Solved: Re: Security Gateway Inventory - Page 2

John_Lovinggood · ‎2018-02-24

About 6 months ago, CP gave us a script to run from Provider 1 to grab all gateways and their corresponding model/software version. However, it was a very inconsistent result. Meaning that, some (active) gateways came back with just host name and IP and then some came back with host name/IP/OS Version/model number.

Anybody aware of a way to pull : Gateway Info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want active count for inventory. Any such method/script?

Kaspars_Zibarts · ‎2018-09-14

you will need to get to R80.10 first then. API is not supported in R77.30

PhoneBoy · ‎2018-09-14

However, the script you provided above should work on R77.30 MDM.

If you're not on MDM, then it probably needs some modification since there isn't a cpmiquerybin binary to get the list of managed gateways.

Etheldra_Freder · ‎2018-09-14

Got it. Thanks

PhoneBoy · ‎2018-09-14

Please be aware when you respond via email, your signature may be included in the public response that gets posted to CheckMates.

I've removed this information from a couple of posts on this thread as I assume you don't want it out there

Etheldra_Freder · ‎2018-09-14

Thanks, I did not realize that.

Etheldra_Freder · ‎2018-09-14

I have a script SK85621 that does some of the inventory collection but it does not tell you the specific model for each firewall. I have looked at the attributes and when you use "appliance type" but I would like the specific platform from each individual ( we have a variety). Which attributes gives me that output. I see a list of attributes but not sure which one would do that (since it is not obvious to me in the list of attributes).

PhoneBoy · ‎2018-09-14

The script that Kaspars Zibarts‌ provided as part of this thread should give you this information.

It should be a little easier to find now that I've marked it as "correct."

Etheldra_Freder · ‎2018-09-16

When I try to run the script i get this error " ./inventoryscriptcheckmates091818.sh: /bin/bash^M: bad interpreter: No such file or directory", any thoughts on how to fix it? I have not tried the corrected one but will now and let you know if I have any issues.

Etheldra_Freder · ‎2018-09-16

Wait, I got it to work, i used the dos2unix command and it is now runnin.

Etheldra_Freder · ‎2018-09-16

I ran the script after converting it. It is running perfectly.

I could not get the output to come out in HTML though. It came out in semicolon delimited format. It's

not a big deal because it is working but just thought it would be cool to have the HTML output. Thank for all of the help and feedback.

Kaspars_Zibarts · ‎2018-09-16

HTML is faced in the output.html file in the same directory as script itself. In order to see it copy to a webbserver or your laptop and open it there.

Weiwei_Miao · ‎2018-10-24

If I want to pull, serial number, memory, hardisk space, cpu level, sic status, hastatus...how can I achieve it.

Weiwei_Miao · ‎2018-10-24

#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh

IP='xxxx'
MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
echo $MAC

I am just trying to test this on a specific fw gateway, but it is not returning any value. Did I miss anything?

Kaspars_Zibarts · ‎2018-10-24

You can't execute cprid commands on gateways, it runs only on management. So if you want to do it on firewall itself then run

MAC=`ifconfig -a | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

Weiwei_Miao · ‎2018-10-25

sorry for the confusion. I tested this script on management, and I specified which gateway I want to pull the info from, but it did not return any value. Any idea on what could cause it?

Kaspars_Zibarts · ‎2018-10-25

Hi

check that cprid is running on the gateway, I have noticed that sometimes it may die

ps aux|grep cprid

and it's listening on port 18208

[Expert@fw2:0]# netstat -an|grep 18208
tcp 0 0 0.0.0.0:18208 0.0.0.0:* LISTEN

Weiwei_Miao · ‎2018-10-26

checked that.. it is running and listening on that port.

[Expert@xxxx]# ps aux|grep cprid
admin 29498 0.0 0.0 1736 520 pts/2 S+ 11:31 0:00 grep cprid
[Expert@xxx]# netstat -an | grep 18208
tcp 0 0 10.15.207.11:18208 0.0.0.0:* LISTEN

Kaspars_Zibarts · ‎2018-10-26

Can you run cprid without script? I.e.

$CPDIR/bin/cprid_util -server x.x.x.x -verbose rexec -rcmd bash -c ifconfig -a

Do you see output of ifconfig from gateway?

Do you have any firewalls in the path that can stop port 18208?

Martin_Valenta · ‎2020-01-02

Also it doesn't count with any Gaia Embbedded boxes.

Etheldra_Freder · ‎2018-10-26

Good morning

we have MDSs that In “stopping “, I have cleared CPMIcache, reboot the MDS, stop and start the MDS and still they are in that state. It is preventing us from assigning policy and making use of the CMA for troublehooting purposes and still nothing works. We have 3 MDSs and the main one works but the secondary ones do not. Would the issue be because the service has stopped? I am going to check it with the command you listed above. Thanks

Kaspars_Zibarts · ‎2018-10-26

Sorry, but this article is nothing to do with MDS stopping. It simply collects gateway information using cprid. You better start new conversation and add more information about what's actually wrong

Etheldra_Freder · ‎2018-10-26

Oh shoot, not sure why I did that. My apologize All. I blame it on sleep.

Greg_Galowitz · ‎2019-07-05

I am getting error when running this script.

[Expert@Manager:0]# ./Gateway.sh
sed: -e expression #1, char 6: unterminated `s' command
./Gateway.sh:;line;;;;
[Expert@Manager:0]#

I am running r80.20 on my manager.

Kaspars_Zibarts · ‎2019-07-05

Haven't upgraded to R80.20 yet in our env 🙂 coming soon

Maarten_Sjouw · ‎2019-07-09

Kaspars, can you paste the script again with the correct formatting? Carriage returns got eaten by the conversion to the new forum...

Regards, Maarten

Kaspars_Zibarts · ‎2019-07-10

#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh

if [ -f logfile ]; then rm logfile; fi
echo '' > output.html
echo 'Gateway Versions' >> output.html
echo '' >> output.html

for CMA_NAME in $($MDSVERUTIL AllCMAs); do mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr; done 1>> logfile 2>> logfile


while read line; do

        if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then

                CMA_NAME=`echo "$line" | awk '{print $2}'`
                mdsenv $CMA_NAME

        else
                GW=`echo "$line" | awk '{print $1}'`
                IP=`echo "$line" | awk '{print $2}'`

                MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
                # Fix for chassis
                if [ "x$MODEL" = "x" ]; then MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`; if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi; fi

                TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
                # Fix for earlier releases or when take cannot be read from DA logs
                if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi

                # Fix for manually imported package installations
                if [ `echo $TAKE | wc -w` -gt 2 ]; then  TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi

                MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`

                MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

                echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
                echo "" >> output.html

        fi

done < logfile

echo 'GWIPMODELMAJORTAKEMAC$GW$IP$MODEL$MAJOR$TAKE$MAC
' >> output.html

Danny · ‎2019-12-31

While reviewing Kaspars' code for my CPX 2020 presentation 'CheckMates - Best of Code Hub Contributions' in Vienna on February 5th, 2020 (14:00 - 14:30) I noticed that both versions posted here weren't working. So I fixed the code, added some more checks and tricks and posting my version here for you to review.

#!/bin/bash
#
# Security Gateway Inventory - Bash script for Check Point Multi-Domain Servers (MDS)
#
# Script Author : Kaspars Zibarts
# Script Source : https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Security-Gateway-Inventory/td-p/32547

if [[ -e /etc/profile.d/CP.sh ]]; then source /etc/profile.d/CP.sh; else echo "Unsupported Environment"; exit 1; fi
if ! [[ `echo $MDSDIR | grep mds` ]]; then echo "Not a Multi-Domain Server (MDS)!"; exit 1; fi

echo 'Script started on '$(date "+%Y-%m-%d @ %H:%M") >> logfile
if [[ -f output.html ]]; then mv output.html output_$(date -r output.html "+%Y-%m-%d_%H-%M-%S").html; fi
echo '<!DOCTYPE html>' > output.html
echo '<html lang="en"><head><title>Gateway Versions - '$(date "+%Y-%m-%d @ %H:%M")'</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

for CMA_NAME in $($MDSVERUTIL AllCMAs); do
	mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr;
done 1>> logfile 2>> logfile
	
while read line; do
	if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
		CMA_NAME=`echo "$line" | awk '{print $2}'`
		mdsenv $CMA_NAME
	else
		GW=`echo "$line" | awk '{print $1}'`
		IP=`echo "$line" | awk '{print $2}'`
		MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
		# Fix for chassis
		if [ "x$MODEL" = "x" ]; then
			MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
			if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
		fi
		TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
		# Fix for earlier releases or when take cannot be read from DA logs
		if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
		# Fix for manually imported package installations
		if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi
		MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
		MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
		echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
		echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html
	fi
done < logfile

echo '</tbody></table><br></body></html>' >> output.html‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍
echo 'Done. HTML output saved in output.html'
exit 0

Maarten_Sjouw · ‎2020-01-02

Small request, can you add the CMA name in the output as a first field?

Regards, Maarten

Kaspars_Zibarts · ‎2020-01-03

Just add CMA_NAME var

echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>CMA</td><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

echo "$CMA_NAME;$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
echo "<tr><td>$CMA_NAME</td><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html

Kaspars_Zibarts · ‎2020-01-03

Hehe, glad to see it's still alive! 😉