Mastering Compliance
Unveiling the power of Compliance Blade
SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend
May the 4th (+4)
Navigating Paradigm Shifts in Cyber
CPX 2024 Content
is Here!
Harmony SaaS
The most advanced prevention
for SaaS-based threats
CheckMates Go:
CPX 2024 Recap
All changes in the management-server's database follow this flow:
1) Login - Create a "session"
2) Perform changes
3) Publish - After this step:
a) The next policy-install will include the changes in the session.
b) All the changes in the session will become visible to all other admins.
c) Objects that were changed in this session were locked for other admins. 'Publish' removes these locks.
4) Logout
Where steps #2 and #3 can occur multiple times in one session.
This flow is applicable to the REST APIs, SmartConsole CLI, mgmt_cli and Gaia's CLI as well.
When making a SmartConsole CLI, the login step already took place when you launched SmartConsole and passed the login dialog.
Changes that you perform using the CLI join the other changes that you perform using the GUI and they are all published together.
When you run a 'mgmt_cli' command and you don't provide any session information, the tool follows the steps above: it logs-in, makes the change, publish it and logs out.
For example, in:
mgmt_cli add host name myHost ip-address 192.168.0.1
There's nothing to associate this command with a previous login command (a session), without a session mgmt_cli cannot add the host to the database.
mgmt_cli creates a session for you by asking for credentials and logging-in. Then it adds the host, publish the changes and logs out.
When creating many commands this becomes inefficient.
A more effective way would be to login once, make many changes and publish all the changes just once.
when calling the "mgmt_cli login <optional params>" command, a typical output would look like this:
uid: "0d3cdfea-44a5-4ddc-979a-3c7aac97e5ef"
sid: "EUPuch5QkG7hPAeo1nFA8817MJ4xDpj9mm896jFzONU"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1490026351887
iso-8601: "2017-03-20T18:12+0200"
Note the session-id (sid) token in the response.
If I now run:
mgmt_cli add host name myHost2 ip-address 192.168.0.1 --session-id EUPuch5QkG7hPAeo1nFA8817MJ4xDpj9mm896jFzONU
The host will not be published automatically.
I can run other mgmt_cli commands, pass the session-id token to them and accumulate the changes in one session.
When I'm done, I need to call the 'publish' command. Like this:
mgmt_cli publish --session-id EUPuch5QkG7hPAeo1nFA8817MJ4xDpj9mm896jFzONU
mgmt_cli logout --session-id EUPuch5QkG7hPAeo1nFA8817MJ4xDpj9mm896jFzONU
Fortunaly, there's a way that can simplify this process and save you the trouble of having to parse the output of the login command.
The mgmt_cli tool can read the output of a login command and extract the "sid" field for you.
For example:
mgmt_cli login <optional parameters> > id.txt
mgmt_cli add host name myhost3 ip-address 192.168.0.3 -s id.txt
mgmt_cli add host name myhost4 ip-address 192.168.0.4 -s id.txt
mgmt_cli add host name myhost5 ip-address 192.168.0.5 -s id.txt
mgmt_cli add host name myhost6 ip-address 192.168.0.6 -s id.txt
mgmt_cli publish -s id.txt
mgmt_cli logout -s id.txt
In the above example, the output of the login command is redirected to a file (id.txt).
All other commands read this file and extracted the session-id token from it.
Note:
If you want to create thousands of objects, I recommend to perform a 'publish' command every 100 changes and not to accumulate too many changes and publish all of then at once.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
