Solved: Re: mgmt_cli

dotank2 · ‎2023-07-18

hi all,

hi trying to create very simple script.

im using command line from the smart console. i create a group and i want to add all geo policy countries i have.

i create a group using set group name "Geo-Block"

and now i want to add countries.

so i do: set group name "Geo-Block" members.add "countrie1" members.add "countries2" and its not working

the error is:

code:"generic_err_object_not_found"

message: "Requested object [countrie1] not found"

Bob_Zimmerman · ‎2023-07-18

Another important note. This syntax:

mgmt_cli ... members.add "country1" members.add "country2"

won't actually work. You need to specify it like this:

mgmt_cli ... members.add.1 "country1" members.add.2 "country2"

View solution in original post

Bob_Zimmerman · ‎2023-07-19

That error indicates the command you actually ran was slightly different. Something like this:

set group name "Geo-Block" members.add.1 "Albania1"

After running this:

[Expert@DallasSA]# mgmt_cli -f json -r true update-updatable-objects-repository-content
...
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 0 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 1000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 1500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 2000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 2500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 3000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 3500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 4000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# wc -l updatable.json 
4249 updatable.json
[Expert@DallasSA]# grep "GEO Locations" updatable.json | jq '."name-in-updatable-objects-repository"' | sort
"Afghanistan"
"Africa"
"Aland Islands"
"Albania"
"Algeria"
"American Samoa"
"Andorra"
"Angola"
"Anguilla"
"Antarctica Other"
"Antarctica"
...

you can see all of the country object names. Each country object must be imported via 'mgmt_cli ... add updatable-object uid-in-updatable-objects-repository <UUID>' before you can actually use it. Once imported, the names will be as above.

View solution in original post

Bob_Zimmerman · ‎2023-07-20

After creating updatable.json as above, you can import all of the objects in the "GEO Locations" tree like so:

[Expert@DallasSA]# mgmt_cli -f json -r true login > session.txt

[Expert@DallasSA]# grep "GEO Locations" updatable.json | jq '."uid-in-updatable-objects-repository"' | xargs -L 1 -I % mgmt_cli -f json -s session.txt add updatable-object uid-in-updatable-objects-repository %
...

[Expert@DallasSA]# mgmt_cli -f json -s session.txt publish
...

[Expert@DallasSA]# mgmt_cli -f json -s session.txt logout && rm session.txt

On a lab SmartCenter (Hyper-V VM on an Intel Atom C3758; 2c, 8 GB, 200 GB storage backed by a ~1 GB/s SATA SSD array), all that took about five minutes (including writing the commands) and left me with 258 objects in my management.

Afterwards, I ran this to test all of the country names you've reported problems with:

[Expert@DallasSA]# mgmt_cli -f json -s session.txt add group name "Geo-Block" members.1 Albania members.2 Algeria members.3 Togo members.4 Tunisia
{
  "uid" : "6ff07760-8c91-41ed-92b0-2f497d30aa83",
  "name" : "Geo-Block",
  "type" : "group",
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User",
    "domain-type" : "domain"
  },
  "members" : [ {
    "uid" : "09bfd6cf-3608-4ef1-9e10-5553a81083c8",
    "name" : "Tunisia",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_tn",
    "color" : "black"
  }, {
    "uid" : "a6e54df5-4b0c-46ee-a081-25575b36e66a",
    "name" : "Algeria",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_dz",
    "color" : "black"
  }, {
    "uid" : "54346ff0-2d5e-42f2-9a3e-f3c9c18d126c",
    "name" : "Togo",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_tg",
    "color" : "black"
  }, {
    "uid" : "9125b1e0-891c-41d1-81ac-1d90f63bbcb0",
    "name" : "Albania",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_al",
    "color" : "black"
  } ],
  "groups" : [ ],
  "comments" : "",
  "color" : "black",
  "icon" : "General/group",
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1689861228450,
      "iso-8601" : "2023-07-20T09:53-0400"
    },
    "last-modifier" : "WEB_API",
    "creation-time" : {
      "posix" : 1689861228450,
      "iso-8601" : "2023-07-20T09:53-0400"
    },
    "creator" : "WEB_API"
  },
  "read-only" : true
}

To update an existing group, you would need to use 'set' instead of 'add', and all of the mentions of 'members.' should be replaced with 'members.add.'.

View solution in original post

Tal_Paz-Fridman · ‎2023-07-18

What is the version you are using? Are you trying to add to the older Geo Policy or to the Access Control Rulebase?

