topic Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40 in API / CLI Discussion

Script suggestions - execute multiple commands to 20+ gateways - R80.40

RCordova — Sat, 30 Oct 2021 19:36:09 GMT

I have a need to enter multiple expert mode commands (basically adding objects) to about 20 or so R80.40 firewalls. I have direct access to the firewalls via SSH from a jump server. Looking for suggestions to script the following:

- ssh to firewall

-run expert mode commands

- exit

- ssh to next firewall

-run expert mode commands

- etc

From what I have read it sounds like I could create a script in the repository and run it on each firewall from Smartconsole (ie: right click, run script) but I am looking for a more automated way to do it. Ansible looks like it may be what I need. Just looking for suggestions.

Note - I do not want to have to install any special software on the management station or endpoints. Just looking for a simple solution if possible.

Thanks

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

Danny — Sun, 31 Oct 2021 15:48:21 GMT

The one-liner below can be run in expert mode on your management server to execute EXPERT_MODE_COMMANDS on all your centrally managed gateways:

echo; for i in `grep 'sic_name\|ipaddr' $FWDIR/conf/objects.C|grep -A1 sic_name|grep 'ipaddr '|tr -d ':ipadr ()\t'`; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done

Pro:

no additional software / expertise required
utilizes Check Point's native cprid_util (sk101047)
can be run as cronjob
can be added to SmartConsole's script repository to manually run the one-liner from there
can be easily adjusted to be executed for specific gateways only

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

Boaz_Orshav — Sun, 31 Oct 2021 04:48:15 GMT

You can use the CDT to run the script on a pre-defined candidates list

The deployment plan shall be very simple and you can control the candidates list by simply editing a csv file

SK111158 provides details

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

RCordova — Sun, 31 Oct 2021 13:32:29 GMT

Thanks Danny. I think I'd like more control. Meaning, I'd like to do a few endpoints at a time by passing hosts to the command from a file.

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

RCordova — Sun, 31 Oct 2021 13:32:09 GMT

Thanks Boaz. I want to find a solution (if possible) where I don't have to install any software on the management station.

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

JaySon_2021 — Sun, 31 Oct 2021 13:59:45 GMT

I did find this link from sk101047

https://community.checkpoint.com/t5/API-CLI-Discussion/Central-Script-to-run-command-on-multiple-gateways/td-p/38948

It looks like it would solve most of what I need. Unfortunately you have to type the command in. Would like the ability to either paste multiple commands when it asks, or have the script reference a file for the commands (like it does for the gateway IP's)

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

Danny — Sun, 31 Oct 2021 15:56:05 GMT

Cool. Below is an example to read in the gateways's IP addresses from a file.txt:

echo; while read i; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done <file.txt

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

PhoneBoy — Sun, 31 Oct 2021 16:39:32 GMT

CDT is built in?

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

JaySon_2021 — Sun, 31 Oct 2021 21:39:42 GMT

Thanks PB. I assumed it wasn't installed by default as I didn't see a mention of that in the SK (sk111158).

Re: Script suggestions - execute multiple commands to 20+ gateways - R80.40

Václav_Brožík — Wed, 03 Nov 2021 10:34:32 GMT

The script is a very simple and rough example of how to use cprid_util. I recommend you to learn basics of Unix shell first.

You can pass multiple shell commands separated by semicolons to the -c argument of bash. For example:

bash -c "echo 1 ; echo 2"

You can even have the commands in a file separated by newlines (like a regular shell script):

$ cat >tmpcmds.txt echo 1 echo 2 $ bash -c "$(<tmpcmds.txt)" 1 2

The second one-liner from Danny is better suited for this task than the script you are referring to. Certainly first test anything on mostly harmless commands like echo. It is a good practice to first change the real commands to tests by prepending echo to them.