JuPo
Employee

CLI command to disconnect all SmartConsole sessions/users

Hi guys,

Is there any CLI command (except cpstop) that disconnects all SmartConsole sessions/users?

Thx

Juraj

10 Replies
Tal_Paz-Fridman
Employee

You can use Management API commands:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/disconnect~v1.8%20

As you can see, there are additional options; you can also Publish, Discard, or Take over another session (not just of SmartConsole).

JuPo
Employee

Hi @Tal_Paz-Fridman ,

Unfortunately, the provided solution doesn't work for me. I see a connection on port 18190 established even after executing mgmt_cli disconnect for all existing session-uids. Am I doing anything wrong?

[Expert@cp-mng:0]# netstat -ptna | grep -E '(18190|19009)' | grep -vE '(127.0.0.*127.0.0|LISTEN)'
tcp 0 0 ::ffff:172.20.3.33:18190 ::ffff:172.20.21.152:1100 ESTABLISHED 15745/fwm

[Expert@cp-mng:0]# mgmt_cli show sessions -r true --format json | jq -r .objects[].uid | while read -r uid; do mgmt_cli disconnect uid $uid -r true; done
message: "OK"
--------------------------------------------
Time: [15:48:08] 8/1/2022
---------------------------------------------
"Publish operation" succeeded (100%)

[Expert@cp-mng:0]# netstat -ptna | grep -E '(18190|19009)' | grep -vE '(127.0.0.*127.0.0|LISTEN)'
tcp 0 0 ::ffff:172.20.3.33:18190 ::ffff:172.20.21.152:1100 ESTABLISHED 15745/fwm

BR

Juraj

0 Kudos
Tal_Paz-Fridman
Employee

Hi 

I tried it in my lab and it disconnected the SmartConsole with the relevant notification message.

Did you check if SmartConsole was actually disconnected? 

BR

Tal

JuPo
Employee

Hi @Tal_Paz-Fridman ,

SC is running on the customer's admin computer and I am checking this during the night, so I cannot verify it. Anyway, even after running mgmt_cli disconnect I see a connection on port 18190. The connection is alive - verified by tcpdump. I am wondering why this connection is not terminated after running mgmt_cli disconnect.

My intention is to run migrate export without running cpstop before the export. I am using netstat to verify that there are no connections on port 18190 and 19009 to ensure that no SC admins are connected to the mgmt server.

j

0 Kudos
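
The check described in the post above (no SmartConsole client connections left on ports 18190 and 19009 before an export), as an added example that is not part of the original thread. The function names are illustrative and the netstat sample is constructed; `disconnect_all_sessions` only wraps the one-liner posted earlier, with quoting added.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are illustrative.
SC_PORTS="18190 19009"   # SmartConsole ports named in the thread

# stdin: `netstat -ptna` output. Prints "peer local_port pid/program" for each
# ESTABLISHED socket whose LOCAL port is a SmartConsole port and whose peer is
# not loopback. Matching the port field avoids hits on a client source port.
sc_connections() {
  awk -v ports="$SC_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      lport = $4; sub(/.*:/, "", lport)       # text after the last colon
      if (!(lport in want)) next
      peer = $5; sub(/:[0-9]+$/, "", peer)    # drop the peer port
      sub(/^::ffff:/, "", peer)               # unwrap IPv4-mapped IPv6
      if (peer ~ /^127\./ || peer == "::1") next
      print peer, lport, $7
    }'
}

# stdin: `netstat -ptna` output. Returns 0 only if no client is still connected.
sc_idle() {
  left=$(sc_connections)
  if [ -n "$left" ]; then
    printf 'still connected:\n%s\n' "$left" >&2
    return 1
  fi
  return 0
}

# The one-liner from the thread, quoted. An "OK" reply is not treated as proof:
# the thread shows the socket can outlive it, so re-check with sc_idle.
disconnect_all_sessions() {
  mgmt_cli show sessions -r true --format json |
    jq -r '.objects[].uid' |
    while read -r uid; do mgmt_cli disconnect uid "$uid" -r true; done
}

# Constructed sample input (documentation address ranges).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:18190 0.0.0.0:* LISTEN 15745/fwm
tcp 0 0 127.0.0.1:18190 127.0.0.1:45012 ESTABLISHED 15745/fwm
tcp 0 0 ::ffff:192.0.2.10:18190 ::ffff:198.51.100.7:1100 ESTABLISHED 15745/fwm
tcp 0 0 192.0.2.10:19009 198.51.100.8:52344 ESTABLISHED 15745/fwm
tcp 0 0 192.0.2.10:443 198.51.100.9:18190 ESTABLISHED 9001/httpd
tcp 0 0 192.0.2.10:18190 198.51.100.7:1101 TIME_WAIT -'

printf '%s\n' "$SAMPLE_NETSTAT" | sc_connections
# On a management server: disconnect_all_sessions; netstat -ptna | sc_idle
```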
the_rock
Champion

Hey @Tal_Paz-Fridman ...sorry to respond so late on this thread, but can you tell me if the command below would be right to, say, disconnect admin from SmartConsole? I tried, but no luck...

[Expert@MANAGEMENT:0]# mgmt_cli show session -u admin
Password:
uid: "89720905-a10c-4c37-900d-5f838b440327"
type: "session"
domain:
  uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
  name: "SMC User"
  domain-type: "domain"
state: "open"
user-name: "admin"
description: ""
last-login-time:
  posix: 1645675092743
  iso-8601: "2022-02-23T22:58-0500"
expired-session: false
application: "WEB_API"
changes: 0
in-work: true
ip-address: "127.0.0.1"
locks: 0
connection-mode: "read write"
session-timeout: 600
connected-server:
  uid: "c8212fa6-fa7c-5e44-ae2f-a19bd304c2de"
  name: "MANAGEMENT"
  type: "checkpoint-host"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "NetworkObjects/management"
  color: "black"
comments: ""
color: "black"
icon: "Objects/worksession"
tags: []
meta-info:
  lock: "unlocked"
  validation-state: "ok"
  last-modify-time:
    posix: 1645675092749
    iso-8601: "2022-02-23T22:58-0500"
  last-modifier: "admin"
  creation-time:
    posix: 1645675092620
    iso-8601: "2022-02-23T22:58-0500"
  creator: "admin"
read-only: true

[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "89720905-a10c-4c37-900d-5f838b440327"
Username: admin
Password:
message: "OK"

 

---------------------------------------------
Time: [22:58:46] 23/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]#

JuPo
Employee

Hi @the_rock,

It didn't work for me, either. I tried it for a single user and for all users:

mgmt_cli show sessions -r true --format json | jq -r .objects[].uid | while read -r uid; do mgmt_cli disconnect uid $uid -r true; done
message: "OK"

the_rock
Champion

I know...let's see if @Tal_Paz-Fridman can provide us with the exact syntax we need. Following the API guide, I ran the exact commands it gave, but no luck. I have a feeling maybe the UID is wrong, but it's not clear how to confirm it for a specific user.

0 Kudos
the_rock
Champion

Also, the command you gave did work for me, but if I try the below, it does NOT disconnect me from SmartConsole...

Andy

[Expert@MANAGEMENT:0]# mgmt_cli show sessions -r true
objects:
- uid: "e21b5f0f-02ab-47ff-825e-0ce527fd8424"
  type: "session"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Objects/worksession"
  color: "black"
from: 1
to: 1
total: 1

[Expert@MANAGEMENT:0]# mgmt_cli mgmt_cli disconnect uid "41e821a0-3720-11e3-aa6e-0800200c9fde"
Error: The parameters of mgmt_cli command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "41e821a0-3720-11e3-aa6e-0800200c9fde"
Username: admin
Password:
message: "OK"

 

---------------------------------------------
Time: [11:10:24] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]# mgmt_cli disconnect uid "e21b5f0f-02ab-47ff-825e-0ce527fd8424"
Username: admin
Password:
message: "OK"

 

---------------------------------------------
Time: [11:11:08] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)

the_rock
Champion

I think I got it...below is what worked. I looked for the UID under the worksession line...

[Expert@MANAGEMENT:0]#
[Expert@MANAGEMENT:0]# mgmt_cli show sessions -r true
objects:
- uid: "81431391-fbfc-49d5-9d76-7b9fcc4ba6c8"
  type: "session"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Objects/worksession"
  color: "black"
- uid: "97d857c5-b045-412c-8361-2e7b12a4d5be"
  type: "session"
  domain:
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Objects/worksession"
  color: "black"
from: 1
to: 2
total: 2

[Expert@MANAGEMENT:0]# mgmt_cli disconnect -r true uid "97d857c5-b045-412c-8361-2e7b12a4d5be"
message: "OK"

 

---------------------------------------------
Time: [11:18:12] 24/2/2022
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@MANAGEMENT:0]#

JozkoMrkvicka
Leader

If your management is protected by a gateway (it should be), then you can use a SAM rule on the gateway to cut all connections from all users connected to the specific port used by SC (port tcp/19009 in case of R8x):

source: any

destination: management IP (or IPs in case of HA)

port: tcp/19009

action: reject

Another similar option would be to add an access deny rule for a specific time range (like till the next hour). But it depends on what the connection persistence is, as it may happen that the new rule will be valid only for new connections, but not for already established ones (for that SAM can help).

Kind regards,
Jozko Mrkvicka
0 Kudos