cpwiki.net - User contributions [en]

cpuse deployment agent

2026-03-29T02:23:08Z

Nighthawk:

==checking current version==
# clish -c "show installer status build"
Build number: 2084 (agent build is up to date)

==downloading the latest cpuse deployment agent==

a download link to the latest cpuse is found in [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All%22 sk92449] on the user center

==check currently installed version==

cpvinfo $DADIR/bin/DAService | grep Build

==how do perform and offline upgrades==

# download the latest cpuse
# uninstall cpuse
[Expert@chkpmds1:0]# '''rpm -e CPda-00-00'''
/opt/CPshrd-R77/bin/cpwd_admin del -name DASERVICE
cpwd_admin:
successful Del operation

# install new cpuse

Expert@chkpmds1:0]# '''rpm -ivh ./CPda-00-00.i386.rpm'''
Preparing... ########################################### [100%]
cpwd_admin:
Process DASERVICE isn't monitored by cpWatchDog. Stop request aborts
Trying to stop DAService for 60 seconds - please wait...
Error: DAService is not running.
 Waiting for DAService to stop...
Error: DAService is not running.

*** note: it is typical to see the above message many times

== restarting clishd==

To Stop [Expert@HostName]# '''tellpm process:clishd'''
 To Start [Expert@HostName]# '''tellpm process:clishd t'''

start agent

# clish -c "installer agent start"

upgrade should be completed.

growing root partition

2025-10-25T02:21:56Z

Nighthawk: /* Solution */

== Problem ==

insufficient disk space in /opt to apply an upgrade.

O.S. : secure platform (splat) or gaia

Check Point versions: multiple

== Solution ==

Use available, unallocated disk space. Newer Check Point version use LVM. Check Point often doesn't allocate it all. This not a bad thing. It is a common, best practice with LVM. This allows admins to easily grow partitions as needed using the free disk space. If you allocated it all up front, but needed one partition bigger, you would have to shrink one to grow another. This is more complicated. With root, it can't be shrunk while the system is running(it can be grown as we are about to see).

'''Example'''

[Expert@chkpfw1:0]# '''df -h'''
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
4.9G 3.6G 1.1G 77% / <<< root does't have enough space for my 77.30 upgrade :(
/dev/hda1 289M 24M 251M 9% /boot
tmpfs 217M 0 217M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
6.8G 3.7G 2.9G 57% /var/log

Check the volumn groups for Free space

[Expert@chkpfw2:0]# '''vgdisplay | grep -i size'''
VG Size 18.69 GB
PE Size 32.00 MB
Alloc PE / Size 384 / 12.00 GB
Free PE / Size 214 / 6.69 GB <<< yay! I have some!

adding/growing the logical volume "container"

[Expert@chkpfw2:0]# '''lvresize -L +6.69GB vg_splat/lv_current'''
Rounding up size to full physical extent 6.72 GB
Extending logical volume lv_current to 11.72 GB
Insufficient free space: 215 extents needed, but only 214 available

that failed... specifying the increase in GB is less precise. So, lets use "extents"

[Expert@chkpfw2:0]# '''lvresize -l +214 vg_splat/lv_current'''
Extending logical volume lv_current to 11.69 GB
Logical volume lv_current successfully resized

verifying new volume group size

[Expert@chkpfw2:0]# vgdisplay | grep -i -E "name|size"
VG Name vg_splat
VG Size 18.69 GB
PE Size 32.00 MB
Alloc PE / Size 598 / 18.69 GB
Free PE / Size 0 / 0

growing the file system to fill the "container"

[Expert@chkpfw2:0]# '''resize2fs /dev/mapper/vg_splat-lv_current'''
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3063808 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3063808 blocks long.

newer Gaia O.S. implementations utilize xfs file systems. resize2fs won't work. use xfs_growfw instead

[Expert@chkpfw2:0]# '''xfs_growfs /dev/mapper/vg_splat-lv_current'''
meta-data=/dev/mapper/vg_splat-lv_log isize=512 agcount=4, agsize=2097152 blks
= sectsz=512 attr=2, projid32bit=1
= crc=1 finobt=0 spinodes=0
data = bsize=4096 blocks=8388608, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal bsize=4096 blocks=4096, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
data blocks changed from 8388608 to 31981568

viewing newly allocated disk space

[Expert@chkpfw2:0]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
12G 3.6G 7.2G 33% /
/dev/hda1 289M 24M 251M 9% /boot
tmpfs 217M 0 217M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
6.8G 2.2G 4.3G 34% /var/log

So, we grew root while the system had it mounted and was running from it. Thank you LVM!

growing root partition

2025-10-25T02:21:23Z

Nighthawk: /* Solution */

First time config "wizard" via CLI mode

2025-10-24T14:26:10Z

Nighthawk: Created page with " == Creating a configuration file == # '''config_system -t <File Name>''' === configuration file validation === # config_system --config-file <File Name> --dry-run == run..."

