This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tho
Contributor
‎2023-01-16 08:24 AM
Jump to solution

Change Expiration Date Users

Hello, 

 

I would like to know how we can adjust the expiration date without going through all users one by one.

 

Thanks in advance. 

0 Kudos
1 Solution

Accepted Solutions
Tho
Contributor
‎2023-01-18 04:51 AM
In response to PhoneBoy
Jump to solution

Script is working now, this got the job done: 

#!/bin/bash
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1704037500139 #setup checked date in ms epoch time - 2023-12-31 16:45
new_date="2026-01-31" #setup new desired date in ISO format

offset=0
echo "Checking expiration time of all users..."
echo -e "";
while true; do
users_list=$(mgmt_cli -r true show users offset $offset limit 50 --format json --port 4434 |jq '.objects[].name')
if [ "$users_list" = "[]" ]; then
break
fi
for user in $users_list; do
expiration=`mgmt_cli -r true show user name $user --format json --port 4434 |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2023 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json --port 4434 > /dev/null
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;
done
offset=$((offset+50))
done

 

Thanks @PhoneBoy 

View solution in original post

0 Kudos
16 Replies
PhoneBoy
Admin
Admin
‎2023-01-16 04:01 PM
Jump to solution

Use a script to do it.
See: https://community.checkpoint.com/t5/Scripts/Extend-local-users-expiration-local-API-bash-scripts/m-p... 

0 Kudos
Tho
Contributor
‎2023-01-17 05:40 AM
In response to PhoneBoy
Jump to solution

We will test it, thank you. 

0 Kudos
Tho
Contributor
‎2023-01-17 06:05 AM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy, 

 

This is what I get back when we are running the script: 

jq: error: Cannot iterate over null
Logout failed
Checking expiration time of all users...

What am I doing wrong? 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-17 01:25 PM
In response to Tho
Jump to solution

What version/JHF of management are you running?
I believe the script requires R80.40 with the latest recommended JHF or above.

0 Kudos
Tho
Contributor
‎2023-01-17 01:28 PM
In response to PhoneBoy
Jump to solution

We are running R81.10 take 335.

 

 

0 Kudos
Tho
Contributor
‎2023-01-17 01:32 PM
In response to Tho
Jump to solution

This is the script we are using: 

 

#!/bin/bash
# Created by tvobruba
# version 001
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1609459162000 #setup checked date in ms epoch time - 2020-12-31 16:45
new_date="2036-01-31" #setup new desired date in ISO format

# export list of users to file
mgmt_cli -r true show users --format json |jq '.objects[].name' > list.txt


echo "Checking expiration time of all users..."
echo -e "";
for user in `cat ./list.txt`; do

expiration=`mgmt_cli -r true show user name $user --format json |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2020 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;

done

rm -f ./list.txt

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-17 02:20 PM
In response to Tho
Jump to solution

What does the following command show?

mgmt_cli -r true show users --format json

Note this script may not work as-is (especially if you have more than 500 users) and will require modifications to get you the desired result.

0 Kudos
Tho
Contributor
‎2023-01-17 04:09 PM
In response to PhoneBoy
Jump to solution

This is what the command shows:

{
"code" : "generic_error",
"message" : "Error 404. The Management API service is not available. Please check that the Management API server is up and running."
}

Logout failed

I already checked the API service is up and running. 

When I run the command 'api status' it shows me this info:

When running mgmt_cli commands add '--port 44 34'

We have close to 400 users at the moment. 

 

0 Kudos
Tho
Contributor
‎2023-01-17 04:19 PM
In response to Tho
Jump to solution

When I run the same command and I add --port 4434  at the end (mgmt_cli -r true show users --format json --port 4434) it shows me a bunch of users, so that works now. 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-17 04:47 PM
In response to Tho
Jump to solution

If you've changed the default port, yes, you will have to modify the script accordingly as mgmt_cli assumes port 443 otherwise.

0 Kudos
Tho
Contributor
‎2023-01-17 04:56 PM
In response to PhoneBoy
Jump to solution

Ok, I modified the script a tiny bit:

#!/bin/bash
# Created by tvobruba
# version 001
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1609459162000 #setup checked date in ms epoch time - 2020-12-31 16:45
new_date="2036-01-31" #setup new desired date in ISO format

# export list of users to file
mgmt_cli -r true show users --format json --port 4434 |jq '.objects[].name' > list.txt


echo "Checking expiration time of all users..."
echo -e "";
for user in `cat ./list.txt`; do

expiration=`mgmt_cli -r true show user name $user --format json --port 4434 |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2020 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;

done

rm -f ./list.txt

 

The script is now running and it's checking the expiration date of the users that start with letter a, b and c and then it stops. 

Example: 

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026
User: "x", 1769814000000

"x" will expire not before: Sat Jan 31 00:00:00 CET 2026

We already changed the expiration date of some users to 31-1-2026 (manually). 

How to go from here? 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-17 05:15 PM
In response to Tho
Jump to solution

I suspect you have more users than the result of "show users" will return on its own.
Which means you will need to make multiple calls to show users with the "offset" parameter to get all the users.
This exact issue was discussed here: https://community.checkpoint.com/t5/API-CLI-Discussion/Export-Users-with-Specific-Expiry-amp-and-Val... 

0 Kudos
Tho
Contributor
‎2023-01-18 04:51 AM
In response to PhoneBoy
Jump to solution

Script is working now, this got the job done: 

#!/bin/bash
# script is checking and changing expiration date for all internal users in CP MGMT database
# usage: chmod 700 && ./script.sh

date=1704037500139 #setup checked date in ms epoch time - 2023-12-31 16:45
new_date="2026-01-31" #setup new desired date in ISO format

offset=0
echo "Checking expiration time of all users..."
echo -e "";
while true; do
users_list=$(mgmt_cli -r true show users offset $offset limit 50 --format json --port 4434 |jq '.objects[].name')
if [ "$users_list" = "[]" ]; then
break
fi
for user in $users_list; do
expiration=`mgmt_cli -r true show user name $user --format json --port 4434 |jq '."expiration-date".posix'`
echo User: $user, $expiration
echo ""

if [ $date \> $expiration ];
then
echo "$user will expire before 31.12.2023 23:55";
echo "Setting new expiration..."
echo ""
mgmt_cli -r true set user name $user expiration-date "$new_date" --format json --port 4434 > /dev/null
else
echo "$user will expire not before: `date -d @$( echo "($expiration + 500) / 1000" | bc)`";
fi;
done
offset=$((offset+50))
done

 

Thanks @PhoneBoy 

0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2023-01-17 10:39 PM
In response to Tho
Jump to solution

This is how I took care of it automatically:

 

# Validate API status, exit 101 if not running
APISTATUS=`api status|grep 'API Status'|awk '{print $4}'`
if [ "$APISTATUS" != "Started" ]; then
echo "API Server is not available but $APISTATUS"
exit 101
fi

# Get API port, set MMGMT CLI accordingly
APIPORT=`api status|grep "Gaia Port"|awk '{print $4}'`
MGMTCLI="mgmt_cli --port $APIPORT"  

 

So you can use the SMGMT_CLI command on every SmartCenter.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Tho
Contributor
‎2023-01-18 04:52 AM
In response to Hugo_vd_Kooij
Jump to solution

Thanks Hugo, will try this. 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-18 09:08 AM
In response to Hugo_vd_Kooij
Jump to solution

Clever!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events