Solved: CLI command to disconnect all SmartConsole session...

JuPo · ‎2022-01-06

Hi guys,

is there any CLI command (except cpstop) that disconnects all SmartConsole sessions/users?

Thx

Juraj

Nicholas_Cuba · ‎2023-03-02

In a R81.20 management server, i.e. Management API v1.9 , this one-liner worked for me to disconnect everyone logged in to the management's SmartConsole

mgmt_cli -r true show sessions details-level full -f json | jq -r '.objects[] | select(."user-name" != "WEB_API") | .uid' | while read -r uid; do mgmt_cli -r true disconnect uid $uid; done

View solution in original post

Tal_Paz-Fridman · ‎2022-01-06

You can use Management API commands:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/disconnect~v1.8%20

As you can see, there are additional options; you can also Publish, Discard, Takeover another session (not just of SmartConsole)

JuPo · ‎2022-01-08

Hi @Tal_Paz-Fridman ,

unfortunately, provided solution doesn`t work for me. I see connection on port 18190 established even after executing mgmt_cli disconnect for all existing session-uids. Am I doing anything wrong?

[Expert@cp-mng:0]# netstat -ptna | grep -E '(18190|19009)' | grep -vE '(127.0.0.*127.0.0|LISTEN)'
tcp 0 0 ::ffff:172.20.3.33:18190 ::ffff:172.20.21.152:1100 ESTABLISHED 15745/fwm 

[Expert@cp-mng:0]# mgmt_cli show sessions -r true --format json | jq -r .objects[].uid | while read -r uid; do mgmt_cli disconnect uid $uid -r true; done
message: "OK"
--------------------------------------------
Time: [15:48:08] 8/1/2022
---------------------------------------------
"Publish operation" succeeded (100%) 

[Expert@cp-mng:0]# netstat -ptna | grep -E '(18190|19009)' | grep -vE '(127.0.0.*127.0.0|LISTEN)'
tcp 0 0 ::ffff:172.20.3.33:18190 ::ffff:172.20.21.152:1100 ESTABLISHED 15745/fwm

BR

Juraj

Tal_Paz-Fridman · ‎2022-01-11

Hi

I tried it in my lab and it disconnected the SmartConsole with the relevant notification message.

Did you check if SmartConsole was actually disconnected?

BR

Tal

JuPo · ‎2022-01-22

Hi @Tal_Paz-Fridman ,

SC is running on customers admin computer and I am checking this during the night, so I can not verify it. Anyway even after running mgmt_cli disconnect I see a connection on port 18190. The connection is alive - verified by tcpdump. I am wondering why this connection is not terminated after running mgmt_cli disconnect.

My intention is to run migrate export without running cpstop before the export. I am using netstat to verity that there are no connections on port 18190 and 19009 to ensure that no SC admins are connected to the mgmt server.

j

the_rock · ‎2022-02-23

Hey @Tal_Paz-Fridman ...sorry to respond so late on this thread, but can you tell me if below command would be right to say, disconnect admin from smart console. I tried, but no luck...

[Expert@MANAGEMENT:0]# mgmt_cli show session -u admin
Password:
uid: "89720905-a10c-4c37-900d-5f838b440327"
type: "session"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
state: "open"
user-name: "admin"
description: ""
last-login-time:
posix: 1645675092743
iso-8601: "2022-02-23T22:58-0500"
expired-session: false
application: "WEB_API"
changes: 0
in-work: true
ip-address: "127.0.0.1"
locks: 0
connection-mode: "read write"
session-timeout: 600
connected-server:
uid: "c8212fa6-fa7c-5e44-ae2f-a19bd304c2de"
name: "MANAGEMENT"
type: "checkpoint-host"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
icon: "NetworkObjects/management"
color: "black"
comments: ""
color: "black"
icon: "Objects/worksession"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1645675092749
iso-8601: "2022-02-23T22:58-0500"
last-modifier: "admin"
creation-time:
posix: 1645675092620
iso-8601: "2022-02-23T22:58-0500"
creator: "admin"
read-only: true