== Creating a configuration file ==
# '''config_system -t <File Name>'''

=== configuration file validation ===
# config_system --config-file <File Name> --dry-run

== running config with template file ==
# config_system -f <File Name>

fortinet CLI notes

2025-10-14T15:17:35Z

Nighthawk: /* logging */

==vdom==
entering editing a vdom

# config vdom
(vdom) # edit myvdom
(myvdom) #

==interface commands==
===configure===
example
# config system interface
# edit port1
# set mode static
# set ip 10.1.1.1 255.255.255.0
# next
# end

===get info==
for admin status, link stat, speeds, counters...
# config global
# get hardware nic <interface name>

==routes==
# config router static
# edit <route_index>
# set device "<interface_name>"
# set dst "<destination_ip>"
# set gateway "<router_ip>"

for default gw..
# set dst 0.0.0.0 0.0.0.0
or just leave the line out.

HA status
# config global
# get sys ha status

HA failover to highest priority (if it is not currently Master)
on current master run...
# config global
# diagnose sys ha reset-uptime

get admin hash password
# config global
# config sys admin
# show

uptime
# config global
# get system perf status | grep -i uptime

shutdown/reboot

# execute shutdown
or
# execute reboot

==firewall==
# show firewall policy

==packet capture==

# diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbosity> <count> <time-format>

verbosity of 4 will show the port name

where if count = 0, then unlimited

example:
fotinet1 # '''diagnose sniffer packet port1 'icmp'''' 4 2 l
interfaces=[port1]
filters=[icmp]
2022-08-25 13:16:52.397609 port1 -- 192.168.169.76 -> 192.168.169.31: icmp: echo request
2022-08-25 13:16:52.397673 port1 -- 192.168.169.31 -> 192.168.169.76: icmp: echo reply

==misc==

check if fortigate has fortimanager central-management setting
$ show full-configuration | grep "set fmg "

==default login==

VM images = admin / (empty password)

==logging==
[https://community.fortinet.com/t5/FortiGate/Technical-Tip-Displaying-logs-via-FortiGate-s-CLI/ta-p/193027 Displaying logs via FortiGate's CLI]

set log filter to view category with traffic logs
execute log filter category 0
set log filter to view logs from local disk
execute log filter device 0
view log filter settings
execute log filter dump
reset log filter
execute log filter reset
example..

execute log filter category 0
execute log filter device 0
execute log filter field srcip 10.0.0.10
execute log filter field dstip 192.168.1.1
execute log display

[[category:fortinet]]

fortinet CLI notes

2025-08-13T17:29:20Z

Nighthawk:

==vdom==
entering editing a vdom

# config vdom
(vdom) # edit myvdom
(myvdom) #

==interface commands==
===configure===
example
# config system interface
# edit port1
# set mode static
# set ip 10.1.1.1 255.255.255.0
# next
# end

===get info==
for admin status, link stat, speeds, counters...
# config global
# get hardware nic <interface name>

==routes==
# config router static
# edit <route_index>
# set device "<interface_name>"
# set dst "<destination_ip>"
# set gateway "<router_ip>"

for default gw..
# set dst 0.0.0.0 0.0.0.0
or just leave the line out.

HA status
# config global
# get sys ha status

HA failover to highest priority (if it is not currently Master)
on current master run...
# config global
# diagnose sys ha reset-uptime

get admin hash password
# config global
# config sys admin
# show

uptime
# config global
# get system perf status | grep -i uptime

shutdown/reboot

# execute shutdown
or
# execute reboot

==firewall==
# show firewall policy

==packet capture==

# diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbosity> <count> <time-format>

verbosity of 4 will show the port name

where if count = 0, then unlimited

example:
fotinet1 # '''diagnose sniffer packet port1 'icmp'''' 4 2 l
interfaces=[port1]
filters=[icmp]
2022-08-25 13:16:52.397609 port1 -- 192.168.169.76 -> 192.168.169.31: icmp: echo request
2022-08-25 13:16:52.397673 port1 -- 192.168.169.31 -> 192.168.169.76: icmp: echo reply

