Firewall_Head
Explorer

Unable to add administrators via mgmt_cli

Dear Checkmates,

OS:R81.10 JHF_156

I am trying to import a list of administrators using a .csv file via the mgmt_cli but it doesn't work and shows the error:

" Line 2: code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

API details:

[Expert@SA_1:0]# mgmt_cli -r true login
uid: "7b8f6efd-fef1-4ab9-a152-f6205edbaffc"
sid: "jBl4yyzlVFA52kP2MWfisetNXQpGFHx6HfkRVEsQd_4"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1725397582
  iso-8601: "2024-09-04T02:36+0530"
read-only: false
standby: false
api-server-version: "1.8.1"

I am attaching a snap of the csv file which I have created, please let me know how to get this working.

Thanks in advance!

==========

WR,

FH

 

0 Kudos
PhoneBoy
Admin

Yes, because administrator users must be added only in the System Data domain as stated in the documentation.
Which means, at the login step, the domain must be specified (e.g. mgmt_cli -r true -d 'System Data').
This is true regardless of whether it's Multi-Domain or not.

Firewall_Head
Explorer

@PhoneBoy Thanks for your reply.

When I tried to do the same using the steps mentioned, I am again encountering problems.

Attaching an image for your reference; can you help me with the right usage of the command if I am wrong?

=======

WR,
FH

0 Kudos
PhoneBoy
Admin

First of all, subsequent mgmt_cli commands must reference the session that was obtained from the login API call.
This is either done with the --session-id or -s parameter to mgmt_cli.
None of the following commands did that, which is why most of your commands after the login are failing.

Second, you may not have defined the CSV file correctly. 
The first line in the CSV must correspond to the parameter names for the relevant API call: https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-administrator~v1.9.1%20
The subsequent lines are the relevant values that are passed to each one.

To troubleshoot issues with the CSV file, I'd need to see it (or a sample of it).

0 Kudos
Firewall_Head
Explorer

Hi @PhoneBoy ,

I tried as you suggested but no luck, I am pasting my session output below for your reference.

[Expert@SA_1:0]# mgmt_cli -r true login
uid: "c192f3fd-6405-4ceb-a8ef-d9412408eec6"
sid: "obw7pv2mp6o7-C6LMIKCQfad9QV87W9dd-x8tsHruwM"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1725484400
  iso-8601: "2024-09-05T02:43+0530"
read-only: false
standby: false
api-server-version: "1.8.1"

[Expert@SA_1:0]# mgmt_cli add administrator -b admins.csv --session-id obw7pv2mp6o7-C6LMIKCQfad9QV87W9dd-x8tsHruwM -d 'System Data'
Line 2: code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."


[Expert@SA_1:0]# cat admins.csv
name,password,authentication-method,permissions-profile
sayooj,e3w2q1,check point password,Super User
[Expert@SA_1:0]#

 

======

WR,

FH

0 Kudos
PhoneBoy
Admin

The domain is only relevant on, and is specified as part of, the login call.
In all other cases, the session ID is sufficient.
In this case, I am piping the output of the login call to sid.txt so it can be read by subsequent calls (-s sid.txt).
Using the CSV file you provided, the following commands worked on my system:

mgmt_cli -r true login -d 'System Data' > sid.txt
mgmt_cli -s sid.txt add administrator -b admins.csv
mgmt_cli -s sid.txt publish

The publish is required for committing any changes made through the API.
Otherwise, the changes will be locked in the created session until it is published or discarded.
Here is the result the API provided when I queried the user:

[Expert@R82-EA1:0]# mgmt_cli -s sid.txt show administrator name sayooj --format json
{
  "uid" : "1bb02495-4e3e-4c0e-9660-e2bc52224d5a",
  "name" : "sayooj",
  "type" : "administrator",
  "domain" : {
    "uid" : "a0eebc99-afed-4ef8-bb6d-fedfedfedfed",
    "name" : "System Data",
    "domain-type" : "mds"
  },
  "email" : "",
  "phone-number" : "",
  "authentication-method" : "check point password",
  "must-change-password" : true,
  "permissions-profile" : {
    "uid" : "ff2c8363-eedd-4d06-a140-a2ede779f09e",
    "name" : "Super User",
    "type" : "domain-permissions-profile",
    "domain" : {
      "uid" : "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
      "name" : "Check Point Data",
      "domain-type" : "data domain"
    },
    "icon" : "General/Role",
    "color" : "black"
  },
  "sic-name" : "",
  "comments" : "",
  "color" : "black",
  "icon" : "General/Administrator",
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1725486662429,
      "iso-8601" : "2024-09-04T16:51-0500"
    },
    "last-modifier" : "WEB_API",
    "creation-time" : {
      "posix" : 1725486662429,
      "iso-8601" : "2024-09-04T16:51-0500"
    },
    "creator" : "WEB_API"
  },
  "read-only" : false,
  "available-actions" : {
    "edit" : "true",
    "delete" : "true",
    "clone" : "true"
  }
}
[Expert@R82-EA1:0]#

 

(1)
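
The login, add, publish sequence from the reply above, wrapped in a script that first checks the CSV header and rows and keeps the session file private. This is an added example, not part of the original thread and not Check Point's own code; the function names and the KNOWN_PARAMS list (built only from parameter names visible in this thread) are assumptions, and the check assumes a simple CSV with no quoted commas.

```shell
# Added example (not from the thread); function names are hypothetical.
# Parameter names seen in this thread; an assumed subset, not the full
# add-administrator reference.
KNOWN_PARAMS="name password authentication-method permissions-profile email phone-number must-change-password comments color"

# Return 0 when the header uses only known parameter names, includes "name",
# and every data row has as many fields as the header.
# Assumes simple CSV: no quoted fields containing commas.
check_admin_csv() {
    local csv="$1" header col ncols
    [ -r "$csv" ] || { echo "cannot read $csv" >&2; return 2; }
    header=$(head -n 1 "$csv" | tr -d '\r')
    ncols=$(printf '%s\n' "$header" | awk -F, '{print NF}')
    for col in $(printf '%s' "$header" | tr ',' ' '); do
        case " $KNOWN_PARAMS " in
            *" $col "*) ;;
            *) echo "unknown column: $col" >&2; return 1 ;;
        esac
    done
    case ",$header," in
        *,name,*) ;;
        *) echo "missing name column" >&2; return 1 ;;
    esac
    awk -F, -v n="$ncols" 'NR > 1 && NF && NF != n {
        print "line " NR ": expected " n " fields, got " NF; bad = 1
    } END { exit bad }' "$csv" >&2
}

# Log in to 'System Data', add the administrators, then publish or discard.
import_admins() {
    local csv="$1" sid rc=0
    check_admin_csv "$csv" || return 1
    sid=$(umask 077; mktemp) || return 1   # session file holds a live token
    # The domain is chosen at login; later calls only pass the session file.
    if ! mgmt_cli -r true login -d 'System Data' > "$sid"; then
        rm -f "$sid"; return 1
    fi
    if mgmt_cli -s "$sid" add administrator -b "$csv"; then
        mgmt_cli -s "$sid" publish || rc=1
    else
        mgmt_cli -s "$sid" discard         # drop the unpublished changes
        rc=1
    fi
    mgmt_cli -s "$sid" logout
    rm -f "$sid"
    return "$rc"
}
```

Run it in Expert mode as `import_admins admins.csv`; the CSV carries plaintext passwords, so keep it readable only by its owner and delete it after the import.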
Firewall_Head
Explorer

Nailed it @PhoneBoy .

Thank you so much for helping me out on this 🤗.

Have a great day!

=======

WR,

FH

0 Kudos