
GAIA - Easy execute CLI commands on all gateways simultaneously


Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.


 

Attention!

You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

Command / Description

# gw_detect
# gw_detect80

Detect all your gateways that are supported by this tool. This command only needs to be executed once, or when gateways have changed in the topology.

All found gateways are stored as IP addresses in the file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edited manually to add gateway IP addresses.

The execution of this command may take a few minutes.

On R80.x gateways use "gw_detect80"; it is a little bit faster.

On R77.x gateways use "gw_detect".

# gw_mbash <command>

Execute an expert mode command on all gateways simultaneously.

# gw_mclish <command>

Execute a clish command on all gateways simultaneously.


An example!

You want to see the version of all gateways that are defined in the topology.

Management# gw_detect    -> start this command first to detect all your supported gateways (or "gw_detect80" on R80.x gateways)
Management# gw_mclish show version os edition    -> execute this command on all gateways



Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology.

The same also works for the expert mode. For example:

Management# gw_detect    -> start this command first to detect all your supported gateways (or "gw_detect80" on R80.x gateways)
Management# gw_mbash fw ver    -> execute this command on all gateways


 

Tip 1

Use this command to backup your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be started as a simple cronjob 😀.

 

Tip 2

Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s                         -> show state table for all gateways

Management# gw_mbash fwaccel stat    -> show fwaccel state for all gateways

Management# gw_mbash ips stat    -> check on which gateway IPS is enabled

...


Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.

 

 

echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
# Quote the command so wildcards and spacing reach the gateways unchanged
echo 'HAtest="$*"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
# Quote the command so wildcards and spacing reach the gateways unchanged
echo 'HAtest="$*"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1  ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

 

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"

 

Copyright by Heiko Ankenbrand 1996-2019

56 Replies

Re: NEW - Easy execute CLI commands on all gateways simultaneously


Is it possible to add backup jobs over the clish for all gateways?

Re: NEW - Easy execute CLI commands on all gateways simultaneously


Yes, exactly for such purposes I created this script.

 

Re: NEW - Easy execute CLI commands on all gateways simultaneously

Hi @Y__Bakisli 

For example, you can back up all GAIA gateway clish configs with "g_multicli show configuration > config_backup.txt" to the management server.

😀

Regards

Heiko

 

Dawei_Ye
Copper

Re: NEW - Easy execute CLI commands on all gateways simultaneously

brilliant.but destroy faster.hahah...

Re: NEW - Easy execute CLI commands on all gateways simultaneously


We have 70 firewalls worldwide and I have to back up the clish configuration weekly.

That's a brilliant solution.

Thanks

Dan

 

 

Re: NEW - Easy execute CLI commands on all gateways simultaneously

Here is another interesting version:

Easy execute CLI commands from management on gateways!

Re: NEW - Easy execute CLI commands on all gateways simultaneously
Heiko,
This really is a very useful add-on to the cprid_util. Is there a way to differentiate between SMB and normal GAIA gateways?
Command structure is quite a bit different.
I know that we can continue that path with versions etc, but this distinction would be a great add-on.
Regards, Maarten

Re: NEW - Easy execute CLI commands on all gateways simultaneously


This is a very great script.

I have started a local snapshot on all gateways without having to do this on 30 appliances manually.

# g_multicli add snapshot R80.10_20190415

Thanks

 

Re: NEW - Easy execute CLI commands on all gateways simultaneously


Nice script, but SMB GWs are an issue here: File with GW IPs only contains the SMB GW encountered first, so only an error for the SMB GW is displayed, as no other GW got listed...

Re: NEW - Easy execute CLI commands on all gateways simultaneously

Hi @G_W_Albrecht 

I'll see how I can fix this bug. 

I need to find a parameter in objects.C that can be used to identify SMB appliances.

Thanks

Heiko

Re: NEW - Easy execute CLI commands on all gateways simultaneously

You can discriminate SMB GWs in Objects.C by the parameter

:slim_fw_hardware_type

that is not present in GAiA GWs. Values can be e.g. ("1430/1450") as selected in Dashboard or (CIP) for 1200R.

Re: NEW - Easy execute CLI commands on all gateways simultaneously


Hi @G_W_Albrecht,

I already tested with this parameter. Unfortunately it is not set at all SMB appliances.

I need a parameter that is unique on real gateway. I must find it with grep.

I compared gateway objects with diff for 3 hours on the weekend. I didn't find any parameter :-(

Regards

Heiko

JozkoMrkvicka
Platinum

Re: NEW - Easy execute CLI commands on all gateways simultaneously


I am sure that dbedit or cpmiquerybin can help in this case 🙂 I will have a look on that over the weekend.

Kind regards,
Jozko Mrkvicka

Re: NEW - Easy execute CLI commands on all gateways simultaneously


I have found another solution and I check now that gaia works on the gateways.

 

Re: NEW - Easy execute CLI commands on all gateways simultaneously

I tested it today and it saves a lot of work.

Nice, nice, nice!

Thank you.

Re: NEW - Easy execute CLI commands on all gateways simultaneously

Check Point should include the commands in R80.30:-)

 

Re: NEW - Easy execute CLI commands on all gateways simultaneously


I see two issues with this suggestion:

 

1. g_ syntax is reserved for multi-SGM commands on Scalable Platforms and Maestro

2. R80.30 is closed now 🙂

Re: NEW - Easy execute CLI commands on all gateways simultaneously

 

Hi @Val_Loukine

You're right the g_ syntax is used with 64k/61k/44k/41k and maestro.

I'll change this to gw_ in the next few days.

Regards

Heiko

Re: NEW - Easy execute CLI commands on all gateways simultaneously

@HeikoAnkenbrand Fine with me 🙂

Re: NEW - Easy execute CLI commands on all gateways simultaneously


Hi @Val_Loukine 

I have renamed the commands as follows:

gw_mbash

gw_mclish

Regards

Heiko

Re: NEW - Easy execute CLI commands on all gateways simultaneously

Hi @Saleme_Sabaj 
Hi @Val_Loukine 

Maybe with the version R80.40:-)

Re: GAIA - Easy execute CLI commands on all gateways simultaneously

nice script

Re: GAIA - Easy execute CLI commands on all gateways simultaneously

Outstanding work as usual, thanks. Is there a way that this can be used in a multi domain environment?

Re: GAIA - Easy execute CLI commands on all gateways simultaneously


Now it works with SMB GWs present, too - only that gw_multi_commands.sh had issues:

First try, script stopped because of \r found in line 17 - after removing this line, it stopped with:

chmod: cannot access '/usr/local/bin/gw_mclish': No such file or directory

After adding Return/LF to the chmod line, issue was resolved.


[Expert@SMS8010:0]# gw_mbash fw ver
--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway

#### a 730 SMB

--------- GAIA 172.27.39.190 execute command: fw ver
This is Check Point's software version R80.20 - Build 077

--------- STOP :ipaddr6 ("2a00:1628:11:2000:21c:7fff:fe72:2118" Error: no SIC to gateway or no compatible gateway

#### same 730 SMBs IP6 IP

--------- STOP 172.28.8.177 Error: no SIC to gateway or no compatible gateway

#### a 1200R SMB

--------- GAIA 192.168.80.8 execute command: fw ver
This is Check Point's software version R80.20 - Build 077

--------- GAIA 172.27.39.192 execute command: fw ver
This is Check Point's software version R77.30 - Build 161

--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway

#### duplicate object with IP from 730 SMB
--------- STOP 172.27.39.1 Error: no SIC to gateway or no compatible gateway

#### This is a Brocade Switch....

But what is missing from g_gateway.txt is my TE100X 172.27.39.191 - or is it just somehow shortening 172.27.39.191  to 172.27.39.1 by mistake ?
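
The output in the post above shows what ends up in the gateway list when it is generated by text-scraping objects.C: a raw `:ipaddr6 ("2a00:...` fragment, a duplicate address and non-gateway devices. The following is an added example, not part of the original posts or of the author's script, of vetting /var/log/g_gateway.txt before a command is fanned out to every address in it; the function names `is_ipv4`, `list_is_private` and `clean_gateway_list` are hypothetical.

```shell
#!/bin/sh
# Added example: vet a gateway list before it drives remote execution.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# list_is_private FILE: fail if the file is missing or writable by group or
# others, because every address in it will receive commands from the manager.
list_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# clean_gateway_list FILE: print valid, unique IPv4 addresses in file order
# and report rejected or duplicate lines on stderr.
clean_gateway_list() {
    _cr=$(printf '\r')
    _seen=' '
    while read -r _line || [ -n "$_line" ]; do
        _line=${_line%"$_cr"}          # tolerate CRLF line endings
        [ -n "$_line" ] || continue
        if ! is_ipv4 "$_line"; then
            printf 'rejected: %s\n' "$_line" >&2
            continue
        fi
        case $_seen in
            *" $_line "*) printf 'duplicate: %s\n' "$_line" >&2; continue ;;
        esac
        _seen="$_seen$_line "
        printf '%s\n' "$_line"
    done < "$1"
}
```

Running `clean_gateway_list /var/log/g_gateway.txt` and reviewing what it rejects shows which addresses a later gw_mbash or gw_mclish call would actually reach.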

Re: GAIA - Easy execute CLI commands on all gateways simultaneously


RFE: It is nice to automatically generate the g_gateway.txt file, but a bit too much that it is generated anew with every gw_mbash call ! A user editable g_gateway.txt file could:

- leave out SMB GWs

- leave out GWs that better are not included here 😉

- help to workaround issues

Re: GAIA - Easy execute CLI commands on all gateways simultaneously


Hi @G_W_Albrecht ,

You're right, it's all a little too much.

Re: GAIA - Easy execute CLI commands on all gateways simultaneously

Hi @G_W_Albrecht 

I've split the command in two.

gw_detect -> Writes all IP addresses of the gateways to the file /var/log/g_gateway.txt

gw_mclish or gw_mbash ->  Executes the command remotely only now.

Now you can edit the file /var/log/g_gateway.txt with the gateway IP addresses.

Regards

Heiko

 

 

 

Re: GAIA - Easy execute CLI commands on all gateways simultaneously

I also fixed the issue with the IPv6 addresses.

Re: GAIA - Easy execute CLI commands on all gateways simultaneously

A tip on the top of my head for Heiko 😉

Now it will be very nice to handle, and I can add my TX100 that still is not found manually !