $i\;$(mgmt_cli -s /var/log/tmp/sid.txt.$$ show access-role name "$i" --format json | $CPDIR/jq/jq -r .users[].name | awk '{print $0 "\r"}' | sed 's/ //g') ; done) > /var/log/tmp/AD-groups.txt

 

The output is a list like the following, I am able to finalize in Excel to my needs (because I am not that good at text editing with linux). Maybe I'll get some help for that and optimize it, so it does not require so much work in Excel as it does now:

# G_SharedServices;ad_group_G_SharedServices
# G_Developer_ALL;ad_group_G_T_LI_Developer
 ad_group_G_T_CD_Developer
 ad_group_G_T_DSRF_Developer
 ad_group_G_T_AOUTO_Developer
 ad_group_G_T_CC_Developer
 ...snip...
 ad_group_G_JKSD_Dev_Tst
 ad_group_G_RCRM_Developer
 ad_group_G_CDE_BSC_Fortz_Developer
 ad_group_G_SME_Dev_Tst
 ad_group_G_POP_DevTest
 ad_group_G_OCC_CS_Developer
# G_MaltedBausda;ad_group_G_MaltedBausda
# G_MaltedBausda_QA;ad_group_G_MaltedBausda_QA
  • "# " I added to differenciate the name of th AR in the list from the AD-Groups more easily (I remove it in Excel later).
  • ";" was simple enough for me to add, that made it easier to import the text to excel and immediately split into two columns using this as a seperator for ARs and containing AD-groups
  • "ad_group_", "ad_user_" and "ad_branch_" I have to remove or transform in to a category in Excel for now

 

This is something I can work with easily enough for now. Feel free to improve the output especially in the 4th command. Or the number of commands needed in 3rd step overcomming the limit of 500 entries being output at once.

I hope this helps other people in dire need 😉

Best regards

Carsten

 

PS.: Some "invalid HTML has been removed", I checked but could not find the location of the "removal" and also did not see the commands being broken. Let me know if you find an error, so I can fix it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top