Hi,
I have an MDS that has about 10 CMAs; each CMA has more than 4 ‘Policy Packages’.
Is there a way, from the CLI of the MDS, to see the list of policy packages that are ‘tied’ to a particular CMA?
Thanks for your comments
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-package~v2 shows the target gateways for the package
Hey brother,
Try below, it's my lab, regular mgmt, not MDS, but should be same.
Andy
```
[Expert@CP-MANAGEMENT:0]# mgmt_cli show packages
Username: admin
Password:
packages:
- uid: "0fd04089-8f41-424a-aeb3-0534161618ca"
  name: "R82-SSL-INSPECTION-LAB-POLICY"
  type: "package"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "cyan"
from: 1
to: 1
total: 1
```
Btw, built MDS lab quickly and same command I gave you also worked fine.
Andy
Bro,
Do you apply the command in the main MDS, or do you jump to a CMA to apply it there?
Thanks
I did it on mds.
```
[Expert@MDS:0]#
[Expert@MDS:0]# mgmt_cli show packages
Username: cpsc_admin
Password:
packages: []
total: 0
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]#
[Expert@MDS:0]# mdsenv 10.123.94.133
[Expert@MDS:0]#
[Expert@MDS:0]# mgmt_cli show packages
Username: cpsc_admin
Password:
packages: []
total: 0
[Expert@MDS:0]#
```
I have tested the command with an account that has permissions, but I get empty results, whether I run it on the main MDS or on a particular CMA.
The detail is that the CMAs that I have really do have several policy packages tied to each CMA.
It is strange.
I had to sadly delete that lab, as I had to build something else for a pressing issue I was dealing with, but it definitely worked for me using that exact same command.
You are sure that account has super user permissions?
Andy
As @the_rock mentioned, make sure your user has the Profile "Multi-Domain Super User" assigned.
@Daniel_Kuhl1 I don't know if that's a must, but it would definitely help.
Andy
@Matlu I checked on my lab. I got the same output as you from MDS:
```
[Expert@A-MDS:0]# mgmt_cli login api-key "API-KEY"
uid: "17a0067d-bef7-4b0c-a075-14179532dcef"
sid: "McLfS6kPLMq3B8jKywHXGDnDDs2B5CEfzTpTB6aSVik"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.9.1"
user-name: "api-user"
user-uid: "0ac44df8-9f52-4f33-b2a4-04c03ccc4304"
[Expert@A-MDS:0]# mgmt_cli show packages --session-id "McLfS6kPLMq3B8jKywHXGDnDDs2B5CEfzTpTB6aSVik"
packages: []
total: 0
```
You need to log in to the specific domain, and then you get the packages:
```
[Expert@A-MDS:0]# mgmt_cli login api-key "API-KEY" domain "Alpha"
uid: "6d143c11-4a7b-4f22-8a00-660350bd5c2a"
sid: "p4mbKWT6fHQrAtkXewfBVmDkeqEL-InurxYHi9xv9H0"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1751463922464
  iso-8601: "2025-07-02T15:45+0200"
api-server-version: "1.9.1"
user-name: "api-user"
user-uid: "0ac44df8-9f52-4f33-b2a4-04c03ccc4304"
[Expert@A-MDS:0]# mgmt_cli show packages --session-id "p4mbKWT6fHQrAtkXewfBVmDkeqEL-InurxYHi9xv9H0"
packages:
- uid: "0a96b8c1-e9bf-43ba-b604-26e2831d4b15"
  name: "A-VSX_VSX"
  type: "package"
  domain:
    uid: "0f60c08a-e6ac-4180-9678-8fb98ee13e8e"
    name: "Alpha"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
- uid: "0fd04089-8f41-424a-aeb3-0534161618ca"
  name: "Alpha-Policy"
  type: "package"
  domain:
    uid: "0f60c08a-e6ac-4180-9678-8fb98ee13e8e"
    name: "Alpha"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
- uid: "e6cd96da-6564-4a90-a593-a2f7868c8622"
  name: "DMZ-Policy"
  type: "package"
  domain:
    uid: "0f60c08a-e6ac-4180-9678-8fb98ee13e8e"
    name: "Alpha"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "sea green"
- uid: "9c1143d8-86b7-42f6-a457-127a547a17c3"
  name: "Internal-Policy"
  type: "package"
  domain:
    uid: "0f60c08a-e6ac-4180-9678-8fb98ee13e8e"
    name: "Alpha"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "crete blue"
from: 1
to: 4
total: 4
```
You could use a script looping through all domains and get the packages.
Did not know that command, thanks Daniel!
Andy
If you just want the package names under every domain on an MDS or SmartCenter, this will do it:
```
domains="$(mgmt_cli -f json -r true show domains | jq '.objects[].name' | tr -d '"' | tr ' ' '\n')"
echo "${domains}" | while read domainName; do
  mgmt_cli -f json -r true -d "${domainName}" show packages \
    | jq -c ".packages[]|{domain:\"${domainName:-$(hostname)}\",name:.name}"
done
```
If you want the installation targets, that's also doable, but more complicated:
```
domains="$(mgmt_cli -f json -r true show domains | jq '.objects[].name' | tr -d '"' | tr ' ' '\n')"
echo "${domains}" | while read domainName; do
  mgmt_cli -f json -r true -d "${domainName}" show packages details-level full \
    | jq -c ".packages[]|{domain:\"${domainName:-$(hostname)}\",name:.name,targets:(if (.\"installation-targets\" | type) == \"array\" then [.\"installation-targets\"[]|.name] else [.\"installation-targets\"] end)}"
done
```
Note that these don't include packages defined in the global domain.
Edit: fixed a minor bug in the installation targets. Check Point returns either a list or a string in that property, and jq doesn't handle that ambiguity.
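Added example (not part of the original posts and not Check Point code): the same per-domain inventory in Python, normalising the string-or-list `installation-targets` property mentioned in the edit note and following the `from`/`to`/`total` fields so that a domain with more packages than one reply holds is still listed in full. It assumes the `limit` and `offset` parameters of `show packages`; the gateway names and the `sample_fetch` stand-in are constructed for illustration.

```python
import json
import subprocess

def mgmt_cli_fetch(domain, offset, limit):
    """Run mgmt_cli on the management server as root (-r true), as in the post above."""
    cmd = ["mgmt_cli", "-f", "json", "-r", "true", "-d", domain,
           "show", "packages", "details-level", "full",
           "limit", str(limit), "offset", str(offset)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def target_names(raw):
    """installation-targets is a bare string or a list of objects with a name."""
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return [t["name"] if isinstance(t, dict) else str(t) for t in raw]

def list_packages(domain, fetch=mgmt_cli_fetch, limit=50):
    """Collect every package of one domain, following from/to/total paging."""
    rows, offset = [], 0
    while True:
        page = fetch(domain, offset, limit)
        packages = page.get("packages", [])
        for pkg in packages:
            rows.append({"domain": domain, "name": pkg["name"],
                         "targets": target_names(pkg.get("installation-targets"))})
        total = page.get("total", 0)
        if not packages or page.get("to", total) >= total:
            return rows
        offset = page["to"]  # "to" is 1-based, so it equals the next offset

# Constructed sample data (gateway names are made up), standing in for mgmt_cli.
SAMPLE = [
    {"name": "Alpha-Policy", "installation-targets": "all"},
    {"name": "DMZ-Policy",
     "installation-targets": [{"name": "gw-dmz-1"}, {"name": "gw-dmz-2"}]},
    {"name": "Internal-Policy", "installation-targets": [{"name": "gw-int-1"}]},
]

def sample_fetch(domain, offset, limit):
    chunk = SAMPLE[offset:offset + limit]
    return {"packages": chunk, "from": offset + 1,
            "to": offset + len(chunk), "total": len(SAMPLE)}

if __name__ == "__main__":
    for row in list_packages("Alpha", fetch=sample_fetch, limit=2):
        print(json.dumps(row))
```

On a real server, call `list_packages("Alpha")` with the default `fetch`; an empty reply (`packages: []`, `total: 0`), as seen when not logged in to a domain, yields an empty list rather than an error.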