Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

GAIA - Easy execute CLI commands on all gateways simultaneously

Jump to solution

Now you can use the new command "gw_mbash" and "g_mclish" to execute bash or clish commands on all gateway simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

multibash1.png

 

Attention!

You can quickly destroy your gateways if you enter the wrong commands!

Command syntax:

Command Description

# gw_detect

# gw_detect80

Detect all your gateways that support from this tool. This command only needs to be executed once or when gateways changed in topology.

All founded gateways are stored as IP address in this file /var/log/g_gateway.txt. All added IP addresses will be used later to execute commands on these gateways. The file can also be edit manually to add gateway IP adressess.

The execution of this command may take a few minutes.

Use this command on R80.x gateways "gw_detect80" is a little bit faster.

Use this command on R77.x gateways "gw_detect".

# gw_mbash <command>  Execute expert mode command on all gateway

 simultaneously

# gw_mclish <command> Execute clish command on all gateway

 simultaneously


An example!

You want see the version of all gateway they are defined in the topology.

Management# gw_detect                                                   -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gateways
Management# gw_mclish show version os edition        -> execute this command on all gateways

  multibash4.PNG


Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server sorted according to the ip addresses of the gateways in the firewall topologie.

The same also works for the expert mode. For example:

Management# gw_detect                                                   -> start this command fist to detect all your supported gateways or "gw_detect80" on R80.x gateways
Management# gw_mbash fw ver                                      -> execute this command on all gateways

multibash3.PNG

 

Tip 1

Use this command to backup your clish configs from all gateways.

Management# gw_mclish show configuration > backup_clish_all_gateways.txt

This can also be start as simply cronjob😀.

 

Tip 2

Check central performance settings for all gateways:

Management# gw_mbash fw tab -t connections -s                         -> show state table for all gateways

Management# gw_mbash fwaccel stat                                              -> show  fwaccel state's for all gateways

Management# gw_mbash ips stat                                                       -> check on witch gateway ips is enabled

...


Cppy and paste this lines to the management server or download the script "new_multi_commands.sh" and execute the script.

 

echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$@"' >> /usr/local/bin/gw_mbash
echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash

echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and\or edit the file \var\log\gw_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$@"' >> /usr/local/bin/gw_mclish
echo 'echo $HAtest > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error:  no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish

echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1  ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect

echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v 0.0. > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80

 

More "Easy Tools":

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        ->  Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"

Video tutorial:

 

Copyright by Heiko Ankenbrand 1996-2019

60 Replies
Highlighted

 

Hi @G_W_Albrecht 

Unfortunately I don't have a TX applinace in the LAB to test it. Could you send me the first lines from objects.C to TX appliance?  I search via grep for :gateway. Maybe it's a little different with the TX appliance.

Tags (1)
Highlighted
Sapphire
: (TXer
:type (host)
:custom_fields (
: (
:custom_field_id (ReferenceObject
:Uid ("{739B70D5-7B76-48D2-96CC-FB647074F524}")
:Name ("Contact Details")
:Table (NO_CPMI_TABLE)
)
)
: (
:custom_field_id (ReferenceObject
:Uid ("{E07938DB-1EB1-461A-A78D-36EE34A8CC5D}")
:Name (Name)
:Table (NO_CPMI_TABLE)
)
)
)
:fw_clamp_tcp_mss_control (false)
:UA_WebAccess (false)
:cpver (9.0)
:appfw_limit_chunk_size_factor (2)
:av_integrated (false)
:Everest (false)
:enable_identity_logging (false)
:clp_override_global_config (false)
:appfw_limit_low_threshold_factor (80)
:traditional_av_deactivation_time (never)
:log_indexer (false)
:enable_auto_contracts_update (false)
:user_dir_blade (false)
:eps_remoteHelp (false)
:asm_synatk_timeout (5)
:use_loggers_and_masters (true)
:smartevent_intro (false)
:gtp_fg_context_timeout (300)
:allow_send_logs (false)
:capsule_docs_consumer (false)
:gtp_rate_limit (2048)
:addr_type_indication (IPv4)
:gtp_tunnels_hashsize (65536)
:sam_policy_max_reqs (20000)
:device_settings_module (not-installed)
:Enable_CPSyslogD (false)
:MetaIP_UAT (false)
:uf_integrated (false)
:cp_suite_type (pro)
:supports_tcp_ike (use_site_default)
:management (false)
:WAM (false)
:capsule_docs_blade (not-installed)
:integrity_server (false)
:primary_stand_alone_web_ui_port (443)
:asm_synatk_active_mode (1)
:support_ip_pool_nat (false)
:ike_support_crash_recovery_sr (true)
:exportable (false)
:active_conn_view (false)
:MetaIP_DNS_Server (false)
:sam_allow_remote_request (false)
:connectra (false)
:enable_rtm_traffic_report_per_connection (false)
:capsule_docs_web_viewer (false)
:ips_event_correlator (false)
:fwfrag_timeout_log_interval (60)
:ca_wait_mode (false)
:ssl_inspection_enabled (false)
:gtp_pending_hashsize (65536)
:threat_emulation_blade (installed)
:sc_portal (false)
:abacus_server (false)
:integrity_server_port (443)
:data_awareness_blade (not-installed)
:SD_profile (ReferenceObject
:Name (TE100X_6c401f8c5eb9aa9a)
:Table (profiles)
:Uid ("{0196C658-3664-764D-B357-A55204EDF502}")
)
:threat_engine_mode (by_policy)
:MetaIP_DHCP_Server (false)
:gtp_paths_timeout (600)
:used_globaly (false)
:connection_state (communicating)
:primary_management (false)
:appfw_referrer_inspect_on (true)
:high_memory_watermark (90)
:default_track (alert)
:appfw_web_browsing_logging (global)
:antispam_integrated (false)
:svn_build_num (992000000)
:ips_update_policy (unknown)
:management_type (3_Blades_Basic)
:gtp_sam_close_upon_delete (false)
:send_to_checkpoint (true)
:low_memory_watermark (70)
:ipaddr (172.27.39.191)
:enforce_gtp_rate_limit (false)
:sam_enable_purge_history_file (false)
:is_bypass_sd_under_load (false)
:mta_enabled (false)
:cdm_module (not-installed)
:enable_application_control_usercheck_agent (false)
:gtp_ldap_cache_timeout (90)
:radius_server (ReferenceObject
Highlighted

