Re: NEW - Easy execute commands from management on...

HeikoAnkenbrand

Now you can use the new command "g_bash" and "g_cli" to execute bash or clish commands on gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

You only need to enter the IP address of the gateways and the command will be executed there.

Cppy and paste this lines to the management server or download the script "new_commands.sh" and execute the script.

echo "echo Gateways configured in policy:" > /usr/local/bin/g_show
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//'" >> /usr/local/bin/g_show
chmod 777 /usr/local/bin/g_show

echo '#!/bin/bash' > /usr/local/bin/g_bash
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_bash
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_bash 
echo "echo \$HAtest > /var/log/g_command.txt;"  >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt;" >> /usr/local/bin/g_bash
echo "else" >> /usr/local/bin/g_bash
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_bash
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_bash
echo "fi" >> /usr/local/bin/g_bash
chmod 777 /usr/local/bin/g_bash

echo '#!/bin/bash' > /usr/local/bin/g_cli
echo "more $FWDIR/conf/objects.C |grep -A 20 -B 1  ':type (gateway)' | grep ipaddr | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo 'HAtest="$2 $3 $4 $5 $6 $7 $8 $9"' >> /usr/local/bin/g_cli
echo 'if grep -xq $1 /var/log/g_gateway.txt; then' >> /usr/local/bin/g_cli 
echo "echo \$HAtest > /var/log/g_command.txt;"  >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "\$CPDIR/bin/cprid_util -server \$1 -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt;" >> /usr/local/bin/g_cli
echo "else" >> /usr/local/bin/g_cli
echo "echo This is not a gateway IP. Use an IP of following list:;" >> /usr/local/bin/g_cli
echo "more /var/log/g_gateway.txt" >> /usr/local/bin/g_cli
echo "fi" >> /usr/local/bin/g_cli
chmod 777 /usr/local/bin/g_cli

Command syntax:

Command	Description
# g_show	show all gateway IP addresses
# g_bash <gateway IP> <command>	execute expert mode command on gateway
# g_cli <gateway IP> <command>	execute clish command on gateway

An example!

You want to see the configuration of the gateway with IP 1.2.3.4 from the management.
So you only have to enter the following command:

Management# g_cli 1.2.3.4 show configuration

Now the command "show configuration" is executed on the gateway and the output is displayed on the management server.

The same also works for the expert mode. For example:

Management# g_bash 1.2.3.4 cphaprob stat

Show all gateway IP addresses. For example:

Management# g_show

Show all gateways configured in policy:

1.2.3.4
1.2.3.5
1.1.1.1

More "Easy Tools":

- Easy Backup Tool - (migrate export + all GAIA configs)                   -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously        -> Now you can use the new command to execute bash or clish commands on all gateway simultaneously.
- Easy execute CLI commands from management on gateways        -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic"                                   -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This toll shows you quickly an overview of status information of all your gateways with only one CLI command.

Video tutorial:

(view in My Videos)

Copyright by Heiko Ankenbrand 1996-2019

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Danny · ‎2019-04-12

So it‘s basically just a wrapper for cprid_util?

HeikoAnkenbrand · ‎2019-04-12

Hi @Danny

Yes!

It has always bothered me that I have to jump between the systems via ssh when I debugging. So I built this little script on the basis of cprid_util.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Jul_Kapendale · ‎2019-04-12

Hi @HeikoAnkenbrand

That's a good idea!

Thanks

Tommy_Forrest · ‎2019-04-12

I gave this a try.

Created the scripts as defined. When I attempt to run a command I either get a prompt or I get a [NULL] returned.

Do you have to set your MDS environment to the CMA that has the SIC with the target firewall?

HeikoAnkenbrand · ‎2019-04-13

Hi@Tommy_Forrest

I have added the two new commands as installation script.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Tommy_Forrest · ‎2019-04-16

Thanks Heiko.

I gave your new script a try. I am in a Multi-Domain environment on 80.10.

I mdsenv to one of my CMA's and run ./g_show.

"Gateways configured in policy:" is all that is returned (there are lots of gateways here).

I try ./g_cli 10.1.1.1 show version os edition and I get:

"This is not a gateway IP. Use an IP of following list:" - nothing is returned.

10.1.1.1 is a very valid gateway IP.

