Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

GAIA - Easy execute CLI commands from management on gateways!

Now you can use the new command "g_bash" and "g_cli" to execute bash or clish commands on gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

g_cli1.png

You only need to enter the IP address of the gateways and the command will be executed there.

Cppy and paste this lines to the management server or download the script "new_commands.sh" and execute the script.

 

echo "echo Gateways configured in policy:" > /usr/local/bin/g_show
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show
chmod 777 /usr/local/bin/g_show

echo '#!/bin/bash' > /usr/local/bin/g_bash
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash 
echo "echo \$HAtest > /var/log/g_command.txt;"  >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "else" >> /usr/local/bin/g_bash
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo "fi" >> /usr/local/bin/g_bash
chmod 777 /usr/local/bin/g_bash

echo '#!/bin/bash' > /usr/local/bin/g_cli
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli 
echo "echo \$HAtest > /var/log/g_command.txt;"  >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "else" >> /usr/local/bin/g_cli
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo "fi" >> /usr/local/bin/g_cli
chmod 777 /usr/local/bin/g_cli

 

Command syntax:

Command Description
# g_show show all gateway IP addresses
# g_bash <gateway IP> <command>  execute expert mode command on gateway
# g_cli <gateway IP> <command> execute clish command on gateway


An example!

You want to see the configuration of the gateway with IP 1.2.3.4 from the management.
So you only have to enter the following command:

Management# g_cli 1.2.3.4 show configuration


Now the command "show configuration" is executed on the gateway and the output is displayed on the management server.

The same also works for the expert mode. For example:

Management# g_bash 1.2.3.4 cphaprob stat


Show all gateway IP addresses. For example:

Management# g_show

Show all gateways configured in policy:

1.2.3.4
1.2.3.5
1.1.1.1


More "Easy Tools":

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        ->  Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

Video tutorial:

 

 

 

 

 

 

 

 

 

 

 

Copyright by Heiko Ankenbrand 1996-2019

29 Replies
Highlighted
Pearl

So it‘s basically just a wrapper for cprid_util?

0 Kudos
Highlighted

Hi @Danny 

Yes!

It has always bothered me that I have to jump between the systems via ssh when I debugging. So I built this little script on the basis of cprid_util.

Regards

Heiko

 
Tags (1)
Highlighted

Hi @HeikoAnkenbrand 

That's a good idea!

Thanks

 

Highlighted

I gave this a try.

 

Created the scripts as defined.  When I attempt to run a command I either get a prompt or I get a [NULL] returned.

 

Do you have to set your MDS environment to the CMA that has the SIC with the target firewall?

Highlighted

Hi@Tommy_Forrest 

I have added the two new commands as installation script.

Regards

Heiko

Tags (1)
Highlighted

Thanks Heiko.

I gave your new script a try.  I am in a Multi-Domain environment on 80.10.

I mdsenv to one of my CMA's and run ./g_show. 

"Gateways configured in policy:" is all that is returned (there are lots of gateways here).

I try ./g_cli 10.1.1.1 show version os edition and I get:

"This is not a gateway IP.  Use an IP of following list:" - nothing is returned.

10.1.1.1 is a very valid gateway IP.

0 Kudos
Highlighted

Hi @Tommy_Forrest 

You would have to insert the CMA for the MDS environment. Here the script still a little bit adapt:-)

 

Tags (1)
Highlighted
Admin
Admin

Interesting.
I moved this into the Gaia space, though, as it seems more appropriate there.
Highlighted

Here a small tutorial video:

 
Tags (1)
Highlighted
Platinum

 

Is port tcp_18208 enabled by default via Implied Rules? In case of no, there is a need to have this port enabled at first:

image.png

In case you are using MDS, you need to be inside CMA where the gateway is managed from.

Support for VSX would be really great 🙂

There is a very similar script already mentioned:

How to manage Security Gateway using the "cprid_util" tool

Kind regards,
Jozko Mrkvicka
0 Kudos
Highlighted

Hi @JozkoMrkvicka 

TCP 18208 (FW1_CPRID) is always included in inplied rules between management and gateway

Regards

Heiko

Tags (1)
Highlighted

Hi @JozkoMrkvicka 

More infos to implied rules can you found here in a other article from me:

R80.x Ports Used for Communication by Various Check Point Modules

Regards

Heiko

Tags (1)
Highlighted

I just tested it in a vsx environment. Works also😃!

