Re: SmartConsole Scripts Repository use cases and ...

Sven_Glock · ‎2018-10-16

Hi Community,

this week I recognized that I never have checked if there is a benefit in using SmartConsole's Scripts repository.

After reading https://community.checkpoint.com/community/secure-knowledge/blog/2018/10/01/article-of-the-week-chec... I decided to implement my first script which could be helpful on daily basis. It is calling the Packet Injector via SmartConsole and shows the result directly in the GUI without opening a dedicated ssh session.

Now I am interested to see which usecases you found for using the Scripts Repository in SmartConsole.

Please share your experience, your usecases or your code.

Thanks for sharing.

Cheers

Sven

Sven_Glock · ‎2018-10-16

My Experience:

Generally I like the possibility to run scripts from the GUI.

But to be honest, I am not 100% happy with the implementation.

The way adding jobs to the "recent tasks list" makes it a bit uncomfortable to find the results.

I would like to see the results directly after executing the job.

Additionally there is some kind of time lag between the finish time of the job and the time when you can see the result.

I often click in the result and it is not showing what I expect to see. A few seconds later, the result shows my expected output.

More over I don't like the need to close the repository window before you are able to open the "recent tasks list" and check the results or selecting a different gateway to run the selected script on.

Why not implementing the repository window like the object explorer where you can click things in the background - like the "recent tasks list" - while the window remains opened.

Let me share my first two scripts:

PINJ Installer - A script to install Packet Injector to a R80 gateway

#!/bin/bash
curl_cli -o /home/admin/pinj.tgz ftp://someressources/pinj_v1.4.6_R80.10.tgz
tar -zxvf /home/admin/pinj.tgz
rpm -ihv CPPinj-R80-00.i386.rpm
echo "export PATH=$PATH:/opt/CPPinj-R80/" >> /home/admin/.bashrc
rm /home/admin/pinj.tgz CPPinj-R80-00.i386.rpm‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

PINJ Executor NON-VSX - A script to execure packet injector on a non-vsx gateway

##################################
#Arguments: <SRC-IP> <DST-IP> <dport> <tcp|udp>
##################################
#!/bin/bash
interface=$(ip route get $1 | head -1 | rev | cut -d " " -f 5 | rev)
sp=$(( RANDOM % (65535 - 1025 + 1 ) + 1025 ))
echo "Command: /opt/CPPinj-R80/pinj --sport $sp --dport $3 --protocol $4 -I $interface $1 $2"
/opt/CPPinj-R80/pinj --sport $sp --dport $3 --protocol $4 -I $interface $1 $2 2>/dev/null‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Since I start trying more complex scripts like a "Deployment agent offline updater" I experience some problems with timeouts or something like this.

But I have to dig deeper before getting more concrete.

Ari_Heber · ‎2018-10-20

Hi Sven,

Thank you for your feedback, I'm taking your note into my attention.

As for the timeout, currently this is set to 2 minutes. I will continue to watch this thread in order to improve this feature.

Sven_Glock · ‎2020-02-20

@Ari_HeberAre there already plans for improvements?

Sven_Glock · ‎2020-11-27

@Ari_Heber : Are you still responsible for Smart Console Script Repository?
If yes: Please join our discussion 😎
If no: Can you say who is responsible now?

Thanks in advance,

Sven

HristoGrigorov · ‎2018-11-24

Agree with Sven. Great idea with a bit fuzzy implementation. I hope CheckPoint elaborates on this and improves it in the future. I would start with more detailed execution logs, integrated job scheduler, mail reports, revisions...

Sven_Glock · ‎2019-03-14

Today I tried to add the healthcheck script from sk121447 to the script repository.

Running this script on cli gives a nice quick overview about the health of the system.

Executing this script from the repository the output is like this:

Readable, but not nice.

So as an improvement: It would be nice if you could support colors and other font attributes.

VENKAT_S_P · ‎2019-04-30

I am exactly trying the same thing with the healthcheck script, nice to know that the format is not similar to the one we like to see and this saved some time by seeing your output.

Henrik_Noerr1 · ‎2019-05-03

How is healthcheck working for you? There is a max script size limit of 8kb. (in r80.10)

Healthcheck is +300kb

/Henrik

Sven_Glock · ‎2019-05-03

Pretty simple. You have to copy the script locally on the relevant machine (gateway, management, etc.)

The script in the repository is just executing the script locally on the relevant machine.

Henrik_Noerr1 · ‎2019-05-06

ofcourse! - Thanks

Sven_Glock · ‎2020-03-09

Hi Checkmates,

I found an other usecase.

I wanted to have CPPCAP (Link to relevant discussion about CPPCAP ) on all my gateways.

As it is not part of the installation until R80.40 you have to install it manually after every fresh installtion.
So I created a short script for my repository:

#!/bin/bash
checkfile="/sbin/cppcap"
if [ -f "$checkfile" ]; then
echo "CPPCAP already installed"

else
HOST='FTPHOST'
USER='user'
PASSWD='somepass'
ftpdir='remotedir'
dir='localdir'

#version check
version=$(fw ver | awk '{print $7}')
file='Check_point_'$version'_cp_pcap_sk141412.rpm'

ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
cd $ftpdir
bin
lcd $dir
get $file
quit
END_SCRIPT


rpm -ivh --force --nodeps $dir/$file
/etc/init.d/start_cppcap start

rm $dir/$file

echo "$file successfully installed"

fi

The script is checking if CPPCAP is already installed, if not it checks the GAiA version to install the correct RPM for the specific version running on the gateway.
All you need is a ftp-server which hosts the relevant versions of CPPCAP. The rpm-files shoud have the same name, just the version related to the value in "fw ver" should be different.

Cheers
Sven

Sven_Glock · ‎2020-03-10

Bye the way: Have you guys noticed that you can have global scripts in a multi-domanain-management? 😎

Luis_Miguel_Mig · ‎2020-11-25

I see two user cases of the repository scripts:
- improve efficiency of checkpoint administrators

- allow checkpoint administrators to hand over operational tasks to other teams in the company

For the second case, I miss tighter access controls. I would be nice if you could define in the permission profiles what scripts is an user permitted to run. Also running scripts from the repository script requires super-user rights, it would be great if the scripts could be run with as little rights as possible.

Alex- · ‎2023-01-16

The timeout is still present.

I made a script which uses mgmt_cli to make API calls for a large number of policies (25+) in a given SMS, then publish and install each policy, check for the installation and so on.

I have noticed that the task still times out after a couple of minutes while the script completes everything it should do.

So, users see a failed task when everything is actually completed. Increasing or allowing a custom task timer would be welcome.

Robin_H · ‎2024-02-21

Hello!

This post is rather old but especially regarding the script repository, I basically couldn´t find any other related discussion.

I just recently discovered the possibility of running scripts via SmartConsole.

My first application was initiating a snapshot on all devices prior to JHF installation.

clish -c "add snapshot 2024_01_15 desc prior_Take130"

Second use case was creation of an additional local user.

clish -c 'add user USR uid 0 homedir /home/USR'
clish -c 'add rba user USR roles adminRole'
clish -c 'set user USR shell /bin/bash'
clish -c 'set user USR realname "XYZ"'
clish -c 'set user USR newpass PW'

Especially here, I´d like to work with the arguments you can give prior to actually running the script but the manual is really sparse on how to use it. Will it just attach one argument to whatever command you have in the script or can you use variables?

Sven_Glock · ‎2024-02-23

Using arguments is not a big deal:

I hope this is anwering your question.

Cheers

Sven

Are you a member of CheckMates?

SmartConsole Scripts Repository use cases and experience