==misc==

check if fortigate has fortimanager central-management setting
$ show full-configuration | grep "set fmg "

==default login==

VM images = admin / (empty password)

==logging==
[https://community.fortinet.com/t5/FortiGate/Technical-Tip-Displaying-logs-via-FortiGate-s-CLI/ta-p/193027 Displaying logs via FortiGate's CLI]

set log filter to view category with traffic logs
execute log filter category 0
set log filter to view logs from local disk
execute log filter device 0
view log filter settings
execute log filter dump
reset log filter
execute log filter reset
example..

execute log filter category 0
execute log filter device 0
execute log filter srcip 10.0.0.10
execute log filter dstip 192.168.1.1
execute log display

[[category:fortinet]]

big-ip notes

2025-05-13T16:20:59Z

Nighthawk:

get pool membership by node IP via CLI
# '''tmsh -q -c "cd /; list ltm pool one-line recursive" | grep <ip address>'''

==links==

[https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)]

[https://networkproguide.com/f5-big-ip-cli-commands-cheat-sheet/ Big-ip cheat sheet]
[[category:f5]]

fortinet create api user via CLI

2025-04-28T17:20:15Z

Nighthawk: Created page with " To create a REST API administrator in the CLI: config system api-user edit "api-admin" set comments <string> set api-key ************ set acc..."

To create a REST API administrator in the CLI:

config system api-user
edit "api-admin"
set comments <string>
set api-key ************
set accprofile "API profile"
set vdom "root"
set peer-auth enable
set peer-group <group>
config trusthost
edit 1
set ipv4-trusthost <class_ip&net_netmask>
next
...
end
next
end

Generate the API token:

# execute api-user generate-key <API username>

[[category:fortinet]]

fortinet downloads

2025-04-21T21:48:27Z

Nighthawk:

https://support.fortinet.com/Download/FirmwareImages.aspx

[[category: fortinet]]

2025-03-26T22:35:54Z

Nighthawk: Created page with " mgmt_cli show-logs new-query.filter product:<product name> new-query.time-frame <time-frame> new-query.max-logs-per-request <limit> filter - The filter as entered in SmartC..."

big-ip notes

2024-12-09T17:55:37Z

Nighthawk:

==links==

[https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)]

[https://networkproguide.com/f5-big-ip-cli-commands-cheat-sheet/ Big-ip cheat sheet]
[[category:f5]]

big-ip notes

2024-10-04T19:06:57Z

Nighthawk: Created page with "==links== [https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)] category..."

==links==

[https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)]
[[category:f5]]

snmp

2024-07-08T20:56:55Z

Nighthawk:

mib files location on check point device
$CPDIR/lib/snmp/

==mib descriptions and OID of interest==

appliance model
"svnApplianceProductName" "1.3.6.1.4.1.2620.1.6.16.7"

get check point version
"svnVersion" "1.3.6.1.4.1.2620.1.6.4.1"

example:
[Expert@chkpfw1:0]# '''snmpget -v2c -c public localhost 1.3.6.1.4.1.2620.1.6.4.1.0'''
SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20"

firewall connections
$ '''snmptranslate -Tz -m CHECKPOINT-MIB | grep -i fwnumconn'''
"fwNumConn" "1.3.6.1.4.1.2620.1.1.25.3"

$ '''snmpget -v 2c -c public 10.0.0.254 1.3.6.1.4.1.2620.1.1.25.3.0'''
SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Gauge32: 3310

[[category:snmp]]
[[category:monitoring]]

2024-06-20T04:41:25Z

Nighthawk:

cisco asa notes

2024-06-20T03:16:13Z

Nighthawk: Created page with "==Getting Started== Accessing the Appliance Command-Line Interface This following prompt indicates that you are in user EXEC mode. Only basic commands are available from user..."

==Getting Started==
Accessing the Appliance Command-Line Interface

This following prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
hostname>

To access privileged EXEC mode, enter the following command:
hostname> '''enable'''

The prompt changes to the following:
hostname#

To exit privileged mode, enter the disable, exit, or quit command.

access global configuration mode
hostname# '''configure terminal'''

The prompt changes to the following:
hostname(config)#

r80 api notes

2024-06-09T07:05:30Z

Nighthawk:

==Management server API setup==
===enabling for remote IPs===
done the smartconsole

[[file:cp_mgmt_api_enable_all_IPs.png]]

it can also be enabled via mgmt_cli under "set api-settings"

