T0r_Lak
Participant

Export security gateway items from MDS

Hi all!

Need to export from our MDS a compiled list of all of our firewalls including:

  • hostnames
  • serial numbers
  • management IPs

This is so we can update our corporate infrastructure inventory.

A simple CSV export from MDS > Gateways & Servers outputs too much irrelevant and unstructured cell data and I'm no Excel expert, hence I was thinking more in terms of extracting that data from a central database hosted on the MDS and parsing only those relevant fields mentioned above.

Could anyone advise if that might be possible via API calls or do I have to approach this directly via the GuiDBEdit.exe tool or maybe on Linux level to interact with the management database, please?

For starters - what's the Linux file path to the db holding such data, please?

Best regards.

0 Kudos
3 Replies
Vincent_Bacher
Advisor

Hi,

hostnames and main IPs (management IPs) can be exported using management API or Check Point module for Ansible.
However, serial numbers are not saved in the object and therefore no way to be exported from management.
Should look somewhat like this when mgmt_cli is used (can be wrong in syntax, cannot test atm)

mgmt_cli -r true show gateways-and-servers details-level full --format json | jq -r '.objects[] | select(.type == "simple-gateway" or .type == "CpmiClusterMember") | "\(.name),\(."ipv4-address")"'

For serial number, you might include a function in the script which performs ssh to the gateway to remotely issue the command "show asset all" and to extract the S/N from the line "Serial Number: *******" and to enrich your table using this.

If ssh to the gateway does not work, this would also work via cprid_util, which can send commands to the gateway via SIC.

Would not recommend to search for db files to snoop around in it 😉

best regards

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Bob_Zimmerman
Authority

The management server doesn't know the hostname of the firewalls or any uniquely identifying information about the hardware.

Rather than serial number, you should track the boxes by the MAC address listed on the same label. The license is to the MAC address, as is the support contract.

You can use this script to find all of the physical cluster members and physical VSX gateways reporting to a management (up to 120 clusters or so, maybe fewer if you use a lot of VSs), then use CPRID to run commands on each:

# Port used to reach the management API, taken from the "api status" output.
portNumber=$(api status | grep "APACHE Gaia Port" | awk '{print $NF}')
unset cmaList
. /etc/profile.d/CP.sh
# List each domain with the address of its server on this host.
cmaList=$(mgmt_cli --port "${portNumber}" -f json -r true show domains limit 500 details-level full \
    | jq -c '.objects[]|{name:.name,server:.servers[]|{host:."multi-domain-server",ipAddress:."ipv4-address"}}' \
    | grep "$(hostname)" \
    | jq -c '[.name,.server.ipAddress]')
# If no domains were returned, fall back to this host with an empty domain address.
if [ ${#cmaList} -eq 0 ]; then cmaList=("[\"$(hostname)\",\"\"]"); fi
for cmaRow in $cmaList; do
    cmaName=$(echo "${cmaRow}" | jq '.[0]' | sed 's#"##g')
    cmaAddress=$(echo "${cmaRow}" | jq '.[1]' | sed 's#"##g')
    mdsenv "${cmaAddress}" 2>/dev/null
    # Collect object addresses, dropping cluster objects and plain hosts.
    firewallList=$(mgmt_cli --port "${portNumber}" -f json -d "${cmaAddress}" -r true show gateways-and-servers limit 500 details-level full \
        | jq -c '.objects[]|{type:.type,address:."ipv4-address"}' \
        | grep -v CpmiGatewayCluster \
        | grep -v CpmiVsClusterNetobj \
        | grep -v CpmiVsxClusterNetobj \
        | grep -v "checkpoint-host" \
        | jq -c '.address' \
        | sed 's#"##g')
    for firewall in $firewallList; do
        # Label each result with the domain and the address it came from.
        printf "%15s %15s: " "${cmaName}" "${firewall}"
        cprid_util -verbose -server "${firewall}" rexec -rcmd sh -c '
########################################
### Script to run on each firewall goes here.
########################################
'
    done
done

As an example of the kind of script you can run on each firewall, I use this periodically to get hostname, hardware, major version, jumbo, and uptime:

# One line per firewall: hostname, model, major version, jumbo take, then uptime.
# The awk field references are escaped so the shell does not expand them.
printf "%-25s %-5s %-6s %3s  " \
$(hostname) \
$(clish -c "show asset system" | egrep -q "^Model";if [ $? -eq 0 ];then clish -c "show asset system" | egrep "^Model" | awk "{print \$NF}";else clish -c "show asset system" | egrep "^Platform" | cut -d" " -f2 | cut -c 1-5;fi) \
$(fw ver | awk "{print \$7}") \
$(cpinfo -y fw1 2>/dev/null | grep Take | awk "{print \$NF}")
echo -n $(uptime | cut -d, -f1)

I wanted a table, so I used printf. If you want CSV, change all of the format specifiers to "%s" (instead of "%-25s", for example) and replace all the spaces with commas.

Bob_Zimmerman
Authority

I was dealing with a system failure earlier and forgot to elaborate on a few things. When I say the management doesn't know about the hostname of the firewall, I mean the object name in the management and the hostname on the firewall may not match. If you definitely need the hostname, you need to get it from the firewall.

This script depends on CPRID connectivity from the management to the firewalls. This is the same connectivity used by CDT to update and upgrade firewalls, so if you use CDT to maintain your software versions, the connectivity is already working.

If you don't use CDT, you may find some intervening traffic filtering prevents the script from getting information from some or all of your firewalls. If you see "(NULL BUF)" in the output, this means the management could not talk to that firewall via CPRID.  The first printf (under "for firewall in $firewallList; do") tells you a bit about which firewall it wasn't able to talk to, so you can find the problem or collect the data manually.

Quoting and escaping in the script to run on each firewall can be a little fussy. It may take some trial and error to figure out the right way to deal with them. The exact script I provided definitely works on my systems. I use it about once a week to dump all my software versions for inventory purposes.

I don't use LSM/SmartProvisioning. The script won't find any information about the gateways assigned to an LSM profile, and I think it will ignore the profile itself. It may fail in some other way, though.
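
Added example, not part of any poster's script: one way to post-process what the per-gateway command returns, taking the value from the "Serial Number:" line and marking a gateway as unreachable when the output contains "(NULL BUF)" instead of writing a misleading inventory row. The function names, the CSV layout and the sample text are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: turn raw per-gateway command output into quoted CSV rows.
# Only the "Serial Number:" line and the "(NULL BUF)" marker come from the
# thread; function names, CSV layout and sample text are constructed.

# Quote one CSV field: wrap in double quotes, double any embedded quotes.
csv_field() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Print the value of the first "Serial Number:" line on stdin, trimmed.
extract_serial() {
    awk -F': *' '/^[ \t]*Serial Number:/ {
        gsub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# inventory_row DOMAIN MGMT_IP RAW_OUTPUT
# Emits one row: domain, management IP, serial, status.
inventory_row() {
    local domain="$1" ip="$2" raw="$3" serial status
    case $raw in
        *"(NULL BUF)"*)
            # Management could not talk to this gateway: flag it for follow-up.
            serial=""; status="unreachable" ;;
        *)
            serial=$(printf '%s\n' "$raw" | extract_serial)
            if [ -n "$serial" ]; then status="ok"; else status="no-serial"; fi
            ;;
    esac
    printf '%s,%s,%s,%s\n' "$(csv_field "$domain")" "$(csv_field "$ip")" \
        "$(csv_field "$serial")" "$(csv_field "$status")"
}

# Constructed sample outputs (not captured from a real gateway).
sample_ok='Platform: Constructed Appliance
Serial Number: SAMPLE0001
CPU Model: Example CPU'
sample_fail='(NULL BUF)'

inventory_row "DomainA" "192.0.2.10" "$sample_ok"
inventory_row "DomainA" "192.0.2.11" "$sample_fail"
```

Rows with a status other than "ok" are the ones to collect manually, as described above.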
