czinu
Contributor

Get routes from virtual systems via API

Hello,

 

Ref. https://community.checkpoint.com/t5/API-CLI-Discussion/How-to-get-virtual-system-router-dynamic-rout...

There is quite an old topic regarding my question, but we have issues with this approach and it is also pretty ugly. We have been using

sh -c 'printf "set virtual-system 4\nshow route\nexit\n" | clish'

but it randomly worked on R80 and it is failing all the way on R81 (after a recent upgrade).

This is what we get in the logs on GW itself.

 

Jul  6 14:56:53 2022 Gateway01 xpand[27931]: admin localhost t +volatile:clish:admin:23304 t
Jul  6 14:56:54 2022 Gateway01 clish[23304]: User admin logged in with ReadWrite permission
Jul  6 14:56:54 2022 Gateway01 clish[23304]: Failed to get terminal settings.
Jul  6 14:56:54 2022 Gateway01 xpand[27931]: admin localhost t -volatile:clish:admin:23304
Jul  6 14:56:54 2022 Gateway01 clish[23304]: User admin logged out due to an error from CLI shell

 

Is there any other way to get routing information via API including virtual systems?

 

Thanks in advance.

 

0 Kudos
Alex-
Advisor

Try the following script on your VSX. It will need to create a couple of local files to generate a clish dictionary that will be pushed with the -f flag. Output will be printed on screen and in routes_output.txt.

 

 

 

 

#!/bin/bash

#Import the vsenv shell to run vsenv commands
source /etc/profile.d/vsenv.sh

#Check if this is a VSX system, if not exit with error code 1.
if ! vsenv &> /dev/null; then
echo "This is not a VSX system, exiting."
exit 1
fi

#Read the output of vsx stat -v and search for virtual systems.
#The IDs are taken straight from the first column, so gaps in the VS numbering need no special handling.
readarray -t vs_index < <(vsx stat -v | awk '{if ($3 == "S") print $1}')

#Routing file initialization
if test -f "./routefile"; then
        rm routefile; echo "File initialized"
fi

#Iterate array and create route dictionary
for i in "${vs_index[@]}"
do
echo -e "set virtual-system $i\nshow route" >> routefile
done

#Run the complete dictionary once, after all virtual systems have been added
clish -o pretty -f routefile > routes_output.txt

cat routes_output.txt
echo -e "-------------------------------------------------------------\n"
echo "VS routes saved to routes_output.txt"
exit 0

 

 

 

 

 

czinu
Contributor

This is even more dirty. We cannot create files on customer boxes, so this is not viable for us. Thanks anyways, maybe it will be useful for someone. 

Does anyone else know how we can actually do this via API without dirty hacks? It is a bit of a shame that something as basic as routing has not been taken into account with a separate call.

0 Kudos
Bob_Zimmerman
Authority

At this point, you should take the command you're pushing and try running it locally. Does it still fail? Might give a more useful error message.

0 Kudos
czinu
Contributor

Directly on the CLI I get what you see below. I think it is obvious, as I am using clish to access it in the first place.

[Expert@Gateway01:0]# printf "set virtual-system 4\nshow route\nexit\n" | clish
CLINFR0479  You can't start interactive session from another interactive session

When I try from the SmartConsole CLI on the CMA I get what you can see in the attachment. It looks like the problem might be with piping the clish command. What do you think?

0 Kudos
Bob_Zimmerman
Authority

Yes, you would need to set your login shell to BASH to be able to test the command effectively on the command line.

0 Kudos
Bob_Zimmerman
Authority

It looks like in versions with the 3.10 kernel, clish no longer accepts piped input at all. Confirmed this is a problem on R80.40, R81, and R81.10.

clish has always been a pain, but now it's just shockingly bad for dealing with VSX.

0 Kudos
PhoneBoy
Admin

There is a Gaia API, but not sure you can use it to fetch routes for a given VS.
Possibly you can run the above command (or a similar one) via run-script.
You can also use run-script via the regular management API.
See: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6%20 

0 Kudos
stallwoodj
Collaborator

I remember having to pull these out of vs_slot_objects in the old days..!

With the funky new database, the same data is retrievable via:

PAGER="" psql_client -t -c "select fwset from dleobjectderef_data where name='vFW-NAME' and objclass='com.checkpoint.objects.vsx_classes.dummy.CpmiVsSlotObj' and dlesession=0;" cpm postgres|sed 's/[+]$//'

One could potentially do something clever with the routes_installed and interfaces_installed collections therein?

czinu
Contributor

Definitely not something that we are looking for, but once again maybe someone will come across this topic and it fits into one's solution. Thanks for your input!

0 Kudos
Danny
Champion

I recommend loading the CP environment first:

. /etc/profile.d/CP.sh;. /etc/profile.d/vsenv.sh;vsenv 4;netstat -rn
(1)
czinu
Contributor

This did the trick. Thanks a lot Danny for your time and efforts!

 

Final script looks like this if someone needs this:

 

run-script script-name "show routes" script "source /etc/profile.d/CP.sh;source /etc/profile.d/vsenv.sh;vsenv x;netstat -rn" targets.1 "VSX_GATEWAY_NAME" --format json

'vsenv x' where x is the vs number.

Take into account the netstat -rn limitations which were mentioned in other posts (it will not show load-balanced next hops).

0 Kudos
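An added example, not from any post in this thread and not Check Point code: it builds the run-script body from the final command above for a validated VS number (the string is executed by a shell on the gateway, so only a plain integer is accepted), then decodes and parses the reply. The reply field names (`tasks`, `task-details`, base64 `responseMessage`, status `succeeded`), `MAX_VS_ID` and the sample data are assumptions made for the example.

```python
import base64
import ipaddress

MAX_VS_ID = 512  # assumed upper bound; set to your platform's limit

def build_route_script(vs_id):
    """Script body for one VS; only a plain integer is ever interpolated."""
    if type(vs_id) is not int or not 0 <= vs_id <= MAX_VS_ID:
        raise ValueError(f"invalid virtual system id: {vs_id!r}")
    return ("source /etc/profile.d/CP.sh;source /etc/profile.d/vsenv.sh;"
            f"vsenv {vs_id};netstat -rn")

def task_output(reply):
    """Map target name -> decoded script output (field names are assumed)."""
    out = {}
    for task in reply.get("tasks", []):
        if task.get("status") != "succeeded":
            raise RuntimeError(f"{task.get('target')}: {task.get('status')}")
        parts = [base64.b64decode(d.get("responseMessage", ""))
                 for d in task.get("task-details", [])]
        out[task["target"]] = b"".join(parts).decode(errors="replace")
    return out

def parse_netstat(text):
    """Return route dicts from 'netstat -rn' text, skipping banner/header lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
            gw = ipaddress.ip_address(f[1])
        except ValueError:
            continue  # column header or other non-route line
        routes.append({"prefix": str(net), "gateway": str(gw),
                       "flags": f[3], "iface": f[7]})
    return routes

# Constructed sample output and reply, not captured from a real gateway.
SAMPLE_OUTPUT = """Context is set to Virtual Device VS4 (ID 4).
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.4.0       0.0.0.0         255.255.255.0   U         0 0          0 wrp256
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth1
"""
SAMPLE_REPLY = {"tasks": [{"target": "VSX_GATEWAY_NAME", "status": "succeeded",
    "task-details": [{"responseMessage":
        base64.b64encode(SAMPLE_OUTPUT.encode()).decode()}]}]}
print(parse_netstat(task_output(SAMPLE_REPLY)["VSX_GATEWAY_NAME"]))
```
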
