GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the lines below to the management server. After that you have two new commands on the management server, with which you can centrally execute simple commands on every gateway that is connected to the management via SIC.


You only need to enter the IP address of the gateways and the command will be executed there.

Copy and paste these lines to the management server, or download the script "new_commands.sh" and execute it.

 

# Creates three commands on the management server: g_show, g_bash and g_cli.
# Run once in expert mode. $FWDIR and $CPDIR are set by the Check Point environment.

cat > /usr/local/bin/g_show <<'EOF'
#!/bin/bash
# List the IP addresses of all gateway objects in the policy database
echo "Gateways configured in policy:"
grep -A 20 -B 1 ':type (gateway)' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (//; s/)//'
EOF
chmod 755 /usr/local/bin/g_show      # executable for everyone, writable only by root

cat > /usr/local/bin/g_bash <<'EOF'
#!/bin/bash
# g_bash <gateway IP> <command>: run an expert mode (bash) command on a gateway via cprid_util
grep -A 20 -B 1 ':type (gateway)' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (//; s/)//' > /var/log/g_gateway.txt
if [ -n "$1" ] && grep -Fxq "$1" /var/log/g_gateway.txt; then
    # everything after the IP is the command; it is copied to the gateway and executed there
    echo "${@:2}" > /var/log/g_command.txt
    "$CPDIR/bin/cprid_util" -server "$1" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt
    "$CPDIR/bin/cprid_util" -server "$1" -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt
else
    echo "This is not a gateway IP. Use an IP of the following list:"
    cat /var/log/g_gateway.txt
fi
EOF
chmod 755 /usr/local/bin/g_bash

cat > /usr/local/bin/g_cli <<'EOF'
#!/bin/bash
# g_cli <gateway IP> <command>: run a clish command on a gateway via cprid_util
grep -A 20 -B 1 ':type (gateway)' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (//; s/)//' > /var/log/g_gateway.txt
if [ -n "$1" ] && grep -Fxq "$1" /var/log/g_gateway.txt; then
    # everything after the IP is the command; it is copied to the gateway and executed there
    echo "${@:2}" > /var/log/g_command.txt
    "$CPDIR/bin/cprid_util" -server "$1" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt
    "$CPDIR/bin/cprid_util" -server "$1" -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt
else
    echo "This is not a gateway IP. Use an IP of the following list:"
    cat /var/log/g_gateway.txt
fi
EOF
chmod 755 /usr/local/bin/g_cli

 

Command syntax:

Command                           Description
# g_show                          show all gateway IP addresses
# g_bash <gateway IP> <command>   execute expert mode command on gateway
# g_cli <gateway IP> <command>    execute clish command on gateway


An example!

You want to see the configuration of the gateway with IP 1.2.3.4 from the management.
So you only have to enter the following command:

Management# g_cli 1.2.3.4 show configuration


Now the command "show configuration" is executed on the gateway and the output is displayed on the management server.

The same also works for the expert mode. For example:

Management# g_bash 1.2.3.4 cphaprob stat


Show all gateway IP addresses. For example:

Management# g_show

Show all gateways configured in policy:

1.2.3.4
1.2.3.5
1.1.1.1
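A stricter variant of the gateway lookup and of the "<gateway IP> <command>" argument handling that these wrappers rely on, added here as an example; it is not the script from this post. The objects.C excerpt is constructed for the example, the G_AUDIT_LOG variable and its audit file are hypothetical, and the functions stop at producing the command file: they do not call cprid_util, so the block runs offline on any machine with awk.

```shell
#!/bin/bash
# Added example (not the original post's script).  Instead of "grep -A 20 -B 1", the
# lookup walks objects.C object by object with awk, so an ':ipaddr' line is accepted only
# when it sits in the same object as ':type (gateway)'.  The objects.C excerpt below is
# constructed; on a real management server the file is $FWDIR/conf/objects.C.

# Constructed objects.C excerpt: two gateway objects and one host object.
sample_objects_c() {
    cat <<'EOF'
    : (fw-berlin
        :ipaddr (1.2.3.4)
        :type (gateway)
        :sic_name ("CN=fw-berlin,O=mgmt..example")
    )
    : (fw-munich
        :type (gateway)
        :ipaddr (1.2.3.5)
    )
    : (web-srv
        :ipaddr (10.9.8.7)
        :type (host)
    )
EOF
}

# gateway_ips <objects.C>: print the IP of every object whose ':type' is gateway.
# awk tracks parenthesis depth so it knows where each object ends.
gateway_ips() {
    awk '
        { nopen = gsub(/\(/, "("); nclose = gsub(/\)/, ")") }          # parens on this line
        objdepth == 0 && /^[ \t]*: \(/ { objdepth = depth + 1; ip = ""; type = "" }   # object starts
        objdepth > 0 && /^[ \t]*:ipaddr \(/ { if (match($0, /\([^)]*\)/)) ip   = substr($0, RSTART + 1, RLENGTH - 2) }
        objdepth > 0 && /^[ \t]*:type \(/   { if (match($0, /\([^)]*\)/)) type = substr($0, RSTART + 1, RLENGTH - 2) }
        {
            depth += nopen - nclose
            if (objdepth > 0 && depth < objdepth) {                      # object closed
                if (type == "gateway" && ip != "") print ip
                objdepth = 0
            }
        }' "$1"
}

# is_gateway_ip <objects.C> <ip>: succeed only if <ip> belongs to a gateway object.
# -F -x: literal, whole-line match, so 1.2.3.4 cannot match 1.2.3.45 or 1x2x3x4.
is_gateway_ip() {
    gateway_ips "$1" | grep -Fxq -e "$2"
}

# build_command_file <objects.C> <ip> <command...>: validate the IP, append an audit line,
# write the remote command to a file and print that file's path.  Returns 1 on a bad IP.
# The command is everything after the IP joined with spaces ("$*"), like the wrapper's
# "$2 $3 ... $9".  A compound command must therefore be passed as ONE quoted argument,
# e.g. 'vsenv3; cphaprob stat'; unquoted, the calling shell stops at ';' and runs
# "cphaprob stat" on the management server itself.
build_command_file() {
    objects=$1; ip=$2; shift 2
    if ! is_gateway_ip "$objects" "$ip"; then
        echo "This is not a gateway IP. Use one of:" >&2
        gateway_ips "$objects" >&2
        return 1
    fi
    audit_log=${G_AUDIT_LOG:-/tmp/g_audit.log}      # hypothetical audit file: who ran what, where
    printf '%s user=%s gateway=%s cmd=%s\n' "$(date -u +%FT%TZ)" "$(id -un)" "$ip" "$*" >> "$audit_log"
    out=$(mktemp)
    printf '%s\n' "$*" > "$out"
    echo "$out"
}

# Demo: list the gateways from the constructed excerpt and build one command file.
demo_objects=$(mktemp)
sample_objects_c > "$demo_objects"
echo "Gateways configured in policy:"
gateway_ips "$demo_objects"
if f=$(build_command_file "$demo_objects" 1.2.3.4 'vsenv3; cphaprob stat'); then
    echo "command file for 1.2.3.4:"; cat "$f"
fi
build_command_file "$demo_objects" 10.9.8.7 'cphaprob stat' || echo "rejected 10.9.8.7 (host object, not a gateway)"
```

In a wrapper, the path printed by build_command_file is what would be handed to "cprid_util -server <IP> putfile ..." and then executed with "rexec -rcmd /bin/bash -f ..."; the audit line gives the management server a local record of every remote command, which the plain cprid_util call does not keep.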


Video tutorial:


Copyright by Heiko Ankenbrand 1996-2019

25 Replies
Danny
Pearl

Re: NEW - Easy execute commands from management on gateways!

So it's basically just a wrapper for cprid_util?


Re: NEW - Easy execute commands from management on gateways!

Hi @Danny 

Yes!

It has always bothered me that I have to jump between the systems via ssh when I am debugging. So I built this little script on the basis of cprid_util.

Regards

Heiko

 

Re: NEW - Easy execute commands from management on gateways!

Hi @HeikoAnkenbrand 

That's a good idea!

Thanks

 

Re: NEW - Easy execute commands from management on gateways!

I gave this a try.

 

Created the scripts as defined.  When I attempt to run a command I either get a prompt or I get a [NULL] returned.

 

Do you have to set your MDS environment to the CMA that has the SIC with the target firewall?

Re: NEW - Easy execute commands from management on gateways!

Hi@Tommy_Forrest 

I have added the two new commands as installation script.

Regards

Heiko


Re: NEW - Easy execute commands from management on gateways!

Thanks Heiko.

I gave your new script a try.  I am in a Multi-Domain environment on 80.10.

I mdsenv to one of my CMA's and run ./g_show. 

"Gateways configured in policy:" is all that is returned (there are lots of gateways here).

I try ./g_cli 10.1.1.1 show version os edition and I get:

"This is not a gateway IP.  Use an IP of following list:" - nothing is returned.

10.1.1.1 is a very valid gateway IP.


Re: NEW - Easy execute commands from management on gateways!

Hi @Tommy_Forrest 

You would have to insert the CMA for the MDS environment. Here the script still needs a little adapting :-)

 

Admin
Admin

Re: NEW - Easy execute commands from management on gateways!

Interesting.
I moved this into the Gaia space, though, as it seems more appropriate there.

Re: NEW - Easy execute commands from management on gateways!

Here is a small tutorial video:
JozkoMrkvicka
Platinum

Re: NEW - Easy execute commands from management on gateways!

 

Is port tcp_18208 enabled by default via Implied Rules? In case of no, there is a need to have this port enabled at first:


In case you are using MDS, you need to be inside CMA where the gateway is managed from.

Support for VSX would be really great 🙂

There is a very similar script already mentioned:

How to manage Security Gateway using the "cprid_util" tool

Kind regards,
Jozko Mrkvicka

Re: NEW - Easy execute commands from management on gateways!

Hi @JozkoMrkvicka 

TCP 18208 (FW1_CPRID) is always included in the implied rules between management and gateway.

Regards

Heiko


Re: NEW - Easy execute commands from management on gateways!

Hi @JozkoMrkvicka 

More info on implied rules can be found here in another article of mine:

R80.x Ports Used for Communication by Various Check Point Modules

Regards

Heiko


Re: NEW - Easy execute commands from management on gateways!

I just tested it in a vsx environment. Works also😃!

# g_bash 1.1.1.1 vsenv3; cphaprob stat

 


Re: NEW - Easy execute commands from management on gateways!

> # g_bash 1.1.1.1 vsenv3; cphaprob stat

 

This won't work. This line consists of two commands:

The first command will run g_bash with 1.1.1.1 and vsenv3 as parameters.

The second command will run cphaprob stat locally, not through the g_bash script.

 


Re: NEW - Easy execute CLI commands from management on gateways!

Hello @HeikoAnkenbrand 

there is a typo in your command:

CUT>>>

# g_clish <gateway IP> <command>      --> for clish commands

<<CUT 

That's how it should be:

# g_cli <gateway IP> <command>      --> for clish commands

 

Works perfectly for me.
And thank you very much!

Re: NEW - Easy execute CLI commands from management on gateways!

I changed it.

Thanks

Heiko

 

 


Re: NEW - Easy execute CLI commands from management on gateways!

If I execute this command I get a NULL.


Re: NEW - Easy execute CLI commands from management on gateways!

If you get a NULL it is not a valid gateway IP address.

JozkoMrkvicka
Platinum

Re: NEW - Easy execute CLI commands from management on gateways!

Maybe in future updates, you can include checks if provided IP is valid IP of any of managed gateways ?

The original script can be slightly modified, but the core logic can be found:

How to get a list of all managed Security Gateways from Multi-Domain Management Server

For SMS, it can be a little bit tricky, as there is only a tool "query" with no option to print the needed parameters (like IP).

Kind regards,
Jozko Mrkvicka

Re: NEW - Easy execute CLI commands from management on gateways!

Hi @JozkoMrkvicka,

Yes, I still have some ideas what you can change in this script.

- Check gateway IP's

- Copy files to and from all gateways. For example copy all "/var/log/messages" to the management server.


I still have some crazy ideas. They will follow in the next days.


Re: NEW - Easy execute CLI commands from management on gateways!

I also used $FWDIR here so it would work under all versions.

cat > /usr/local/bin/g_show <<'EOF'
#!/bin/bash
# Print the IP of every object that carries a sic_name, i.e. every gateway with established SIC
grep -B 30 'sic_name' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr/Gateway IP: /; s/(//; s/)//'
EOF
chmod 755 /usr/local/bin/g_show      # executable for everyone, writable only by root

 

JozkoMrkvicka
Platinum

Re: NEW - Easy execute CLI commands from management on gateways!

What an elegant solution!

It is possible to use also Cluster VIP in order to connect directly to the active node ?

Kind regards,
Jozko Mrkvicka

Re: NEW - Easy execute CLI commands from management on gateways!

Hi @JozkoMrkvicka 

I intercepted the error with NULL, and now you see the possible gateway IPs.

I will post a new article with a crazy version in one hour:-)

Regards

Heiko


Re: NEW - Easy execute CLI commands from management on gateways!

The other script for many gateways is a very interesting solution. I tested it today and it saves a lot of work.

Thank you.
