Kim_Moberg
Advisor

mgmt_cli validation check

Hi Check Mates,

I have been working on a simple standard change for which I wanted to create a simple automation task.

I have been working on this in three steps.

1) Using CMD via SmartConsole, adding a Network Object and then adding it to a Network Group object. That simply worked.

I am running these commands

 

add network name "TestObj" subnet xxx.xxx.xxx.xxx subnet-mask xxx.xxx.xxx.xxx
set group name "Proxy_Access" members.add "TestObj"

 

publish
Install policy

 

2) Working on a shell script to be executed on SMS server doing exactly the same steps above. This works too.

I have created a script named "add_object_to_group.sh" and given it the right to execute with "chmod 777".

Script looks like

 

#!/bin/bash
clear

# ask for credentials from user
echo "Please enter your username and password"
read -p "Enter username and press [ENTER]: " USER
read -s -p "Enter password and press [ENTER]: " PASS
echo

# Quote the variables so spaces or shell metacharacters in the input stay one argument
mgmt_cli login user "${USER}" password "${PASS}" > id.txt

# in case of an error: print to screen the error message and abort
if [ $? -ne 0 ]; then
echo "Login command failed."
cat id.txt
exit 1
fi

# Ask for user to enter a Name of Network Object
echo
echo "Please enter a Network Object Name e.g TestObj "
read -p "Enter Network Object Name  eg. TestObj [ENTER] : " NetworkObjectName

# Ask for user to enter a Source Subnet for Network Object Name
echo
echo "Please define the Network Object Network subnet"
read -p "Enter subnet eg. 10.80.212.0 [ENTER] : " NetworkObjectSubNet

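# Regex kept in a variable and left unquoted after =~ : bash 3.2 and later treat a quoted pattern as a literal string
ipRegex='^((25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})[.]){3}(25[0-5]|2[0-4][0-9]|[01][0-9][0-9]|[0-9]{1,2})$'
while [[ ! "$NetworkObjectSubNet" =~ $ipRegex ]]; do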
    read -p "Not a valid IP Subnet. Re-enter: " NetworkObjectSubNet
done

read -p "Enter subnet-mask eg. 255.255.255.0 [ENTER] : " NetworkObjectSubNetMask

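# Unquoted regex variable for the same reason: a quoted pattern is matched literally on bash 3.2 and later
maskRegex='^((255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255)\.(0|128|192|224|240|248|252|254|255))$'
while [[ ! "$NetworkObjectSubNetMask" =~ $maskRegex ]]; do
    read -p "Not a valid Subnet Mask. Re-enter: " NetworkObjectSubNetMask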
done

# Run the mgmt_cli against CP SMS Server
mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}"
mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}"

# Publish the creation of Network Object and add it to Network Group
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt

 

 

3) Moving the script out from the SMS server to be run on a Linux jumphost. I haven't yet worked on this because I want to complete my above steps first.

 

I am lacking some kind of error handling in my script and I haven't been able to find any examples of how to do so.
I know I have a validation check for login if anything goes wrong. Or can I use the same method from login validation in each of the steps?

Examples of error handling would be:

1) In case the Network Object Name exists.

2) In case two objects have the same subnet in use. In SmartConsole you can have different object names with the same subnet.

3) I want to be sure that I am not trying to add a network object to a network group if it already exists etc.

 

Can anyone help me or give me a direction?

Thanks

Best Regards
Kim
0 Kudos
3 Replies
Kim_Moberg
Advisor

I want to be able to do a validation check when running mgmt_cli commands

mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}"
mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}"

 

Best Regards
Kim
0 Kudos
Bob_Zimmerman
Authority

Rather than a static "id.txt" for the session cookie, I would use a variable populated by mktemp. That way, multiple people could use the tool at the same time.

 

sessionCookie=$(mktemp)
mgmt_cli login user "${USER}" password "${PASS}" >"${sessionCookie}"
...
...
mgmt_cli -s "${sessionCookie}" add network name ...

As for error handling, you would have to actually read the messages. Something like this:

apiOut="$(mgmt_cli -f json -s "${sessionCookie}" add network name ...)"
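# $? is the exit status of the mgmt_cli call above ($0 would be the script name)
if [ "$?" -ne 0 ];then
# jq -r prints the raw string, without JSON quotes, so the case patterns can match it
errorText="$(echo "${apiOut}" | jq -r '.some.path.here')"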
case "${errorText}" in
	"Some error string")
		# Handle this error.
		;;
	"A different error string")
		# Handle a different error.
		;;
	*)
		# This is the default case, where errors you don't specifically detect end up.
		echo "Got an error I don't know how to handle: ${errorText}"
		exit 1
		;;
esac
fi

You would replace '.some.path.here' with the path in an API call error to the description of the error. I forget what it is off the top of my head. You would then have an item in the case statement for each error you want to handle.

Note that adding a network to a group which already contains it isn't harmful. I wouldn't bother trying to detect that.

 

0 Kudos
Amir_Senn
Employee

Try to use:

nohup mgmt_cli -s id.txt add network name dummy subnet 1.1.1.0 subnet-mask 255.255.255.0 2>/dev/null &
nohup mgmt_cli -s id.txt add network name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" subnet-mask "${NetworkObjectSubNetMask}" 2>/dev/null &
nohup mgmt_cli -s id.txt set group name "Proxy_Access" members.add "${NetworkObjectName}" 2>/dev/null &

This will write all output to "nohup.out".

If all is ok it wouldn't write anything to it. If you have an issue it will write it.

 

So for example, in the script after running the command while having another object of the same name:

Please enter your username and password
Enter username and press [ENTER]: aa
Enter password and press [ENTER]:

Please enter a Network Object Name e.g TestObj
Enter Network Object Name eg. TestObj [ENTER] : dummy

Please define the Network Object Network subnet
Enter subnet eg. 10.80.212.0 [ENTER] : 1.2.6.0
Enter subnet-mask eg. 255.255.255.0 [ENTER] : 255.255.255.0


---------------------------------------------
Time: [18:34:09] 26/1/2025
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-91b4-d9616ebd3c7b"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 0
mode: "async"
revision: "d214d4f0-1644-49e4-9ddd-60ebf4f67ab6"

message: "OK"

[Expert@MGMT:0]# cat nohup.out
code: "err_validation_failed"
message: "Validation failed with 1 error"
errors:
- message: "More than one object named 'dummy' exists."

[Expert@MGMT:0]#

Kind regards, Amir Senn
0 Kudos
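
Added example, not part of any post above: the read-the-error approach from Bob_Zimmerman's reply applied to the error body shown in Amir_Senn's transcript, in the JSON form that `-f json` returns. The function names, return codes and the sample JSON (constructed from that transcript) are assumptions, and `jq` must be installed.

```shell
#!/bin/bash
# Added example: map a failed mgmt_cli call to a return code the script can act on.
# Function names and return codes are illustrative. Requires jq.

# Constructed sample: the error shown in the transcript above, in "-f json" form.
sample_duplicate() {
    cat <<'EOF'
{"code": "err_validation_failed",
 "message": "Validation failed with 1 error",
 "errors": [{"message": "More than one object named 'dummy' exists."}]}
EOF
}

# Print "<code>|<detail>" for an API error body. The detail is every
# .errors[].message joined with "; ", or .message when .errors is absent.
api_error_summary() {
    printf '%s' "$1" | jq -r '
        ([.errors[]?.message] | join("; ")) as $detail
        | (.code // "unknown") + "|"
          + (if $detail == "" then (.message // "") else $detail end)'
}

# Run the command given as arguments and classify a failure.
# Returns 0 on success, 2 if the object name is already taken, 1 otherwise.
api_call() {
    local out rc summary
    out="$("$@")"
    rc=$?
    [ "$rc" -eq 0 ] && return 0
    summary="$(api_error_summary "$out")" || summary="unparsable|${out}"
    case "$summary" in
        err_validation_failed\|*"More than one object named"*)
            echo "Name already in use: ${summary#*|}" >&2
            return 2 ;;
        *)
            echo "Unhandled API error: ${summary}" >&2
            return 1 ;;
    esac
}

# Usage inside the script from the thread (not executed here):
#   api_call mgmt_cli -f json -s "${sessionCookie}" add network \
#       name "${NetworkObjectName}" subnet "${NetworkObjectSubNet}" \
#       subnet-mask "${NetworkObjectSubNetMask}" || exit $?
```

Calling `api_call` before `publish` lets the script stop, or log out and discard the session, instead of publishing after a failed step.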
