Hi Check Mates,
Been working on a simple standard change for which I wanted to create a simple automation task.
I have been working on this in three steps.
1) Using the CMD via SmartConsole, adding a Network Object and then adding this to a Network Group object. That simply worked.
I am running these commands:
```text
add network name "TestObj" subnet xxx.xxx.xxx.xxx subnet-mask xxx.xxx.xxx.xxx
set group name "Proxy_Access" members.add "TestObj"
publish
Install policy
```
2) Working on a shell script to be executed on the SMS server doing exactly the same steps as above. This works too.
I have created a script named "add_object_to_group.sh" and given it the right to execute with "chmod 777".
The script looks like:
```bash
#!/bin/bash
clear
# ask for credentials from user
echo "Please enter your username and password"
read -p "Enter username and press [ENTER]: " USER
read -s -p "Enter password and press [ENTER]: " PASS
echo
mgmt_cli login user "${USER}" password "${PASS}" > id.txt
# in case of an error: print to screen the error message and abort
if [ $? -ne 0 ]; then
    echo "Login command failed."
    cat id.txt
    exit 1
fi
# Ask for user to enter a Name of Network Object
echo
echo "Please enter a Network Object Name e.g TestObj "
read -p "Enter Network Object Name eg. TestObj [ENTER] : " NetworkObjectName
# Ask for user to enter a Source Subnet for Network Object Name
# The patterns live in variables: a quoted regex on the right of =~ is matched
# as a literal string, so the validation loops below would never accept input.
ipv4_re='^((25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})[.]){3}(25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})$'
mask_re='^((255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255))$'
echo
echo "Please define the Network Object Network subnet"
read -p "Enter subnet eg. 10.80.212.0 [ENTER] : " NetworkObjectSubNet
while [[ ! "$NetworkObjectSubNet" =~ $ipv4_re ]]; do
    read -p "Not a valid IP Subnet. Re-enter: " NetworkObjectSubNet
done
read -p "Enter subnet-mask eg. 255.255.255.0 [ENTER] : " NetworkObjectSubNetMask
while [[ ! "$NetworkObjectSubNetMask" =~ $mask_re ]]; do
    read -p "Not a Subnet Mask. Re-enter: " NetworkObjectSubNetMask
done
# Run the mgmt_cli against CP SMS Server
mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}"
mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}"
# Publish the creation of Network Object and add it to Network Group
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt
```
3) Moving the script out from the SMS server to be run on a Linux jumphost. I haven't yet worked on this because I want to complete the above steps first.
I am lacking some kind of error handling in my script and I haven't been able to find any examples of how to do so.
I know I have a validation check for the login if anything goes wrong. Or can I use the same method from the login validation in each of the steps?
Examples of error handling would be:
1) In case the Network Object Name exists.
2) In case two objects have the same subnet in use. In SmartConsole you can have different object names with the same subnet.
3) I want to be sure that I am not trying to add a network object to a network group if it already exists, etc.
Can anyone help me or give me a direction?
Thanks
I want to be able to do a validation check when running the mgmt_cli commands:
```bash
mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}"
mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}"
```
Rather than a static "id.txt" for the session cookie, I would use a variable populated by mktemp. That way, multiple people could use the tool at the same time.
```bash
sessionCookie=$(mktemp)
mgmt_cli login user "${USER}" password "${PASS}" >"${sessionCookie}"
...
...
mgmt_cli -s "${sessionCookie}" add network name ...
```
As for error handling, you would have to actually read the messages. Something like this:
```bash
apiOut="$(mgmt_cli -f json -s "${sessionCookie}" add network name ...)"
# $? here is the exit status of the mgmt_cli call captured above
if [ "$?" -ne 0 ]; then
    # -r strips the JSON quotes so the case patterns below can match the raw text
    errorText="$(echo "${apiOut}" | jq -r '.some.path.here')"
    case "${errorText}" in
        "Some error string")
            # Handle this error.
            ;;
        "A different error string")
            # Handle a different error.
            ;;
        *)
            # This is the default case, where errors you don't specifically detect end up.
            echo "Got an error I don't know how to handle: ${errorText}"
            exit 1
            ;;
    esac
fi
```
You would replace '.some.path.here' with the path in an API call error to the description of the error. I forget what it is off the top of my head. You would then have an item in the case statement for each error you want to handle.
Note that adding a network to a group which already contains it isn't harmful. I wouldn't bother trying to detect that.
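Putting the two halves of this thread together (the three checks asked for in the original post, and the "read the JSON and branch on it" approach from the answer above), here is an added example in POSIX sh. It is not code from the thread or from Check Point. It assumes `mgmt_cli -f json` returns the `code`, `message` and `errors[].message` fields seen in the error output quoted elsewhere in this thread, that `show networks ... details-level full` reports each object's `subnet4`, and that `show group` lists `members[].name`; the function names (`api`, `network_exists`, `subnet_in_use`, `group_has_member`, `add_network_to_group`) and the `MGMT_CLI` override variable are chosen here. Parsing is done with sed/grep so the script has no jq dependency, and any failed call is followed by `discard` so a half-applied change is never left in the session.

```shell
#!/bin/sh
# Added example (not from the thread): error-aware wrapper around mgmt_cli for
# "add network, add it to a group, publish". Assumed field names: "code",
# "message", "errors", "subnet4", "members" (check against your SMS version).
# The binary comes from $MGMT_CLI so a stand-in can replace it for offline tests.

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"
SESSION="${SESSION:-$(mktemp)}"   # per-run session file instead of a shared id.txt

# Run one API call; JSON (stdout and stderr) is printed, the exit status is kept.
api() {
    "$MGMT_CLI" -f json -s "$SESSION" "$@" 2>&1
}

# Pull the top-level "code" out of an error document, e.g. err_validation_failed.
api_error_code() {
    printf '%s' "$1" | sed -n 's/.*"code"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# List every "message" value in the document, one per line (top level, then errors[]).
api_error_messages() {
    printf '%s' "$1" | grep -o '"message"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/^[^:]*:[[:space:]]*"//; s/"$//'
}

# Check 1: does a network object with exactly this name already exist?
network_exists() {
    api show network name "$1" >/dev/null
}

# Check 2: is this subnet already used by another network object?
# SmartConsole allows that, so the caller decides whether it is a warning or a stop.
subnet_in_use() {
    out=$(api show networks limit 500 details-level full) || return 1
    printf '%s' "$out" | grep -q "\"subnet4\"[[:space:]]*:[[:space:]]*\"$1\""
}

# Check 3: is the object already a member of the group?
group_has_member() {
    out=$(api show group name "$1") || return 1
    printf '%s' "$out" | grep -q "\"name\"[[:space:]]*:[[:space:]]*\"$2\""
}

# The change itself. Prints a one-line outcome on stdout; returns 0 only when published.
add_network_to_group() {
    name=$1; subnet=$2; mask=$3; group=$4
    if network_exists "$name"; then
        echo "exists: object '$name' is already defined"; return 2
    fi
    if subnet_in_use "$subnet"; then
        echo "warning: another object already uses subnet $subnet" >&2
    fi
    if ! out=$(api add network name "$name" subnet "$subnet" subnet-mask "$mask"); then
        case "$(api_error_code "$out")" in
            err_validation_failed)
                echo "validation: $(api_error_messages "$out" | tail -n 1)" ;;
            *)
                echo "error: $(api_error_code "$out")" ;;
        esac
        api discard >/dev/null; return 1
    fi
    if group_has_member "$group" "$name"; then
        echo "skip-group: '$name' is already a member of '$group'" >&2
    elif ! out=$(api set group name "$group" members.add "$name"); then
        echo "error: $(api_error_code "$out")"; api discard >/dev/null; return 1
    fi
    if api publish >/dev/null; then
        echo "published"; return 0
    fi
    echo "error: publish failed"; api discard >/dev/null; return 1
}

# Stand-alone use:  ./add_object_to_group.sh run USER PASS NAME SUBNET MASK GROUP
if [ "${1:-}" = "run" ]; then
    "$MGMT_CLI" login user "$2" password "$3" >"$SESSION" || { cat "$SESSION"; exit 1; }
    add_network_to_group "$4" "$5" "$6" "$7"; rc=$?
    "$MGMT_CLI" logout -s "$SESSION" >/dev/null; rm -f "$SESSION"; exit "$rc"
fi
```

The name check runs before `add network`, so a duplicate name is reported without touching the session; the subnet check only warns, matching the SmartConsole behaviour noted in the question; the group check simply skips the `set group` call, in line with the remark above that re-adding a member is harmless.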
Try to use:
```bash
nohup mgmt_cli -s id.txt add network name dummy subnet 1.1.1.0 subnet-mask 255.255.255.0 2>/dev/null &
nohup mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}" 2>/dev/null &
nohup mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}" 2>/dev/null &
```
This will write all output to "nohup.out".
If all is ok it wouldn't write anything to it. If you have an issue it will write it.
So for example, in the script after running the command while having another object of the same name:
```text
Please enter your username and password
Enter username and press [ENTER]: aa
Enter password and press [ENTER]:
Please enter a Network Object Name e.g TestObj
Enter Network Object Name eg. TestObj [ENTER] : dummy
Please define the Network Object Network subnet
Enter subnet eg. 10.80.212.0 [ENTER] : 1.2.6.0
Enter subnet-mask eg. 255.255.255.0 [ENTER] : 255.255.255.0
---------------------------------------------
Time: [18:34:09] 26/1/2025
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-91b4-d9616ebd3c7b"
  task-name: "Publish operation"
  status: "succeeded"
  progress-percentage: 100
  suppressed: false
  task-details:
    - publishResponse:
        numberOfPublishedChanges: 0
        mode: "async"
      revision: "d214d4f0-1644-49e4-9ddd-60ebf4f67ab6"
      message: "OK"
[Expert@MGMT:0]# cat nohup.out
code: "err_validation_failed"
message: "Validation failed with 1 error"
errors:
- message: "More than one object named 'dummy' exists."
[Expert@MGMT:0]#
```
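A caveat on the nohup approach above, as an added example that is not code from the thread: the three backgrounded calls are not ordered, so `set group` can run before `add network` has finished, and the publish in the transcript reports zero changes while the error sits in nohup.out. The sketch below keeps the calls sequential, appends each call's output to a log file with a timestamp and its exit status, and hands that status back so the script can stop at the first failure. `LOGFILE`, `run_logged` and `failed_calls` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): run mgmt_cli calls one after another and
# log each one, instead of backgrounding them with nohup. The log file name and
# the two helpers are assumptions made for this example.
LOGFILE="${LOGFILE:-mgmt_cli.log}"

# Run a command, append its timestamped output (stdout and stderr) to LOGFILE,
# and return the command's own exit status so the caller can stop on failure.
run_logged() {
    printf '%s  $ %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"
    "$@" >>"$LOGFILE" 2>&1
    rc=$?
    printf '%s  exit=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$rc" >>"$LOGFILE"
    return "$rc"
}

# Number of logged calls that ended with a non-zero exit status.
failed_calls() {
    grep -c '  exit=[1-9]' "$LOGFILE" 2>/dev/null || true
}

# Usage: the three calls in order, stopping at the first failure and discarding
# the session's unpublished changes when any of them fails.
#   run_logged mgmt_cli -s id.txt add network name "$N" subnet "$S" subnet-mask "$M" &&
#   run_logged mgmt_cli -s id.txt set group name "Proxy_Access" members.add "$N" &&
#   run_logged mgmt_cli -s id.txt publish || run_logged mgmt_cli -s id.txt discard
```

Because `run_logged` returns the wrapped command's status, the `&&` chain in the usage comment stops at the first failing step and the trailing `||` runs `discard`, so the session never publishes a partial change.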
I know this is a little late for this party, but I would highly suggest you do this with Ansible and the Check Point modules. It handles all of this backend dirty work for you, plus you gain consistency along the way. You can also structure your playbooks to collect before/after states and completely discard the entire operation, giving you the chance to fully test the entire sequence so you can run it at a later date (such as "maintenance weekend", when you're already short on time and short on patience).
Shameless plug: I have a series (link in my signature line below) on setting up an Ansible host, dependencies, and introductions to playbooks, etc. First 5 episodes are available now, with more coming.