Check : installation target of multiple policy packages

XavierBens — Fri, 09 Feb 2018 21:39:47 GMT

Hi,

I've created a script which can check if you have firewall(s) configured as installation target of multiple policy-package (based on real story ...).

It uses dbedit and should be useful if you are dealing with many firewalls and some/many policy packages.

#!/bin/sh
echo "###############"
echo "##"
echo "# dbedit script"
echo "# To find : if a firewall is the installation target of multiple Policy Packages"
echo "#"
echo "# Usage :"
echo "#    [Expert@mySMS:0]# ./dbedit_extractNotUniqueTargetForPolicies.sh"
echo "#"

#
# Changelog:
# AAAA-MM-JJ      AUTEUR                       DESCRIPTION
# ----------      ---------------------------  ---------------------------------------------
# 2018-02-09      Xavier Bensemhoun (Victrix)  Initial version
# 2018-02-11      Xavier Bensemhoun (Victrix)  Adding comments and publishing
#
#
echo "#"

# Command is:
#    echo -e "query policies_collections, name='*'\n-q\n" | dbedit -local
# in order to retreive all policy packages details
#
# From the result, we will filter as:
#  1) grep installable_targets
#     > In order to retreive only lines with targets (firewalls)
#  2) sed 's/Name\: //g;' | sed 's/ (Table\: network_objects)//g;' ... and later sed 's/installable_targets\://g;'
#     > delete some words
#  3) sed -e 's/[[:blank:]]\+/\n/g'
#     > replace spaces with new lines (firewalls names cannot have space on their names
echo -e "query policies_collections, name='*'\n-q\n" | dbedit -local | grep installable_targets | sed 's/Name\: //g;' | sed 's/ (Table\: network_objects)//g;' | sed -e 's/[[:blank:]]\+/\n/g' | sed 's/installable_targets\://g;' > dbedit_extractNotUniqueTargetForPolicies.log

#  Then we will copy no-empty lines into a new file
files="dbedit_extractNotUniqueTargetForPolicies.log"
for i in $files
do
  sed '/^$/d' $i > $i.out
  #mv  $i.out $i
done

#  Then we will count unique firewall names ; from this list, we will copy non-unique list into a new file
sort  $files.out  | uniq -c | sed '/  1 /d;' > $files.out.unique

#  Then, for each non-unique target, we will find policy packages for which it's the target using whereused dbedit command
if [ -s $files.out.unique ]
then
  echo "Ouch ! The following firewall(s) are installation target for multiple policy packages:"
  # we will open this last file and then execute following commands line-by-line
  while IFS='' read -r line || [[ -n "$line" ]]; do
    # Explode each line in a array :
    #  ${arrIN[0]} is the number of policy packages for which the firewall is the installation target
    #  ${arrIN[1]} is the name of the firewall 
    arrIN=(${line// / })
    echo "${arrIN[1]}, ${arrIN[0]} times"

    # Command is:
    #    echo -e "whereused network_objects ${arrIN[1]}\n-q\n" | dbedit -local
    # in order to execute the whereused search for a specific firewall network objects
    #
    # From the result, we will filter as:
    #  1) grep "policies_collections"
    #     > In order to retreive only the list of policy packages for which is the installation target
    #  2) sed 's/referral_obj\: Name/Policy/g;' | sed 's/ (Table\: policies_collections)//g;'
    #     > delete some words
    echo -e "whereused network_objects ${arrIN[1]}\n-q\n" | dbedit -local | grep policies_collections | sed 's/referral_obj\: Name/Policy/g;' | sed 's/ (Table\: policies_collections)//g;'
  done < "$files.out.unique"
else
  echo "Perfect: there is no firewall as installation target of multiple policy packages"
fi

#  You can delete or keep temporary files if you need
rm dbedit_extractNotUniqueTargetForPolicies.log*‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

You'll be able to launch this script without argument.

Something like:

[Expert@mySMS:0]# ./dbedit_extractNotUniqueTargetForPolicies.sh

Enjoy

Re: Check : installation target of multiple policy packages

Robert_Decker — Sun, 11 Feb 2018 15:13:21 GMT

Nice work!

You can accomplish the same on R80.X Management using Management API commands -

https://community.checkpoint.com/message/11148-re-extract-policy-target-details-across-an-mds?commentID=11148#comment-11…

Robert.

topic Check : installation target of multiple policy packages in API / CLI Discussion

Check : installation target of multiple policy packages

Re: Check : installation target of multiple policy packages