topic Re: Global Expert Mode Commands in Hyperscale Firewall (Maestro)

Global Expert Mode Commands

Simon_Macpherso — Fri, 18 Mar 2022 05:13:24 GMT

Hello,

Other than the global expert mode commands specified in the R80.30 SP documentation, it it possible to run a custom global command in expert mode? I want to run a mgmt_cli command in the gaia api context to create user accounts on all SGMs. This needs to be run in expert mode.

Is this supported?

Regards,

Simon

Re: Global Expert Mode Commands

Danny — Mon, 21 Mar 2022 08:16:33 GMT

Just put a g_all or gexec in front of your command to run it globally on all SGMs of your security group.

Re: Global Expert Mode Commands

Simon_Macpherso — Fri, 18 Mar 2022 06:13:38 GMT

Unfortunately this only works for the mgmt_cli login command.

The sid.txt is created but only on the local SGM its running on.

When I try to run the second mgm_cli command with g_all

1_01:

Failed to open login output file [sid.txt]

1_02:

code: generic_err_session_expired

errors: Unauthorized sid, session may have expired

message: Session expired

1_03:

Failed to open login output file [sid.txt]

Not sure why the message for SGM2 specified unauthorized sid. There is no existing sid in the home folder of the account Im authorizing with.

I noticed when I create the accounts in the SMO webui, the accounts are replicate to the other SGMs. However when I try to create them in the gaia api context using mgmt_cli add user, the accounts are not replicated.

Re: Global Expert Mode Commands

_Val_ — Fri, 18 Mar 2022 09:27:46 GMT

I do not think you can run a single mgmt_cli command on all SGMs at once, as each one of them needs a separate authorisation for the API session. Please do scripting instead, sending commands to each SGM separately, including authentication.

Re: Global Expert Mode Commands

Simon_Macpherso — Fri, 18 Mar 2022 10:30:10 GMT

The authenticated session ID for each SGMs is in the sid.txt on SGM1. Seems the sid.txt is only created on SGM1, even though the mgmt_cli login command is being run on all SGMs with g_all. I would expect a copy of the sid.txt to be created in the /home folder of the account I'm using to authenticate with on each SGM It seems when the command is run on each SGM, its expectedly looking for the file locally and not being able to locate it. Odd though that it can't find the file for SGM 1_01, as that is where the sid.txt is being created.

Re: Global Expert Mode Commands

Simon_Macpherso — Mon, 21 Mar 2022 02:28:06 GMT

Do you know how to change SGM members in a bash script without the script terminating?

When I try to change members, the script terminates after the change is performed.

Re: Global Expert Mode Commands

_Val_ — Mon, 21 Mar 2022 07:38:05 GMT

@Anatoly can you comment please?

Re: Global Expert Mode Commands

Anatoly — Mon, 21 Mar 2022 07:59:23 GMT

I would try using gexec command and execute it on remote SGM

Re: Global Expert Mode Commands

Danny — Mon, 21 Mar 2022 08:18:07 GMT

@Simon_Macpherso, you seem to be interested in creating Gaia user accounts globally on all SGMs, so I suggest to use gClish or an expert command / script that executes commands in gClish context. Commands exectuted in gClish are replicated to all SGMs automatically, just as you described for SMO WebUI changes.

Re: Global Expert Mode Commands

Simon_Macpherso — Mon, 28 Mar 2022 00:11:09 GMT

Hi @Anatoly

This worked for 2 x 2 gw Maestro clusters.

I'm having an issue with a 3rd cluster we recently deployed.

When I run the script on this 3 member cluster, it only runs on member 2 and fails to parse the sid.txt on the other gateways (note the accounts already exist on member 2 from when the script first ran against the cluster).

[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_01]Failed to parse login output file [sid.txt]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]code: object_already_exist
[1_02]errors: User already exists
[1_02]message: Object Already Exist
[1_02]
[1_02]message: OK
[1_02]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]
[1_03]Failed to parse login output file [sid.txt]

I also notice when I ssh to this cluster, I'm connected to member 3 instead of the SMO member 1. On the other clusters, I'm always connected to the SMO which is member 1.

asg stat -i tasks output on 3 member cluster.

--------------------------------------------------------------------------------
| Task (Task ID) | Chassis 1 |
--------------------------------------------------------------------------------
| SMO (0) | 1 |
| General (1) | 1 |
| LACP (2) | 1 |
| CH Monitor (3) | 1 |
| DR Manager (4) | 1 |
| UIPC (5) | 1 |
| Alert (6) | 1 |
--------------------------------------------------------------------------------

Re: Global Expert Mode Commands

Simon_Macpherso — Fri, 01 Apr 2022 01:05:48 GMT

Any ideas? I'll also log a TAC case.