Solved: Need Help with Automating Device Information Gathe...

majorluk · ‎2024-10-17

Hi everyone!

I'm reaching out for some advice because I'm a bit stuck at the moment.

We have an MDS environment and are developing automation scripts for compliance checks and read/write operations. Currently, I need to list all devices across all domains and download their configurations using the MDS CLI. I then execute commands remotely on Gaia and Gaia Embedded appliances.

The challenge is that, as part of a central team, I don’t have direct access to the firewalls but still need to gather all their information (yes, I know, it’s a bit ironic given the situation!).

We’re using the API show-gateways-and-servers call to gather appliance information, but the output is quite limited. It’s missing important details like:

Serial number
MAC address
HA status (active/standby)
Exact model
Jumbo Hotfix (JHF) version
License details

I was thinking of using remote execution to gather this info manually, but with around 800-1500 gateways globally, it’s taking forever to go through them all.

Is there anything you can recommend to speed this up or make the process more efficient? Also, what specific commands can I run on Gaia, Gaia Embedded, or Gaia VM to extract all the necessary details?

Any help would be much appreciated—my brain is fried and I could really use a nudge in the right direction! 😅

Thanks a lot in advance!

majorluk · ‎2024-10-30

Nevermind! Found all flags here:

cpstat

Thanks a lot!!! Saved a lot of time!!

View solution in original post

Amir_Senn · ‎2024-10-20

Can you use GAIA API for the operation?

If you do, you can use run-script API to get the info you need: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#web/run-script~v1.7%20

Kind regards, Amir Senn

Tal_Paz-Fridman · ‎2024-10-20

You can also use the older cpstat command with the -h flag to would with remote Security Gateways.

cpstat might have the flags to show what you are looking for (just type cpstat and it will give the usage).

For example cpstat os -f all -h <IP address> will retrieve the OS flags from the remote machine.

majorluk · ‎2024-10-30

Hi,

It looks like this is currently the easiest way to retrieve the data. Is there also a command available to check the Gateway cluster status and licensing? Since MDS stores that information in its database, there might be a way to access it, right?

Thanks so much!

majorluk · ‎2024-10-30

Nevermind! Found all flags here:

cpstat

Thanks a lot!!! Saved a lot of time!!

PhoneBoy · ‎2024-10-21

show-gateways-and-servers will only show you information in the Management about the object.
You might want to look into the following:

get-platform: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/get-platform~v2%20

In the Gaia API (referenceable from the Management API), you also have:

show-license: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#web/show-licenses~v1.7%20
show-asset: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#web/show-asset~v1.7%20
show-cluster-state: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#web/show-cluster-state~v1.7%20

R82 has an additional APIs that will help as well:

show gateway-capabilities: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-gateway-capabilities~v2%20

Hopefully that helps and will reduce your need to use run-script (also a possibility, of course).

Daniel_Kuhl1 · ‎2024-10-22

@PhoneBoy that's a great collection of API calls for this case.

@majorluk you can combine them in a Python script for example to build your own overview based on the outputs. You don't need access to the devices themselves. For MDS, make sure to have Multi-Domain Super User rights in SmartConsole. Then you can use the show-gateways-and-servers API call to get the uids of the gateways. Those uids can be used then with the API call gaia-api to gather the details from Gaia API using Management API. Like this:

> gaia-api/show-cluster-state target "69ab02a3-ee97-4be9-b818-adbffc51dc4e" --format json

{
"command-name" : "show-cluster-state",
"response-message" : {
"additional-info" : "",
"cluster-status" : "ok",
"message" : "Cluster Active",
"mode" : "virtual-system-load-sharing",
"other-cluster-members" : [ {
"load" : 0,
"name" : "A-VSX-02",
"peer-id" : 2,
"status" : "standby"
}, {
"load" : 0,
"name" : "A-VSX-03",
"peer-id" : 3,
"status" : "standby"
} ],
"this-cluster-member" : {
"load" : 100,
"name" : "A-VSX-01",
"peer-id" : 1,
"status" : "active"
}
}
}

This should work in my opinion. Let me know if you need an example in Python.

majorluk · ‎2024-10-29

Hi,

Thanks a lot for the feedback! GAIA doesn't seem to be an issue, but GAIA Embedded is a bit tricky. It doesn’t support those API calls, and the CLI commands differ from those on a typical GAIA system. 😕

majorluk · ‎2024-10-29

Hi,

Thanks a lot for the feedback! GAIA doesn't seem to be an issue, but GAIA Embedded is a bit tricky. It doesn’t support those API calls, and the CLI commands differ from those on a typical GAIA system.

PhoneBoy · ‎2024-10-29

Gaia Embedded has different CLI which can called via REST API.
The CLI commands that are probably most relevant (based on your original post) are:

show diag
fw ver
cplic print
show cluster-status

Are you a member of CheckMates?

Need Help with Automating Device Information Gathering in MDS Environment