RCordova
Participant

Script suggestions - execute multiple commands to 20+ gateways - R80.40

I have a need to enter multiple expert mode commands (basically adding objects) to about 20 or so R80.40 firewalls. I have direct access to the firewalls via SSH from a jump server. Looking for suggestions to script the following:

- ssh to firewall
- run expert mode commands
- exit
- ssh to next firewall
- run expert mode commands
- etc.

From what I have read it sounds like I could create a script in the repository and run it on each firewall from SmartConsole (i.e. right-click, run script), but I am looking for a more automated way to do it. Ansible looks like it may be what I need. Just looking for suggestions.

Note - I do not want to have to install any special software on the management station or endpoints. Just looking for a simple solution if possible.


Thanks

Danny
Champion

The one-liner below can be run in expert mode on your management server to execute EXPERT_MODE_COMMANDS on all your centrally managed gateways:

echo; for i in `grep 'sic_name\|ipaddr' $FWDIR/conf/objects.C|grep -A1 sic_name|grep 'ipaddr '|tr -d ':ipadr ()\t'`; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done

Pro:

  • no additional software / expertise required
  • utilizes Check Point's native cprid_util (sk101047)
  • can be run as cronjob
  • can be added to SmartConsole's script repository to manually run the one-liner from there
  • can be easily adjusted to be executed for specific gateways only
RCordova
Participant

Thanks Danny. I think I'd like more control. Meaning, I'd like to do a few endpoints at a time by passing hosts to the command from a file.

Danny
Champion

Cool. Below is an example that reads the gateways' IP addresses from a file (file.txt):

echo; while read i; do cprid_util -server $i -verbose rexec -rcmd /bin/bash -c "EXPERT_MODE_COMMANDS"; done <file.txt

Boaz_Orshav
Employee

Hi,

You can use the CDT to run the script on a pre-defined candidate list.

The deployment plan will be very simple, and you can control the candidate list by simply editing a CSV file.

sk111158 provides details.

RCordova
Participant

Thanks Boaz. I want to find a solution (if possible) where I don't have to install any software on the management station.

PhoneBoy
Admin

CDT is built in?

JaySon_2021
Participant

Thanks PB. I assumed it wasn't installed by default as I didn't see a mention of that in the SK (sk111158).

JaySon_2021
Participant

I did find this link from sk101047

https://community.checkpoint.com/t5/API-CLI-Discussion/Central-Script-to-run-command-on-multiple-gat...

It looks like it would solve most of what I need. Unfortunately you have to type the command in. I would like the ability to either paste multiple commands when it asks, or have the script reference a file for the commands (like it does for the gateway IPs).

Václav_Brožík
Collaborator

The script is a very simple and rough example of how to use cprid_util. I recommend that you learn the basics of the Unix shell first.

You can pass multiple shell commands separated by semicolons to the -c argument of bash. For example:

bash -c "echo 1 ; echo 2"

You can even keep the commands in a file separated by newlines (like a regular shell script):

$ cat >tmpcmds.txt
echo 1
echo 2

$ bash -c "$(<tmpcmds.txt)"
1
2

The second one-liner from Danny is better suited for this task than the script you are referring to. Certainly test anything on mostly harmless commands like echo first. It is good practice to first turn the real commands into tests by prepending echo to them.

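Putting Danny's file-driven one-liner and Václav's "test with echo first" advice together, here is an added example script that is not from any post in this thread. It assumes it runs in expert mode on the Gaia management server (where cprid_util can reach the managed gateways), that the gateway list and the command list live in two plain text files, and that the gateway addresses are IPv4. The file names, the `--dry-run` flag and the sample contents written by `demo` are all constructed for illustration. Compared with the one-liner, it rejects malformed host entries, syntax-checks the command file once before anything is sent, prepends `set -e` so a gateway run stops at the first failing command, and carries on to the next gateway when one cprid_util call fails rather than aborting the whole loop.

```shell
#!/bin/bash
# Added example (not from the thread): push a file of expert-mode commands to a
# list of gateways with cprid_util. Assumes it runs in expert mode on the Gaia
# management server, which is where cprid_util can reach the managed gateways.
#
#   run_on_gateways.sh hosts.txt commands.txt            # run for real
#   run_on_gateways.sh hosts.txt commands.txt --dry-run  # only show what would run
#   run_on_gateways.sh --demo                            # constructed sample, dry run
#
# hosts.txt:    one gateway IP per line; blank lines and '#' comments are ignored
# commands.txt: shell commands, one per line, sent to each gateway as ONE bash script
set -u

# load_hosts FILE: print the usable gateway IPs, one per line. Blank lines and
# comments are skipped and anything that is not a dotted quad is rejected, so a
# stray header or typo never becomes a cprid_util target.
load_hosts() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -n "$line" ] || continue
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            printf '%s\n' "$line"
        else
            printf 'skipping invalid host entry: %s\n' "$line" >&2
        fi
    done < "$1"
}

# build_script FILE: turn the command file into the single string handed to
# `bash -c` on the gateway. Comments and blank lines are dropped and `set -e`
# is prepended so the remote run stops at the first failing command instead of
# carrying on with half the changes applied.
build_script() {
    local body
    body="$(grep -Ev '^[[:space:]]*(#|$)' "$1")"
    if [ -z "$body" ]; then
        printf 'no commands found in %s\n' "$1" >&2
        return 1
    fi
    printf 'set -e\n%s\n' "$body"
}

# run_all HOSTS CMDS [DRY]: syntax-check the script once, then run it on every
# host. With DRY=1 only the cprid_util invocation is printed and nothing is
# sent to a gateway.
run_all() {
    local hosts_file="$1" cmds_file="$2" dry="${3:-0}" script hosts host rc=0
    script="$(build_script "$cmds_file")" || return 1
    if ! bash -n -c "$script"; then
        printf 'syntax error in %s, nothing sent\n' "$cmds_file" >&2
        return 1
    fi
    hosts="$(load_hosts "$hosts_file")"
    for host in $hosts; do
        printf '=== %s ===\n' "$host"
        if [ "$dry" = 1 ]; then
            printf "cprid_util -server %s -verbose rexec -rcmd /bin/bash -c '%s'\n" "$host" "$script"
        elif ! cprid_util -server "$host" -verbose rexec -rcmd /bin/bash -c "$script"; then
            printf 'FAILED on %s (continuing with next gateway)\n' "$host" >&2
            rc=1
        fi
    done
    return "$rc"
}

# demo: constructed sample inputs (not real gateways), run in dry-run mode.
demo() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/hosts.txt" <<'EOF'
# constructed sample list
192.0.2.10
192.0.2.11   # second gateway, trailing comment is fine
not-an-ip
EOF
    cat > "$dir/commands.txt" <<'EOF'
# constructed sample commands; start with harmless ones
echo "hello from $(hostname)"
fw ver
EOF
    run_all "$dir/hosts.txt" "$dir/commands.txt" 1
    rm -rf "$dir"
}

if [ $# -ge 2 ]; then
    dry=0
    [ "${3:-}" = "--dry-run" ] && dry=1
    run_all "$1" "$2" "$dry"
elif [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Because the whole command file is handed to `bash -c` as one argument, quotes inside the commands are passed through literally, just as in Václav's `bash -c "$(<tmpcmds.txt)"`; the local `bash -n` check catches a typo before it is pushed to twenty gateways. Run it with `--dry-run` first, then with real commands only once the printed invocations look right.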