Introduction |
---|
Description |
---|
If you execute the script via "copy and paste" on the management server or start the auto install script, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. If you give this CLI command "sclic" the IP address of the gateway, the current data of the gateway will be read. You have to use the IP address of the gateway from the topology. All available gateways from the topology can be displayed with the option -g.
Note:
- Eval licenses are not displayed.
- It doesn't currently work with VSX systems but I am working on it.
- Please note that the execution of the command may take a few seconds. This is a normal behaviour.
Syntax | Description |
---|---|
sclic -g | The option -g shows all possible remote gateways from the topology (for option <remote gateway ip address>) |
sclic -s <remote gateway ip address> | The option -s shows the number of logged in users and the peak value of the gateway for Secure Client, SSLVPN, Mobile Access Portal. Furthermore, existing licenses on the management server are displayed for Secure Client and SSLVPN. IP address of the gateway from the topology (which is used to connect the gateway from/to the management) |
sclic -r <remote gateway ip address> | The option -r shows the full license information from a remote gateway. |
sclic -m | The option -m shows the full license information from the SMS |
sclic | Shows the available Secure Client, SSL VPN and Mobile Access Portal licenses summary on the management server. |
Example |
---|
# sclic -s 192.168.1.1
# sclic -g
# sclic -r 192.168.1.2
Install this script |
---|
Use this auto installer script on the management server as CLI command:
curl_cli -k http://www.ankenbrand24.de/inst_sclic > /tmp/inst_sclic && chmod 770 /tmp/inst_sclic && /tmp/inst_sclic
Or "copy and paste" the following script block to your management server:
cat <<EOT > /usr/local/bin/sclic
#!/bin/bash
printf '%.s-' {1..78};echo;
echo '- Mobile User License Tool v1.0 - Copyright Heiko Ankenbrand 2020 -';
printf '%.s-' {1..78};echo;
SHOW_SUM="1";
POSITIONAL=()
while [[ \$# -gt 0 ]]
do
key="\$1"
case \$key in
-g|--gateways)
shift # past argument
echo;echo 'Gateways from topology:';echo;
mgmt_cli -r true show gateways-and-servers details-level full --format json | \$CPDIR/jq/jq -r '.objects[] | select(.type | contains("Member","simple-gateway")) | ."ipv4-address",."name" ' |xargs -n 2 | grep -v 0.0.0. | awk '{print \$1 "\t\t" \$2}' ;
echo;printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-m|--management)
shift # past argument
echo;echo "Licenses on management server:";echo;
cplic print;
printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-r|--remote)
REMOTEIP="\$2"
shift # past argument
shift # past value
\$CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'cplic print' > /tmp/cplic_print_lic.txt ;
if [ ! -s /tmp/cplic_print_lic.txt ]
then
echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';echo;
else
echo; echo -n "Licenses on gateway "; echo -n \$REMOTEIP;echo ":";echo;
more /tmp/cplic_print_lic.txt
echo;
fi
printf '%.s-' {1..78};echo;
SHOW_SUM="0";
;;
-s|--summary)
REMOTEIP="\$2"
shift # past argument
shift # past value
\$CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t userc_users -s' |grep localhost > /tmp/sclic.txt ;
if [ ! -s /tmp/sclic.txt ]
then
echo;echo 'This IP is not from a gateway. Use the option "sclic -g" to show all gateways.';
else
\$CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t sslt_om_ip_params -s' |grep localhost > /tmp/snxlic.txt ;
\$CPDIR/bin/cprid_util -server \$REMOTEIP -verbose rexec -rcmd bash -c 'fw tab -t cvpn_session -s' |grep localhost > /tmp/moblic.txt ;
echo;
echo; echo -n "User counters on gateway "; echo -n \$REMOTEIP;echo ":";echo;
echo -n ' Endpoint Security VPN (SecureClient) now on the gateway : ';
more /tmp/sclic.txt | awk {'print \$4'};
echo -n ' Endpoint Security VPN users on the gateway (peak) : ';
more /tmp/sclic.txt | awk {'print \$5'};
fi
if [ ! -s /tmp/snxlic.txt ]
then
echo -n '';
else
echo -n ' SNX (SSL VPN not MOB) users now on the gateway : ';
more /tmp/snxlic.txt | awk {'print \$4'};
echo -n ' SNX (SSLVPN not MOB) users on the gateway (peak) : ';
more /tmp/snxlic.txt | awk {'print \$5'};
fi
if [ ! -s /tmp/moblic.txt ]
then
echo -n '';
else
echo -n ' Mobile Access Portal users now on the gateway : ';
more /tmp/moblic.txt | awk {'print \$4'};
echo -n ' Mobile Access Portal users on the gateway (peak) : ';
more /tmp/moblic.txt | awk {'print \$5'};
fi
echo;
printf '%.s-' {1..78};echo;
SHOW_SUM="1";
;;
*) # unknown option
#echo "Unknown"
POSITIONAL+=("\$1") # save it in an array for later
shift # past argument
SHOW_SUM="1";
;;
esac
done
if [ \$SHOW_SUM == "1" ]
then
echo;echo 'Remote Access Licenses on SMS:';echo;
echo -n ' Endpoint Security VPN (SecureClient) (CPVP-VSC-5-NGX-XXX) : ';
cplic print |grep never | grep -o -E 'CPVP-VSC-5-NGX\+.*' |sed 's/CPVP-VSC-5-NGX+//g' |awk '{ total = total + \$1 } END { print total }';
echo -n ' Endpoint Security VPN (SecureClient) (CPVP-VSC-XXX-NGX) : ';
cplic print |grep never |grep -v 'CPVP-VSC-5-NGX\+' |grep -o -E 'CPVP-VSC-.*NGX' | sed 's/CPVP-VSC-//g' | sed 's/-NGX//g' | awk '{ total = total+ \$1 } END { print total }'
echo -n ' SNX (not MOB) (CPVP-SNX-XXX-NGX) : ';
cplic print |grep never | grep SNX | sed 's/.*\sCPVP\-SNX\-//' | sed 's/\-NGX.*//' |awk '{ total2 = total2 + \$1 } END { print total2 }'
echo -n ' Mobile Access Blade (CPSB-SSLVPN-XXX) : ';
cplic print |grep never | grep SSLVPN | sed 's/.*\sCPSB\-SSLVPN\-//' | awk '{ total3 = total3 + \$1 } END { print total3 }'
# printf '%.s-' {1..78};echo;
echo;echo 'User Center keys: ';echo;
echo ' Endpoint Security VPN (SecureClient): ';
cplic print |grep never | grep 'CPVP-VSC-' | grep -o -E 'SWB CK-............'| awk '{print \$2}' |sed 's/CK-//g' | awk '{print " " \$1}';
echo ' SNX: ';
cplic print |grep never | grep 'CPVP-SNX-' | sed 's/.*\sCK-//' | awk '{print " " \$1}';
echo ' MOB: ';
cplic print |grep never | grep 'CPSB-SSLVPN-' | sed 's/.*\sCK-//' | awk '{print " " \$1}';
echo;printf '%.s-' {1..78};echo;
fi
EOT
chmod 770 /usr/local/bin/sclic
More "Easy Tools" |
---|
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool shows you quickly an overview of status information of all your gateways with only one CLI command.
Version |
---|
0.1 03-15-2020 - oneliner to show Secure Client licenses
0.2 03-17-2020 - create "sclic" tool as script
0.3 03-19-2020 - add remote user check on the gateway
0.4 03-20-2020 - add SNX licenses and MOB licenses, renamed to "Mobile User License Tool"
0.5 03-21-2020 - option -g shows all gateways from topology
03-22-2020 - add auto installer one-liner
0.6 03-23-2020 - add parameters -m, -s, -r, -g;
option -r show full remote gateway licenses
option -m show full SMS licenses
option -g shows remote IP and gateway name from topology
1.0 03-29-2020 - bug fixed
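The -s and -r branches of the script above hand the gateway address straight to the remote call and write to fixed file names under /tmp. The following is an added example, not part of the original post or the author's tool, showing address validation plus a private scratch directory for the same lookup; `valid_ipv4`, `table_counters`, `gateway_summary` and `sample_fetch` are hypothetical names, and the `fw tab -s` output is constructed.

```shell
#!/bin/bash
# Added example, not the author's code: input and temp-file handling for a
# "-s <gateway ip>" style lookup. Function names are hypothetical.

# Accept only a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print "<current> <peak>" from the localhost row of `fw tab -t <table> -s`
# output (columns: HOST NAME ID #VALS #PEAK #SLINKS); fail if no such row.
table_counters() {
    awk '$1 == "localhost" && $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ {
             print $4, $5; found = 1 }
         END { exit !found }' "$1"
}

# Constructed stand-in for the remote query so the example runs offline;
# on a management server this is where the cprid_util call would go.
sample_fetch() {
    printf '%s\n' 'HOST       NAME         ID #VALS #PEAK #SLINKS' \
                  'localhost  userc_users 143    12    37       0'
}

# gateway_summary <ip> <fetch-command>: validate, query, parse, clean up.
gateway_summary() {
    ip=$1; fetch=$2
    valid_ipv4 "$ip" || { echo "not an IPv4 address: use sclic -g" >&2; return 2; }
    # Private, unpredictable scratch directory instead of fixed /tmp names.
    scratch=$(umask 077; mktemp -d "${TMPDIR:-/tmp}/sclic.XXXXXX") || return 1
    rc=0
    "$fetch" "$ip" userc_users > "$scratch/userc" || rc=1
    [ "$rc" -eq 0 ] && { counters=$(table_counters "$scratch/userc") || rc=1; }
    rm -rf "$scratch"
    [ "$rc" -eq 0 ] && echo "$counters"
}
```

Because the scratch directory is removed on every path, a failed lookup cannot leave a stale file behind to be shown on the next run.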
Hi Heiko -
Endpoint Security licences usually include two 'Features':
Your script only appears to count seats in the old-style 'NGX /R70' licences. However 'dtps lic' counts seats in the new 'SoftwareBlades' licences. The two are usually the same because most licences include both features, however if you have licences with only one feature or the other then your script and 'dtps lic' give different counts. I don't know which is more valid but I would assume that 'SoftwareBlades' licences are what matter because they are more recent.
Best regards -
Andrew Sidwell
UK Research and Innovation Network Team
Heiko,
Thank you for this tool. I was trying to understand how exactly to install and execute this tool on my CP management server.
Regards,
DK
Hello Heiko,
thanks for this nice tool! Valeri from Check Point found out that it is currently not counting "CPEP endpoint licenses", which are found in cplic as CPEP-C-1+ entries. Could you please implement counting those too?
Thank you very much!
Marco