topic Re: IPS Update check per domain R77.30 in Firewall and Security Management

IPS Update check per domain R77.30

Maarten_Sjouw — Thu, 28 Jun 2018 20:42:15 GMT

Hi, I´m looking for a way to run a script that will check each domain on a MDS if there was a IPS update scheduled and what is the latest date of the update.

The frame for running the script over all domains is available, but I need to find which files to check per domain and what command to run to see this information.

Re: IPS Update check per domain R77.30

Alejandro_Mont1 — Fri, 29 Jun 2018 18:02:49 GMT

I am not sure of a specific CheckPoint command that can be run to check the IPS update stats and can't help with the script, however I believe the info you're looking for is in the $FWDIR/conf directory of each domain- specifically the asm.C file. In it there are a bunch of lines that show "asm_last_update_time", the last of which lists the last time protections were updated in epoch format. The line "asm_update_version_vpn1" shows the current protection version.

If you'd like to look at the IPS update schedule, note the name of the IPS time object (click on Edit Schedule and note the name). Search the objects_5_0.C file for that string and its attributes will be below.

Re: IPS Update check per domain R77.30

Maarten_Sjouw — Fri, 29 Jun 2018 20:53:39 GMT

What I have been able to take from that file asm.C is that the value on the field asm_update_version_vpn1 is the loaded version on that specific CMA/Domain.

With the aid of SK93392 I knoew how to convert this version number into a package date, this is what I can use!

I will rework my script to list all domains with their package number and it's date.

If there is any interest in the script, please let me know and I will post it here.

Re: IPS Update check per domain R77.30

PhoneBoy — Mon, 02 Jul 2018 22:44:27 GMT

As far as I know, there is no CLI command to check that.

Sounds like you can parse it from asm.C, though (which I had forgotten about ).

Re: IPS Update check per domain R77.30

Arne_Boettger — Thu, 12 Jul 2018 07:38:58 GMT

Hello,

take a look at sk120437 - How to obtain IPS Database version via CLI on Security Management Server .

Would you mind sharing your script once it is complete? I could use it, too 😉

regards, Arne

Re: IPS Update check per domain R77.30

Maarten_Sjouw — Mon, 16 Jul 2018 21:27:40 GMT

So far the script will collect the domain in 1 rule and the next rule will hold some text and the version number. I have no scripting skills to get this reworked to list a Domain name, package number and date.

What it does allow me to do is put this info in an email per MDS, from there it is simply a text find and replace and a move to excel where some simple formulas will give you the right output, be this part manual but it works.

We use a separate file called FWLib which sets the variables used in the different scripts we have:

#!/bin/sh
#-----------------------------------------------------------
# FWlib - library holds common libraries for FW*
# script files
#-----------------------------------------------------------

# Set Script constants ...
SCRIPT=`basename $0`
BASEDIR=/backup

SCRIPTDIR=$BASEDIR/scripts
LOG=$SCRIPTDIR/$SCRIPT.log
BCK=$SCRIPTDIR/$SCRIPT.bck

# Set MDS constants ...
MDS_CPDIR=/opt/CPshrd-R77 # needed if script is run from cronjob
# Set FW logfiles constants ...
LOGDIR=/var/log/Our-log
LOGBCK=$BASEDIR/log.bck
TMPDIR=/var/log/Our-logtmp
EXPORT=/var/log/Our-export

# Set MAIL constants ...
readonly MAILSVR=<IP-Address Mailserver>
readonly MAILFROM=`uname -n`@aaa.com
readonly MAILTO=admin@aaa.com
readonly MAILCHK=admin@aaa.com
readonly MAILERROR=admin@aaa.com

# Include Check Point MDS commands and variables ...
source $MDS_CPDIR/tmp/.CPprofile.sh

# aplications
GREP=/bin/grep

function timestamp {
# ---------------------------------------------------------------------------
# Write entry to logfile
# ---------------------------------------------------------------------------
echo `date --utc +%H:%M` "$*"

}

The actual script FWIPSverto run through all Domains on the MDS it is run from:

#!/bin/sh
#-----------------------------------------------------------
# FWIPSver - collects info from all Domains about the actual version
# of the IPS database.
#-----------------------------------------------------------
# If the script is called with one or more Domain names on
# the command line, these Domains are processed. Otherwise
# the script iterates over the entire Multi Domain
# installation
#-----------------------------------------------------------

