Re: Script suggestions - execute multiple commands...

RCordova · ‎2021-10-30

I have a need to enter multiple expert mode commands (basically adding objects) to about 20 or so R80.40 firewalls. I have direct access to the firewalls via SSH from a jump server. Looking for suggestions to script the following:

- ssh to firewall

-run expert mode commands

- exit

- ssh to next firewall

-run expert mode commands

- etc

From what I have read it sounds like I could create a script in the repository and run it on each firewall from Smartconsole (ie: right click, run script) but I am looking for a more automated way to do it. Ansible looks like it may be what I need. Just looking for suggestions.

Note - I do not want to have to install any special software on the management station or endpoints. Just looking for a simple solution if possible.

Thanks

Danny · ‎2021-10-30

The one-liner below can be run in expert mode on your management server to execute EXPERT_MODE_COMMANDS on all your centrally managed gateways:

echo; for i in `grep 'sic_name\|ipaddr' $FWDIR/conf/objects.C|grep -A1 sic_name|grep 'ipaddr '|tr -d ':ipadr ()\t'`; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done

Pro:

no additional software / expertise required
utilizes Check Point's native cprid_util (sk101047)
can be run as cronjob
can be added to SmartConsole's script repository to manually run the one-liner from there
can be easily adjusted to be executed for specific gateways only

RCordova · ‎2021-10-31

Thanks Danny. I think I'd like more control. Meaning, I'd like to do a few endpoints at a time by passing hosts to the command from a file.

Danny · ‎2021-10-31

Cool. Below is an example to read in the gateways's IP addresses from a file.txt:

echo; while read i; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done <file.txt

Boaz_Orshav · ‎2021-10-30

Hi

You can use the CDT to run the script on a pre-defined candidates list

The deployment plan shall be very simple and you can control the candidates list by simply editing a csv file

SK111158 provides details

RCordova · ‎2021-10-31

Thanks Boaz. I want to find a solution (if possible) where I don't have to install any software on the management station.

PhoneBoy · ‎2021-10-31

CDT is built in?

JaySon_2021 · ‎2021-10-31

Thanks PB. I assumed it wasn't installed by default as I didn't see a mention of that in the SK (sk111158).

JaySon_2021 · ‎2021-10-31

I did find this link from sk101047

https://community.checkpoint.com/t5/API-CLI-Discussion/Central-Script-to-run-command-on-multiple-gat...

It looks like it would solve most of what I need. Unfortunately you have to type the command in. Would like the ability to either paste multiple commands when it asks, or have the script reference a file for the commands (like it does for the gateway IP's)

Václav_Brožík · ‎2021-11-03

The script is a very simple and rough example of how to use cprid_util. I recommend you to learn basics of Unix shell first.

You can pass multiple shell commands separated by semicolons to the -c argument of bash. For example:

bash -c "echo 1 ; echo 2"

You can even have the commands in a file separated by newlines (like a regular shell script):

$ cat >tmpcmds.txt
echo 1
echo 2

$ bash -c "$(<tmpcmds.txt)"
1
2

The second one-liner from Danny is better suited for this task than the script you are referring to. Certainly first test anything on mostly harmless commands like echo. It is a good practice to first change the real commands to tests by prepending echo to them.

Are you a member of CheckMates?

Script suggestions - execute multiple commands to 20+ gateways - R80.40