Security Gateway Inventory

About 6 months ago, CP gave us a script to run from Provider 1 to grab all gateways and their corresponding model/software version. However, it was a very inconsistent result. Meaning that, some (active) gateways came back with just host name and IP and then some came back with host name/IP/OS Version/model number.

Anybody aware of a way to pull gateway info that includes (Hostname/IP/OS-Version/Model)? I know you can export a list through network objects, but I just want an active count for inventory. Any such method/script?

69 Replies
Authority
Authority

:) You will need to get to R80.10 first then. The API is not supported in R77.30.

0 Kudos
Reply
Admin
Admin

However, the script you provided above should work on R77.30 MDM.

If you're not on MDM, then it probably needs some modification since there isn't a cpmiquerybin binary to get the list of managed gateways.

0 Kudos
Reply
Collaborator

Got it. Thanks

0 Kudos
Reply
Admin
Admin

Please be aware when you respond via email, your signature may be included in the public response that gets posted to CheckMates.

I've removed this information from a couple of posts on this thread as I assume you don't want it out there :)

0 Kudos
Reply
Collaborator

Thanks, I did not realize that.

0 Kudos
Reply
Collaborator

I have a script SK85621 that does some of the inventory collection but it does not tell you the specific model for each firewall. I have looked at the attributes and when you use "appliance type" but I would like the specific platform from each individual (we have a variety). Which attribute gives me that output? I see a list of attributes but not sure which one would do that (since it is not obvious to me in the list of attributes).

0 Kudos
Reply
Admin
Admin

The script that Kaspars Zibarts‌ provided as part of this thread should give you this information.

It should be a little easier to find now that I've marked it as "correct." :)

0 Kudos
Reply
Collaborator

When I try to run the script I get this error: "./inventoryscriptcheckmates091818.sh: /bin/bash^M: bad interpreter: No such file or directory". Any thoughts on how to fix it? I have not tried the corrected one but will now and let you know if I have any issues.

0 Kudos
Reply
Collaborator

Wait, I got it to work. I used the dos2unix command and it is now running.

0 Kudos
Reply
Collaborator

I ran the script after converting it. It is running perfectly. 

I could not get the output to come out in HTML though. It came out in semicolon-delimited format. It's not a big deal because it is working but just thought it would be cool to have the HTML output. Thanks for all of the help and feedback.

0 Kudos
Reply
Authority
Authority

HTML is placed in the output.html file in the same directory as the script itself. In order to see it, copy it to a web server or your laptop and open it there.

0 Kudos
Reply
Participant

If I want to pull serial number, memory, hard disk space, CPU level, SIC status, HA status... how can I achieve it?

0 Kudos
Reply
Participant

#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh

IP='xxxx'
MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
echo $MAC

I am just trying to test this on a specific fw gateway, but it is not returning any value. Did I miss anything?

0 Kudos
Reply
Authority
Authority

You can't execute cprid commands on gateways, it runs only on management. So if you want to do it on firewall itself then run

MAC=`ifconfig -a | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

0 Kudos
Reply
Participant

Sorry for the confusion. I tested this script on management, and I specified which gateway I want to pull the info from, but it did not return any value. Any idea what could cause it?

0 Kudos
Reply
Authority
Authority

Hi

check that cprid is running on the gateway, I have noticed that sometimes it may die

ps aux|grep cprid

and it's listening on port 18208

[Expert@fw2:0]# netstat -an|grep 18208
tcp 0 0 0.0.0.0:18208 0.0.0.0:* LISTEN

0 Kudos
Reply
Participant

checked that.. it is running and listening on that port.

[Expert@xxxx]# ps aux|grep cprid
admin    29498  0.0  0.0   1736   520 pts/2    S+   11:31   0:00 grep cprid
[Expert@xxx]# netstat -an | grep 18208
tcp        0      0 10.15.207.11:18208          0.0.0.0:*                   LISTEN

0 Kudos
Reply
Authority
Authority

Can you run cprid without script? I.e.

$CPDIR/bin/cprid_util -server x.x.x.x -verbose rexec -rcmd bash -c "ifconfig -a"

Do you see output of ifconfig from gateway?

Do you have any firewalls in the path that can stop port 18208?

Also it doesn't count with any Gaia Embedded boxes.

0 Kudos
Reply
Collaborator

Good morning 

We have MDSs that are in "stopping" state. I have cleared CPMIcache, rebooted the MDS, stopped and started the MDS, and they are still in that state. It is preventing us from assigning policy and making use of the CMA for troubleshooting purposes and still nothing works. We have 3 MDSs and the main one works but the secondary ones do not. Would the issue be because the service has stopped? I am going to check it with the command you listed above. Thanks

0 Kudos
Reply
Authority
Authority

Sorry, but this article has nothing to do with MDS stopping. It simply collects gateway information using cprid. You'd better start a new conversation and add more information about what's actually wrong.

0 Kudos
Reply
Collaborator

Oh shoot, not sure why I did that. My apologies, all. I blame it on sleep.

0 Kudos
Reply
Participant

I am getting an error when running this script.

[Expert@Manager:0]# ./Gateway.sh
sed: -e expression #1, char 6: unterminated `s' command
./Gateway.sh:;line;;;;
[Expert@Manager:0]#

 

I am running R80.20 on my manager.

0 Kudos
Reply
Authority
Authority
Haven't upgraded to R80.20 yet in our env 🙂 coming soon
0 Kudos
Reply
Champion
Champion
Kaspars, can you paste the script again with the correct formatting? Carriage returns got eaten by the conversion to the new forum...
Regards, Maarten
0 Kudos
Reply
Authority
Authority
#!/bin/bash
. /opt/CPshared/5.0/tmp/.CPprofile.sh

if [ -f logfile ]; then rm logfile; fi
echo '' > output.html
echo 'Gateway Versions' >> output.html
echo '' >> output.html

for CMA_NAME in $($MDSVERUTIL AllCMAs); do mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr; done 1>> logfile 2>> logfile


while read line; do

        if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then

                CMA_NAME=`echo "$line" | awk '{print $2}'`
                mdsenv $CMA_NAME

        else
                GW=`echo "$line" | awk '{print $1}'`
                IP=`echo "$line" | awk '{print $2}'`

                MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
                # Fix for chassis
                if [ "x$MODEL" = "x" ]; then MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`; if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi; fi

                TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
                # Fix for earlier releases or when take cannot be read from DA logs
                if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi

                # Fix for manually imported package installations
                if [ `echo $TAKE | wc -w` -gt 2 ]; then  TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi

                MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`

                MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`

                echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
                echo "" >> output.html

        fi

done < logfile

echo 'GWIPMODELMAJORTAKEMAC$GW$IP$MODEL$MAJOR$TAKE$MAC
' >> output.html
Champion
Champion

While reviewing Kaspars' code for my CPX 2020 presentation 'CheckMates - Best of Code Hub Contributions' in Vienna on February 5th, 2020 (14:00 - 14:30) I noticed that both versions posted here weren't working. So I fixed the code, added some more checks and tricks and am posting my version here for you to review.

#!/bin/bash
#
# Security Gateway Inventory - Bash script for Check Point Multi-Domain Servers (MDS)
#
# Script Author : Kaspars Zibarts
# Script Source : https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Security-Gateway-Inventory/td-p/32547

if [[ -e /etc/profile.d/CP.sh ]]; then source /etc/profile.d/CP.sh; else echo "Unsupported Environment"; exit 1; fi
if ! [[ `echo $MDSDIR | grep mds` ]]; then echo "Not a Multi-Domain Server (MDS)!"; exit 1; fi

echo 'Script started on '$(date "+%Y-%m-%d @ %H:%M") >> logfile
if [[ -f output.html ]]; then mv output.html output_$(date -r output.html "+%Y-%m-%d_%H-%M-%S").html; fi
echo '<!DOCTYPE html>' > output.html
echo '<html lang="en"><head><title>Gateway Versions - '$(date "+%Y-%m-%d @ %H:%M")'</title></head><body><font size="-1"><table style="text-align: left; width: 100%; font-family: Helvetica,Arial,sans-serif;" border="1" cellpadding="5" cellspacing="2"><tbody>' >> output.html
echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

for CMA_NAME in $($MDSVERUTIL AllCMAs); do
	mdsenv $CMA_NAME; echo "CMA $CMA_NAME"; cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr;
done 1>> logfile 2>> logfile
	
while read line; do
	if [ `echo "$line" | grep -c ^CMA` -gt 0 ]; then
		CMA_NAME=`echo "$line" | awk '{print $2}'`
		mdsenv $CMA_NAME
	else
		GW=`echo "$line" | awk '{print $1}'`
		IP=`echo "$line" | awk '{print $2}'`
		MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd /bin/clish -s -c 'show asset system' | grep ^Model | awk -F: '{print $2}' | sed  's/ Check Point //'`
		# Fix for chassis
		if [ "x$MODEL" = "x" ]; then
			MODEL=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "dmiparse System Product"`
			if [ "x$MODEL" = "xA-40" ]; then MODEL="41000"; fi
		fi
		TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Image|Jumbo|Upgrade|Bundle_T" | tail -1 | sed 's/Take/#/' | sed 's/was/#/' | sed 's/)//' | awk -F# '{print "Take"$2}' | xargs`
		# Fix for earlier releases or when take cannot be read from DA logs
		if [ "x$TAKE" = "x" ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "cpinfo -y FW1" | grep HOTFIX | tail -1 | awk '{print $1}'`; fi
		# Fix for manually imported package installations
		if [ `echo $TAKE | wc -w` -gt 2 ]; then TAKE=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "grep 'was installed successfully' /opt/CPInstLog/DA_UI.log" | egrep "Bundle_T" | tail -1 | sed 's/_T/#T/' | awk -F# '{print $2}' | sed 's/_/ /' | sed 's/T//' |awk '{print "Take "$1}'`; fi
		MAJOR=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "fw ver" |  sed 's/This is Check Point VPN-1(TM) & FireWall-1(R) //' | sed "s/This is Check Point's software version //" | awk '{print $1}'`
		MAC=`$CPDIR/bin/cprid_util -server $IP -verbose rexec -rcmd bash -c "ifconfig -a" | egrep "Mgmt|Internal|eth0" | head -1 | awk '{print $5}'`
		echo "$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
		echo "<tr><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html
	fi
done < logfile

echo '</tbody></table><br></body></html>' >> output.html
echo 'Done. HTML output saved in output.html'
exit 0
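
The script above treats every non-CMA line of logfile as a gateway (including the "Script started on" line and anything captured by 2>> logfile) and writes gateway-returned strings into output.html unescaped. The following is an added example, not part of the original post or the author's script, showing one way to filter the lines and escape the cells first; the function names and sample data are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): sanitise fields before cprid_util / output.html.

# Escape HTML-significant characters; '&' must be replaced first.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    local old_ifs octet
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Keep "CMA <name>" markers and "<gateway> <ipv4>" pairs; drop everything else
# (timestamps, error text captured by 2>> logfile, malformed addresses).
filter_gateways() {
    local name ip rest
    while read -r name ip rest; do
        if [ "$name" = "CMA" ] && [ -n "$ip" ] && [ -z "$rest" ]; then
            printf 'CMA %s\n' "$ip"
        elif [ -z "$rest" ] && is_ipv4 "$ip"; then
            printf '%s %s\n' "$name" "$ip"
        fi
    done
}

# Build one <tr> row with every cell escaped.
html_row() {
    local row='<tr>' field
    for field in "$@"; do row="$row<td>$(html_escape "$field")</td>"; done
    printf '%s</tr>\n' "$row"
}

# Constructed sample input: timestamp, CMA marker, error text, one valid
# gateway and one entry with an out-of-range address.
SAMPLE_LOG='Script started on 2020-02-05 @ 14:00
CMA cma-example
Error: could not connect to database
fw-example-1 192.0.2.10
fw-example-2 192.0.2.999'
printf '%s\n' "$SAMPLE_LOG" | filter_gateways
html_row "fw-example-1" "192.0.2.10" '<b>5600</b> & "lab"'
```

In the inventory loop, `filter_gateways < logfile` would replace the raw `done < logfile` input, and `html_row` would replace the hand-built `<tr>` echo.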

 

Champion
Champion
Small request, can you add the CMA name in the output as a first field?
Regards, Maarten
0 Kudos
Reply
Authority
Authority

Just add CMA_NAME var

echo '<tr style="font-weight: bold; background-color: rgb(0, 0, 102); color: white;"><td>CMA</td><td>GW</td><td>IP</td><td>MODEL</td><td>MAJOR</td><td>TAKE</td><td>MAC</td></tr>' >> output.html

echo "$CMA_NAME;$GW;$IP;$MODEL;$MAJOR;$TAKE;$MAC"
echo "<tr><td>$CMA_NAME</td><td>$GW</td><td>$IP</td><td>$MODEL</td><td>$MAJOR</td><td>$TAKE</td><td>$MAC</td></tr>" >> output.html

0 Kudos
Reply
Authority
Authority
Hehe, glad to see it's still alive! 😉