pgestido
Explorer

Newbie question about mgmt_cli on windows

Hi:

I am trying to use mgmt_cli on Windows to connect to Smart-1 Cloud.

I am trying to use:

mgmt_cli -m mydomain.maas.checkpoint.com --context <context-id>/web_api login api-key <my_api_key> > id.txt

This generates id.txt like:

uid: "my_uid"
sid: "my_sid"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1732049229199
iso-8601: "2024-11-19T20:47+0000"
api-server-version: "1.9.1"
user-name: "admin-api"
user-uid: "my_user-uid"

Next, I try:

mgmt_cli -m mydomain.maas.checkpoint.com --context <context-id>/web_api show networks --session-file id.txt

and get the following error:

Couldn't connect to server
If you need to use a proxy server, add the '--proxy' parameter

But if I execute 

mgmt_cli -m mydomain.maas.checkpoint.com --context <context-id>/web_api show networks --session-id "my_sid"

this works fine.

All examples I found on the web are done like the first option.

What am I doing wrong?

Regards,

Pablo

9 Replies
PhoneBoy
Admin

My understanding is that you do not need -m or --context if you are using a session file, as all of the necessary information should be included.

pgestido
Explorer

Hi:

I tried without -m and -s and I am still having the same issue (I previously generated a new session file):

mgmt_cli show networks -s id.txt
Couldn't connect to server
If you need to use a proxy server, add the '--proxy' parameter

Is it because in "id.txt" the url points to localhost (127.0.0.1)?
Duane_Toler
Advisor

Hmm... he might have a point here. I tried the same thing to a customer's Smart-1 Cloud and got what he got. When using -s for a session file with Smart-1 Cloud, the URL is to localhost and that breaks it. This is only for S1C, though.

@pgestido: You'll need to get the "sid" string from that session file and set it in your environment variable named MGMT_CLI_SESSION_ID.

With Smart-1 Cloud, preferably you would use an API key for authentication.  You can set that with MGMT_CLI_API_KEY=<api key string>.  But if you are using a username/password and it works, then you can do that.

You also need to set a few more:

MGMT_CLI_MANAGEMENT=mydomain.maas.checkpoint.com

MGMT_CLI_CONTEXT=<context-id>/web_api

From here, you can do "mgmt_cli login" (no other parameters needed, if you use the environment variables).  You can add --unsafe-auto-accept true to avoid having to accept the fingerprint manually.  After you login, copy the "sid" string and set that to the variable:

MGMT_CLI_SESSION_ID=<sid string>

Next, you need to un-set the MGMT_CLI_API_KEY variable.  From here on out, the session ID string holds the link to the login session.

When you're done, you can do "mgmt_cli logout", then destroy all those variables.  I don't quite remember all of the incantations to do this on Windows, but you can take it from here.

Let us know if you still need help.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
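As an added example (not the .bat script from this thread and not Check Point's own tooling), here is a POSIX sh version of the workflow Duane describes: read the session file that "mgmt_cli login" writes, detect the loopback url that makes --session-file fail against Smart-1 Cloud, export the sid as MGMT_CLI_SESSION_ID with MGMT_CLI_API_KEY cleared, and clear everything again after logout. The tenant hostname, context id and sid are placeholders, and the session file contents are constructed from the format shown at the top of the thread. In Windows cmd the equivalents are "set VAR=value" and "set VAR=" (to clear).

```shell
#!/bin/sh
# Added example, not the thread author's .bat and not Check Point tooling:
# a POSIX sh version of the Smart-1 Cloud session workflow from the accepted
# answer. In Windows cmd the same steps are "set VAR=value" and "set VAR="
# (to clear) inside a .bat file.

umask 077   # session files carry a live sid: keep them owner-readable only

# write_sample_session FILE: constructed copy of what "mgmt_cli login > id.txt"
# prints for Smart-1 Cloud. All values are placeholders; note the loopback url,
# which is what makes -s/--session-file fail against Smart-1 Cloud.
write_sample_session() {
  cat > "$1" <<'EOF'
uid: "11111111-2222-3333-4444-555555555555"
sid: "EXAMPLE_SID_PLACEHOLDER_0123456789"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1732049229199
  iso-8601: "2024-11-19T20:47+0000"
api-server-version: "1.9.1"
user-name: "admin-api"
user-uid: "99999999-8888-7777-6666-555555555555"
EOF
}

# session_field FILE KEY: value of the top-level "KEY: value" line, quotes
# stripped. sed is enough for this flat format, so jq is not required.
session_field() {
  sed -n "s/^$2: *\"\{0,1\}\([^\"]*\)\"\{0,1\}.*\$/\1/p" "$1" | head -n 1
}

# session_url_is_loopback FILE: true when the session url points at
# 127.0.0.1/localhost. With --session-file mgmt_cli would then try to reach the
# local machine instead of the tenant, hence "Couldn't connect to server".
session_url_is_loopback() {
  case "$(session_field "$1" url)" in
    http://127.0.0.1:*|https://127.0.0.1:*|http://localhost:*|https://localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# session_env_from_file FILE MGMT CONTEXT: print the commands that move the
# session into the environment as the accepted answer describes: sid into
# MGMT_CLI_SESSION_ID, API key cleared, management host and context kept.
# Printed instead of applied so the caller can `eval` them in its own shell.
session_env_from_file() {
  sid=$(session_field "$1" sid)
  [ -n "$sid" ] || return 1
  printf 'unset MGMT_CLI_API_KEY\n'
  printf "export MGMT_CLI_SESSION_ID='%s'\n" "$sid"
  printf "export MGMT_CLI_MANAGEMENT='%s'\n" "$2"
  printf "export MGMT_CLI_CONTEXT='%s'\n" "$3"
}

# s1c_login FILE: with MGMT_CLI_API_KEY, MGMT_CLI_MANAGEMENT and MGMT_CLI_CONTEXT
# exported, log in and save the session to FILE. The key stays in the
# environment instead of on the command line, where "ps" would show it.
s1c_login() {
  mgmt_cli login --unsafe-auto-accept true > "$1"
}

# Demonstration on the constructed file. Real mgmt_cli calls run only when the
# binary exists and RUN_MGMT_CLI is set, so the script is harmless elsewhere.
MGMT_HOST="${MGMT_CLI_MANAGEMENT:-mydomain.maas.checkpoint.com}"   # placeholder tenant
MGMT_CONTEXT="${MGMT_CLI_CONTEXT:-<context-id>/web_api}"           # placeholder context
SESSION_FILE="${TMPDIR:-/tmp}/mgmt_cli_session_example.$$"

if command -v mgmt_cli >/dev/null 2>&1 && [ -n "${RUN_MGMT_CLI:-}" ]; then
  s1c_login "$SESSION_FILE"    # caller must have exported MGMT_CLI_API_KEY etc.
else
  write_sample_session "$SESSION_FILE"
fi

if session_url_is_loopback "$SESSION_FILE"; then
  echo "session url is loopback: skipping --session-file, exporting MGMT_CLI_SESSION_ID" >&2
  eval "$(session_env_from_file "$SESSION_FILE" "$MGMT_HOST" "$MGMT_CONTEXT")"
fi

if command -v mgmt_cli >/dev/null 2>&1 && [ -n "${RUN_MGMT_CLI:-}" ]; then
  mgmt_cli show networks    # -m, --context and the session id come from the environment
  mgmt_cli logout
fi

# Clear the sid and the file when done so neither lingers after the session.
unset MGMT_CLI_SESSION_ID MGMT_CLI_API_KEY MGMT_CLI_MANAGEMENT MGMT_CLI_CONTEXT
rm -f "$SESSION_FILE"
```

Run it as-is to see the parsing and the environment it would export; set RUN_MGMT_CLI=1 with MGMT_CLI_API_KEY, MGMT_CLI_MANAGEMENT and MGMT_CLI_CONTEXT exported to have it log in, query and log out for real. The loopback check is what distinguishes the Smart-1 Cloud case from an on-premises management server, where the session file's url is usable and --session-file works normally.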
pgestido
Explorer

Thanks @Duane_Toler this worked fine.

The key is unsetting the MGMT_CLI_API_KEY var, then setting the MGMT_CLI_SESSION_ID var (with the help of jq for Windows).

I am developing a .bat script with this info. I will share it once it is finished.

Regards,

Pablo

pgestido
Explorer

After taking Tim Hall's CCAS (and with your help) I managed to write a small (.bat) piece of code where you can insert your own code.

I had the challenge of (sometimes) applying policy on about 40 GWs.

With this script I can do it.

Thanks @Duane_Toler and @PhoneBoy.

Just rename the file as .bat and run it.

Enjoy!!!!
Duane_Toler
Advisor

Yep, that's it.  BTW - You should look into building yourself a container image to run Ansible if you have that many gateways.  It's more scalable, more consistent, and easier tracking [for compliance and evidence trail].  You can run Docker on Windows and map your Windows folders to volumes inside the container.  You might need to run dos2unix on the files, however, or else things can get "weird" unexpectedly.

[Shameless plug]  Check the series in my sig line to get you started.  I have an episode on getting started with Docker and git, along with a link to the Dockerfile I used to build my container.  I also dedicated one episode to building the inventory for various types of management servers.  Hope it helps!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
pgestido
Explorer

Hi Duane, I made the script for "academic reasons", just to get to know how easy/difficult it is to build this kind of script and also to try to get some help with repetitive tasks. Since my team manages about 40 Check Point gateways, just imagine the work it is to change one object and having to apply policies on all the GWs...

I have started to watch your video series... I am on the third video... good work.

Regards,

Pablo

Duane_Toler
Advisor

Thanks!

You definitely will want that type of academic info!  You can still use that knowledge to build yourself some custom scripts for some targeted cases like giving yourself a quick way to search for, and show, objects or access rules or logs... lots of things.  Keep at it! My needs for SmartConsole continue dwindling by the day and I'm not sad about that. 🙂

Check out the API commands like "show-hosts" and "show-networks" with the option "filter ...".

mgmt_cli show-hosts filter "domain controller"
mgmt_cli show-networks filter "some comment substring"

Another tip: In your script, you can use "set MGMT_CLI_FORMAT=json" and not have to always use "-f json"  [or "--format json"] on each command.

FYI, if you don't know yet, the JQ documentation is available at https://jqlang.org/.  Be sure to select the version that you have on your host (which is likely NOT the same as the one on the management server).

Keep up the work and experimentation!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
