
GAIA - Easy execute CLI commands on all gateways simultaneously


Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.


Attention!

You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

# gw_detect
# gw_detect80

Detects all your gateways that are supported by this tool. This command only needs to be executed once, or when gateways have changed in the topology.

All gateways found are stored as IP addresses in the file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edited manually to add gateway IP addresses.

The execution of this command may take a few minutes.

Use "gw_detect80" on R80.x gateways; it is a little bit faster.

Use "gw_detect" on R77.x gateways.

# gw_mbash <command>
Execute expert mode command on all gateways simultaneously.

# gw_mclish <command>
Execute clish command on all gateways simultaneously.


An example!

You want to see the version of all gateways that are defined in the topology.

Management# gw_detect    -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mclish show version os edition    -> execute this command on all gateways



Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology.

The same also works for the expert mode. For example:

Management# gw_detect    -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Management# gw_mbash fw ver    -> execute this command on all gateways


Tip 1

Use this command to backup your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be started simply as a cron job 😀.

 

Tip 2

Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s    -> show state table for all gateways

Management# gw_mbash fwaccel stat    -> show fwaccel states for all gateways

Management# gw_mbash ips stat    -> check on which gateway IPS is enabled

...


Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.

 

# gw_mbash: run an expert mode (bash) command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

# gw_mclish: run a clish command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

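# gw_detect: read gateway IP addresses from objects.C and keep those that answer as Gaia via cprid_util
echo '#!/bin/bash' > /usr/local/bin/gw_detect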
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1  ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

# gw_detect80: same as gw_detect, but reads the gateway list with mgmt_cli (R80.x)
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

 

More "Easy Tools":

- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool shows you quickly an overview of status information of all your gateways with only one CLI command.

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"


Copyright by Heiko Ankenbrand 1996-2019
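
An added example, not part of the original post or the author's scripts: gw_mbash and gw_mclish run the given command on every address in /var/log/g_gateway.txt, and the output quoted later in the thread shows malformed and duplicate entries reaching that list, so this sketch vets the list (file owner and mode, IPv4 syntax, duplicates) before any fan-out. The function names are hypothetical, the sample entries are constructed from that quoted output, and IPv4-only targets are an assumption.

```sh
# Added example: vet the target list before gw_mbash/gw_mclish loop over it.
# Function names are hypothetical; the sample entries are constructed.
# is_ipv4 ADDR: dotted quad, octets 0..255, no leading zeros, nothing else.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _rest=$1. _count=0
    while [ -n "$_rest" ]; do
        _oct=${_rest%%.*}; _rest=${_rest#*.}
        case $_oct in 0?*|????*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
        _count=$((_count + 1))
    done
    [ "$_count" -eq 4 ]
}

# list_is_safe FILE: regular file, not a symlink, owned by the caller, and
# not writable by group or others (this file decides where commands run).
list_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# vet_gateway_list FILE: print each usable target once; rejects go to stderr.
vet_gateway_list() {
    list_is_safe "$1" || { echo "refusing $1: unsafe type, owner or mode" >&2; return 1; }
    _seen=" " _n=0 _cr=$(printf '\r')
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%"$_cr"}                 # tolerate CRLF line endings
        [ -n "$_line" ] || continue
        if ! is_ipv4 "$_line"; then
            printf 'skip (not an IPv4 address): %s\n' "$_line" >&2
        else case $_seen in
            *" $_line "*) printf 'skip (duplicate): %s\n' "$_line" >&2 ;;
            *) _seen="$_seen$_line " _n=$((_n + 1)); printf '%s\n' "$_line" ;;
        esac; fi
    done < "$1"
    [ "$_n" -gt 0 ]
}

# Constructed sample, using entries from the gw_mbash output quoted in the thread.
write_sample_list() {
    printf '%s\n' 172.27.39.126 172.27.39.190 \
        ':ipaddr6 ("2a00:1628:11:2000:21c:7fff:fe72:2118"' \
        172.28.8.177 192.168.80.8 172.27.39.192 172.27.39.126 > "$1"
    chmod 600 "$1"
}

sample=$(mktemp) && write_sample_list "$sample"
vet_gateway_list "$sample"; rm -f "$sample"
```

Looping over the output of vet_gateway_list instead of the raw file keeps a stray or tampered line from ever being passed as a -server argument.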

1 Solution

Accepted Solutions
Highlighted

Hi @G_W_Albrecht 

I've split the command in two.

gw_detect -> Writes all IP addresses of the gateways to the file /var/log/g_gateway.txt

gw_mclish or gw_mbash ->  Executes the command remotely only now.

Now you can edit the file /var/log/g_gateway.txt with the gateway IP addresses.

Regards

Heiko

 

 

 

Highlighted
Explorer

Is it possible to add backup jobs over the clish for all gateways?

Highlighted

Yes, exactly for such purposes I created this script.

 

Highlighted

Hi @Y__Bakisli 

For example, you can back up all GAIA gateway clish configs with "g_multicli show configuration > config_backup.txt" to the management server.

😀

Regards

Heiko

 

Highlighted
Collaborator
Brilliant. But destroy faster. Hahah...
Highlighted
Participant

We have 70 firewalls worldwide and I have to back up the clish configuration weekly.

That's a brilliant solution.

Thanks

Dan

 

 

Highlighted

Here is another interesting version:

Easy execute CLI commands from management on gateways!

Highlighted
Champion
Heiko,
This really is a very useful add-on to the cprid_util. Is there a way to differentiate between SMB and normal GAIA gateways?
The command structure is quite a bit different.
I know that we can continue that path with versions etc., but this distinction would be a great add-on.
Regards, Maarten
Highlighted
Explorer

This is a very great script.

I have started a local snapshot on all gateways without having to do this on 30 appliances manually.

# g_multicli add snapshot R80.10_20190415

Thanks

 

Highlighted
Champion

Nice script, but SMB GWs are an issue here: File with GW IPs only contains the SMB GW encountered first, so only an error for the SMB GW is displayed, as no other GW got listed...

Highlighted

Hi @G_W_Albrecht 

I'll see how I can fix this bug. 

I need to find a parameter in objects.C that can be used to identify SMB appliances.

Thanks

Heiko

Highlighted
Champion

You can discriminate SMB GWs in Objects.C by the parameter

:slim_fw_hardware_type

that is not present in GAiA GWs. Values can be e.g. ("1430/1450") as selected in Dashboard or (CIP) for 1200R.

Highlighted

Hi @G_W_Albrecht,

I already tested with this parameter. Unfortunately it is not set on all SMB appliances.

I need a parameter that is unique on a real gateway. I must find it with grep.

I compared gateway objects with diff for 3 hours on the weekend. I didn't find any parameter :-(

Regards

Heiko

Highlighted

I am sure that dbedit or cpmiquerybin can help in this case 🙂 I will have a look on that over the weekend.

Kind regards,
Jozko Mrkvicka
Highlighted

I have found another solution and I check now that gaia works on the gateways.

 
Highlighted
Participant

I tested it today and it saves a lot of work.

Nice, nice, nice!

Thank you.

Highlighted
Participant

Check Point should include the commands in R80.30:-)

 

Highlighted
Admin

I see two issues with this suggestion:

 

1. g_ syntax is reserved for multi-SGM commands on Scalable Platforms and Maestro

2. R80.30 is closed now 🙂

Highlighted

 

Hi @_Val_

You're right the g_ syntax is used with 64k/61k/44k/41k and maestro.

I'll change this to gw_ in the next few days.

Regards

Heiko

Highlighted
Admin

@HeikoAnkenbrand Fine with me 🙂

Highlighted

Hi @_Val_ 

I have renamed the commands as follows:

gw_mbash

gw_mclish

Regards

Heiko

Highlighted

Hi @Saleme_Sabaj 
Hi @_Val_ 

Maybe with the version R80.40:-)

Highlighted
Explorer

Nice script.

Outstanding work as usual, thanks. Is there a way that this can be used in a multi-domain environment?

Highlighted
Champion

Now it works with SMB GWs present, too - only that gw_multi_commands.sh had issues:

First try, script stopped because of \r found in line 17 - after removing this line, it stopped with:

chmod: cannot access '/usr/local/bin/gw_mclish': No such file or directory

After adding Return/LF to the chmod line, issue was resolved.


[Expert@SMS8010:0]# gw_mbash fw ver
--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway

#### a 730 SMB

--------- GAIA 172.27.39.190 execute command: fw ver
This is Check Point's software version R80.20 - Build 077

--------- STOP :ipaddr6 ("2a00:1628:11:2000:21c:7fff:fe72:2118" Error: no SIC to gateway or no compatible gateway

#### same 730 SMBs IP6 IP

--------- STOP 172.28.8.177 Error: no SIC to gateway or no compatible gateway

#### a 1200R SMB

--------- GAIA 192.168.80.8 execute command: fw ver
This is Check Point's software version R80.20 - Build 077

--------- GAIA 172.27.39.192 execute command: fw ver
This is Check Point's software version R77.30 - Build 161

--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway

#### duplicate object with IP from 730 SMB
--------- STOP 172.27.39.1 Error: no SIC to gateway or no compatible gateway

#### This is a Brocade Switch....

But what is missing from g_gateway.txt is my TE100X 172.27.39.191 - or is it just somehow shortening 172.27.39.191  to 172.27.39.1 by mistake ?

Highlighted
Champion

RFE: It is nice to automatically generate the g_gateway.txt file, but a bit too much that it is generated anew with every gw_mbash call ! A user editable g_gateway.txt file could:

- leave out SMB GWs

- leave out GWs that better are not included here 😉

- help to workaround issues

Highlighted

Hi @G_W_Albrecht ,

You're right, it's all a little too much.

Highlighted

I also fixed the issue with the IPv6 addresses.

Highlighted
Champion

A tip on the top of my head for Heiko 😉

Now it will be very nice to handle, and I can add my TX100 that still is not found manually!
