Hi guys,
I would like to ask if there are some plans to include handling users via API in future releases (local account creation, certificate generation, etc.)? Now there is no such possibility via API and I think it could be very handy when migrating from different platforms.
thx for info
Hi Ivo,
Yes, there are plans to support User objects via API.
Unfortunately, I cannot provide estimations for release version/date at this moment.
Robert.
Hi
This is also a feature I would like. Is there any update on when it may be included?
thanks
Paul
Hi Paul,
Our R&D is working to provide full support for user creation with standard API commands.
Meanwhile, you can use this thread to create users with a non-standard approach -
https://community.checkpoint.com/docs/DOC-2844
Robert.
Thanks Robert, appreciate the speedy response.
We have an audit requirement to send a list of users that are contained within a specific user group monthly. It sounds like an easy request but so far I am failing. I'm no API / JSON expert by the way. Do you know if there's a simple way to do this?
This bash script expects a user group name as its parameter, and creates a text file with this name containing all user names -
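#!/bin/bash
# Usage: ./script.sh GROUP_NAME   (writes the member names to GROUP_NAME.txt)
JQ=${CPDIR}/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
# Start with an empty output file
> "$USER_NAMES_FILE"
# Fetch the group object; the member UIDs are read from its .emptyFieldName array
mgmt_cli -r true show generic-objects name "$GROUP_NAME" details-level full -f json > "$USERS_FILE"
if [ $? -eq 0 ]; then
    USERS_UIDS=($("$JQ" -r '.objects[] | .emptyFieldName[] | .' "$USERS_FILE"))
    for USER_UID in "${USERS_UIDS[@]}"; do
        echo 'User UID: '"$USER_UID"
        # Resolve each member UID to its object and record the name
        mgmt_cli -r true show generic-object uid "$USER_UID" -f json > "$USER_FILE"
        if [ $? -eq 0 ]; then
            # Plain string, not an array, so names containing spaces stay whole
            USER_NAME=$("$JQ" -r '.name' "$USER_FILE")
            echo 'User Name: '"$USER_NAME"
            echo "$USER_NAME" >> "$USER_NAMES_FILE"
        fi
    done
fi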
You should run it on your management server.
Robert.
Thanks again Robert
I took the script. Copied it onto my Mgt Server (/home/admin). Renamed it as Users_in_group.sh . Did a chmod to allow for execution (777).
In expert mode ran as "./Users_in_group.sh Our-Group-name-var"
And got "/Users_in_group: cannot execute binary file" error message.
Excuse my lack of knowledge here but am I doing something wrong?
Run dos2unix on it before the execution.
Apologies Robert - I was offsite the last week. I tried it there and it's working for me a treat. Thanks so much for your help.
Paul
One more thing Robert - It runs fine from the command line as admin. When I try to schedule the command via job scheduler on GAIA www GUI it gives me the following errors.
Any ideas? It's the same user running the same command in both cases. Maybe it's shell related?
The scheduled job is to run this command (your script is called Usergplist.sh)
./Usergplist.sh treas_users
The job fails with the following output:
./Usergplist.sh: line 12: mgmt_cli: command not found
./Usergplist.sh: line 14: /jq/jq: No such file or directory
Did you apply the chmod 777 on the script?
Hi Robert
Yes I did. The script works fine directly from SSH command line. It only fails, as above, via job scheduler on Web Interface.
The job scheduler command syntax is also exactly the same via SSH command line and Web interface.
Any ideas?
Hi Paul,
I've no idea how the job scheduler works.
Maybe Dameon Welch Abernathy can assist here.
Robert.
That's because certain environment variables aren't set when you run via cron/job scheduler that ARE set when run from the CLI.
From the above:
Thanks Dameon & Robert Decker
I have now modified the script as below but am now getting a different error. I don't even see how this shared library is being called by the script. Reckon this is hopefully the last hurdle!
Just to confirm, the script still runs fine from CLI.
Error from Job scheduler:
/opt/CPshrd-R80/bin/mgmt_cli: error while loading shared libraries: libmgmt_cli_utils.so: cannot open shared object file: No such file or directory
Adjusted script:
#!/bin/sh
JQ=/opt/CPshrd-R80/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
> $USER_NAMES_FILE
/opt/CPshrd-R80/bin/mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
    USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
    for USER_UID in ${USERS_UIDS[@]}; do
        echo 'User UID: '"$USER_UID"
        /opt/CPshrd-R80/bin/mgmt_cli -r true show generic-object uid $USER_UID -f json > $USER_FILE
        if [ $? -ne 1 ]; then
            USER_NAME=($($JQ -r '.name' $USER_FILE))
            echo 'User Name: '"$USER_NAME"
            echo $USER_NAME >> $USER_NAMES_FILE
        fi
    done
fi
Hi Paul,
The libmgmt_cli_utils.so library is used internally by mgmt_cli tool.
It is located in - "/opt/CPshrd-R80/lib" folder. You have to reference this folder too in your command execution path.
Robert.
Hi Robert
I have played around with this for a while with no luck.
Is this what you mean below? I doubt it... it doesn't look right to me and I'm a complete novice. If so - it's still failing with the same error.
Sorry about this - how should the "/opt/CPshrd-R80/lib/" be included in the command execution path?
Thanks again
#!/bin/sh
JQ=/opt/CPshrd-R80/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
> $USER_NAMES_FILE
/opt/CPshrd-R80/bin/mgmt_cli -r true show /opt/CPshrd-R80/lib/generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
    USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
    for USER_UID in ${USERS_UIDS[@]}; do
        echo 'User UID: '"$USER_UID"
        /opt/CPshrd-R80/bin/mgmt_cli -r true show /opt/CPshrd-R80/lib/generic-object uid $USER_UID -f json > $USER_FILE
        if [ $? -ne 1 ]; then
            USER_NAME=($($JQ -r '.name' $USER_FILE))
            echo 'User Name: '"$USER_NAME"
            echo $USER_NAME >> $USER_NAMES_FILE
        fi
    done
fi
In your script, include the following line before any commands are executed:
source /opt/CPshrd-R80/tmp/.CPprofile.sh
This should set all the necessary variables.
(Note this may need to be changed after major upgrades)
Then you can do the mgmt_cli commands without paths (e.g. mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE)
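The environment fix described above, as an added example that is not part of the original thread: a preflight that reports which of the three scheduler failures quoted earlier would occur, sources the profile only when needed, and also checks that the script file is writable by its owner only (the script in this thread was set to chmod 777). The function names, the stand-in profile built by `demo` and the scheduler's `PATH` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for a scheduled mgmt_cli script.
# CP_PROFILE defaults to the path given in the thread; it changes with the version.
CP_PROFILE="${CP_PROFILE:-/opt/CPshrd-R80/tmp/.CPprofile.sh}"

# List what the current environment lacks, one item per line. Each item maps
# to one of the scheduler errors quoted in the thread.
missing_prereqs() {
    command -v mgmt_cli >/dev/null 2>&1 || echo "mgmt_cli not in PATH"
    [ -n "${CPDIR:-}" ] || echo "CPDIR unset, so \${CPDIR}/jq/jq is /jq/jq"
    case ":${LD_LIBRARY_PATH:-}:" in
        *":${CPDIR:-/nonexistent}/lib:"*) ;;
        *) echo "LD_LIBRARY_PATH lacks CPDIR/lib (libmgmt_cli_utils.so)" ;;
    esac
}

# Source the profile only when something is missing, then re-check.
# Returns 0 if the environment is complete; otherwise lists problems on stderr.
load_cp_env() {
    [ -z "$(missing_prereqs)" ] && return 0
    [ -r "$CP_PROFILE" ] && . "$CP_PROFILE"
    problems=$(missing_prereqs)
    [ -z "$problems" ] && return 0
    echo "$problems" >&2
    return 1
}

# True if only the owner can write the file. The scheduler runs whatever the
# file contains, so a script left at chmod 777 fails this check.
owner_only_writable() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Constructed demo: stand-in profile and mgmt_cli in a temp dir, so it runs
# on any machine. The subshell imitates a scheduler's minimal environment.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/bin" "$d/lib"
    printf '#!/bin/sh\n' > "$d/bin/mgmt_cli" && chmod 755 "$d/bin/mgmt_cli"
    printf 'CPDIR="%s"\nPATH="%s/bin:$PATH"\nLD_LIBRARY_PATH="%s/lib"\n' \
        "$d" "$d" "$d" > "$d/profile.sh"
    echo 'export CPDIR PATH LD_LIBRARY_PATH' >> "$d/profile.sh"
    (
        unset CPDIR LD_LIBRARY_PATH; PATH=/usr/bin:/bin   # assumed scheduler PATH
        before=$(missing_prereqs | wc -l)
        CP_PROFILE="$d/profile.sh"; load_cp_env 2>/dev/null
        after=$(missing_prereqs | wc -l)
        echo "before=$((before)) after=$((after))"
    )
    rm -rf "$d"
}

demo   # prints: before=3 after=0
```

In a scheduled script, the equivalent call is `load_cp_env || exit 1` before the first mgmt_cli command.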
Thanks Dameon - that's a very useful command. All working now. Thanks for all your help (& Robert too).
Paul
Thank you for this! I hit the same wall getting a script to run & found this point. Problem solved!
Hey @Robert_Decker
Thank you so much for the script.
I have tested it. It also works on R80.30 Mgmt.
Only small things have to be adapted.
#!/bin/sh
JQ=/opt/CPshrd-R80.30/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
> $USER_NAMES_FILE
/opt/CPshrd-R80.30/bin/mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
    USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
    for USER_UID in ${USERS_UIDS[@]}; do
        echo 'User UID: '"$USER_UID"
        /opt/CPshrd-R80.30/bin/mgmt_cli -r true show generic-object uid $USER_UID -f json > $USER_FILE
        if [ $? -ne 1 ]; then
            USER_NAME=($($JQ -r '.name' $USER_FILE))
            echo 'User Name: '"$USER_NAME"
            echo $USER_NAME >> $USER_NAMES_FILE
        fi
    done
fi
Would anyone happen to have a script that would list all users and all groups with users? We have a client that requests a list of users and groups every month. I was able to use this script to get the groups individually and then merged the txt files into an Excel spreadsheet, but would like to avoid that last step if at all possible.
Thanks in advance!
Hi All,
I have tried using this script via CMD line on my primary MDS and get the following error
Error: The parameters of show-generic-objects command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
Basically, what I am trying to achieve is to extract all of the users from a group within a specific domain. Is it possible from this script?
SACn is the name of the group I am trying to get a list of users from. Obviously nothing here specifies the domain; do I need to include that somehow?
-----------------------------------------------------------------------------------------
#!/bin/sh
JQ=/opt/CPshrd-R80.20/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
> $USER_NAMES_FILE
/opt/CPshrd-R80.20/bin/mgmt_cli -r true show generic-objects name $SACn details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
    USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
    for USER_UID in ${USERS_UIDS[@]}; do
        echo 'User UID: '"$USER_UID"
        /opt/CPshrd-R80.20/bin/mgmt_cli -r true show generic-object uid $USER_UID -f json > $USER_FILE
        if [ $? -ne SACn ]; then
            USER_NAME=($($JQ -r '.name' $USER_FILE))
            echo 'User Name: '"$USER_NAME"
            echo $USER_NAME >> $USER_NAMES_FILE
        fi
    done
fi
--------------------------------------------------------------------------------------------------
Many thanks in advance
Dave
Hi All,
I ran this script and it's working great in R80.30, but I would like the help of experts in scripts to improve this as follows:
Instead of running with ./script.sh <group_name>, what can be done so that we run something like ./script.sh and it returns a file with all existing groups and their users?
Sample:
result.txt
group1
user1
user2
user3
group2
user3
user4
user8
group6
user1
user8
user10
Thanks if anybody can help..
Congrats you ran it without issues. Can you please provide the scripts you used and how to run it in your management server?
Thanks,
Vince
Tried to use the script below with a different path location since I'm using R80.40, but I'm still getting the error below.
The parameters of show-generic-objects command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
--------------------------
#!/bin/sh
JQ=/opt/CPshrd-R80.40/jq/jq
GROUP_NAME=$1
USERS_FILE="users.json"
USER_FILE="user.json"
USER_NAMES_FILE="$GROUP_NAME.txt"
> $USER_NAMES_FILE
/opt/CPshrd-R80.40/bin/mgmt_cli -r true show generic-objects name $GROUP_NAME details-level full -f json > $USERS_FILE
if [ $? -ne 1 ]; then
    USERS_UIDS=($($JQ -r '.objects[] | .emptyFieldName[] | .' $USERS_FILE))
    for USER_UID in ${USERS_UIDS[@]}; do
        echo 'User UID: '"$USER_UID"
        /opt/CPshrd-R80.40/bin/mgmt_cli -r true show generic-object uid $USER_UID -f json > $USER_FILE
        if [ $? -ne 1 ]; then
            USER_NAME=($($JQ -r '.name' $USER_FILE))
            echo 'User Name: '"$USER_NAME"
            echo $USER_NAME >> $USER_NAMES_FILE
        fi
    done
fi
-------------------------------
By the way the steps I performed to run the scripts are below.
1. Login to the Management Server. In expert mode, execute chmod +x users.sh.
2. Execute ./users.sh
Hope you can help me. Thanks,
Vince
Try changing step 2 to include the name of the group you want to get the user information for:
./users.sh GROUP_NAME
Has anyone tried to add a user on an MDS?
I would like to do the following:
Add an admin user with authentication method RADIUS and then assign the correct Radius Server group object, assign DMS and Permission Profile, set a standard colour for the user, and fill out Additional Info.
I'm also not sure if this is now available in R81, but really would be great if we can assign admins to groups and then assign groups to DMS with permission profiles. In this way we can just add a user to a group and then they have access to the relevant DMS.
In API version 1.6.1 (available from R80.40 take 78) and API version 1.7 (R81), we've added API support for users and user groups:
https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-user~v1.6.1%20
This includes setting the authentication method to RADIUS, and setting a reference to the RADIUS server object.
With this, you should be able to work with the standard APIs and not use the generic-object.
Let us know if this is useful to you!
Nice, another reason to upgrade my P1s. We are planning (by this I mean waiting for the right window) to upgrade to R81.
We are currently on R80.30