This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duane_Toler
MVP Silver
MVP Silver
‎2021-12-14 02:20 PM
Jump to solution

"where-used" does "publish" ?

 

mgmt_cli -f json -r true -d DOMAIN where-used name "object"

At the end, mgmt_cli does a session publish... !??!

Yes I know can do a full session login and choose "read-only: true",  but for a quick "where-used", I didn't think that'd be necessary.

 

API v1.6.1  (R80.40 + recent JHF)

 

That behavior seems a bit odd, and frankly scares the life out of me! (I'm a paranoid curmudgeon...)

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
2 Solutions

Accepted Solutions
Omer_Kleinstern
Employee
Employee
‎2022-04-04 06:49 AM
In response to MR_K
Jump to solution

Hi,

 

The publish was removed from where-used in R81.

You can open a TAC case to port the fix.

 

Thanks,

Omer

View solution in original post

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-04-04 01:09 PM
In response to MR_K
Jump to solution

It sounds like you are writing a script to iterate through all domains and run "where-used" on some global object to see which domains are using it and how. Indeed, publishing on every domain will slow things down, so it should be avoided. However, that is not the only way to speed things up...

Starting from API version 1.7, there is a new parameter to the "where-used" command called "domains-to-process". If you log into the System Domain and run the where-used from there, then you can pass domains-to-process = ALL_DOMAINS_ON_THIS_SERVER. That will run an efficient where-used calculation on all domains on this server.

The internal query leverages indexes that span domains and is much more efficient than iterating over domains and doing a separate where-used on each one. 

This functionality is also available in SmartConsole starting from R81 in the System domain. It comes with another feature called cross-domain search that lets you find object definitions across domains (not just where-used).

** If you have multiple MDS servers with different active domains, you should run it once per server.

** You mentioned that you are using API version 1.6, so this might not be accessible to you, but it's worth sharing for the general population and of course will be useful for you once you upgrade

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2021-12-14 03:54 PM
Jump to solution

mgmt_cli -r true will do a publish after logging in and executing the specified command.
That’s expected behavior. 

Duane_Toler
MVP Silver
MVP Silver
‎2021-12-14 04:14 PM
In response to PhoneBoy
Jump to solution

🤣 🤣 🤣 🤣 🤣 🤣 🤣 🤣 🤣 

Wow, it's been A LONG time apparently since I last used "-r true"!! *now* I remember... whew.  That's what I get for spending most of my time in "session land"!  

Thanks for kick. 😁

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-12-14 06:36 PM
In response to Duane_Toler
Jump to solution

I know, I always forget that too LOL

Best,
Andy
0 Kudos
MR_K
Contributor
‎2022-04-04 03:42 AM
In response to PhoneBoy
Jump to solution

Hey @PhoneBoy,

Thanks for that answer, but the publish also occurs when not using -r true.

That's what I see in the CLI:

mgmt_cli where-used name ext-node-52.52.64.247 -d Global show-membership true
Username: *{username}*
Password:
used-directly:
total: 1
objects:
- uid: "5f5058e7-47fc-4409-8149-e8c61a1785d1"
name: "ext-tie.gti.mcaffee.com"
type: "group"
domain:
uid: "1e294ce0-367a-11e3-aa6e-0800200c9a66"
name: "Global"
domain-type: "global domain"
threat-prevention-rules: []
nat-rules: []
access-control-rules: []
https-rules: []

 

---------------------------------------------
Time: [12:31:13] 4/4/2022
---------------------------------------------
"Publish operation" in progress (10%)


---------------------------------------------
Time: [12:31:23] 4/4/2022
---------------------------------------------
"Publish operation" succeeded (100%)

 

Do you have an idea why the publish comes here too?
I am trying to write a script that will do a where-used for each CMA, and having a Publish after every one makes the command take ages!

Also running on API v1.6.1

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-04 06:28 AM
In response to MR_K
Jump to solution

Hm... good question.
@Omer_Kleinstern ?
Might also be worth a TAC case.

0 Kudos
Omer_Kleinstern
Employee
Employee
‎2022-04-04 06:49 AM
In response to MR_K
Jump to solution

Hi,

 

The publish was removed from where-used in R81.

You can open a TAC case to port the fix.

 

Thanks,

Omer

0 Kudos
Tomer_Noy
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-04-04 01:09 PM
In response to MR_K
Jump to solution

It sounds like you are writing a script to iterate through all domains and run "where-used" on some global object to see which domains are using it and how. Indeed, publishing on every domain will slow things down, so it should be avoided. However, that is not the only way to speed things up...

Starting from API version 1.7, there is a new parameter to the "where-used" command called "domains-to-process". If you log into the System Domain and run the where-used from there, then you can pass domains-to-process = ALL_DOMAINS_ON_THIS_SERVER. That will run an efficient where-used calculation on all domains on this server.

The internal query leverages indexes that span domains and is much more efficient than iterating over domains and doing a separate where-used on each one. 

This functionality is also available in SmartConsole starting from R81 in the System domain. It comes with another feature called cross-domain search that lets you find object definitions across domains (not just where-used).

** If you have multiple MDS servers with different active domains, you should run it once per server.

** You mentioned that you are using API version 1.6, so this might not be accessible to you, but it's worth sharing for the general population and of course will be useful for you once you upgrade

S_E_
Advisor
‎2022-07-01 05:03 AM
In response to Tomer_Noy
Jump to solution

@Tomer_Noy wrote:

 

...The internal query leverages indexes that span domains and is much more efficient than iterating over domains and doing a separate where-used on each one. 

This functionality is also available in SmartConsole starting from R81 in the System domain. It comes with another feature called cross-domain search that lets you find object definitions across domains (not just where-used).

** If you have multiple MDS servers with different active domains, you should run it once per server.

 

Hi,

we run into the same challenge (MDSM R80.40) 

Using Global Policy with Global objects and pushing to domain policies works good. But the feature 'where used' does not work in this case. Running 'where used' in global policy might report 'not used' but in reality heavily used inside domains and provides confusion for admins/HelpDesk.

So upgrading might tackle cross-domain search. But you need to run manually on every MDS in the HA construct. correct?

Do you have any proposal/idea for such szenarios?

Regards

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events