[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "89720905-a10c-4c37-900d-5f838b440327"
Username: admin
Password:
message: "OK"

---------------------------------------------
Time: [22:58:46] 23/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]#

JuPo · ‎2022-02-24

Hi @the_rock,

it didn`t work for me, too. I tried it for a single user and for all users:

mgmt_cli show sessions -r true --format json | jq -r .objects[].uid | while read -r uid; do mgmt_cli disconnect uid $uid -r true; done
message: "OK"

the_rock · ‎2022-02-24

I know...lets see if @Tal_Paz-Fridman can provide us with exact syntax we need. Following api guide, I ran exact commands it gave, but no luck. I have a feeling maybe UID is wrong, but its not clear how to confirm it for specific user.

the_rock · ‎2022-02-24

Also, command you gave did work for me, but if I try below, it does NOT disconnect me from smart console...

Andy

[Expert@MANAGEMENT:0]# mgmt_cli show sessions -r true
objects:
- uid: "e21b5f0f-02ab-47ff-825e-0ce527fd8424"
type: "session"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
icon: "Objects/worksession"
color: "black"
from: 1
to: 1
total: 1

[Expert@MANAGEMENT:0]# mgmt_cli mgmt_cli disconnect uid "41e821a0-3720-11e3-aa6e-0800200c9fde"
Error: The parameters of mgmt_cli command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "41e821a0-3720-11e3-aa6e-0800200c9fde"
Username: admin
Password:
message: "OK"

---------------------------------------------
Time: [11:10:24] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "e21b5f0f-02ab-47ff-825e-0ce527fd8424"
Username: admin
Password:
message: "OK"

---------------------------------------------
Time: [11:11:08] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)

the_rock · ‎2022-02-24

I think I got it...below is what worked. I looked for UID under worksession line...

[Expert@MANAGEMENT:0]#
[Expert@MANAGEMENT:0]# mgmt_cli show sessions -r true
objects:
- uid: "81431391-fbfc-49d5-9d76-7b9fcc4ba6c8"
type: "session"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
icon: "Objects/worksession"
color: "black"
- uid: "97d857c5-b045-412c-8361-2e7b12a4d5be"
type: "session"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
icon: "Objects/worksession"
color: "black"
from: 1
to: 2
total: 2

[Expert@MANAGEMENT:0]# mgmt_cli disconnect -r true uid "97d857c5-b045-412c-8361-2e7b12a4d5be"
message: "OK"

---------------------------------------------
Time: [11:18:12] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]#

JozkoMrkvicka · ‎2022-01-23

If your management is protected by gateway (should be), then you can use SAM rule on the gateway to cut all connections from all users connected to specific port used by SC (port tcp/19009 in case of R8x):

source: any

destination: management IP (or IPs in case of HA)

port: tcp/19009

action: reject

Another similar option would be to add access deny rule for specific time range (like till next hour). But depends what is connection persistance as it may happen that the new rule will be valid only for new connections, but not for already established (for that SAM can help).

Kind regards,
Jozko Mrkvicka

Nicholas_Cuba · ‎2023-03-02

In a R81.20 management server, i.e. Management API v1.9 , this one-liner worked for me to disconnect everyone logged in to the management's SmartConsole

mgmt_cli -r true show sessions details-level full -f json | jq -r '.objects[] | select(."user-name" != "WEB_API") | .uid' | while read -r uid; do mgmt_cli -r true disconnect uid $uid; done

the_rock · ‎2023-03-02

EXCELLENT! Just tested and disconnected 3 people connected to my R81.20 lab smart console. THANK YOU 🙌🙌 @Nicholas_Cuba

Nicholas_Cuba · ‎2023-03-02

I suspect the previous one-liners were kicking themselves out. mgmt_cli -r true logs in with username WEB_API, and it always seems to be the first user's info listed in a show sessions output.

the_rock · ‎2023-03-02

Makes sense. In all honesty, Im probably the WORST person when it comes to api commands, so unless I verify in the lab first, I would not give it to anyone, haha.

Andy

Are you a member of CheckMates?

CLI command to disconnect all SmartConsole sessions/users