GAIA - Easy execute CLI commands from management on gateways!
Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the lines below to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.
You only need to enter the IP address of the gateway and the command will be executed there.
Copy and paste these lines to the management server or download the script "new_commands.sh" and execute the script.
#!/bin/bash
# new_commands.sh - run once in expert mode on the management server with the
# Check Point environment loaded ($FWDIR, $CPDIR). Creates three helpers in
# /usr/local/bin. $FWDIR is expanded while writing; $CPDIR and the arguments
# are expanded when the generated scripts run.
# Fixes against the first version: "cat" instead of "more" (more hangs without
# a terminal, e.g. over ssh or from cron), every argument after the IP is
# passed on (no 9-argument limit), the IP is matched as a fixed string, and the
# files are mode 755 instead of 777 (a world-writable script that runs commands
# as root on every gateway lets any local user on the management do the same).

# Pipeline that lists the IP addresses of all gateway objects in the database
LIST="grep -A 20 -B 1 ':type (gateway)' $FWDIR/conf/objects.C | grep ipaddr | sed 's/^[ \t]*//' | sed 's/:ipaddr (//' | sed 's/)//'"

cat > /usr/local/bin/g_show <<EOF
#!/bin/bash
echo Gateways configured in policy:
$LIST
EOF
chmod 755 /usr/local/bin/g_show

# g_bash runs the command with /bin/bash (expert mode), g_cli with /bin/clish
for spec in g_bash:/bin/bash g_cli:/bin/clish; do
  name=${spec%%:*}
  shell=${spec#*:}
  cat > /usr/local/bin/$name <<EOF
#!/bin/bash
# usage: $name <gateway IP> <command ...>
if [ \$# -lt 2 ]; then
  echo "usage: $name <gateway IP> <command>"
  exit 1
fi
# refresh the list of gateway IPs known to the management
$LIST > /var/log/g_gateway.txt
if grep -qxF -- "\$1" /var/log/g_gateway.txt; then
  # everything after the IP is the command; it is copied to the gateway as a
  # file and executed there as root over SIC
  echo "\${@:2}" > /var/log/g_command.txt
  \$CPDIR/bin/cprid_util -server "\$1" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt
  \$CPDIR/bin/cprid_util -server "\$1" -verbose rexec -rcmd $shell -f /var/log/g_command.txt
else
  echo "This is not a gateway IP. Use an IP of following list:"
  cat /var/log/g_gateway.txt
fi
EOF
  chmod 755 /usr/local/bin/$name
done
Command syntax:
Command                          | Description
# g_show                         | show all gateway IP addresses
# g_bash <gateway IP> <command>  | execute expert mode command on gateway
# g_cli <gateway IP> <command>   | execute clish command on gateway
An example!
You want to see the configuration of the gateway with IP 1.2.3.4 from the management.
So you only have to enter the following command:
Management# g_cli 1.2.3.4 show configuration
Now the command "show configuration" is executed on the gateway and the output is displayed on the management server.
The same also works for the expert mode. For example:
Management# g_bash 1.2.3.4 cphaprob stat
Show all gateway IP addresses. For example:
Management# g_show
Gateways configured in policy:
1.2.3.4
More "Easy Tools":
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool shows you quickly an overview of status information of all your gateways with only one CLI command.
Copyright by Heiko Ankenbrand 1996-2019
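The g_show pipeline above finds gateway addresses with a fixed window (grep -A 20 -B 1 around ':type (gateway)'), which is why later replies mention widening -A 20 or matching mgmt_ip instead; the window can also pick up an interface's :ipaddr from a nested sub-block, or miss the address when the object has more than 20 attributes. The following is an added example, not part of the original post or of Check Point's tools: a small awk walker that tracks the nesting depth of objects.C and only reports the :ipaddr that sits in the same block as a ':type (gateway)' entry. The sample database below is constructed for the example and is not a real objects.C; the paren-depth approach assumes parentheses do not occur inside quoted string values, which is the one case where it would miscount.

```shell
#!/bin/bash
# Added example: extract gateway IPs from objects.C by block depth instead of
# a fixed grep window. Usage on a management server: gw_ips < $FWDIR/conf/objects.C

gw_ips() {
  awk '
    {
      # Attribute lines open and close on the same line and belong to the
      # block at the current depth.
      if ($0 ~ /^[[:space:]]*:ipaddr \(/) {
        v = $0
        sub(/^[[:space:]]*:ipaddr \(/, "", v)
        sub(/\).*$/, "", v)
        ip[depth] = v
      }
      if ($0 ~ /^[[:space:]]*:type \(gateway\)/) gw[depth] = 1

      # Net change in nesting from this line (assumes no parens in strings).
      tmp = $0
      net = gsub(/\(/, "(", tmp) - gsub(/\)/, ")", tmp)
      if (net > 0) depth += net
      while (net < 0) {
        # A block closes: report its address only if it was a gateway object.
        if (gw[depth] && ip[depth] != "") print ip[depth]
        delete ip[depth]
        delete gw[depth]
        depth--
        net++
      }
    }'
}

# Constructed sample in objects.C syntax (not a real database): a gateway whose
# interface sub-block carries its own :ipaddr, a host that must be ignored, and
# a gateway whose :type comes before its :ipaddr.
SAMPLE_OBJECTS_C='(
  :network_objects (
    : (fw-gw1
      :AdminInfo (
        :chkpf_uid ("{aaa}")
        :ClassName (gateway_ckp)
      )
      :interfaces (
        : (
          :ipaddr (10.0.0.1)
          :officialname (eth1)
        )
      )
      :ipaddr (192.0.2.10)
      :type (gateway)
    )
    : (host-1
      :ipaddr (192.0.2.99)
      :type (host)
    )
    : (fw-gw2
      :type (gateway)
      :ipaddr (192.0.2.20)
    )
  )
)'

# Run the walker over the constructed sample.
gw_ips_from_sample() {
  printf '%s\n' "$SAMPLE_OBJECTS_C" | gw_ips
}

if [ "${1:-}" = "--demo" ]; then
  gw_ips_from_sample
fi
```

Run with `--demo` to see the two gateway addresses (the interface address 10.0.0.1 and the host are not reported). The same function can replace the grep/sed chain in g_show by feeding it $FWDIR/conf/objects.C.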
Found a bug in this that is resolved by not using the 'more' command in this script, just replace it with 'cat'. The bug manifests when remotely executing this script on the mgmt server, i.e.
[root@lab-netbox1 ~]# ssh scriptrunner@lab-cpmgmt-01 /usr/local/bin/g_cli 10.39.62.3 show route
The 'more' command just hangs, probably because it's trying to figure out the terminal height settings which don't exist, or something like that.
My changes also include the 'more than 9 arguments' support that some other person suggested in here, thanks for that.
I also grep for mgmt_ip instead of ipaddr, which seems to work for me, so I don't have to modify my -A 20 to include more lines in the output of grep.
Can also confirm it works on R81.
Hello Heiko,
in my R80.40 MDS environment it gives the below error:
./new_commands.sh: line 4: $'\r': command not found
./new_commands.sh: line 17: $'\r': command not found
./new_commands.sh: line 30: $'\r': command not found
I have run this script from mdsenv.
These three lines are empty 😎 Convert the line ending to Unix, LF instead of CRLF, GAiA has the dos2unix command to convert the file:
dos2unix new_commands.sh
Hi there @HeikoAnkenbrand. Loving the idea of this tool and your others. I'm looking to use it and the multi-gateway versions to run backups of our show configuration from our management servers. We have an HA management setup, one at our prime site and the secondary at our DR site. I tried running this from the Secondary and even a g_show just comes back with an empty list of gateways in policy. Similarly, if I use g_cli it creates the g_gateway.txt file with nothing in it. Would I be right in saying that because the Secondary (passive) manager is in read-only mode it can't run the queries?
Ultimately I want to cron it on both managers so that they both have a copy of the gateway configs every day, as I can't seem to cron the cprid_util script.
Many thanks
Better try this one that works very similarly: Easy execute CLI commands on all gateways simultaneously
Difference is that you can use a manually edited list of GW IPs that will be read in by the commands, so you can run it from all SMS...
@G_W_Albrecht Thanks for the quick response. I was building up to using that one once I'd satisfied myself I wasn't going to kill everything with the single one 🙂
----Update---
I have since commented out (#) the second line in g_cli that does the check for gateways and edited the g_gateway.txt file manually, and it's all good now on the Secondary. Many thanks
Hmm, any geniuses out there...
So I note in the 'all gateway' link page it is mentioned the jobs can be cron'd, so I'm assuming this should be able to as well.
I have tested the following commands and both work at the CLI of the SMS... (masked IP obviously)
/usr/local/bin/g_cli 10.x.x.x show configuration | tee ~/firewall01_config.txt
and
/usr/local/bin/g_cli 10.x.x.x show configuration > firewall01_config.txt
As expected, both create a file that contains the output of show configuration.
However, when I create a cron job using crontab -e (can't be done via the WebUI as the portal doesn't like some of the special characters)
the job runs and creates the file but it is blank.
The only thing I note is when run manually it takes a couple of seconds to get the output and create the file, but when I run it via a cron job I think the file is being created and closed instantly and therefore doesn't wait long enough to get the output.
Any thoughts on how to get round this? I'm soooo close!
@bernhard_m thanks for the response. Forgive my inexperience. Surely if the command works at the CLI then it would be the same command in the cron job? Not sure where I'd even put your suggestion in the cron job.
You have two Options:
1) Set $CPDIR directly in the cron line (without ; between var and cmd)
CPDIR=/opt/CPshrd-R80.40 /usr/local/bin/g_cli 10.x.x.x show configuration
2) Modify the g_cli script and source the environment (which adds some overhead if you use the script interactively)
#!/bin/bash
source /etc/profile.d/CP.sh
more /opt/CPsuite-R80.40/fw1/conf/objects.C | grep ...
As @bernhard_m suggested, you are most probably missing the environment call. cron does not use the same environment as a bash admin, by default. "source" command should be placed at the beginning of the script you are running with cron. Also, you want to make sure bash is called.
In short, start your script with
#!/bin/bash
source /etc/profile.d/CP.sh
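Both replies point at the same failure mode: cron starts with an almost empty environment, so $CPDIR is unset and g_cli's "$CPDIR/bin/cprid_util" becomes "/bin/cprid_util", which does not exist; the shell redirection still creates the output file before the command runs, so the backup is silently empty. Here is an added example of a cron wrapper (written for this page, not one of the thread's scripts) that sources /etc/profile.d/CP.sh as suggested, refuses to run when cprid_util cannot be found, writes the backup with a restrictive umask, and treats empty output as an error rather than overwriting the previous day's file. The backup directory, the wrapper's file name and the crontab line are assumptions; the gateway address 10.x.x.x is the masked one from the thread.

```shell
#!/bin/bash
# Added example: cron-safe wrapper around g_cli for a daily "show configuration"
# backup. Not part of the thread's scripts; paths below are assumptions except
# /etc/profile.d/CP.sh, which is the file named in the replies.

CP_PROFILE="${CP_PROFILE:-/etc/profile.d/CP.sh}"
BACKUP_DIR="${BACKUP_DIR:-/var/log/gw_config_backup}"   # assumed location

# Load the Check Point environment if cron did not provide it.
load_cp_env() {
  if [ -z "${CPDIR:-}" ] && [ -r "$CP_PROFILE" ]; then
    # shellcheck disable=SC1090
    . "$CP_PROFILE"
  fi
}

# Return 0 only when cprid_util is usable; print the reason otherwise.
# This is the check the original g_cli lacks: with CPDIR empty it would try
# to run /bin/cprid_util and produce nothing.
require_cp_env() {
  if [ -z "${CPDIR:-}" ]; then
    echo "CPDIR is not set; source $CP_PROFILE first" >&2
    return 1
  fi
  if [ ! -x "$CPDIR/bin/cprid_util" ]; then
    echo "$CPDIR/bin/cprid_util not found or not executable" >&2
    return 1
  fi
  return 0
}

# backup_output <name> <command...>: run the command and store its output as
# BACKUP_DIR/<name>-<date>.txt. Returns 1 without writing the file when the
# output is empty, so a broken environment does not replace yesterday's good
# backup with an empty file. Prints the path written on success.
backup_output() {
  name="$1"; shift
  umask 077                         # backups contain the full gateway config
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/$name-$(date +%F).txt"
  tmp="$out.tmp"
  "$@" > "$tmp" 2>>"$BACKUP_DIR/errors.log"
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    echo "$(date): empty output for $name, backup not written" >> "$BACKUP_DIR/errors.log"
    return 1
  fi
  mv "$tmp" "$out"
  echo "$out"
}

main() {
  load_cp_env
  require_cp_env || exit 1
  # assumed crontab entry:  0 2 * * * /usr/local/bin/gw_backup.sh --run
  backup_output firewall01 /usr/local/bin/g_cli 10.x.x.x show configuration
}

# Only run the real backup when started with --run, so the functions can be
# sourced and checked on a host without a Check Point environment.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

With this wrapper the cron job either produces a dated, owner-only readable file or an entry in errors.log; a blank file can no longer pass unnoticed. If the crontab line must keep option 1 from above (CPDIR set inline), require_cp_env still verifies that the path actually contains cprid_util before anything is sent to a gateway.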
Bravo @bernhard_m , @_Val_
Thanks very much for your input. Whilst I didn't have any joy with option 1, option 2 has done the trick perfectly.
Thanks again