Hi @G_W_Albrecht ,

Thanks for objects.C output.

I thought so! The TX Appliances has the type ":type (host)" and not ":type (gateway)"

Tags (1)
Highlighted

I search with grep for the following:

grep -A 500 -B 1  ':type (gateway)'

 

I'll have to take a closer look in the next few days.

Regards

Heiko

 

Tags (1)
Highlighted

Hello  @HeikoAnkenbrand 

I can confirm that the TE appliance is not recognized.

 

Highlighted

Hi @G_W_Albrecht 

I had found an other way to parse gateways on R80:

 

mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address"'

 

 

I will add this after Easter holidays.

Tags (1)
Highlighted

If necessary I have to adjust the filter a little bit.

Tags (1)
Highlighted

 

Hello @HeikoAnkenbrand 

This solution only works on R80 and above, doesn't it?

Highlighted
Sapphire

Yes, this works very good ! Also gets the TE  appliance...

Highlighted
Iron

Great new commands😁

Highlighted

Is the command name g_mclish or gw_mclish?

 

Highlighted

gw_mclish is the correct command.

Tags (1)
Highlighted

The new commands are very great.

Thanks
Caytana

 

0 Kudos
Highlighted

Hello @HeikoAnkenbrand,

The command gw_detect80 works very fast and well. TE applicances are not recognized.

Regards

0 Kudos
Highlighted

The new version 0.4 with the command gw_detect80 is available.

Tags (1)
Highlighted

SMB Appliances are not recognized. Can you please change that?

Highlighted

Hi @HeikoAnkenbrand 

We have over 100 gateways in use worldwide. That makes life easier for me with many things. I can finally execute commands centrally on the gateways.

It's a great idea.

Thank you

0 Kudos
Highlighted

Is this a R80.30 command?

0 Kudos
Highlighted

Can I use this tool under R80.30?

0 Kudos
Highlighted
Employee
Employee

Interesting script, I would suggest that the resulting scripts made be put into "/usr/bin" instead of "/usr/local/bin", I checked the PATH variable and found that "/usr/local/bin" is not included for some users.

0 Kudos
Highlighted

Thanks @Frank_Allen 

I check this in the next few days.

0 Kudos
Highlighted

Very nice command extension.

 

0 Kudos
Highlighted

Great tool.

0 Kudos
Highlighted

Great job!

Is it in roadmap to add support for MDS as well? 🙂 

0 Kudos
Highlighted

Here is a quick and dirty mod for MDS R77.30 

 

#!/bin/bash

#  mds_gw_detect (R77)

 

# export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

# go to MDS context
mdsenv
mcd

if [[ -f /var/log/g_mds_gws.txt ]]; then
rm /var/log/g_mds_gws.txt
fi
# iterate over the customers
for CMA_NAME in `$MDSVERUTIL AllCMAs`
do
mdsenv $CMA_NAME
echo Searching thru $CMA_NAME
$MDSDIR/bin/cpmiquerybin attr "" network_objects "class='gateway_ckp'|class='cluster_member'|class='vsx_netobj'|class='vsx_cluster_member'" -a ipaddr |awk -v svar="$CMA_NAME" '{ print svar ";" $1 }' >> /var/log/g_mds_gws.txt
done
echo " Start less. enter to proceed. Hit q to quit from less"
read ans
less /var/log/g_mds_gws.txt
exit

