topic Find security gateways IPs through CLI on SMS in API / CLI Discussion

Find security gateways IPs through CLI on SMS

Diyaa3791 — Thu, 06 Jul 2023 04:41:53 GMT

Hello everyone,

I am wondering if there is a way to find the IP address of every single security gateway connected to it through a CLI command and store them in variables? I am trying to automate some tasks with bash scripts!

I tried this, but it didn't give me any IPs at all.

mgmt_cli -r true -f json show gateways-and-servers | jq -r '.objects[] | select(.type == "CpmiGateway") | .ipv4-address'

Thank you,

Re: Find security gateways IPs through CLI on SMS

Tal_Paz-Fridman — Thu, 06 Jul 2023 06:52:22 GMT

You would also need the to see full details output by adding:

-details-level full

Based on this output modify your command

Re: Find security gateways IPs through CLI on SMS

PhoneBoy — Thu, 06 Jul 2023 15:37:08 GMT

You may want to check out a similar script posted to our Toolbox.

Re: Find security gateways IPs through CLI on SMS

Diyaa3791 — Mon, 11 Sep 2023 19:20:58 GMT

Hello PhoneBoy,

Thank you for your help and I am very sorry for my late reply. I did find a command from the script you referenced.

Re: Find security gateways IPs through CLI on SMS

Diyaa3791 — Mon, 11 Sep 2023 19:23:00 GMT

Thank you for your reply.

This didn't work, but I found another command that is simpler than this.

Re: Find security gateways IPs through CLI on SMS

Bob_Zimmerman — Mon, 11 Sep 2023 20:00:26 GMT

Note that a grep through objects.C mostly works, but sometimes fails in really bizarre and inscrutable ways. For example, it could catch an IP address from some other object. I would recommend instead 'mgmt_cli -f json -r true show gateways-and-servers limit 500 details-level full' like how you started, then filtering down based on the types of gateway you want. For example, to run things on physical members (e.g, a version check), you want to discard the cluster objects:

portNumber=$(api status | grep "APACHE Gaia Port" | awk '{print $NF}') mgmt_cli -f json \ --port "${portNumber}" \ -d "${cmaAddress}" \ -r true \ show gateways-and-servers \ limit 500 \ details-level full \ | jq -c '.objects[]|{name:.name,type:.type,address:."ipv4-address"}' \ | grep -v CpmiGatewayCluster \ | grep -v CpmiVsClusterNetobj \ | grep -v CpmiVsxClusterNetobj \ | grep -v "checkpoint-host"

cmaAddress should be the IP of the CMA you want to check in a multi-domain environment. With a single management server, you can just leave it unset and the script as written above should still work. Note that since each cluster member and each VS consumes an item slot, 500 items only covers a max of 166 two-member clusters. If you have over 500 items in the management domain, you'll have to run it multiple times with an offset to get all of the items.

Tweak the 'grep -v' lines as needed. Once you have it down to just the items you want, pipe it through a final jq -c '.address' and you have a list of only the addresses, one per line. Perfect for xargs.

Re: Find security gateways IPs through CLI on SMS

Diyaa3791 — Mon, 11 Sep 2023 21:15:15 GMT

I do remember getting a value of "(NULL BUF)" when trying to get the hostname of a gateway using

G_HostName=$(cprid_util -timeout 5 -server ${G_address} -verbose rexec -rcmd clish -c "show hostname")

My work around was to check if the returned hostname of an IP fetched from objects.C is "(NULL BUF)". I would skip that IP.

if [ "${G_HostName}" != "(NULL BUF)" ]; then # logging log 'info' "Backing up the configuration of Gateway: ${G_HostName} - ${G_address}" # backup the configuration of each gateway into a file while iterating through the loop cprid_util -server ${G_address} -verbose rexec -rcmd clish -c "show configuration" > "${BACKUP_DIR}/${G_HostName}_${G_address}_${CP_TIME}.clish" # logging log 'info' "Backup of ${G_HostName} - ${G_address} is completed." else log 'info' "The following gateway didn't backup: ${G_address} - This could be because it has an invalid gateway object." fi

Re: Find security gateways IPs through CLI on SMS

Bob_Zimmerman — Mon, 11 Sep 2023 21:41:05 GMT

So that's also not necessarily a safe assumption. "(NULL BUF)" just means CPRID isn't working from the management to that IP. It doesn't necessarily mean the IP is wrong. Maybe there's some issue between them, like a firewall from another vendor which isn't configured to allow CPRID.