Security Gateway Inventory
About 6 months ago, CP gave us a script to run from Provider-1 to grab all gateways and their corresponding model/software version. However, the results were very inconsistent, meaning that some (active) gateways came back with just host name and IP, while others came back with host name/IP/OS version/model number.
Is anybody aware of a way to pull gateway info that includes hostname/IP/OS version/model? I know you can export a list through network objects, but I just want an active count for inventory. Any such method/script?
```bash
#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh
if [ -f logfile ]; then rm logfile; fi
# HTML report: a title and one table row per gateway
echo '<html><head><title>Gateway Versions</title></head><body><table border="1">' > output.html
echo '<tr><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html
# Collect a "CMA <name>" header and the "<gateway> <ip>" lines of every CMA into logfile
for CMA_NAME in $($MDSVERUTIL AllCMAs); do
    mdsenv $CMA_NAME
    echo "CMA $CMA_NAME"
    cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr
done 1>> logfile 2>> logfile
while read line; do
    if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
        CMA_NAME=`echo "$line" | awk '{print $2}'`
        mdsenv $CMA_NAME
    else
        GW=`echo "$line" | awk '{print $1}'`
        IP=`echo "$line" | awk '{print $2}'`
        MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed 's/ Check Point //'`
        # Fix for chassis
        if [ "x$MODEL" = "x" ]; then
            MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
            if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
        fi
        TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
        # Fix for earlier releases or when take cannot be read from DA logs
        if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
        # Fix for manually imported package installations
        if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' | awk '{print "Take "$1}'`; fi
        MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" | sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
        MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
        echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
        echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html
    fi
done < logfile
echo '</table></body></html>' >> output.html
```
While reviewing Kaspars' code for my CPX 2020 presentation 'CheckMates - Best of Code Hub Contributions' in Vienna on February 5th, 2020 (14:00 - 14:30) I noticed that both versions posted here weren't working. So I fixed the code, added some more checks and tricks, and am posting my version here for you to review.
```bash
#!/bin/bash
#
# Security Gateway Inventory - Bash script for Check Point Multi-Domain Servers (MDS)
#
# Script Author : Kaspars Zibarts
# Script Source : https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Security-Gateway-Inventory/td-p/32547
if [[ -e /etc/profile.d/CP.sh ]]; then source /etc/profile.d/CP.sh; else echo "Unsupported Environment"; exit 1; fi
if ! [[ `echo $MDSDIR | grep mds` ]]; then echo "Not a Multi-Domain Server (MDS)!"; exit 1; fi
echo 'Script started on '$(date "+%Y-%m-%d @ %H:%M") >> logfile
if [[ -f output.html ]]; then mv output.html output_$(date -r output.html "+%Y-%m-%d_%H-%M-%S").html; fi
echo '<!DOCTYPE html>' > output.html
echo '<html lang="en"><head><title>Gateway Versions - '$(date "+%Y-%m-%d @ %H:%M")'</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html
for CMA_NAME in $($MDSVERUTIL AllCMAs); do
    mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr;
done 1>> logfile 2>> logfile
while read line; do
    if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
        CMA_NAME=`echo "$line" | awk '{print $2}'`
        mdsenv $CMA_NAME
    else
        GW=`echo "$line" | awk '{print $1}'`
        IP=`echo "$line" | awk '{print $2}'`
        MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed 's/ Check Point //'`
        # Fix for chassis
        if [ "x$MODEL" = "x" ]; then
            MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
            if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
        fi
        TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
        # Fix for earlier releases or when take cannot be read from DA logs
        if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
        # Fix for manually imported package installations
        if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' | awk '{print "Take "$1}'`; fi
        MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" | sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
        MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
        echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
        echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html
    fi
done < logfile
echo '</tbody></table><br></body></html>' >> output.html
echo 'Done. HTML output saved in output.html'
exit 0
```
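As an added example (not code from the thread or from the script's author), a parser for the intermediate logfile the script builds: it keeps the `CMA <name>` context, accepts only lines whose second field is an IPv4 address, and skips the banner that `echo 'Script started on ...' >> logfile` writes, which the original `while read` loop otherwise turns into a bogus `Script;started;;;;` row. The input is constructed, and `cprid_port_open` is an assumed helper name wrapping the port 18208 check discussed later in the thread.

```bash
#!/bin/bash
# Added example: turn the inventory loop's "logfile" into "cma;gateway;ip" rows.
# Constructed input only; nothing here talks to an MDS or a gateway.

is_ipv4() {
    # True when $1 is four dotted decimal octets, each in 0-255
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

parse_inventory_log() {
    # $1 = logfile holding "CMA <name>" headers followed by "<gw> <ip>" lines
    local cma="" line name ip
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "CMA "*) cma=${line#CMA }; continue ;;      # new CMA context
            ""|"Script started on "*) continue ;;        # empty line or run banner
        esac
        name=${line%% *}
        ip=$(printf '%s\n' "$line" | awk '{print $2}')
        if is_ipv4 "$ip"; then
            printf '%s;%s;%s\n' "$cma" "$name" "$ip"
        else
            # e.g. a cpmiquerybin warning: report it rather than emit a fake row
            printf 'SKIP (CMA %s): %s\n' "$cma" "$line" >&2
        fi
    done < "$1"
}

cprid_port_open() {
    # Assumed helper: CPRID on TCP 18208 must be reachable from the CMA,
    # otherwise cprid_util returns "(NULL BUF)" instead of data
    nc -z -w 3 "$1" 18208 >/dev/null 2>&1
}
```

Run `cprid_port_open "$IP"` before the `cprid_util` calls to skip unreachable gateways instead of writing empty cells for them.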
Just add the CMA_NAME var:
```bash
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>CMA</td><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html
echo "$CMA_NAME;$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
echo "<tr><td>$CMA_NAME</td><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html
```
Script;started;;;;
And above and below this line is a complete set of all gateways. Do keep in mind I have a set of 3 MDS servers and each domain only has 1 CMA on 1 of the 3 servers.
I found before that strange things happen when a CMA is checked that does not run on that server.
C-19 version, in case you wanted a similar way to capture your IPSEC tunnel counts:
```bash
#!/bin/bash
#
# Security Gateway Inventory - Bash script for Check Point Multi-Domain Servers (MDS)
#
# Script Author : Kaspars Zibarts
# Script Source : https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Security-Gateway-Inventory/td-p/32547
if [[ -e /etc/profile.d/CP.sh ]]; then source /etc/profile.d/CP.sh; else echo "Unsupported Environment"; exit 1; fi
if ! [[ `echo $MDSDIR | grep mds` ]]; then echo "Not a Multi-Domain Server (MDS)!"; exit 1; fi
echo 'Script started on '$(date "+%Y-%m-%d @ %H:%M") >> logfile
if [[ -f output.html ]]; then mv output.html output_$(date -r output.html "+%Y-%m-%d_%H-%M-%S").html; fi
echo '<!DOCTYPE html>' > output.html
echo '<html lang="en"><head><title>Gateway Versions - '$(date "+%Y-%m-%d @ %H:%M")'</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td><td>RAUSERS</td><td>MAXRAUSERS</td></tr>' >> output.html
for CMA_NAME in $($MDSVERUTIL AllCMAs); do
    mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr;
done 1>> logfile 2>> logfile
while read line; do
    if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
        CMA_NAME=`echo "$line" | awk '{print $2}'`
        mdsenv $CMA_NAME
    else
        GW=`echo "$line" | awk '{print $1}'`
        IP=`echo "$line" | awk '{print $2}'`
        MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed 's/ Check Point //'`
        # Fix for chassis
        if [ "x$MODEL" = "x" ]; then
            MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
            if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
        fi
        TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
        # Fix for earlier releases or when take cannot be read from DA logs
        if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
        # Fix for manually imported package installations
        if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' | awk '{print "Take "$1}'`; fi
        MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" | sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
        MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
        # Current and maximum number of IPsec peers, from cpstat
        RAUSERS=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpstat vpn -f ipsec" | grep "IPsec number of VPN-1 peers:" | awk '{print $6}'`
        MAXRAUSERS=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpstat vpn -f ipsec" | grep "IPsec maximum number of VPN-1 peers:" | awk '{print $7}'`
        echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC;$RAUSERS;$MAXRAUSERS"
        echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td><td>$RAUSERS</td><td>$MAXRAUSERS</td></tr>" >> output.html
    fi
done < logfile
echo '</tbody></table><br></body></html>' >> output.html
echo 'Done. HTML output saved in output.html'
exit 0
```
In case a TAKE was uninstalled for some reason, the script is still reporting the higher, uninstalled version.
Ciao Martin
Hi! I wrote this many moons ago and from vague memory cpinfo was not always easy to read if you had custom fixes installed on top of regular Take. But by all means - use whatever works best for you 🙂
Hi,
I really do like this little script! Thank you so much! I’m currently getting started with writing scripts so please bear with me 😃
Currently trying to add the information whether it is a Cluster or Single Gateway.
If possible, I don't want to realise this via "TYPE= `$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd...`" because if one of the gateways is unreachable, I won’t get valid information.
My question:
Is it possible to get the TYPE from the MDS even if the gateway is not reachable?
I was thinking about adding the following:
```bash
mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr,type;
```
and then just add:
```bash
GW_Name=`echo "$line" | awk '{print $1}'`
IP=`echo "$line" | awk '{print $2}'`
TYP=`echo "$line" | awk '{print $3}'`
```
but apparently it does not work like this...
And yes, I added "<td>TYP</td>", "$TYP" and "<td>$TYP</td>" so that it is also written to the output file.
Danny,
Is there a way to adapt to Security Management (no MDS), probably comment out the CMA section?
Great script! We have added a few modifications to also pull the Blade and Memory information:
```bash
TOTALMEM=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset all' | grep 'Total Memory' | awk '{print $3}'`
BLADES=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "enabled_blades"`
```
We also sent the output information to a txt file:
```bash
echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC;$TOTALMEM;$BLADES" >> output.txt
```
If anyone is still reading this thread.. 🙂 I noticed that the Take version was not fetched by the script when using Blink image upgrades. Therefore I have amended the lines that fetch the Take info:
```bash
# Get Take version
TAKE=`egrep 'was installed successfully|completed successfully' /opt/CPInstLog/DA_UI.log | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/)//' | sed 's/JHF T/# /' | awk -F# '{print $2}' | awk '{print "Take "$1}'`
# Fix for earlier releases or when take cannot be read from DA logs
if [ "$TAKE" = "Take " ]; then TAKE=`cpinfo -y FW1 | grep Take | tail -1 | awk '{print "Take "$3}'`; fi
```
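The Take extraction above, and the earlier remark that an uninstalled Take keeps being reported, as one added example (not the thread's own code): a function that reads Deployment Agent log lines, handles the three line shapes the thread's sed/awk chains expect (a Jumbo "(Take N) was installed successfully" line, a manually imported "..._Bundle_T<N>_..." package, and the Blink "JHF T<N> ... completed successfully" form), and returns nothing when the newest Take-related line is an uninstall so the caller falls back to `cpinfo -y FW1`. The sample lines and the "was uninstalled successfully" wording are constructed to fit those patterns and are assumptions, not copied from a real DA_UI.log.

```bash
#!/bin/bash
# Added example: derive "Take <N>" from DA_UI.log-style lines.
# The log wording below is assumed from the thread's pipelines, not verified.

take_from_da_log() {
    # $1 = path to a DA_UI.log-style file; prints "Take <N>" or nothing
    local last n
    # Newest install/uninstall/Blink record that mentions a Jumbo-type package
    last=$(grep -E 'was (un)?installed successfully|completed successfully' "$1" \
           | grep -E 'Image|Jumbo|Upgrade|Bundle_T|JHF' | tail -1)
    [ -n "$last" ] || return 0
    case "$last" in
        *uninstalled*) return 0 ;;   # assumed wording: Take state unknown, let caller fall back
    esac
    # Try each line shape in turn; the first that yields digits wins
    n=$(printf '%s\n' "$last" | sed -n 's/.*Take[ _]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] || n=$(printf '%s\n' "$last" | sed -n 's/.*Bundle_T\([0-9][0-9]*\)_.*/\1/p')
    [ -n "$n" ] || n=$(printf '%s\n' "$last" | sed -n 's/.*JHF T\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] && printf 'Take %s\n' "$n"
    return 0
}

take_for_gateway() {
    # $1 = DA log path, $2 = fallback string (what "cpinfo -y FW1" parsing returned)
    local t
    t=$(take_from_da_log "$1")
    [ -n "$t" ] && printf '%s\n' "$t" || printf '%s\n' "$2"
}
```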
Hi
I tried the C-19 version from Whatcha_McCallu on an MDS R8040.
I recognized that some
- DMS are added to gateway list
DMS-01;1.2.3.4;(NULL BUF);(NULL;;;;
- vsx has some strange output
vsx;1.1.1.1;(NULL BUF);(NULL;;;;
- output in general
firewall_1;1.2.3.6;;;;;;
firewall_2;1.2.3.7;;;;;;
However, it is very useful compared to the counters in SmartConsole (red/yellow/green dots)
They seem to count everything: gateways, DMS, standby DMS, CheckPoint Host objects...
Regards
Hi
(NULL BUF) most likely indicates that CPRID connectivity from mgmt to gw is not working on port 18208.
Try it manually and make sure it works:
```bash
nc -znvs <cma-ip> -w 3 <gw-ip> 18208
```
Hi
Thanks for the tip. Yes, 18208 is missing to the VSX gateways.
Regards