# Link additional constants and functions library ...
source `dirname $0`/FWlib

# Declare other variables
declare -a CMAs
# Assign CMAs from the commandline (if any) ...
CMAs=( $* )

#---------------------------------------------------------

# Determine date to be used in filenames
#---------------------------------------------------------
DT=`date --utc +%Y%m%d`

#---------------------------------------------------------
# Initialize Logfile and output file and keep the previous as .bck
#---------------------------------------------------------
# Backup old logfile ...
[ -e $BCK ] && rm $BCK
[ -e $LOG ] && mv $LOG $BCK

# Backup old logfile ...
[ -e data.bck ] && rm data.bck
[ -e data.txt ] && mv data.txt data.bck

# Backup and create new logdir ...
[ -d $LOGDIR ] && rm -R $LOGDIR
[ ! -d $LOGDIR ] && mkdir $LOGDIR

# Remove and create new tmpdir ...
[ ! -d $TMPDIR ] && mkdir $TMPDIR

# Create new logfile ...
echo '**************************************' >$LOG
echo 'Collect IPS versions of all Domains ... ' >>$LOG
echo '**************************************' >>$LOG
echo 'Provider-1 server: '`uname -n` >>$LOG
echo 'Current date : '`date --utc +%d-%m-%Y` >>$LOG
echo 'Current time : '`date --utc +%H:%M` >>$LOG
echo >>$LOG

#---------------------------------------------------------
# Find all Domains
#---------------------------------------------------------

# Set environment to the MDS environment ...
mdsenv

if [ ${#CMAs[@]} = 0 ]; then
# Get all CMA names ...
j=0
for i in `mdsquerydb CMAs`; do
CMAs[j++]=`expr $i : '$.*$_\._\._'`
done
fi

#---------------------------------------------------------
for CMA in ${CMAs[@]}; do
echo '============================================' >>$LOG
echo 'Determining IPS Version on CMA: '$CMA >>$LOG
echo '============================================' >>$LOG

# Switch environment to CMA ...
mdsenv $CMA >>NULL
if [ "$?" = "0" ]; then
echo $CMA >>data.txt
cat $FWDIR/conf/asm.C | grep asm_update_version_vpn >>$LOG
cat $FWDIR/conf/asm.C | grep asm_update_version_vpn >>data.txt
echo >>$LOG
else
echo "CMA does not live on this machine" >>$LOG
fi

done
# End of script; close logfile ...
echo >>$LOG
echo '--------------------------------------------' >>$LOG
timestamp 'End of FWIPSver script ... ' >>$LOG
echo '--------------------------------------------' >>$LOG

# Send resulting log file to mail group ...
/opt/CPsuite-R77/fw1/bin/sendmail -t $MAILSVR -s "FW IPS Version check results" -f $MAILFROM $MAILTO <$LOG

/opt/CPsuite-R77/fw1/bin/sendmail -t $MAILSVR -s "FW IPS Version check results" -f $MAILFROM $MAILTO <data.txt

That is all there is to it.

If anyone knows of a simple way to collect just the version number and convert this on the MDS itself before we mail it out that would really help.

Re: IPS Update check per domain R77.30

Arne_Boettger — Tue, 17 Jul 2018 07:31:35 GMT

Hello,

Thanks a lot for sharing - I was curious about how you got to the list of CMAs.

I changed it so that it produces a CSV file with CMA Name and Version in one Line. Also, I changed it so I look for the version number according to sk120437. Now, you can sort it by version with the command

sort -t ";" -k 2 -n data.txt

My diff:

--- FWIPSverto.orig 2018-07-17 07:30:32.000000000 +0200
+++ FWIPSverto 2018-07-17 08:15:57.000000000 +0200
@@ -60,9 +60,11 @@
# Switch environment to CMA ...
mdsenv $CMA >>NULL
if [ "$?" = "0" ]; then
-echo $CMA >>data.txt
-cat $FWDIR/conf/asm.C | grep asm_update_version_vpn >>$LOG
-cat $FWDIR/conf/asm.C | grep asm_update_version_vpn >>data.txt
+echo -n "$CMA;" >>data.txt
+IPSver=$(cat $FWDIR/conf/asm.C | grep -A20 ASMPostInstallProcedures | grep "asm_update_version " | awk '{print $2}')
+IPSver=${IPSver#(}
+IPSver=${IPSver%)}
+echo $IPSver | tee -a $LOG >>data.txt
echo >>$LOG
else
echo "CMA does not live on this machine" >>$LOG

Re: IPS Update check per domain R77.30

Maarten_Sjouw — Tue, 17 Jul 2018 15:37:28 GMT

Thanks Arne, this was the missing bit to make it useful.