 

mbash for MDS

#!/bin/bash
# export all Check Point environment variables
#. /opt/CPshared/5.0/tmp/.CPprofile.sh
. $CPDIR/tmp/.CPprofile.sh

if [ ! -f /var/log/g_mds_gws.txt ]; then
echo "First start \"mds_gw_detect\" and\or edit the file /var/log/g_mds_gws.txt manually. Add here all your CMAs and gateway IP addresses."
else
HAtest="$@"
echo $HAtest > /var/log/g_command.txt;
OIFS=$IFS
IFS=";"
while read FILE
do
line=($FILE)
CMA=${line[0]}
GW=${line[1]}
echo CMA=$CMA GW=$GW
mdsenv $CMA
if $CPDIR/bin/cprid_util getarch -server $GW |grep "gaia" > /dev/null;
then
echo "--------- GAIA $GW execute command: $HAtest"
$CPDIR/bin/cprid_util -server $GW putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;
$CPDIR/bin/cprid_util -server $GW -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt
else
echo "--------- STOP $line Error: no SIC to gateway $GW or no compatible gateway or Rulebase drops FW_CPRID "
fi
done < /var/log/g_mds_gws.txt
IFS=$OIFS

fi

 

 

Give it a go.. 

Cheers 

Declan

Highlighted

Slightly modified and now works for me, just one CMA, where only one VS is connected is failing with the below error. Will need to look at it closer.

cma-XXX-p
cma-XXX-p Error: 'Failed
cma-XXX-p
cma-XXX-p Error: 'Session
cma-XXX-p
cma-XXX-p Usage:
cma-XXX-p cpmiquerybin <query
cma-XXX-p
cma-XXX-p Examples:
cma-XXX-p - print
cma-XXX-p cpmiquerybin object
cma-XXX-p - print
cma-XXX-p cpmiquerybin attr
cma-XXX-p

 

-----detect-----

#!/bin/bash
#export all Check Point environment variables
. /opt/CPshared/5.0/tmp/.CPprofile.sh

#go to MDS context
mdsenv
mcd

if [ -f /var/log/mds_gws ]; then rm /var/log/mds_gws; fi

for CMA_NAME in $($MDSVERUTIL AllCMAs);
do
mdsenv $CMA_NAME
echo "Searching through CMA $CMA_NAME" 
$MDSDIR/bin/cpmiquerybin attr "" network_objects " (type='cluster_member' & vsx_cluster_member='true' & vs_cluster_member='true') | (type='cluster_member' & (! vs_cluster_member='true')) | (vsx_netobj='true') | (type='gateway'&cp_products_installed='true' & (! vs_netobj='true') & connection_state='communicating')" -a __name__,ipaddr | awk -v svar="$CMA_NAME" '{print svar " " $1 " " $2}' >> /var/log/mds_gws
done
echo "Output is available in /var/log/mds_gws"
exit

 

-----gw_mbash for MDS-----
#!/bin/bash
#export all Check Point environment variables
#./opt/CPshared/5.0/tmp/.CPprofile.sh
.$CPDIR/tmp/.CPprofile.sh

if [ ! -f /var/log/mds_gws ]; then
echo "First start \"mds_gw_detect\" and\or edit the file /var/log/mds_gws manually. Add here all your CMAs and gateway IP addresses."
else
HAtest="$@"
echo $HAtest > /var/log/g_command.txt;

while read line
do

CMA=`echo "$line" | awk '{print $1}'`
GW_name=`echo "$line" | awk '{print $2}'`
GW_IP=`echo "$line" | awk '{print $3}'`

echo $CMA $GW_name ($GW_IP)
mdsenv $CMA

if $CPDIR/bin/cprid_util getarch -server $GW_IP |grep "gaia" > /dev/null;
then
echo "--------- GAIA $GW_IP execute command: $HAtest"
$CPDIR/bin/cprid_util -server $GW_IP putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;
$CPDIR/bin/cprid_util -server $GW_IP -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt
else
echo "--------- STOP $line Error: no SIC to gateway $GW or no compatible gateway or Rulebase drops FW_CPRID "
fi
done < /var/log/mds_gws
fi
chmod +x /usr/local/bin/gw_mbash

 

Highlighted

Top idea!

0 Kudos
Highlighted
Nickel

Nice! 

Thanks for the tips.

0 Kudos
Highlighted

The script is not taking into account if the Gaia WebUI port was changed from 443 to something different.

This should be either fetched from clish using "show web ssl-port" or by making it at least configureable by variable or a parameter.

0 Kudos
Highlighted

Hi,

I am having running this on R80.30 MDM, is it supported on Multi-Domain?

Thanks

Ben

0 Kudos