===status check===

[Expert@chmkmgr1:0]# '''api status'''
 API Settings:
 <nowiki>-----------------</nowiki>
 Accessibility: Require all granted
 Automatic Start: Enabled
 Processes:
 Name State PID More Information
 <nowiki>-------------------------------------------------</nowiki>
 API Started 10763
 CPM Started 10460 Check Point Security Management Server is running and ready
 FWM Started 10007
 Port Details:
 <nowiki>----------------</nowiki>
 JETTY Internal Port: 50276
 APACHE Gaia Port: 443
 <nowiki>-------------------------------------------------</nowiki>
 Overall API Status: Started
 <nowiki>-------------------------------------------------</nowiki>
 API readiness test SUCCESSFUL. The server is up and ready to receive connections

==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt

same but read only
# mgmt_cli login user admin read-only true > id.txt

===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

return only objects with the EXACT ip

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'

*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

===access rules===
====notes before you begin====
when using the parameter "name" to refer to a particular package, it appears to require the following...
<package name> <layer name>

as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.

What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...

for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

| jq '.rulebase[]'

if you DO HAVE headers, to output the rules you need

| jq '.rulebase[] | .rulebase[]'

====show access layers?====
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"'''
"Network"

where "Network" represents the default policy package Standard

====examples====
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx

# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''

display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done

alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1

display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

====adding rules====

mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule

mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===

get list of domains,objects(management and firewalls),object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

===log queries===
mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'

{
"time": "2023-06-09T06:20:20Z",
"fw": "my_cp_fw1",
"log_server": "192.168.1.88",
"policy": "super_secure",
"action": "Accept",
"source": "10.0.0.11",
"dest": "204.79.197.203",
"service": "443"
}

==jq==
compound jq select using and/or (note: contains returns true/false)

| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter objects dictary for uid for accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets

| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

get values without keys

example

with keys...
'''| jq '.objects[] | {name: .name,type: .type}''''
{
"name": chkp-fw",
"type": "simple-gateway"
}
{
"name": "chkp-mgmt",
"type": "checkpoint-host"
}

without keys, change from curly {} to square [] brackets and drop key references
'''| jq '.objects[] | [.name, .type]''''
[
"chkp-fw",
"simple-gateway"
]
[
"chkp-mgmt",
"checkpoint-host"
]

print all values on the same line, comma separated
'''| jq '.objects[] | [.name, .type] | join (",")'''
"chkp-fw simple-gateway"
"chkp-mgmt,checkpoint-host"

==curl==

curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'

curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login

$ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
{
"uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
"sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
"url" : "https://192.168.1.10:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1707413218074,
"iso-8601" : "2024-02-08T10:26-0700"
},
"api-server-version" : "1.8.1",
"user-name" : "jsmith",
"user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"

$ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive'''
{
"message" : "OK"
}

==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]

[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]

[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]

parsing json return output
[https://stedolan.github.io/jq/ jq]

[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]

[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]

r80 api notes

2024-06-09T07:04:51Z

Nighthawk:

==Management server API setup==
===enabling for remote IPs===
done the smartconsole

[[file:cp_mgmt_api_enable_all_IPs.png]]

it can also be enabled via mgmt_cli under "set api-settings"

===status check===

[Expert@chmkmgr1:0]# '''api status'''
 API Settings:
 <nowiki>-----------------</nowiki>
 Accessibility: Require all granted
 Automatic Start: Enabled
 Processes:
 Name State PID More Information
 <nowiki>-------------------------------------------------</nowiki>
 API Started 10763
 CPM Started 10460 Check Point Security Management Server is running and ready
 FWM Started 10007
 Port Details:
 <nowiki>----------------</nowiki>
 JETTY Internal Port: 50276
 APACHE Gaia Port: 443
 <nowiki>-------------------------------------------------</nowiki>
 Overall API Status: Started
 <nowiki>-------------------------------------------------</nowiki>
 API readiness test SUCCESSFUL. The server is up and ready to receive connections

==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt

same but read only
# mgmt_cli login user admin read-only true > id.txt

===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

return only objects with the EXACT ip

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'

*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

===access rules===
====notes before you begin====
when using the parameter "name" to refer to a particular package, it appears to require the following...
<package name> <layer name>

as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.

