Solved: Easy Mobile User License Tool - Replaces "dtps... - Page 2

HeikoAnkenbrand

Introduction

In the past days I have been working on a CLI script that can display all Secure Client, SSL VPN and Mobile Access Portal license information centrally. This script creates a new command on the management server to read the licenses. It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum). Furthermore if a connection to the gateway can be established, it can read out the currently used user counters and peaks on the gateway. It replaces the old "dtps lic" tool.

This tool checks the following licenses and user counters central on the SMS:

- Secure Client

- SSL VPN

- Mobile Access Portal

Or use this one-liner to show quick and easy a summary of all available licensses on the management server: One-liner for Remote Access VPN License Summary

Description

If you execute the script via "copy and past" on the management server or start the auto install script, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. If you give this CLI command "sclic" the IP address of the gateway, the current data of the gateway will be read. You have to use the IP address of the gateway from the topology. All available gateways from the topology can be displayed with the option -g.

Note:
- Eval licenses are not displayed.
- It doesn't currently work with VSX systems but I am working on it.
- Please note that the execution of the command may take a few seconds. This is a normal behaviour.

Syntax	Description
sclic -g	The option -g shows all possible remote gateways from the topology (for option <remote gateway ip address>)
sclic - s <remote gateway ip address>	The option -s shows the number of logged in users and the peak value of the gateway for Secure Client, SSLVPN, Mobile Access Portal. Furthermore, existing licenses on the management server are displayed for Secure Client and SSLVPN. IP address of the gateway from the topology (which is used to connect the gateway from/to the management)
sclic -r <remote gateway ip address>	The option -r shows the full license informations from a remote gateway.
sclic -m	The option -m shows the full license informations from the SMS
sclic	Shows the available Secure Client, SSL VPN and Mobile Access Portal licenses summary on the management server.

Example

# sclic - s 192.168.1.1

# sclic -g

# sclic -r 192.168.1.2

Install this script

Use this auto installer script on the management server as CLI command:

curl_cli -k http://www.ankenbrand24.de/inst_sclic > /tmp/inst_sclic && chmod 770 /tmp/inst_sclic && /tmp/inst_sclic

Or "copy and past" the following script block to your management server:

cat <<EOT > /usr/local/bin/sclic
#!/bin/bash
printf '%.s-' {1..78};echo;
echo '- Mobile User License Tool v1.0            - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};echo;
SHOW_SUM="1";

mSITIONAL=()
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
    -g|--gateways)
       shift # past argument
       echo;echo 'Gateways from topology:';echo;
       mgmt_cli -r true show gateways-and-servers details-level full --format json | \$CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address",."name"  ' |xargs -n 2 | grep -v 0.0.0. | awk '{print \$1 "\t\t" \$2}' ;
       echo;printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;

    -m|--management)
       shift # past argument
       echo;echo "Licenses on management server:";echo;
       cplic print;
       printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;


    -r|--remote)
       REMOTEIP="\$2"
       shift # past argument
       shift # past value
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'cplic print' > /tmp/cplic_print_lic.txt ;
       if [ ! -s /tmp/cplic_print_lic.txt ]
       then
       echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';echo;
       else
       echo; echo -n "Licenses on gateway "; echo -n \$REMOTEIP;echo ":";echo;
       more /tmp/cplic_print_lic.txt
       echo;
       fi
       printf '%.s-' {1..78};echo;
       SHOW_SUM="0";
    ;;

    -s|--summary)
       REMOTEIP="\$2"
       shift # past argument
       shift # past value       
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t userc_users -s' |grep localhost > /tmp/sclic.txt ;
       if [ ! -s /tmp/sclic.txt ]
       then
       echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';
       else
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t sslt_om_ip_params -s' |grep localhost > /tmp/snxlic.txt ;
       $CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t cvpn_session -s' |grep localhost > /tmp/moblic.txt ;
       echo;
       echo; echo -n "User counters on gateway "; echo -n \$REMOTEIP;echo ":";echo;
       echo -n '  Endpoint Security VPN (SecureClient) now on the gateway    : ';
       more /tmp/sclic.txt | awk {'print \$4'};
       echo -n '  Endpoint Security VPN users on the gateway (peak)          : ';
       more /tmp/sclic.txt | awk {'print \$5'};
       fi
       if [ ! -s /tmp/snxlic.txt ]
       then
       echo -n '';
       else
       echo -n '  SNX (SSL VPN not MOB) users now on the gateway             : ';
       more /tmp/snxlic.txt | awk {'print \$4'};
       echo -n '  SNX (SSLVPN not MOB) users on the gateway (peak)           : ';
       more /tmp/snxlic.txt | awk {'print \$5'};
       fi
       if [ ! -s /tmp/moblic.txt ]
       then
       echo -n '';
       else
       echo -n '  Mobile Access Portal users now on the gateway              : ';
       more /tmp/moblic.txt | awk {'print \$4'};
       echo -n '  Mobile Access Portal users on the gateway (peak)           : ';
       more /tmp/moblic.txt | awk {'print \$5'};
       fi
       echo;
       printf '%.s-' {1..78};echo;
       SHOW_SUM="1";
    ;;


