Solved: Re: R80.x - Mobile User License Tool - Replace... - Page 2

HeikoAnkenbrand

Introduction

In the past days I have been working on a CLI script that can display all Secure Client, SSL VPN and Mobile Access Portal license information centrally. This script creates a new command on the management server to read the licenses. It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum). Furthermore if a connection to the gateway can be established, it can read out the currently used user counters and peaks on the gateway. It replaces the old "dtps lic" tool.

This tool checks the following licenses and user counters central on the SMS:

- Secure Client

- SSL VPN

- Mobile Access Portal

Or use this one-liner to show quick and easy a summary of all available licensses on the management server: One-liner for Remote Access VPN License Summary

Description

If you execute the script via "copy and past" on the management server or start the auto install script, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. If you give this CLI command "sclic" the IP address of the gateway, the current data of the gateway will be read. You have to use the IP address of the gateway from the topology. All available gateways from the topology can be displayed with the option -g.

Note:
- Eval licenses are not displayed.
- It doesn't currently work with VSX systems but I am working on it.
- Please note that the execution of the command may take a few seconds. This is a normal behaviour.

Syntax	Description
sclic -g	The option -g shows all possible remote gateways from the topology (for option <remote gateway ip address>)
sclic - s <remote gateway ip address>	The option -s shows the number of logged in users and the peak value of the gateway for Secure Client, SSLVPN, Mobile Access Portal. Furthermore, existing licenses on the management server are displayed for Secure Client and SSLVPN. IP address of the gateway from the topology (which is used to connect the gateway from/to the management)
sclic -r <remote gateway ip address>	The option -r shows the full license informations from a remote gateway.
sclic -m	The option -m shows the full license informations from the SMS
sclic	Shows the available Secure Client, SSL VPN and Mobile Access Portal licenses summary on the management server.

Example

# sclic - s 192.168.1.1

# sclic -g

# sclic -r 192.168.1.2

Install this script

Use this auto installer script on the management server as CLI command:

curl_cli -k http://www.ankenbrand24.de/inst_sclic > /tmp/inst_sclic && chmod 770 /tmp/inst_sclic && /tmp/inst_sclic

Or "copy and past" the following script block to your management server:

cat <<EOT > /usr/local/bin/sclic
#!/bin/bash
printf '%.s-' {1..78};echo;
echo '- Mobile User License Tool v1.0            - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};echo;
SHOW_SUM="1";

mSITIONAL=()
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
    -g|--gateways)
       shift # past argument
       echo;echo 'Gateways from topology:';echo;
       mgmt_cli -r true show gateways-and-servers details-level full --format json | \$CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address",."name"  ' |xargs -n 2 | grep -v 0.0.0. | awk '{print \$1 "\t\t" \$2}' ;
       echo;printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;

    -m|--management)
       shift # past argument
       echo;echo "Licenses on management server:";echo;
       cplic print;
       printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;


    -r|--remote)
       REMOTEIP="\$2"
       shift # past argument
       shift # past value
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'cplic print' > /tmp/cplic_print_lic.txt ;
       if [ ! -s /tmp/cplic_print_lic.txt ]
       then
       echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';echo;
       else
       echo; echo -n "Licenses on gateway "; echo -n \$REMOTEIP;echo ":";echo;
       more /tmp/cplic_print_lic.txt
       echo;
       fi
       printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;

