https://community.checkpoint.com/people/iain.a36f712c-3b0c-435a-988a-9b5ddd1dc3f0‌ these probably will not work for R80 and above though. We simplified. 

Oh right, I only just noticed this is in the R80.10 management place. Sorry!

It's completely changed yeah, the docs for it are here.. 

Multi-Domain Security Management R80.10 (Part of Check Point Infinity) 

There are some examples from the doco below, but scripts can probably be written easily enough to do something along the lines of:

mdsquerydb CMAs | xargs mgmt_cli add host name host1 ip-address 1.2.3.4 ... servers.multi-domain-server servers.name 

or something like 

CMAs=`mdsquerydb CMAs`; MDSs=`mdsquerydb DomainManagementServers`; for i in $CMAs; do mgmt_cli add host name host1 ip-address 1.2.3.4 ... servers.name $CMAs servers.multi-domain-server $MDSs

Where a syntax example is below, it'l likely take some playing around to re-write your admin scripts from < R77.30 to R80.10:

That sounds like a fun job! 

//To create a new Domain Server:

1. Open a terminal emulation program (such as PuTTY).
2. Open an SSH connection to the Multi-Domain Server.
3. Log in with the superuser credentials.
4. Enter expert mode.
5. Run this command:

   mgmt_cli add domain name <domain_name> servers.ip address "<ipv4>" servers.name "<server_name>" servers.multi-domain-server "<mdm_name>"

   For Example:

   mgmt_cli add domain name "domain1" servers.ip-address "192.0.2.1" servers.name "domain1_ManagementServer_1" servers.multi-domain-server "primary_mdm"

   The Domain Server is created. Log in to 192.0.2.1 to configure the settings.

   //

Iain King / https://www.linkedin.com/in/iain-king-77075a1b/ 

Found a bit of information regarding finding the installation targets, but I'm having trouble getting the result I need. I want to point the query from the MDS towards a specific domain - how do I do this? The following command should do the job, but how do I aim at the specific domain. Bear in mind that I want to run this from the MDS to loop across all domains.

mgmt_cli show-package name Standard --root true --format json
{
  "code" : "generic_err_object_not_found",
  "message" : "Requested object [Standard] not found"
}

Even including the management server in the call doesn't seem to work:

 mgmt_cli show-packages -u <UID> -p <PW> -m <IP> --format json
{
  "packages" : [ ],
  "total" : 0
}

If this is a Multi-Domain environment then you also need to provide the relevant domain name or IP address which holds policy packages. The default domain, MDS, does not have policy packages.

Thanks Tomer - this is what I did in the 2nd example above, using the -m argument with the IP of the domain management server, but the result was the same (I have hidden the credentials & IPs):

mgmt_cli show-packages -u <UID> -p <PW> -m <IP> --format json
{
  "packages" : [ ],
  "total" : 0
}

OK. So apparently in Multi-Domain environments the -m switch must be the MDS IP, and the -d needs to be provided with the domain name or IP address. 

If you use the mgmt_cli command already inside the MGMT server, then you don't need to provide the -m parameter. This parameter is mostly for remote calls.

The fact that providing an IP of a server which is not the MDS is a bug and will be fixed in a later update of the API engine.

tl;dr you should have used this:

mgmt_cli show-packages -u <UID> -p <PW> -d <IP> --format json

or when calling from a remote host:

mgmt_cli show-packages -u <UID> -p <PW> -m <MDS IP>-d <IP> --format json

Alex, have you succeeded with this?

Ace!

Thanks Brian, I now have this working in a very similar way to your suggestion above. I am not currently using any session management, however. This reduces it to a single command:

mgmt_cli show-package name ${POLICY_NAME} -d $CMA --root true --format json

In terms of filtering the policy, there is a very handy 'filter' argument to 'show-access-rulebase'. In theory, I should be able to simply put my requirements into this filter in the same way that I would in SmartDashboard. Unfortunately, there are currently problems with this, and it doesn't work (I've raised an S/R for this). I have therefore had to find another way to do this. I'm nearly there with it, but it's a bit clunky.

We carry out a number of pre-install checks, and it is quite challenging translating these to R80, with the implementation of multiple layers etc.

elaborate on the part of the filter that doesn't work please?

Please be careful without using session management.  You can reach the maximum number of allowed WEB_API slots and you won't be able to log in (I've been there).  I strongly encourage using read-only or session management to discard your active session.

With R80.10 GA, the logout call should clear the session. So unless the script crashed or unless you ran it without logout during development, your session should be cleared.

Brian, the max sessions lockout is kind of the "API initiation ceremony". This means that you checked your stuff during development enough times to reach this problem

Either way this is the max sessions fixer: "You have reached the maximum number of active sessions" error in SmartConsole 

‌

All the commands I am running (so far) are 'show', therefore shouldn't be creating sessions (I don't see any sessions building up on the console). I can see this being a real consideration when running updates, though, so thanks for the heads-up.

login creates a session while logout clears a session if everything was published or discard prior to logout.

There is no need to call the "discard" commad if there are no changes, just "logout" command.

Robert.

I have some old code which does this by parsing the $MDSDIR/customers/*.. conf/ .. rulebases_5_0.fws etc files and looking for matches (of any / any etc). It ran in cron, I won't post it here because it's not supported and some people will get their knickers in a twist over that. PM me and i'll send it across (it's in perl). 

There is for sure a better way of doing that nowadays.. probably using mgmt_cli (but I'll need to have a closer look at the new rule handling) to figure out a good way to do it. For sure there's a better way of handling it now in R80.10.

Hi Alex, if you can share your steps with the API we might be able to assist you, it seems you are close to getting what you were looking for...