
Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider-1 to grab all gateways and their corresponding model/software version. However, the results were very inconsistent: some (active) gateways came back with just hostname and IP, and some came back with hostname/IP/OS version/model number.

Is anybody aware of a way to pull gateway info that includes hostname/IP/OS version/model? I know you can export a list through network objects, but I just want an active count for inventory. Is there any such method/script?

Accepted Solution

Re: Security Gateway Inventory

Small update 27th Sep 2018 - added MAC address of the Mgmt interface as requested.

I got a little curious since no one replied :)

I have only tested it with R77.30, R80.10 and R76 (chassis version) and CP appliances...

You get semicolon-separated text like this - you can format it better if you need to.

You run it on the MDS - it's fairly slow, but I wanted to keep it as simple as possible.

The script uses cpmiquerybin to fetch all physical gateways from all CMAs and then cprid_util to run some commands to collect the numbers, so it's fully autonomous - it does not need any input nor extra usernames/port openings etc.

I've added an ugly HTML version now too, in output.html.

#!/bin/bash
# Load the Check Point shell environment (CPDIR, MDSVERUTIL, the mdsenv function)
. /opt/CPshared/5.0/tmp/.CPprofile.sh

if [ -f logfile ]; then rm logfile; fi
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">' > output.html
echo '<html><head><title>Gateway Versions</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

# For every CMA on the MDS, write a "CMA <name>" marker line followed by the
# name and IP of each physical gateway / cluster member (VSX members included,
# virtual systems excluded, gateways only when SIC is communicating) to logfile
for CMA_NAME in $($MDSVERUTIL AllCMAs); do mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr; done 1>> logfile 2>> logfile


while read line; do

        if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then

                CMA_NAME=`echo "$line" | awk '{print $2}'`
                mdsenv $CMA_NAME

        else
                GW=`echo "$line" | awk '{print $1}'`
                IP=`echo "$line" | awk '{print $2}'`

                MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
                # Fix for chassis
                if [ "x$MODEL" = "x" ]; then MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`; if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi; fi

                TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
                # Fix for earlier releases or when take cannot be read from DA logs
                if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi

                # Fix for manually imported package installations
                if [ `echo $TAKE | wc -w` -gt 2 ]; then  TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi

                MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`

                MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

                echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
                echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html

        fi

done < logfile

echo '</tbody></table><br></body></html>' >> output.html
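As an added example (not the script author's code), here is a small Python post-processor for the semicolon-separated records the script above prints (GW;IP;MODEL;MAJOR;TAKE;MAC). It gives the active count per model/version/take that the original question asked for and lists rows where a required field came back empty, which is the kind of gap the first script produced. The sample records, the stray error line and the function names are constructed for illustration.

```python
"""Added example, not part of the thread: post-process the semicolon-separated
records printed by the inventory script (GW;IP;MODEL;MAJOR;TAKE;MAC) into a
completeness report and per-model/version/take counts. Sample data below is
constructed, not taken from real gateways."""
from collections import Counter

FIELDS = ("gw", "ip", "model", "major", "take", "mac")
REQUIRED = ("model", "major", "take")   # fields an inventory row must carry

# Constructed sample: two cluster members, one branch box, one row where the
# remote commands returned nothing for model and take, and one stray error line
# of the kind that ends up interleaved on the terminal.
SAMPLE_OUTPUT = """\
fw-dc1-a;192.0.2.11;5600;R80.10;Take 154;00:1c:7f:aa:bb:01
fw-dc1-b;192.0.2.12;5600;R80.10;Take 154;00:1c:7f:aa:bb:02
fw-branch-7;192.0.2.70;4400;R77.30;Take 351;00:1c:7f:aa:bb:07
fw-lab-1;192.0.2.99;;R80.10;;
rexec to 192.0.2.250 failed (constructed noise line)
"""


def parse_records(text):
    """Turn script output into dicts, skipping any line that is not a
    six-field record (error text, CMA markers, blank lines)."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def incomplete(records):
    """Rows where a required field came back empty: re-check these gateways
    by hand before trusting the count."""
    return [r for r in records if any(not r[f] for f in REQUIRED)]


def counts(records):
    """Active gateway count per (model, major, take), complete rows only."""
    bad = {r["gw"] for r in incomplete(records)}
    return Counter((r["model"], r["major"], r["take"])
                   for r in records if r["gw"] not in bad)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_OUTPUT)
    print(f"{len(recs)} gateways parsed, {len(incomplete(recs))} incomplete")
    for (model, major, take), n in sorted(counts(recs).items()):
        print(f"{n:3d}  {model:<8} {major:<8} {take}")
    for r in incomplete(recs):
        missing = ", ".join(f for f in REQUIRED if not r[f])
        print(f"CHECK {r['gw']} ({r['ip']}): missing {missing}")
```

Run the inventory script on the MDS with stdout redirected to a file and feed that file to parse_records; the HTML version lands in output.html in the directory the script was started from, since the script writes it with a relative path.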

44 Replies

Re: Security Gateway Inventory

Hello Kaspars,

Was this script supposed to be run in a special way? When attempting to run it I kept receiving an error regarding the command "AllCMAs". Is this specific command tied to a certain version or hotfix, or a special add-in, etc.? I am new to the Check Point scripting world, so forgive me if the question is a little newbish.

Re: Security Gateway Inventory

Are you running an MDS or a regular management server? That command and the script itself are meant for MDS-type management.


Re: Security Gateway Inventory

Updated script to process manually imported jumbo hotfix packages

Re: Security Gateway Inventory

Thank you Kaspars.

Re: Security Gateway Inventory

I tried to run your script on my MDS and am getting the following errors:

get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found
get_detail_list_of_gw_from_provider.sh:;line;;;;
get_detail_list_of_gw_from_provider.sh: line 14: mdsenv: command not found

File:

 more get_detail_list_of_gw_from_provider.sh
if [ -f logfile ]; then rm logfile; fi
echo '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">' > output.html
echo '<html><head><title>Gateway Versions</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

for CMA_NAME in $($MDSVERUTIL AllCMAs); do mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr; done 1>> logfile 2>> logfile


while read line; do

        if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then

                CMA_NAME=`echo "$line" | awk '{print $2}'`
                mdsenv $CMA_NAME

        else
                GW=`echo "$line" | awk '{print $1}'`
                IP=`echo "$line" | awk '{print $2}'`

                MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
                # Fix for chassis
                if [ "x$MODEL" = "x" ]; then MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`; if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi; fi

                TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
                # Fix for earlier releases or when take cannot be read from DA logs
                if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi

                # Fix for manually imported package installations
                if [ `echo $TAKE | wc -w` -gt 2 ]; then  TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi

                MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`

                MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

                echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
                echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html

        fi

done < logfile

echo '</tbody></table><br></body></html>' >> output.html

Any ideas why?

Re: Security Gateway Inventory

What is the output of 

$MDSVERUTIL AllCMAs

?

Re: Security Gateway Inventory

We have created a bunch of scripts that we use to check all kinds of stuff on our managed gateways, but provide our script with a list of hosts to use instead of collecting the systems from a management-server.

To gather the information, we use SSH with certificates to access the devices. It gets the following information from the systems:

Hostname, CP-version (major & minor), cluster-status, secureXL status, uptime, if DNS and NTP are working and if the time is set correctly, if stateful inspection is on or off, the age of the AntiBot/AntiVirus/IPS/Appl/URLf-databases, the size of /var/log/messages (if this is still the default size, it will set it to 10x2MB), if the system is 32 or 64-bit, CPUSE-version, if the box is licensed, the model and the serial number.

The scripts are rather crudely put together, but they get the job done and are run on a nightly basis.

The gathered intel is written to a file, so it can be read by other processes and can be used with information we gathered from other vendors' equipment that we manage for customers.

This is combined with information of the expiration-date of VPN-certificates and the version-database we compiled ourselves and this is presented on a web-server, so we have a full overview of (almost) all systems we manage and can do this without the use of SNMP.

The use of SSH  that runs over a list of systems to check is a more general way of gathering information about the systems we manage, but a lot quicker than cprid_util (which we do use, but only to gather info on SMB-devices that don't do scripts).

Re: Security Gateway Inventory

We run everything using bash scripts and SSH + key login ourselves. This suggestion was just a simple solution if you have neither in place. Not the fastest, but it works without installing SSH keys or adding rules for SSH access.

Re: Security Gateway Inventory

I give you 100 points for this script.

Nice!

Thanks

Heiko

Re: Security Gateway Inventory
mgmt_cli show gateways-and-servers details-level "full" 

 Check Point - Management API reference 

{
"from": 1,
"to": 2,
"total": 2,
"objects": [{
"uid": "302bcc2c-b3f1-405b-93dc-a5884288e499",
"name": "gw_192.0.2.14",
"type": "simple-gateway",
"ipv4-address": "192.0.2.14",
"operating-system": "Gaia",
"hardware": "Open server",
"version": "R80",
"sic-status": "communicating",
"interfaces": [{
"interface-name": "eth0",
"ipv4-address": "192.0.2.201",
"ipv4-network-mask": "255.255.255.0",
"ipv4-mask-length": 24,
"topology": {
"security-zone": {
"uid": "237a4cbc-7fb6-4d50-872a-4904468271c4",
"name": "ExternalZone",
"type": "security-zone",
"domain": {
"uid": "a0bbbc99-adef-4ef8-bb6d-defdefdefdef",
"name": "Check Point Data",
"domain-type": "data domain"
}
},
"leads-to-internet": true
},
"dynamic-ip": false
}
],
}

another option would be:

mgmt_cli run-script script-name "show configuration" script "show configuration" targets.1 "corporate-gateway" 

Re: Security Gateway Inventory

Good points, Tomer. The reason why I'm pulling info from the gateways is that ultimately they have the "correct" information themselves about the model, SW version and take number. Otherwise you rely on the info in the gateway object in mgmt being 100% accurate, which can be misleading sometimes after upgrades when people forget to update it :) As they say, best to hear it from the horse's mouth :)

https://community.checkpoint.com/people/tomera5b2e7f3-09aa-32f8-96c2-f0f5bfa2988b Can you get the take number of the gateway from the mgmt server, by the way?

Re: Security Gateway Inventory

First of all, this is good feedback for us. Consistency between gateway values defined at the Management server and the values on the gateways themselves is something we will try to emphasize better in our next releases.

You can pull the take number by running "mgmt_cli run script" on the Management server for the script "clish -C ver" on the selected gateway targets.
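An added example, not from Tomer's or Kaspars' posts: a Python reconciliation of the management-side object fields shown in the mgmt_cli show gateways-and-servers JSON above (name, ipv4-address, hardware, version, sic-status) against what the gateways themselves reported, so an object whose version was never updated after an upgrade is flagged instead of silently counted. Both inputs are constructed samples; the check only looks at the simple-gateway object type that appears in that JSON, so other gateway object types would need adding, and the sic-status value on the stale object is made up for illustration.

```python
"""Added example, not part of the thread: reconcile management-side gateway
objects (mgmt_cli show gateways-and-servers JSON) with values reported by the
gateways themselves. All inputs below are constructed samples."""
import json

# Constructed mgmt_cli output, restricted to fields shown in the thread's JSON.
# The "unknown" sic-status on fw-old-2 is an illustrative value, not a known API string.
MGMT_JSON = json.dumps({"objects": [
    {"name": "fw-dc1-a", "type": "simple-gateway", "ipv4-address": "192.0.2.11",
     "hardware": "5600", "version": "R80.10", "sic-status": "communicating"},
    {"name": "fw-branch-7", "type": "simple-gateway", "ipv4-address": "192.0.2.70",
     "hardware": "4400", "version": "R77.30", "sic-status": "communicating"},
    {"name": "fw-old-2", "type": "simple-gateway", "ipv4-address": "192.0.2.80",
     "hardware": "Open server", "version": "R77.30", "sic-status": "unknown"},
    {"name": "srv-ntp", "type": "host", "ipv4-address": "192.0.2.5"},
]})

# Values collected from the gateways (MODEL/MAJOR columns of the inventory script).
# fw-branch-7 was upgraded, but nobody updated its object on the management side.
GATEWAY_REPORTED = {
    "fw-dc1-a":    {"model": "5600", "major": "R80.10"},
    "fw-branch-7": {"model": "4400", "major": "R80.10"},
}


def reconcile(mgmt_json, reported):
    """Return (object name, finding kind, detail) tuples for every gateway
    object whose management-side data cannot be trusted as inventory."""
    findings = []
    for obj in json.loads(mgmt_json)["objects"]:
        if obj.get("type") != "simple-gateway":
            continue  # hosts, networks, etc. carry no gateway inventory data
        name = obj["name"]
        if obj.get("sic-status") != "communicating":
            # Management cannot have refreshed anything from this box.
            findings.append((name, "sic", obj.get("sic-status")))
            continue
        if name not in reported:
            findings.append((name, "not-collected", obj.get("ipv4-address")))
            continue
        gw = reported[name]
        if gw["major"] != obj.get("version"):
            findings.append((name, "version",
                             f"mgmt={obj.get('version')} gw={gw['major']}"))
        if gw["model"] != obj.get("hardware"):
            findings.append((name, "hardware",
                             f"mgmt={obj.get('hardware')} gw={gw['model']}"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in reconcile(MGMT_JSON, GATEWAY_REPORTED):
        print(f"{name:<14} {kind:<13} {detail}")
```

The gateway-reported side can be filled from the MODEL and MAJOR columns of the inventory script's output; objects that are not communicating are reported separately rather than compared, because the management server has no fresh data for them either.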

Re: Security Gateway Inventory

Where do you run this command, or is it related to the script? How do you run it? When I run the "mgmt_cli ...." command I get an error that the command is not found.

Re: Security Gateway Inventory

mgmt_cli is run from the management (R80 and above).

If you're on an earlier release, that command won't be available.

Re: Security Gateway Inventory

Thanks for that clarification. I tried using the command but I got an error back that the command was not found.

Re: Security Gateway Inventory

Can you share a screenshot? :) Are you logged into expert mode, as in the bash shell?

Re: Security Gateway Inventory

Yes, I am.

Also, we are on 77.30.

Re: Security Gateway Inventory

:) You will need to get to R80.10 first, then. The API is not supported in R77.30.

Re: Security Gateway Inventory

However, the script provided above should work on R77.30 MDM.

If you're not on MDM, then it probably needs some modification, since there isn't a cpmiquerybin binary to get the list of managed gateways.

Re: Security Gateway Inventory

Got it. Thanks

Re: Security Gateway Inventory

Please be aware that when you respond via email, your signature may be included in the public response that gets posted to CheckMates.

I've removed this information from a couple of posts on this thread, as I assume you don't want it out there :)

Re: Security Gateway Inventory

Thanks, I did not realize that.

Re: Security Gateway Inventory

I have a script, SK85621, that does some of the inventory collection, but it does not tell you the specific model for each firewall. I have looked at the attributes, including "appliance type", but I would like the specific platform for each individual gateway (we have a variety). Which attribute gives me that output? I see a list of attributes but am not sure which one would do that (since it is not obvious to me from the list of attributes).

Re: Security Gateway Inventory

The script that Kaspars Zibarts provided as part of this thread should give you this information.

It should be a little easier to find now that I've marked it as "correct." :)

Re: Security Gateway Inventory

When I try to run the script I get this error: "./inventoryscriptcheckmates091818.sh: /bin/bash^M: bad interpreter: No such file or directory". Any thoughts on how to fix it? I have not tried the corrected one, but I will now and let you know if I have any issues.

Re: Security Gateway Inventory

Wait, I got it to work; I used the dos2unix command and it is now running.

Re: Security Gateway Inventory

I ran the script after converting it. It is running perfectly.

I could not get the output to come out in HTML, though. It came out in semicolon-delimited format. It's not a big deal because it is working, but I just thought it would be cool to have the HTML output. Thanks for all of the help and feedback.