For adding to the Rulebase which is the recommended way you first need to import the relevant Updatable Object:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-updatable-object~v1.9%20

dotank2 · ‎2023-07-18

hi

im use management version r81.10.

i have geo policy in the shared policy. and i want to create rule in the access rule with all the countries that i want to block.

so i create a group, and I can't add country objects to the group.

and the command "show updatable-objects-repository-content" not give me the parameter of uri.

dotank2 · ‎2023-07-18

And something strange happens, when I blocked for example Israel it worked.
Me trying to block Albania doesn't work

this is work: set group name "Geo-Block" members.add "israel"

this is now working: set group name "Geo-Block" members.add "albnia"

the_rock · ‎2023-07-18

In the command, you mispelled Albania...it shows albnia

Bob_Zimmerman · ‎2023-07-18

Another important note. This syntax:

mgmt_cli ... members.add "country1" members.add "country2"

won't actually work. You need to specify it like this:

mgmt_cli ... members.add.1 "country1" members.add.2 "country2"

the_rock · ‎2023-07-18

Thats it, just verified!

dotank2 · ‎2023-07-18

hi

thank you for your response.

i do the command:

set group name "Geo-Block" members.add.1 "Albania" members.add.2 "Algeria"

and the error is same:

code: "generic_err_object_not_found"
message: "Requested object [Albania1] not found"

Hugo_vd_Kooij · ‎2023-07-18

Can you break down the chnage into adding 1 country per line? That is how I would do it anyway as I can then loop over a list. Be it 1 or 10 or 100 countries it will be the same code.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

dotank2 · ‎2023-07-18

hi

i try it, also don't works

Bob_Zimmerman · ‎2023-07-19

That error indicates the command you actually ran was slightly different. Something like this:

set group name "Geo-Block" members.add.1 "Albania1"

After running this:

[Expert@DallasSA]# mgmt_cli -f json -r true update-updatable-objects-repository-content
...
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 0 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 1000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 1500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 2000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 2500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 3000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 3500 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# mgmt_cli -f json -r true show updatable-objects-repository-content details-level full limit 500 offset 4000 | jq -c '.objects[]|.' >> updatable.json
[Expert@DallasSA]# wc -l updatable.json 
4249 updatable.json
[Expert@DallasSA]# grep "GEO Locations" updatable.json | jq '."name-in-updatable-objects-repository"' | sort
"Afghanistan"
"Africa"
"Aland Islands"
"Albania"
"Algeria"
"American Samoa"
"Andorra"
"Angola"
"Anguilla"
"Antarctica Other"
"Antarctica"
...

you can see all of the country object names. Each country object must be imported via 'mgmt_cli ... add updatable-object uid-in-updatable-objects-repository <UUID>' before you can actually use it. Once imported, the names will be as above.

the_rock · ‎2023-07-19

Thanks @Bob_Zimmerman ...thats SUPER HELPFUL mate 👍👍👍

dotank2 · ‎2023-07-20

yes but how do i import all of the list?

Bob_Zimmerman · ‎2023-07-20

After creating updatable.json as above, you can import all of the objects in the "GEO Locations" tree like so:

[Expert@DallasSA]# mgmt_cli -f json -r true login > session.txt

[Expert@DallasSA]# grep "GEO Locations" updatable.json | jq '."uid-in-updatable-objects-repository"' | xargs -L 1 -I % mgmt_cli -f json -s session.txt add updatable-object uid-in-updatable-objects-repository %
...

[Expert@DallasSA]# mgmt_cli -f json -s session.txt publish
...

[Expert@DallasSA]# mgmt_cli -f json -s session.txt logout && rm session.txt

On a lab SmartCenter (Hyper-V VM on an Intel Atom C3758; 2c, 8 GB, 200 GB storage backed by a ~1 GB/s SATA SSD array), all that took about five minutes (including writing the commands) and left me with 258 objects in my management.

Afterwards, I ran this to test all of the country names you've reported problems with:

[Expert@DallasSA]# mgmt_cli -f json -s session.txt add group name "Geo-Block" members.1 Albania members.2 Algeria members.3 Togo members.4 Tunisia
{
  "uid" : "6ff07760-8c91-41ed-92b0-2f497d30aa83",
  "name" : "Geo-Block",
  "type" : "group",
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User",
    "domain-type" : "domain"
  },
  "members" : [ {
    "uid" : "09bfd6cf-3608-4ef1-9e10-5553a81083c8",
    "name" : "Tunisia",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_tn",
    "color" : "black"
  }, {
    "uid" : "a6e54df5-4b0c-46ee-a081-25575b36e66a",
    "name" : "Algeria",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_dz",
    "color" : "black"
  }, {
    "uid" : "54346ff0-2d5e-42f2-9a3e-f3c9c18d126c",
    "name" : "Togo",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_tg",
    "color" : "black"
  }, {
    "uid" : "9125b1e0-891c-41d1-81ac-1d90f63bbcb0",
    "name" : "Albania",
    "type" : "updatable-object",
    "domain" : {
      "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "icon" : "@app/cp_geo_al",
    "color" : "black"
  } ],
  "groups" : [ ],
  "comments" : "",
  "color" : "black",
  "icon" : "General/group",
  "tags" : [ ],
  "meta-info" : {
    "lock" : "unlocked",
    "validation-state" : "ok",
    "last-modify-time" : {
      "posix" : 1689861228450,
      "iso-8601" : "2023-07-20T09:53-0400"
    },
    "last-modifier" : "WEB_API",
    "creation-time" : {
      "posix" : 1689861228450,
      "iso-8601" : "2023-07-20T09:53-0400"
    },
    "creator" : "WEB_API"
  },
  "read-only" : true
}

To update an existing group, you would need to use 'set' instead of 'add', and all of the mentions of 'members.' should be replaced with 'members.add.'.

dotank2 · ‎2023-07-27

works thank you

the_rock · ‎2023-07-27

Thanks for the update!

dotank2 · ‎2023-07-18

also i do ssh to the managment.

and same command i get an error:

"Authentication to server failed."

but the username is correct and i have permission "GAIA api"

dotank2 · ‎2023-07-19

updating

The script works only on objects built in the system.

The problem is that it is an updateable object, for example countries.

That is, I do the command:
mgmt_cli set group name "Geo-Block" members.add.1 "host1" members.add.2 "host2" > working

And I do the command:
mgmt_cli set group name "Geo-Block" members.add.1 "Togo" members.add.2 "Tunisia" > not working

And I get a message that it can't find the object.

Now the strange thing is, I do the command:
set group name "Geo-Block" members.add "israel" it works (only on Israel, when I change the country for example Togo, it doesn't work)

Tal_Paz-Fridman · ‎2023-07-19

Did you import the relevant Updatable Object into the database?

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-updatable-object~v1.9%20

the_rock · ‎2023-07-19

I just tested on R81.20 mgmt server and it failed as well...weird

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli set group name "geo-block-test" members.add "albania"
Username: admin
Password:
code: "generic_err_object_not_found"
message: "Requested object [geo-block-test] not found"

Executed command failed. Changes are discarded.
[Expert@QUANTUM-MANAGEMENT:0]#

_Val_ · ‎2023-07-19

You need to fetch the category first. Did you?

the_rock · ‎2023-07-19

Hey Val,

Can you clarify what you are referring to exactly?

Cheers,

Andy

Tal_Paz-Fridman · ‎2023-07-19

Description

Import an updatable object from the repository to the management server. This operation takes effect immediately and doesn't require publishing.

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-updatable-object~v1.9%20

Bob_Zimmerman · ‎2023-07-19

That message is saying the group you're trying to add the member to doesn't exist. 'set' won't create a group.

the_rock · ‎2023-07-19

@Bob_Zimmerman ...layer 8 problem Homer Simpson moment...DUH lol

Anyway, command @dotank2 gave did actually work now

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli set group name "geo-group-test" members.add.1 "Togo" members.add.2 "Tunisia"
Username: admin
Password:

---------------------------------------------
Time: [10:59:37] 19/7/2023
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@QUANTUM-MANAGEMENT:0]#

Andy

dotank2 · ‎2023-07-19

hi @the_rock

I have a slightly different error message.
The problem for me is the country object, for example Tunisia.
With you, he registered on the group itself.

Anyway, it still doesn't work for me.
And it is not clear what command I need to give to import the updateable object

i used the command:mgmt_cli add updatable-object uid-in-updatable-objects-repository Togo

but i get error:

mgmt_cli add updatable-object uid-in-updatable-objects-repository Togo
Username: XXXX
Password: XXXX
code: "generic_error"
message: "Parameter [uid-in-updatable-objects-repository] with value [Togo] not found."

Executed command failed. Changes are discarded.

the_rock · ‎2023-07-20

Understood...let me test it later and see what happens.

Andy

the_rock · ‎2023-07-20

I just tried and get the same, but based on the error we see, appears its the parameter thats wrong...

genisis__ · ‎2023-08-04

Question:

Is there a way to do a dry run of mgm_cli commands to catch any syntax errors etc, prior to a scheduled implementation? Would be dame handy if this was possible.

Bob_Zimmerman · ‎2023-08-04

You can always log in with a read/write session (not using 'read-only true'), run commands, then discard the session afterwards. Only a few things like installing policy and building firewall objects have effects which persist even if you discard the session in which you did them.

Are you a member of CheckMates?

mgmt_cli

Description