Sven_Glock
Advisor

SmartConsole Scripts Repository use cases and experience

Hi Community,

this week I recognized that I have never checked if there is a benefit in using SmartConsole's Scripts Repository.

After reading https://community.checkpoint.com/community/secure-knowledge/blog/2018/10/01/article-of-the-week-chec... I decided to implement my first script which could be helpful on a daily basis. It calls the Packet Injector via SmartConsole and shows the result directly in the GUI without opening a dedicated SSH session.

Now I am interested to see which use cases you found for using the Scripts Repository in SmartConsole.

Please share your experience, your use cases or your code.

Thanks for sharing.

Cheers

Sven

16 Replies
Sven_Glock
Advisor

My Experience:

Generally I like the possibility to run scripts from the GUI.

But to be honest, I am not 100% happy with the implementation.

The way jobs are added to the "recent tasks list" makes it a bit uncomfortable to find the results.

I would like to see the results directly after executing the job.

Additionally there is some kind of time lag between the finish time of the job and the time when you can see the result.

I often click in the result and it is not showing what I expect to see. A few seconds later, the result shows my expected output.

Moreover, I don't like the need to close the repository window before you are able to open the "recent tasks list" and check the results, or select a different gateway to run the selected script on.

Why not implement the repository window like the object explorer, where you can click things in the background - like the "recent tasks list" - while the window remains open?

Let me share my first two scripts:

PINJ Installer - A script to install Packet Injector to a R80 gateway

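#!/bin/bash
# Download and unpack the Packet Injector archive, then install the rpm it contains
curl_cli -o /home/admin/pinj.tgz ftp://someressources/pinj_v1.4.6_R80.10.tgz
tar -zxvf /home/admin/pinj.tgz
rpm -ihv CPPinj-R80-00.i386.rpm
# Single quotes keep $PATH literal so it is expanded at login, not when this line is written
echo 'export PATH=$PATH:/opt/CPPinj-R80/' >> /home/admin/.bashrc
rm /home/admin/pinj.tgz CPPinj-R80-00.i386.rpm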

PINJ Executor NON-VSX - A script to execute packet injector on a non-VSX gateway

#!/bin/bash
##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
# Interface the gateway uses to reach the source IP, taken from the routing table
interface=$(ip route get "$1" | head -1 | rev | cut -d " " -f 5 | rev)
# Random source port of 1025 or higher (bash $RANDOM tops out at 32767)
sp=$(( RANDOM % (65535 - 1025 + 1 ) + 1025 ))
echo "Command: /opt/CPPinj-R80/pinj --sport $sp --dport $3 --protocol $4 -I $interface $1 $2"
# Arguments are quoted so each one reaches pinj as a single word
/opt/CPPinj-R80/pinj --sport "$sp" --dport "$3" --protocol "$4" -I "$interface" "$1" "$2" 2>/dev/null

Since I started trying more complex scripts like a "Deployment agent offline updater" I have experienced some problems with timeouts or something like this.

But I have to dig deeper before getting more concrete.

Ari_Heber
Employee Alumnus

Hi Sven,

Thank you for your feedback, I'm taking your note into my attention.

As for the timeout, currently this is set to 2 minutes. I will continue to watch this thread in order to improve this feature.

0 Kudos
Sven_Glock
Advisor

@Ari_Heber Are there already plans for improvements?

0 Kudos
Sven_Glock
Advisor

@Ari_Heber: Are you still responsible for Smart Console Script Repository?
If yes: Please join our discussion 😎
If no: Can you say who is responsible now?

Thanks in advance,

Sven 

0 Kudos
HristoGrigorov

Agree with Sven. Great idea with a bit fuzzy implementation. I hope CheckPoint elaborates on this and improves it in the future. I would start with more detailed execution logs, integrated job scheduler, mail reports, revisions... 

0 Kudos
Sven_Glock
Advisor

Today I tried to add the healthcheck script from sk121447 to the script repository.

Running this script on the CLI gives a nice quick overview of the health of the system.

Unbenannt.png

When executing this script from the repository, the output is like this:

Unbenannt2.png

Readable, but not nice.

 

So as an improvement: It would be nice if you could support colors and other font attributes.

VENKAT_S_P
Collaborator

I am exactly trying the same thing with the healthcheck script, nice to know that the format is not similar to the one we like to see and this saved some time by seeing your output.

0 Kudos
Henrik_Noerr1
Advisor

How is healthcheck working for you? There is a max script size limit of 8kb. (in r80.10)

Healthcheck is +300kb

 

/Henrik

0 Kudos
Sven_Glock
Advisor

Pretty simple. You have to copy the script locally on the relevant machine (gateway, management, etc.)

The script in the repository is just executing the script locally on the relevant machine.

0 Kudos
Henrik_Noerr1
Advisor

Of course! - Thanks

0 Kudos
Sven_Glock
Advisor

Hi Checkmates,

I found another use case.

I wanted to have CPPCAP (link to the relevant discussion about CPPCAP) on all my gateways.


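As it is not part of the installation until R80.40 you have to install it manually after every fresh installation.
So I created a short script for my repository:

#!/bin/bash
checkfile="/sbin/cppcap"
if [ -f "$checkfile" ]; then
    echo "CPPCAP already installed"
else
    # FTP server details (placeholders); FTP sends USER/PASS in clear text
    HOST='FTPHOST'
    USER='user'
    PASSWD='somepass'
    ftpdir='remotedir'
    dir='localdir'

    # version check: the 7th field of the "fw ver" output selects the matching rpm
    version=$(fw ver | awk '{print $7}')
    file="Check_point_${version}_cp_pcap_sk141412.rpm"

    ftp -n "$HOST" <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
cd $ftpdir
bin
lcd $dir
get $file
quit
END_SCRIPT

    # Stop if the download did not produce a non-empty file
    if [ ! -s "$dir/$file" ]; then
        echo "Download of $file failed"
        exit 1
    fi

    # Report success only if rpm actually installed the package
    if rpm -ivh --force --nodeps "$dir/$file"; then
        /etc/init.d/start_cppcap start
        echo "$file successfully installed"
    else
        echo "Installation of $file failed"
    fi

    rm -f "$dir/$file"
fi
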

The script checks if CPPCAP is already installed; if not, it checks the GAiA version to install the correct RPM for the specific version running on the gateway.
All you need is an FTP server which hosts the relevant versions of CPPCAP. The rpm files should have the same name, just the version related to the value in "fw ver" should be different.

Cheers
Sven

0 Kudos
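The installer above fetches the RPM over plain FTP and installs it as root with `--force --nodeps`, so a hash check between the download and `rpm -ivh` is a useful gate. The following is an added example, not code from the post: the function names and the manifest file (one `sha256sum`-style line per RPM, copied to the gateway separately from the FTP download) are assumptions, and the sample file and version are constructed.

```shell
#!/bin/bash
# Added example: refuse to install a downloaded RPM unless its SHA-256
# matches a pinned entry in a manifest that did not come from the FTP server.

# expected_hash MANIFEST FILENAME: prints the pinned hash for FILENAME, if any.
# Assumed manifest format: "<sha256-hex>  <filename>" per line (sha256sum output).
expected_hash() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_download MANIFEST FILE: returns 0 only if FILE is pinned and matches.
verify_download() {
    manifest=$1; file=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    want=$(expected_hash "$manifest" "$(basename "$file")")
    [ -n "$want" ] || { echo "no pinned hash for $(basename "$file")"; return 1; }
    have=$(sha256sum "$file" | awk '{print $1}')
    [ "$want" = "$have" ] || { echo "hash mismatch for $file"; return 1; }
    echo "verified: $file"
}

# Constructed demo: a stand-in file plays the role of the downloaded RPM.
# Returns 0 when the intact file is accepted and the modified one is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    pkg="$tmp/Check_point_R80.30_cp_pcap_sk141412.rpm"   # R80.30 is a constructed value
    printf 'constructed package bytes\n' > "$pkg"
    (cd "$tmp" && sha256sum "$(basename "$pkg")") > "$tmp/manifest.sha256"
    verify_download "$tmp/manifest.sha256" "$pkg" || { rm -rf "$tmp"; return 1; }
    printf 'modified in transit\n' >> "$pkg"
    if verify_download "$tmp/manifest.sha256" "$pkg"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}
demo
```

In the installer, the call would be `verify_download /path/to/manifest "$dir/$file" || exit 1` placed directly before the `rpm -ivh` line.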
Sven_Glock
Advisor

By the way: Have you guys noticed that you can have global scripts in a multi-domain management? 😎

0 Kudos
Luis_Miguel_Mig
Advisor

I see two use cases of the repository scripts:
- improve efficiency of Check Point administrators

- allow Check Point administrators to hand over operational tasks to other teams in the company

For the second case, I miss tighter access controls. It would be nice if you could define in the permission profiles which scripts a user is permitted to run. Also, running scripts from the script repository requires super-user rights; it would be great if the scripts could be run with as few rights as possible.

Alex-
Leader

The timeout is still present.

I made a script which uses mgmt_cli  to make API calls for a large number of policies (25+) in a given SMS, then publish and install each policy, check for the installation and so on.

I have noticed that the task still times out after a couple of minutes while the script completes everything it should do.

So, users see a failed task when everything is actually completed. Increasing or allowing a custom task timer would be welcome.

0 Kudos
Robin_H
Contributor

Hello!

This post is rather old but especially regarding the script repository, I basically couldn't find any other related discussion.

I just recently discovered the possibility of running scripts via SmartConsole.

My first application was initiating a snapshot on all devices prior to JHF installation.

clish -c "add snapshot 2024_01_15 desc prior_Take130"

Second use case was creation of an additional local user.

clish -c 'add user USR uid 0 homedir /home/USR'
clish -c 'add rba user USR roles adminRole'
clish -c 'set user USR shell /bin/bash'
clish -c 'set user USR realname "XYZ"'
clish -c 'set user USR newpass PW'

Especially here, I'd like to work with the arguments you can give prior to actually running the script, but the manual is really sparse on how to use it. Will it just attach one argument to whatever command you have in the script or can you use variables?

0 Kudos
Sven_Glock
Advisor

Using arguments is not a big deal:

script1.png

script2.png

I hope this is answering your question.

Cheers

Sven
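Script arguments arrive as positional parameters (`$1`, `$2`, ...), as in the PINJ executor earlier in this thread, and repository scripts run with super-user rights, so checking them before use matters once scripts are handed to other teams. The following is an added example, not code from any poster: the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/bash
# Added example: validate <SRC-IP> <DST-IP> <dport> <tcp|udp> before they
# are passed to a command that runs as root.

# is_ipv4 ADDR: succeeds only for a dotted quad with each octet 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_port VALUE: succeeds only for an integer from 1 to 65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_pinj_args SRC DST DPORT PROTO: prints "ok" or the first problem found.
check_pinj_args() {
    [ "$#" -eq 4 ] || { echo "usage: <SRC-IP> <DST-IP> <dport> <tcp|udp>"; return 1; }
    is_ipv4 "$1" || { echo "invalid SRC-IP"; return 1; }
    is_ipv4 "$2" || { echo "invalid DST-IP"; return 1; }
    is_port "$3" || { echo "invalid dport"; return 1; }
    case "$4" in
        tcp|udp) ;;
        *) echo "invalid protocol"; return 1 ;;
    esac
    echo "ok"
}

# Constructed sample inputs: a valid set, then a port field with extra characters.
check_pinj_args 10.1.1.10 192.0.2.20 443 tcp
check_pinj_args 10.1.1.10 192.0.2.20 '443;id' tcp || true
```

In a repository script the first executable line would be `check_pinj_args "$@" || exit 1`, so nothing else runs on malformed input.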