# g_bash 1.1.1.1 vsenv3; cphaprob stat

 

Tags (1)
Highlighted

> # g_bash 1.1.1.1 vsenv3; cphaprob stat

 

This won't work. This line concist of two commands:

The first command will run g_bash with 1.1.1.1 and vsenv3 as parameters.

The second command will run cphaprob stat locally, not through the g_bash script.

 

Highlighted

Hello @HeikoAnkenbrand 

there is a typo in your command:

CUT>>>

# g_clish <gateway IP> <command>      --> for clish commands

<<CUT 

That's how it should be:

# g_cli <gateway IP> <command>      --> for clish commands

 

Works perfectly for me.
And thank you very much!

Highlighted

I changed it.

Thanks

Heiko

 

 

Tags (1)
Highlighted

If I execute this command I become a NULL.

0 Kudos
Highlighted

If you become a NULL it is not a valid gateway IP address.

Tags (1)
Highlighted
Platinum

Maybe in future updates, you can include checks if provided IP is valid IP of any of managed gateways ?

The original script can be slightly modified, but the core logic can be found:

How to get a list of all managed Security Gateways from Multi-Domain Management Server

For SMS, it can be a little bit tricky, as there is only a tool "query" with no option to print the needed parameters (like IP).

Kind regards,
Jozko Mrkvicka
Highlighted

Hi @JozkoMrkvicka,

Yes, I still have some ideas what you can change in this script.

- Check gateway IP's

- Copy files to and from all gateways. For example copy all "/var/log/messages" to the management server.


I still have some crazy ideas. They will follow in the next days.

Tags (1)
Highlighted

I also used $FWDIR here so it would work under all versions.

echo "more $FWDIR/conf/objects.C |grep -B 30  "sic_name" |grep ipaddr |sed 's/^ \t//' |sed s/:ipaddr/'Gateway IP: '/ | sed s/\(// | sed s/\)//" > /usr/local/bin/g_show
chmod 777 /usr/local/bin/g_show

 

Tags (1)
Highlighted
Platinum

What an elegant solution!

It is possible to use also Cluster VIP in order to connect directly to the active node ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Highlighted

Hi @JozkoMrkvicka 

I intercepted the error with NULL and now you see the possible gateway ip's.

I will post a new article with a crazy version in one hour:-)

Regards

Heiko

Tags (1)
Highlighted

Tags (1)
Highlighted

The other script for many Gatewas is a very interesting solution. I tested it today and it saves a lot of work.

Thank you.

0 Kudos
Highlighted
Nickel

I have some installations, where gw_detect80.sh also puts the ip-address of the smartcenter in the gateways list. I found out that in this installations the command

 

mgmt_cli -r true show gateways-and-servers details-level full --format json | 
  "$CPDIR/jq/jq" -r '.objects[] | [."name", ."ipv4-address", ."type"] | '

 

returns type "simple-gateway" for the smartcenter instead of "CpmiHostCkp".

"fw stat" on these installations tells me "Local host is not a FireWall-1 module"

Any idea where this comes from? (Upgrades? Migrations?)
And how to fix this? (where is this information stored?)

kr, Bernhard

0 Kudos
Highlighted
Nickel

Instead

HAtest="$2 $3 $4 $5 $6 $7 $8 $9"

 better use

HAtest="${@:2}"

because may be more than 9 arguments in some cases

0 Kudos
Highlighted

The fetching of the gateway IPs is not working in my lab environment (R80.40).

But the issue is a simple one. There are more lines needed for the grep of objects.C to find the ip-addresses.

I think there should be a better way to fetch them. Best would be to do the same as in your other script for gw_detect80.

 

And another minor thing:

clish command "show hostname" is not returning anything, as I assume you filter out lines starting with the hostname from the output.

0 Kudos
Highlighted

Nice and easy tool:-)

THX

0 Kudos