Hello,
there is quite an old topic regarding my questions, but we have issues with this approach and it is also pretty ugly. We have been using

```
sh -c 'printf "set virtual-system 4\nshow route\nexit\n" | clish'
```

but it randomly worked on R80 and it is failing all the way on R81 (after a recent upgrade).
This is what we get in the logs on GW itself.
```
Jul 6 14:56:53 2022 Gateway01 xpand[27931]: admin localhost t +volatile:clish:admin:23304 t
Jul 6 14:56:54 2022 Gateway01 clish[23304]: User admin logged in with ReadWrite permission
Jul 6 14:56:54 2022 Gateway01 clish[23304]: Failed to get terminal settings.
Jul 6 14:56:54 2022 Gateway01 xpand[27931]: admin localhost t -volatile:clish:admin:23304
Jul 6 14:56:54 2022 Gateway01 clish[23304]: User admin logged out due to an error from CLI shell
```
Is there any other way to get routing information via API including virtual systems?
Thanks in advance.
Try the following script on your VSX. It will need to create a couple of local files to generate a clish dictionary that will be pushed with the -f flag. Output will be printed on screen and in routes_output.txt
```bash
#!/bin/bash
# Import the vsenv shell function so vsenv commands can be run
source /etc/profile.d/vsenv.sh

# Check if this is a VSX system; if not, exit with error code 1.
if ! vsenv &> /dev/null; then
    echo "This is not a VSX system, exiting."
    exit 1
fi

# Read the output of vsx stat -v and collect the IDs of the virtual systems (type "S").
# The IDs come straight from vsx stat, so gaps in the VS numbering need no special handling.
readarray -t vs_index < <(vsx stat -v | awk '{if ($3 == "S") print $1}')

# Routing file initialization
if test -f "./routefile"; then
    rm routefile; echo "File initialized"
fi

# Iterate over the VS IDs and build the clish command file
for i in "${vs_index[@]}"
do
    echo -e "set virtual-system $i\nshow route" >> routefile
done

# Run the command file once, after it is complete
clish -o pretty -f routefile > routes_output.txt

cat routes_output.txt
echo -e "-------------------------------------------------------------\n"
echo "VS routes saved to routes_output.txt"
exit 0
```
This is even more dirty. We cannot create files on customer boxes, so this is not viable for us. Thanks anyways, maybe it will be useful for someone.
Does anyone else know where we can actually do this via API without dirty hacks? It is a bit of a shame that something as basic as routing has not been taken into account to have a separate call.
At this point, you should take the command you're pushing and try running it locally. Does it still fail? Might give a more useful error message.
Directly on the CLI I get what you see below. I think it is obvious, as I am using clish to access it in the first place.

```
[Expert@Gateway01:0]# printf "set virtual-system 4\nshow route\nexit\n" | clish
CLINFR0479 You can't start interactive session from another interactive session
```

When I try from the SmartConsole CLI on the CMA I get what you can see in the attachment. Looks like the problem might be with piping the clish command. What do you think?
Yes, you would need to set your login shell to BASH to be able to test the command effectively on the command line.
It looks like in versions with the 3.10 kernel, clish no longer accepts piped input at all. Confirmed this is a problem on R80.40, R81, and R81.10.
clish has always been a pain, but now it's just shockingly bad for dealing with VSX.
There is a Gaia API, but not sure you can use it to fetch routes for a given VS.
Possibly you can run the above command (or a similar one) via run-script.
You can also use run-script via the regular management API.
See: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6%20
I remember having to pull these out of vs_slot_objects in the old days..!
With the funky new database, the same data is retrievable via:
```
PAGER="" psql_client -t -c "select fwset from dleobjectderef_data where name='vFW-NAME' and objclass='com.checkpoint.objects.vsx_classes.dummy.CpmiVsSlotObj' and dlesession=0;" cpm postgres|sed 's/[+]$//'
```
One could potentially do something clever with the routes_installed and interfaces_installed collections therein?
Definitely not something that we are looking for, but once again maybe someone will come across this topic and it fits into one's solution. Thanks for your input!
I recommend to load the CP environment first:
```
. /etc/profile.d/CP.sh;. /etc/profile.d/vsenv.sh;vsenv 4;netstat -rn
```
This did the trick. Thanks a lot Danny for your time and efforts!
Final script looks like this if someone needs this:
```
run-script script-name "show routes" script "source /etc/profile.d/CP.sh;source /etc/profile.d/vsenv.sh;vsenv x;netstat -rn" targets.1 "VSX_GATEWAY_NAME" --format json
```
'vsenv x' where x is the vs number.
Take into account netstat -rn limitations which were mentioned in other posts (will not show loadbalanced nexthops)
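An added example, not part of the thread or of any Check Point tooling: once the `run-script` call above has returned the `netstat -rn` text for a VS, it can be parsed off-box into structured routes, so nothing has to be written on the gateway. The sample output is constructed, and the function names `parse_netstat_rn` and `best_route` are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -rn` output for one Virtual System.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth1
10.20.0.0       198.51.100.254  255.255.0.0     UG        0 0          0 eth2
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth1
198.51.100.0    0.0.0.0         255.255.255.0   U         0 0          0 eth2
"""


def parse_netstat_rn(text):
    """Return one dict per IPv4 route line; banner, header and junk lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # banner line or truncated output
        try:
            network = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
            gateway = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column header or any other non-route text
        routes.append({
            "network": network,
            # 0.0.0.0 in the Gateway column means directly connected
            "gateway": None if gateway.is_unspecified else str(gateway),
            "flags": fields[3],
            "iface": fields[7],
        })
    return routes


def best_route(routes, destination):
    """Longest-prefix match. netstat -rn lists a single next hop per
    destination, so load-balanced next hops cannot be recovered here."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)


if __name__ == "__main__":
    for route in parse_netstat_rn(SAMPLE):
        print(route["network"], route["gateway"] or "connected", route["iface"])
```
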