Over the past few days I have been working on a CLI script that can display all Secure Client, SSL VPN and Mobile Access Portal license information centrally. This script creates a new command on the management server to read the licenses. It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum). Furthermore, if a connection to the gateway can be established, it can read out the currently used user counters and peaks on the gateway. It replaces the old "dtps lic" tool.
This tool checks the following licenses and user counters centrally on the SMS:
- Secure Client
- SSL VPN
If you execute the script via "copy and paste" on the management server or start the auto install script, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. If you give the CLI command "sclic" the IP address of a gateway, the current data of that gateway will be read. You have to use the IP address of the gateway from the topology. All available gateways from the topology can be displayed with the option -g.
Note:
- Eval licenses are not displayed.
- It doesn't currently work with VSX systems but I am working on it.
- Please note that the execution of the command may take a few seconds. This is normal behaviour.
| Syntax | Description |
| --- | --- |
| sclic -g | The option -g shows all possible remote gateways from the topology (for the option <remote gateway ip address>). |
| sclic -s <remote gateway ip address> | The option -s shows the number of logged in users and the peak value of the gateway for Secure Client, SSLVPN and Mobile Access Portal. Furthermore, existing licenses on the management server are displayed for Secure Client and SSLVPN. Use the IP address of the gateway from the topology (the address used for the connection between the gateway and the management server). |
| sclic -r <remote gateway ip address> | The option -r shows the full license information from a remote gateway. |
| sclic -m | The option -m shows the full license information from the SMS. |
| sclic | Shows the summary of available Secure Client, SSL VPN and Mobile Access Portal licenses on the management server. |
# sclic -s 192.168.1.1
# sclic -g
# sclic -r 192.168.1.2
Use this auto installer script on the management server as CLI command:
curl_cli -k http://www.ankenbrand24.de/inst_sclic > /tmp/inst_sclic && chmod 770 /tmp/inst_sclic && /tmp/inst_sclic
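The one-liner above downloads over plain HTTP and executes the result directly on the management server. As an added example (not part of the original post), the function below stages the download in a private directory and hands it back only when it matches a SHA-256 digest obtained separately; `stage_installer` is a hypothetical name, and the page publishes no digest, so the value in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post; stage_installer is a hypothetical name.
# Usage: stage_installer <downloaded-file> <expected-sha256>
# Prints the path of a verified private copy, or returns non-zero.
stage_installer() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "digest is not 64 hex chars" >&2; return 2; }
    [ -f "$1" ] && [ ! -L "$1" ] || { echo "not a regular file: $1" >&2; return 3; }

    # Copy first, then hash the copy: the file that is verified is the file
    # that is later executed, and the 0700 directory keeps other users out.
    dir=$(mktemp -d) || return 4
    cp -- "$1" "$dir/inst_sclic" || { rm -rf -- "$dir"; return 4; }
    got=$(sha256sum < "$dir/inst_sclic" | awk '{print $1}')
    if [ "$got" != "$want" ]; then
        echo "digest mismatch: got $got" >&2
        rm -rf -- "$dir"
        return 1
    fi
    chmod 700 "$dir/inst_sclic"
    printf '%s\n' "$dir/inst_sclic"
}

# Typical use on the management server (the digest below is a placeholder):
#   tmp=$(mktemp) && curl_cli -k http://www.ankenbrand24.de/inst_sclic > "$tmp"
#   staged=$(stage_installer "$tmp" "<SHA-256 OF THE REVIEWED INSTALLER>") \
#       && less "$staged" && "$staged"
```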
Or "copy and paste" the following script block to your management server:
cat <<EOT > /usr/local/bin/sclic
#!/bin/bash
printf '%.s-' {1..78};echo;
echo '- Mobile User License Tool v1.0 - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};echo;
SHOW_SUM="1";
POSITIONAL=()
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
-g|--gateways)
shift # past argument
echo;echo 'Gateways from topology:';echo;
mgmt_cli -r true show gateways-and-servers details-level full --format json | \$CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address",."name" ' |xargs -n 2 | grep -v 0.0.0. | awk '{print \$1 "\t\t" \$2}' ;
echo;printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-m|--management)
shift # past argument
echo;echo "Licenses on management server:";echo;
cplic print;
printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-r|--remote)
REMOTEIP="\$2"
shift # past argument
shift # past value
# \$CPDIR is escaped so that it is resolved when sclic runs, not when this block is pasted
\$CPDIR/bin/cprid_util -server "\$REMOTEIP" -verbose rexec -rcmd bash -c 'cplic print' > /tmp/cplic_print_lic.txt ;
if [ ! -s /tmp/cplic_print_lic.txt ]
then
echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';echo;
else
echo; echo -n "Licenses on gateway "; echo -n \$REMOTEIP;echo ":";echo;
more /tmp/cplic_print_lic.txt
echo;
fi
printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-s|--summary)
REMOTEIP="\$2"
shift # past argument
shift # past value
\$CPDIR/bin/cprid_util -server "\$REMOTEIP" -verbose rexec -rcmd bash -c 'fw tab -t userc_users -s' |grep localhost > /tmp/sclic.txt ;
if [ ! -s /tmp/sclic.txt ]
then
echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';
else
\$CPDIR/bin/cprid_util -server "\$REMOTEIP" -verbose rexec -rcmd bash -c 'fw tab -t sslt_om_ip_params -s' |grep localhost > /tmp/snxlic.txt ;
\$CPDIR/bin/cprid_util -server "\$REMOTEIP" -verbose rexec -rcmd bash -c 'fw tab -t cvpn_session -s' |grep localhost > /tmp/moblic.txt ;
echo;
echo; echo -n "User counters on gateway "; echo -n \$REMOTEIP;echo ":";echo;
echo -n ' Endpoint Security VPN (SecureClient) now on the gateway : ';
more /tmp/sclic.txt | awk {'print \$4'};
echo -n ' Endpoint Security VPN users on the gateway (peak) : ';
more /tmp/sclic.txt | awk {'print \$5'};
fi
if [ ! -s /tmp/snxlic.txt ]
then
echo -n '';
else
echo -n ' SNX (SSL VPN not MOB) users now on the gateway : ';
more /tmp/snxlic.txt | awk {'print \$4'};
echo -n ' SNX (SSLVPN not MOB) users on the gateway (peak) : ';
more /tmp/snxlic.txt | awk {'print \$5'};
fi
if [ ! -s /tmp/moblic.txt ]
then
echo -n '';
else
echo -n ' Mobile Access Portal users now on the gateway : ';
more /tmp/moblic.txt | awk {'print \$4'};
echo -n ' Mobile Access Portal users on the gateway (peak) : ';
more /tmp/moblic.txt | awk {'print \$5'};
fi
echo;
printf '%.s-' {1..78};echo;
SHOW_SUM="1";
;;
*) # unknown option
#echo "Unknown"
POSITIONAL+=("\$1") # save it in an array for later
shift # past argument
SHOW_SUM="1";
;;
esac
done
if [ \$SHOW_SUM == "1" ]
then
echo;echo 'Remote Access Licenses on SMS:';echo;
echo -n ' Endpoint Security VPN (SecureClient) (CPVP-VSC-5-NGX-XXX) : ';
cplic print |grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' |sed 's/CPVP-VSC-5-NGX+//g' |awk '{ total = total + \$1 } END { print total }';
echo -n ' Endpoint Security VPN (SecureClient) (CPVP-VSC-XXX-NGX) : ';
cplic print |grep never |grep -v 'CPVP-VSC-5-NGX\+' |grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total+ \$1 } END { print total }'
echo -n ' SNX (not MOB) (CPVP-SNX-XXX-NGX) : ';
cplic print |grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' |awk '{ total2 = total2 + \$1 } END { print total2 }'
echo -n ' Mobile Access Blade (CPSB-SSLVPN-XXX) : ';
cplic print |grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + \$1 } END { print total3 }'
# printf '%.s-' {1..78};echo;
echo;echo 'User Center keys: ';echo;
echo ' Endpoint Security VPN (SecureClient): ';
cplic print |grep never | grep 'CPVP-VSC-' | grep -o -E 'SWB CK-............'| awk '{print \$2}' |sed 's/CK-//g' | awk '{print " " \$1}';
echo ' SNX: ';
cplic print |grep never | grep 'CPVP-SNX-' | sed 's/.*\sCK-//' | awk '{print " " \$1}';
echo ' MOB: ';
cplic print |grep never | grep 'CPSB-SSLVPN-' | sed 's/.*\sCK-//' | awk '{print " " \$1}';
echo;printf '%.s-' {1..78};echo;
fi
EOT
chmod 770 /usr/local/bin/sclic
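The -s branch of the script above passes its argument to cprid_util as typed and keeps the results in fixed file names under /tmp, where a file left over from an earlier run can be picked up again. The following added example (not the author's code) reads the same three tables with the argument validated first and the output piped instead of stored; the function names are hypothetical and the sample `fw tab -s` output is constructed.

```shell
#!/bin/sh
# Added example, not the original sclic code; all function names are hypothetical.

# Constructed sample of what "fw tab -t userc_users -s" prints on a gateway.
SAMPLE_TAB_OUTPUT='HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             userc_users                        66    12    20       0'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# tab_counters: read "fw tab -s" output on stdin, print "#VALS #PEAK" of the
# localhost row; fail when there is no such row or the fields are not numeric.
tab_counters() {
    awk '$1 == "localhost" && $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ {
             print $4, $5; found = 1; exit
         }
         END { exit (found ? 0 : 1) }'
}

# remote_counters IP TABLE: "now peak" for one of the three tables sclic reads.
remote_counters() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    case $2 in
        userc_users|sslt_om_ip_params|cvpn_session) ;;
        *) echo "unexpected table: $2" >&2; return 2 ;;
    esac
    # Same cprid_util call as in the script; nothing is written to /tmp.
    "$CPDIR/bin/cprid_util" -server "$1" -verbose rexec -rcmd bash -c "fw tab -t $2 -s" |
        tab_counters
}
```

A non-zero return from `remote_counters` takes the place of the empty-file test in the script: it means the address answered with no `localhost` row, or did not answer at all.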
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool quickly shows you an overview of the status information of all your gateways with only one CLI command.
0.1 03-15-2020 - oneliner to show Secure Client licenses
0.2 03-17-2020 - create "sclic" tool as script
0.3 03-19-2020 - add remote user check on the gateway
0.4 03-20-2020 - add SNX licenses and MOB licenses, renamed to "Mobile User License Tool"
0.5 03-21-2020 - option -g shows all gateways from topology
03-22-2020 - add auto installer one-liner
0.6 03-23-2020 - add parameters -m, -s, -r, -g;
option -r show full remote gateway licenses
option -m show full SMS licenses
option -g shows remote IP and gateway name from topology
1.0 03-29-2020 - bug fixed
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips