This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2018-09-19 11:25 AM
Jump to solution

multidomain and mgmt_cli

I was trying to add a number of object this week, I had done some last week. Last week I added them to 1 domain and now I wanted to add them to another domain, what I did upfront was mdsenv <Domain>  and started issuing the commands, this worked like a charm.

Today however when I tried to add some objects to another domain, using the same way, first set the mdsenv to the correct domain, then started issuing the (copy paste) the mgmt_cli commands, the objects ended up in the domain that I used last week???

I found out by going in the second domain and use the new network objects but were not there. Then when I issued the mgmt_cli show networks command, it showed me all the network objects from the other domain I worked on last week.

Hmm, ok maybe I need to do a set domain name <domain> command first? Well in the expert mode with mgmt_cli, that did not work, unknown object.

So ok lets try from clish and use the mgmt commands instead, as the first command used mgmt set domain name <Domain> and then issued the add network commands. they were accepted, no error messages. Going into Smartconsole, none of the networks I added are there, nor in the other domain nor in the Global domain.

What am I doing wrong?

Regards, Maarten
0 Kudos
1 Solution

Accepted Solutions
Amiad_Stern
Employee
Employee
‎2018-09-20 10:10 PM
Jump to solution

Lari is right, you need to login to the desired domain then perform desired commands.

Copy pasting Lari's answer with some comments:

// login to domain named MyDomain and save 'session-id' into text file called id.txt. (you can use -d "MyDomain" as well)

# mgmt_cli login user admin password vpn123 domain "MyDomain" > id.txt 

// use the id.txt as a file from which the session-id (your token) is taken and perform add host command.

# mgmt_cli add host name “Minion1” ip-address 1.2.3.4 color “yellow” -s id.txt

// publish and logout (again using the same session-id)

# mgmt_cli publish –s id.txt
# mgmt_cli logout –s id.txt

Few comments on your issue:

  • No need for mdsenv when working with API since you should specify which domain you would like to login to.
  • If you don't specify domain, the default is 'System Data' (which means the MDS)
  • In your case, the fact that you didn't see you object in Global or domain is because i guess you didn't specify any domain on your login and thus objects were created in 'System Data' domain (the MDS) so GUI will not show you these kind of objects in MDS....  

View solution in original post

5 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-09-20 09:56 AM
Jump to solution

There's is a switch you must add to your mgmt_cli, think it was -s but could be -d, just run help for the command. Works for me every time    not at my desk to check

0 Kudos
Lari_Luoma
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2018-09-20 11:43 AM
Jump to solution

Hi Maarten!

In MDS there is one API server serving all the domains, so you should use the MDS leading interface IP address and authenticate to the domain that you want to manipulate.

Example:

# mgmt_cli login user admin password vpn123 domain "MyDomain" > id.txt
# mgmt_cli add host name “Minion1” ip-address 1.2.3.4 color “yellow” -s id.txt
# mgmt_cli publish –s id.txt
# mgmt_cli logout –s id.txt

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-09-20 11:27 PM
In response to Lari_Luoma
Jump to solution

agreed - i normally use session id to carry out all commands, else just add domain every time

[--domain, -d]
Name, uid or IP-address of the management domain.
Environment variable: MGMT_CLI_DOMAIN

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-09-21 12:25 AM
In response to Lari_Luoma
Jump to solution

Ok thank you very Lari, this was the missing bit. My guess that the mdsenv command would put you in the right environment was incorrect then.

Still I really do not understand why it worked the first time?

Regards, Maarten
0 Kudos
Amiad_Stern
Employee
Employee
‎2018-09-20 10:10 PM
Jump to solution

Lari is right, you need to login to the desired domain then perform desired commands.

Copy pasting Lari's answer with some comments:

// login to domain named MyDomain and save 'session-id' into text file called id.txt. (you can use -d "MyDomain" as well)

# mgmt_cli login user admin password vpn123 domain "MyDomain" > id.txt 

// use the id.txt as a file from which the session-id (your token) is taken and perform add host command.

# mgmt_cli add host name “Minion1” ip-address 1.2.3.4 color “yellow” -s id.txt

// publish and logout (again using the same session-id)

# mgmt_cli publish –s id.txt
# mgmt_cli logout –s id.txt

Few comments on your issue:

  • No need for mdsenv when working with API since you should specify which domain you would like to login to.
  • If you don't specify domain, the default is 'System Data' (which means the MDS)
  • In your case, the fact that you didn't see you object in Global or domain is because i guess you didn't specify any domain on your login and thus objects were created in 'System Data' domain (the MDS) so GUI will not show you these kind of objects in MDS....  

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events