Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
bjohnson
Participant

Display list of Smart Center users via CLI - R88.X

Version R88.X
Looking for a CLI command to display the list of SMART center users currently configured as well privilege (read, read/write).  Thank you.

0 Kudos
9 Replies
PhoneBoy
Admin
Admin

Probably the easiest way to do it:

mgmt_cli -r true --domain "System Data" --format json show administrators details-level full | jq -r '.objects[] | [.name, ."permissions-profile".name] | @csv '

This will show you the username and Permission Profile name in CSV format. 
This assumes the Permission Profile name is meaningful as it has a bunch of different permissions associated with it.

bjohnson
Participant

The command provided works.  TYVM!!!

bjohnson
Participant

Hi,

 

One follow up question.  The output appears to be truncated to 50 entries.  Can you please advise how to expand the output to exceed 50 entries?

0 Kudos
PhoneBoy
Admin
Admin

For performance reasons, the API only returns a limited number of results (50 in this case).
To get the next 50 results:

mgmt_cli -r true --domain "System Data" --format json show administrators details-level full limit 50 offset 50 | jq -r '.objects[] | [.name, ."permissions-profile".name] | @csv '

Repeat, incrementing offset by another 50, until you have all the results.
0 Kudos
tsnopek
Explorer

Hello PhoneBoy,

your answer is helpful - thank you for that.

However let me please extend that question a bit.

I am wondering if there is any unified way how to extract those user from all versions of Checkpoints?

As far as I understand there are different methods used in versions 80.x and higher ... and older type 77.x

What I have found for older versions 77.x there is a solution shortly described here: http://expert-mode.blogspot.com/2011/11/checkpoint-how-to-export-list-of-vpn.html (using command: fwm dbexport -f /tmp/users_dump.xls   and then   cat /tmp/users_dump.xls)

Honestly it's a bit clumsy to work with such data since further delimitation and some polishing in Excel is needed, but still better than check it out manually in GUI.

My question is if there exists a solution to extract those users in the same way like for 80.x also for older versions.

We just simply need to extract those locally configured IDs and their privileges in order to run the outcome through a script to obtain results of periodical user access re-validation.

Your expertise can be greatly helpful!

Thank you in advance for your answer!

0 Kudos
PhoneBoy
Admin
Admin

There is no unified way to do this between R77.x and R80.x as the management infrastructure in these versions is very different.
Also, locally defined users don't have supported API commands.
For users in known groups, you can use the script here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/users-via-API/td-p/13578
0 Kudos
_Val_
Admin
Admin

Sorry, could not resist 🙂

Wow, how is it there in the future? Did we win against coronavirus yet? In my reality, it is still a bunch of R80.x releases in 2020. 

0 Kudos
bjohnson
Participant

😳oops, sorry for the typo. 

_Val_
Admin
Admin

No worries, we all need a little joke one in a while, especially now 🙂