    -s|--summary)
       REMOTEIP="\$2"
       shift # past argument
       shift # past value       
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t userc_users -s' |grep localhost > /tmp/sclic.txt ;
       if [ ! -s /tmp/sclic.txt ]
       then
       echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';
       else
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t sslt_om_ip_params -s' |grep localhost > /tmp/snxlic.txt ;
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t cvpn_session -s' |grep localhost > /tmp/moblic.txt ;
       echo;
       echo; echo -n "User counters on gateway "; echo -n \$REMOTEIP;echo ":";echo;
       echo -n '  Endpoint Security VPN (SecureClient) now on the gateway    : ';
       more /tmp/sclic.txt | awk {'print \$4'};
       echo -n '  Endpoint Security VPN users on the gateway (peak)          : ';
       more /tmp/sclic.txt | awk {'print \$5'};
       fi
       if [ ! -s /tmp/snxlic.txt ]
       then
       echo -n '';
       else
       echo -n '  SNX (SSL VPN not MOB) users now on the gateway             : ';
       more /tmp/snxlic.txt | awk {'print \$4'};
       echo -n '  SNX (SSLVPN not MOB) users on the gateway (peak)           : ';
       more /tmp/snxlic.txt | awk {'print \$5'};
       fi
       if [ ! -s /tmp/moblic.txt ]
       then
       echo -n '';
       else
       echo -n '  Mobile Access Portal users now on the gateway              : ';
       more /tmp/moblic.txt | awk {'print \$4'};
       echo -n '  Mobile Access Portal users on the gateway (peak)           : ';
       more /tmp/moblic.txt | awk {'print \$5'};
       fi
       echo;
       printf '%.s-' {1..78};echo;
       SHOW_SUM="1";
    ;;


    *)    # unknown option
    #echo "Unbekannt"
    POSITIONAL+=("\$1") # save it in an array for later
    shift # past argument
    SHOW_SUM="1";
    ;;

esac
done


if [ \$SHOW_SUM == "1" ] 
then
    echo;echo  'Remote Access Licenses on SMS:';echo;
    echo -n '  Endpoint Security VPN (SecureClient)  (CPVP-VSC-5-NGX-XXX) : ';
    cplic print |grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' |sed 's/CPVP-VSC-5-NGX+//g' |awk '{ total = total + \$1 } END { print total }';
    echo -n '  Endpoint Security VPN (SecureClient)  (CPVP-VSC-XXX-NGX)   : ';
    cplic print |grep never |grep -v 'CPVP-VSC-5-NGX\+' |grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total+ \$1 } END { print total }'
    echo -n '  SNX (not MOB)                         (CPVP-SNX-XXX-NGX)   : ';
    cplic print |grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' |awk '{ total2 = total2 + \$1 } END { print total2 }'
    echo -n '  Mobile Access Blade                   (CPSB-SSLVPN-XXX)    : ';
    cplic print |grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + \$1 } END { print total3 }'
    # printf '%.s-' {1..78};echo;
    echo;echo 'User Center keys: ';echo;
    echo '  Endpoint Security VPN (SecureClient): ';
    cplic print |grep never | grep 'CPVP-VSC-' | grep -o -E 'SWB CK-............'| awk '{print \$2}' |sed 's/CK-//g' | awk '{print "    " \$1}'; 
    echo '  SNX: '; 
    cplic print |grep never | grep 'CPVP-SNX-' | sed 's/.*\sCK-//' | awk '{print "    " \$1}'; 
    echo '  MOB: ';
    cplic print |grep never | grep 'CPSB-SSLVPN-' | sed 's/.*\sCK-//' | awk '{print "    " \$1}'; 
    echo;printf '%.s-' {1..78};echo;
fi

EOT
chmod 770 /usr/local/bin/sclic

More "Easy Tools"

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        -> Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

Version

0.1 03-15-2020 - oneliner to show Secure Client licenses
0.2 03-17-2020 - create "sclic" tool as script
0.3 03-19-2020 - add remote user check on the gateway
0.4 03-20-2020 - add SNX licenses and MOB licenses, renamed to "Mobile User License Tool"
0.5 03-21-2020 - option -g shows all gateways from topology
         03-22-2020    -      add auto installer one-liner
0.6    03-23-2020    -      add parameters -m, -s, -r, -g;
                                         option -r show full remote gateway licenses
                                         option -m show full SMS licenses
                                         option -g shows remote IP and gateway name from topology

1.0 03-29-2020 - bug fixed

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Hug_for_my_Bug · ‎2020-04-03

Hello,

How does one update or delete this script. Is just replacing/deleting the file is enough?