What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...

for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

| jq '.rulebase[]'

if you DO HAVE headers, to output the rules you need

| jq '.rulebase[] | .rulebase[]'

====show access layers?====
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"'''
"Network"

where "Network" represents the default policy package Standard

====examples====
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx

# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''

display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done

alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1

display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

====adding rules====

mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule

mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===

get list of domains,objects(management and firewalls),object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

===log queries===
mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'

{
"time": "2023-06-09T06:20:20Z",
"fw": "my_cp_fw1",
"log_server": "192.168.1.88",
"policy": "super_secure",
"action": "Accept",
"source": "10.0.0.11",
"dest": "204.79.197.203",
"service": "443"
}

===jq===
compound jq select using and/or (note: contains returns true/false)

| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter objects dictary for uid for accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets

| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

get values without keys

example

with keys...
'''| jq '.objects[] | {name: .name,type: .type}''''
{
"name": chkp-fw",
"type": "simple-gateway"
}
{
"name": "chkp-mgmt",
"type": "checkpoint-host"
}

without keys, change from curly {} to square [] brackets and drop key references
'''| jq '.objects[] | [.name, .type]''''
[
"chkp-fw",
"simple-gateway"
]
[
"chkp-mgmt",
"checkpoint-host"
]

print all values on the same line, comma separated
'''| jq '.objects[] | [.name, .type] | join (",")'''
"chkp-fw simple-gateway"
"chkp-mgmt,checkpoint-host"

===curl===

curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'

curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login

$ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
{
"uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
"sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
"url" : "https://192.168.1.10:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1707413218074,
"iso-8601" : "2024-02-08T10:26-0700"
},
"api-server-version" : "1.8.1",
"user-name" : "jsmith",
"user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"

$ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive'''
{
"message" : "OK"
}

==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]

[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]

[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]

parsing json return output
[https://stedolan.github.io/jq/ jq]

[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]

[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]

maestro reference

2024-05-13T16:39:23Z

Nighthawk:

==security groups==
Single Management Object (SMO) handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging. The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

identify the SMO and tasks
# asg stat -i tasks

===policy installation===
Management ServerClosed installs the policy on the SMO Master and then it is copied to the other UP members. Use [[asg policy - command|asg policy]] to verify or unload a policy.
===Synchronizing Policy and Configuration Between Security Group Members===

synchronize the policies manually to a SG member
asg_blade_config pull_config

==Managing Security Groups==
===Connecting to a Specific Security Group Member ===
# member <Member ID>
or
# m <Member ID>

connecting to member in specific SG
# m <Security Group ID> <Member ID>

==HA==
clusterXL_admin up

==orchestrator==

get port transiever typoe
> show maestro port x optic info

fortinet CLI notes

2024-05-07T19:47:12Z

Nighthawk:

2024-02-16T16:22:45Z

Nighthawk:

==Management server API setup==
===enabling for remote IPs===
done the smartconsole

[[file:cp_mgmt_api_enable_all_IPs.png]]

it can also be enabled via mgmt_cli under "set api-settings"

===status check===

[Expert@chmkmgr1:0]# '''api status'''
 API Settings:
 <nowiki>-----------------</nowiki>
 Accessibility: Require all granted
 Automatic Start: Enabled
 Processes:
 Name State PID More Information
 <nowiki>-------------------------------------------------</nowiki>
 API Started 10763
 CPM Started 10460 Check Point Security Management Server is running and ready
 FWM Started 10007
 Port Details:
 <nowiki>----------------</nowiki>
 JETTY Internal Port: 50276
 APACHE Gaia Port: 443
 <nowiki>-------------------------------------------------</nowiki>
 Overall API Status: Started
 <nowiki>-------------------------------------------------</nowiki>
 API readiness test SUCCESSFUL. The server is up and ready to receive connections

==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt

same but read only
# mgmt_cli login user admin read-only true > id.txt

===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

return only objects with the EXACT ip

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'

*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

==access rules==
===notes before you begin===
when using the parameter "name" to refer to a particular package, it appears to require the following...
<package name> <layer name>

as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.

What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...

for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

| jq '.rulebase[]'

if you DO HAVE headers, to output the rules you need

| jq '.rulebase[] | .rulebase[]'

====rule numbers====

===show access layers?===
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"'''
"Network"

where "Network" represents the default policy package Standard

===examples===
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx

# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''

display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done

alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1

display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

===adding rules===

mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule

mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===

get list of domains,objects(management and firewalls),object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

==jq examples==

compound jq select using and/or (note: contains returns true/false)

| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter objects dictary for uid for accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets

| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

"rulenum": 1,
 "comment": "hahahlol"

==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]

[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]

[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]

parsing json return output
[https://stedolan.github.io/jq/ jq]

[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]

[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]