    *)    # unknown option
    #echo "Unbekannt"
    POSITIONAL+=("\$1") # save it in an array for later
    shift # past argument
    SHOW_SUM="1";
    ;;

esac
done


if [ \$SHOW_SUM == "1" ] 
then
    echo;echo  'Remote Access Licenses on SMS:';echo;
    echo -n '  Endpoint Security VPN (SecureClient)  (CPVP-VSC-5-NGX-XXX) : ';
    cplic print |grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' |sed 's/CPVP-VSC-5-NGX+//g' |awk '{ total = total + \$1 } END { print total }';
    echo -n '  Endpoint Security VPN (SecureClient)  (CPVP-VSC-XXX-NGX)   : ';
    cplic print |grep never |grep -v 'CPVP-VSC-5-NGX\+' |grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total+ \$1 } END { print total }'
    echo -n '  SNX (not MOB)                         (CPVP-SNX-XXX-NGX)   : ';
    cplic print |grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' |awk '{ total2 = total2 + \$1 } END { print total2 }'
    echo -n '  Mobile Access Blade                   (CPSB-SSLVPN-XXX)    : ';
    cplic print |grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + \$1 } END { print total3 }'
    # printf '%.s-' {1..78};echo;
    echo;echo 'User Center keys: ';echo;
    echo '  Endpoint Security VPN (SecureClient): ';
    cplic print |grep never | grep 'CPVP-VSC-' | grep -o -E 'SWB CK-............'| awk '{print \$2}' |sed 's/CK-//g' | awk '{print "    " \$1}'; 
    echo '  SNX: '; 
    cplic print |grep never | grep 'CPVP-SNX-' | sed 's/.*\sCK-//' | awk '{print "    " \$1}'; 
    echo '  MOB: ';
    cplic print |grep never | grep 'CPSB-SSLVPN-' | sed 's/.*\sCK-//' | awk '{print "    " \$1}'; 
    echo;printf '%.s-' {1..78};echo;
fi

EOT
chmod 770 /usr/local/bin/sclic

More "Easy Tools"

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        -> Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

Version

0.1 03-15-2020 - oneliner to show Secure Client licenses
0.2 03-17-2020 - create "sclic" tool as script
0.3 03-19-2020 - add remote user check on the gateway
0.4 03-20-2020 - add SNX licenses and MOB licenses, renamed to "Mobile User License Tool"
0.5 03-21-2020 - option -g shows all gateways from topology
         03-22-2020    -      add auto installer one-liner
0.6    03-23-2020    -      add parameters -m, -s, -r, -g;
                                         option -r show full remote gateway licenses
                                         option -m show full SMS licenses
                                         option -g shows remote IP and gateway name from topology

1.0 03-29-2020 - bug fixed

AndrewSidwell · ‎2020-04-09

Hi Heiko -

Endpoint Security licences usually include two 'Features':

CPSB-VPN - displays as Version: 'NGX / R70' in SmartUpdate; Feature Names of the form CPVP-VSC...
CPSB-FW - displays as Version: 'SoftwareBlades' in SmartUpdate; Feature Names of the form CPEP-C1...

Your script only appears to count seats in the old-style 'NGX /R70' licences. However 'dtps lic' counts seats in the new 'SoftwareBlades' licences. The two are usually the same because most licences include both features, however if you have licences with only one feature or the other then your script and 'dtps lic' give different counts. I don't know which is more valid but I would assume that 'SoftwareBlades' licences are what matter because they are more recent.

Best regards -

Andrew Sidwell

UK Research and Innovation Network Team

dankline · ‎2020-04-09

Heiko,

Thank you for this tool. I was trying to understand how exactly to install and execute this tool on my CP management server.

Regards,

DK

HeikoAnkenbrand · ‎2020-04-10

More "Easy Tools"

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        -> Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

mk2 · ‎2020-04-20

Hello Heiko,

thanks for this nice tool! Valeri from Check Point found out that it is currently not counting "CPEP endpoint licenses", which are found in cplic as CPEP-C-1+ entries. Could you please implement counting those too?

Thank you very much!
Marco

Filters

Categories

Easy Mobile User License Tool - Replaces "dtps lic"