John_Lovinggood
Explorer

Security Gateway Inventory


About 6 months ago, CP gave us a script to run from Provider 1 to grab all gateways and their corresponding model/software version. However, the results were very inconsistent: some (active) gateways came back with just hostname and IP, and some came back with hostname/IP/OS version/model number.

Is anybody aware of a way to pull gateway info that includes hostname/IP/OS version/model? I know you can export a list through network objects, but I just want an active count for inventory. Is there any such method/script?

74 Replies
Kaspars_Zibarts
Authority
Hehe, glad to see it's still alive! 😉
Kaspars_Zibarts
Authority
Just ran it on my MDS and noticed that it failed on a cluster that was previously converted from a single gateway, and also on a cluster where a member's main IP was changed recently. So I'll need to dig into that.
0 Kudos
Maarten_Sjouw
Champion
Got some weird results from the last version; halfway through the output it shows:
Script;started;;;;
And above and below this line there is a complete set of all gateways. Do keep in mind I have a set of 3 MDS servers and each domain only has 1 CMA on 1 of the 3 servers.
I found before that strange things happen when a CMA is checked that does not run on that server.
Regards, Maarten
0 Kudos
Whatcha_McCallu
Employee
Employee

C-19 version, in case you wanted a similar way to capture your IPsec tunnel counts:

#!/bin/bash
#
# Security Gateway Inventory - Bash script for Check Point Multi-Domain Servers (MDS)
#
# Script Author : Kaspars Zibarts
# Script Source : https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Security-Gateway-Inventory/td-p/32547

if [[ -e /etc/profile.d/CP.sh ]]; then source /etc/profile.d/CP.sh; else echo "Unsupported Environment"; exit 1; fi
if ! [[ `echo $MDSDIR | grep mds` ]]; then echo "Not a Multi-Domain Server (MDS)!"; exit 1; fi

# Start a fresh logfile for this run. The read loop below parses logfile, so lines
# left over from a previous run would otherwise be reported again as gateways.
echo 'Script started on '$(date "+%Y-%m-%d @ %H:%M") > logfile
if [[ -f output.html ]]; then mv output.html output_$(date -r output.html "+%Y-%m-%d_%H-%M-%S").html; fi
echo '<!DOCTYPE html>' > output.html
echo '<html lang="en"><head><title>Gateway Versions - '$(date "+%Y-%m-%d @ %H:%M")'</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td><td>RAUSERS</td><td>MAXRAUSERS</td></tr>' >> output.html

# Per CMA, write "name ipaddr" for every cluster member, VSX object and communicating gateway into logfile
for CMA_NAME in $($MDSVERUTIL AllCMAs); do
	mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr;
done 1>> logfile 2>> logfile

while read line; do
	# The start banner and empty lines are not gateway entries
	if [ -z "$line" ] || [ `echo "$line" | grep -c '^Script started'` -gt 0 ]; then continue; fi
	if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
		CMA_NAME=`echo "$line" | awk '{print $2}'`
		mdsenv $CMA_NAME
	else
		GW=`echo "$line" | awk '{print $1}'`
		IP=`echo "$line" | awk '{print $2}'`
		# Everything below is fetched from the gateway over CPRID (TCP/18208) from the current CMA
		MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
		# Fix for chassis
		if [ "x$MODEL" = "x" ]; then
			MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
			if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
		fi
		TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
		# Fix for earlier releases or when take cannot be read from DA logs
		if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
		# Fix for manually imported package installations
		if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi
		MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
		MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
		# IPsec peer counters: current and maximum number of VPN peers seen by the gateway
		RAUSERS=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpstat vpn -f ipsec" | grep "IPsec number of VPN-1 peers:" | awk '{print $6}'`
		MAXRAUSERS=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpstat vpn -f ipsec" | grep "IPsec maximum number of VPN-1 peers:" | awk '{print $7}'`

		echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC;$RAUSERS;$MAXRAUSERS"
		echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td><td>$RAUSERS</td><td>$MAXRAUSERS</td></tr>" >> output.html
	fi
done < logfile

echo '</tbody></table><br></body></html>' >> output.html
echo 'Done. HTML output saved in output.html'
exit 0

0 Kudos
Martin_Stolz
Participant
Hi,
I wouldn't identify the Take by grepping /opt/CPInstLog/DA_UI.log for "was installed successfully".
In case a Take was uninstalled for some reason, the script is still reporting the higher, uninstalled version.

Why not trust cpinfo?
I'm running the script only with the "Fix for earlier releases", checking the "cpinfo -y FW1" output, and changed print $1 to print $3.

TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $3}'`


Ciao Martin
0 Kudos
Kaspars_Zibarts
Authority

Hi! I wrote this many moons ago, and from vague memory cpinfo was not always easy to read if you had custom fixes installed on top of a regular Take. But by all means, use whatever works best for you 🙂

0 Kudos
Nico
Explorer

Hi,
I really do like this little script! Thank you so much! I'm currently getting started with writing scripts, so please bear with me 😃

I'm currently trying to add information on whether it is a cluster or a single gateway.
If possible, I don't want to do this via "TYPE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd...`", because if one of the gateways is unreachable, I won't get valid information.

My question:
Is it possible to get the TYPE from the MDS even if the gateway is not reachable?

0 Kudos
Nico
Explorer

I was thinking about adding the following:

mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr,type;

and then just add:

GW_Name=`echo "$line" | awk '{print $1}'`
IP=`echo "$line" | awk '{print $2}'`
TYP=`echo "$line" | awk '{print $3}'`

but apparently it does not work like this...

And yes, I added "<td>TYP</td>", "$TYP" and "<td>$TYP</td>" so that it is also written to the output file.

0 Kudos
Sebastien_Rho
Employee Alumnus

Danny, 

Is there a way to adapt this to Security Management (no MDS), probably by commenting out the CMA section?

0 Kudos
Kaspars_Zibarts
Authority
Not really, as cpmiquerybin is only supported on MDS, but I'm sure there is an easy way to fetch all GW name/IP pairs from SMS. Then most of the script would remain the same. I don't have any SMS to test it with, I'm afraid.
0 Kudos
Danzaroonie
Explorer

Great script. We have added a few modifications to also pull the blade and memory information:

TOTALMEM=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset all' | grep 'Total Memory' | awk '{print $3}'`

BLADES=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "enabled_blades"`

We also sent the output information to a txt file:

echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC;$TOTALMEM;$BLADES" >> output.txt

0 Kudos
Kaspars_Zibarts
Authority

If anyone is still reading this thread... 🙂 I noticed that the Take version was not fetched by the script when using Blink image upgrades. Therefore I have amended the lines that fetch the Take info:

# Get Take version
TAKE=`egrep 'was installed successfully|completed successfully' /opt/CPInstLog/DA_UI.log | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/)//' |  sed 's/JHF T/# /' |  awk -F# '{print $2}' | awk '{print "Take "$1}'`

# Fix for earlier releases or when take cannot be read from DA logs
if [ "$TAKE" = "Take " ]; then TAKE=`cpinfo -y FW1 | grep Take | tail -1 | awk '{print "Take "$3}'`; fi
S_E_
Advisor


Hi

I tried the C-19 version from Whatcha_McCallu on an MDS R80.40.
I noticed that:

- DMSs are added to the gateway list:
DMS-01;1.2.3.4;(NULL BUF);(NULL;;;;

- VSX has some strange output:
vsx;1.1.1.1;(NULL BUF);(NULL;;;;

- output in general:
firewall_1;1.2.3.6;;;;;;
firewall_2;1.2.3.7;;;;;;

However, it is very useful compared to the counters in SmartConsole (red/yellow/green dots).
They seem to count everything: gateways, DMSs, standby DMSs, Check Point Host objects...
Regards

0 Kudos
Kaspars_Zibarts
Authority

Hi

(NULL BUF) most likely indicates that CPRID connectivity from mgmt to the GW is not working on port 18208.

Try it manually and make sure it works:

nc -znvs <cma-ip> -w 3 <gw-ip> 18208

0 Kudos
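A small post-processing helper, added here as an example and not part of Kaspars' script or of any post in this thread. It takes the GW;IP;MODEL;MAJOR;TAKE;MAC;RAUSERS;MAXRAUSERS rows the inventory script prints to stdout and turns them into the "active count" the original question asked for: it drops the stray Script;started row Maarten saw, de-duplicates by gateway name, classifies rows with an empty or (NULL BUF) model as "unreachable over CPRID" (following Kaspars' explanation that (NULL BUF) means TCP/18208 from the CMA to the gateway is not working; the label is this example's inference, not something the script itself reports), and tallies gateways per version and Take. SAMPLE is constructed for this example to mirror the row shapes quoted in the thread; it is not output from any real MDS.

```shell
#!/bin/sh
# Added example (not the thread's inventory script): post-process the
# "GW;IP;MODEL;MAJOR;TAKE;MAC;RAUSERS;MAXRAUSERS" rows the script prints,
# e.g. captured with:  ./inventory.sh | tee inventory.csv
#
# SAMPLE is constructed for this example and mirrors the row shapes quoted
# in the thread (banner row, (NULL BUF) rows, empty rows, a duplicate).
SAMPLE='Script;started;;;;
fw-a;10.0.0.1;5800;R80.40;Take 91;00:1c:7f:aa:bb:01;12;500
fw-b;10.0.0.2;6500;R80.40;Take 91;00:1c:7f:aa:bb:02;3;500
fw-c;10.0.0.3;15600;R81.10;Take 55;00:1c:7f:aa:bb:03;0;1000
vsx;1.1.1.1;(NULL BUF);(NULL;;;;
DMS-01;1.2.3.4;(NULL BUF);(NULL;;;;
firewall_1;1.2.3.6;;;;;;
fw-a;10.0.0.1;5800;R80.40;Take 91;00:1c:7f:aa:bb:01;12;500
Done. HTML output saved in output.html'

# classify_row ROW -> prints ok | unreachable | skip
# "unreachable": MODEL is empty or "(NULL BUF)", i.e. cprid_util got nothing
# back from the gateway (in the thread: TCP/18208 blocked from the CMA).
classify_row() {
    row=$1
    case "$row" in
        *';'*';'*) ;;                       # need at least GW;IP;MODEL
        *) echo skip; return 0 ;;           # banner text, "Done." line, etc.
    esac
    gw=${row%%;*}
    rest=${row#*;}                          # IP;MODEL;...
    rest=${rest#*;}                         # MODEL;...
    model=${rest%%;*}
    case "$gw" in
        ''|Script) echo skip; return 0 ;;   # logfile banner read back as a row
    esac
    case "$model" in
        ''|'(NULL BUF)') echo unreachable ;;
        *) echo ok ;;
    esac
}

# ok_rows DATA -> rows classified ok, one per distinct gateway name
ok_rows() {
    printf '%s\n' "$1" | while IFS= read -r row; do
        if [ "$(classify_row "$row")" = ok ]; then printf '%s\n' "$row"; fi
    done | LC_ALL=C sort -t ';' -k 1,1 -u
}

# count_ok DATA -> number of distinct gateways whose model was read back
count_ok() {
    ok_rows "$1" | wc -l | tr -d ' '
}

# list_unreachable DATA -> names of gateways whose CPRID call returned nothing
list_unreachable() {
    printf '%s\n' "$1" | while IFS= read -r row; do
        if [ "$(classify_row "$row")" = unreachable ]; then printf '%s\n' "${row%%;*}"; fi
    done | LC_ALL=C sort -u
}

# version_tally DATA -> "MAJOR TAKE COUNT" per software level, for patch planning
version_tally() {
    ok_rows "$1" | awk -F';' '{ n[$4 " " $5]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# report DATA -> human-readable summary on stdout
report() {
    echo "Inventoried gateways: $(count_ok "$1")"
    echo "Per version/take:"
    version_tally "$1" | sed 's/^/  /'
    echo "Unreachable over CPRID (check TCP/18208 from the CMA with nc):"
    list_unreachable "$1" | sed 's/^/  /'
}

report "$SAMPLE"
```

To run it on real data, replace SAMPLE with the captured stdout of the inventory script (for example `report "$(cat inventory.csv)"`); gateways listed as unreachable are the ones to test with the nc command above before trusting the count.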
S_E_
Advisor

Hi

Thanks for the tip. Yes, 18208 is missing to the VSX gateways.

Regards

0 Kudos