Regards,
Jev

Priess · ‎2022-12-02

I have the same problem, the auto install has worked, but the command does not work.

I copied the script also, but same result.

[Expert@em01r002:0]# curl_cli -k http://www.ankenbrand24.de/inst_sclic > /tmp/inst_sclic && chmod 770 /tmp/inst_sclic && /tmp/inst_sclic
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5046 100 5046 0 0 5820 0 --:--:-- --:--:-- --:--:-- 10173

AndrewSidwell · ‎2020-04-09

Hi Heiko -

Endpoint Security licences usually include two 'Features':

CPSB-VPN - displays as Version: 'NGX / R70' in SmartUpdate; Feature Names of the form CPVP-VSC...
CPSB-FW - displays as Version: 'SoftwareBlades' in SmartUpdate; Feature Names of the form CPEP-C1...

Your script only appears to count seats in the old-style 'NGX /R70' licences. However 'dtps lic' counts seats in the new 'SoftwareBlades' licences. The two are usually the same because most licences include both features, however if you have licences with only one feature or the other then your script and 'dtps lic' give different counts. I don't know which is more valid but I would assume that 'SoftwareBlades' licences are what matter because they are more recent.

Best regards -

Andrew Sidwell

UK Research and Innovation Network Team

dankline · ‎2020-04-09

Heiko,

Thank you for this tool. I was trying to understand how exactly to install and execute this tool on my CP management server.

Regards,

DK

HeikoAnkenbrand · ‎2020-04-10

More "Easy Tools"

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        -> Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

mk2 · ‎2020-04-20

Hello Heiko,

thanks for this nice tool! Valeri from Check Point found out that it is currently not counting "CPEP endpoint licenses", which are found in cplic as CPEP-C-1+ entries. Could you please implement counting those too?

Thank you very much!
Marco

_Daniel_ · ‎2021-10-25

Thank you Heiko, as always a great script.

A note worth mentioning, in case any is getting the error "jq: error: Cannot iterate over null" then most probably it's related for APACHE Port not being the default (443). Just check it using the command api status and then edit the script inserting --port <portid>

In our case we're using port 4434 for APACHE Gaia Port, so the script is modified as folowing: mgmt_cli --port 4434-r true show gateways-and-servers

leijin · ‎2022-04-13

Thank you very much for sharing the command.

I had a question about Capasule connect/Capasule VPN. Tested some users from capasule connect client from our Android and IOS devices, the connection peak is 8. How many capasule VPN users does below devices support? It should not be Mobile Access users.

Try run that command and the information below:

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 1 (Peak: 10)
Capsule/Endpoint VPN Users : 1 (Peak: 8) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 1)
SNX Users : 0 (Peak: 4)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 500
Endpoint Connect Users : 0
Mobile Access Users : 5
SNX Users : 5

leijin · ‎2022-04-13

Thank you very much.

I had a question about Capsule Connect/Capsule VPN. How many Capsule VPN users support on below users?

we tested peak is 8, it should not be Mobile Access Users.

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 1 (Peak: 10)
Capsule/Endpoint VPN Users : 1 (Peak: 8 using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 1)
SNX Users : 0 (Peak: 4)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 500
Endpoint Connect Users : 0
Mobile Access Users : 5
SNX Users : 5

Suhofruct · ‎2023-05-23

Hi!
Have next question.

I'am using now license CPEP-ACCESS-P per each user, for mobile users remote access VPN.
But this type of license attached to MAC of users device. If I need change device MAC of mobile user, how I can do it?

PhoneBoy · ‎2023-05-23

If the device is not seen by the gateway for 30 days, the "license" will be released.
We don't provide a documented way to remove this license beforehand, but it's possible TAC has a procedure to clean this database.

Filters

Sort By

Categories

Easy Mobile User License Tool - Replaces "dtps lic"

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.