HeikoAnkenbrand · ‎2019-04-13

Hi @Tommy_Forrest

You would have to insert the CMA for the MDS environment. Here the script still a little bit adapt:-)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

PhoneBoy · ‎2019-04-12

Interesting.
I moved this into the Gaia space, though, as it seems more appropriate there.

HeikoAnkenbrand · ‎2019-04-13

Here a small tutorial video:

(view in My Videos)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

JozkoMrkvicka · ‎2019-04-13

Is port tcp_18208 enabled by default via Implied Rules? In case of no, there is a need to have this port enabled at first:

In case you are using MDS, you need to be inside CMA where the gateway is managed from.

Support for VSX would be really great 🙂

There is a very similar script already mentioned:

How to manage Security Gateway using the "cprid_util" tool

Kind regards,
Jozko Mrkvicka

HeikoAnkenbrand · ‎2019-04-13

Hi @JozkoMrkvicka

TCP 18208 (FW1_CPRID) is always included in inplied rules between management and gateway

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2019-04-13

Hi @JozkoMrkvicka

More infos to implied rules can you found here in a other article from me:

R80.x Ports Used for Communication by Various Check Point Modules

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2019-04-13

I just tested it in a vsx environment. Works also😃!

# g_bash 1.1.1.1 vsenv3; cphaprob stat

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Vidar_Haugsvar · ‎2019-10-21

> # g_bash 1.1.1.1 vsenv3; cphaprob stat

This won't work. This line concist of two commands:

The first command will run g_bash with 1.1.1.1 and vsenv3 as parameters.

The second command will run cphaprob stat locally, not through the g_bash script.

Malte_Wienberg · ‎2019-04-13

Hello @HeikoAnkenbrand

there is a typo in your command:

CUT>>>

# g_clish <gateway IP> <command>      --> for clish commands

<<CUT

That's how it should be:

# g_cli <gateway IP> <command>      --> for clish commands

Works perfectly for me.
And thank you very much!

HeikoAnkenbrand · ‎2019-04-13

I changed it.

Thanks

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Werner_Oberbaue · ‎2019-04-13

If I execute this command I become a NULL.

HeikoAnkenbrand · ‎2019-04-14

If you become a NULL it is not a valid gateway IP address.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

JozkoMrkvicka · ‎2019-04-14

Maybe in future updates, you can include checks if provided IP is valid IP of any of managed gateways ?

The original script can be slightly modified, but the core logic can be found:

How to get a list of all managed Security Gateways from Multi-Domain Management Server

For SMS, it can be a little bit tricky, as there is only a tool "query" with no option to print the needed parameters (like IP).

Kind regards,
Jozko Mrkvicka

HeikoAnkenbrand · ‎2019-04-14

Hi @JozkoMrkvicka,

Yes, I still have some ideas what you can change in this script.

- Check gateway IP's

- Copy files to and from all gateways. For example copy all "/var/log/messages" to the management server.

I still have some crazy ideas. They will follow in the next days.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2019-04-14

I also used $FWDIR here so it would work under all versions.

echo "more $FWDIR/conf/objects.C |grep -B 30  "sic_name" |grep ipaddr |sed 's/^ \t//' |sed s/:ipaddr/'Gateway IP: '/ | sed s/\(// | sed s/\)//" > /usr/local/bin/g_show
chmod 777 /usr/local/bin/g_show

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

JozkoMrkvicka · ‎2019-04-14

What an elegant solution!

It is possible to use also Cluster VIP in order to connect directly to the active node ?

Kind regards,
Jozko Mrkvicka

HeikoAnkenbrand · ‎2019-04-14

Hi @JozkoMrkvicka

I intercepted the error with NULL and now you see the possible gateway ip's.

I will post a new article with a crazy version in one hour:-)

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

HeikoAnkenbrand · ‎2019-04-14

Here a other interresting version:

Easy execute CLI commands on all gateways simultaneously

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Saleme_Sabaj · ‎2019-04-15

The other script for many Gatewas is a very interesting solution. I tested it today and it saves a lot of work.

Thank you.

bernhard_m · ‎2020-01-15

I have some installations, where gw_detect80.sh also puts the ip-address of the smartcenter in the gateways list. I found out that in this installations the command

mgmt_cli -r true show gateways-and-servers details-level full --format json | 
  "$CPDIR/jq/jq" -r '.objects[] | [."name", ."ipv4-address", ."type"] | '

returns type "simple-gateway" for the smartcenter instead of "CpmiHostCkp".

"fw stat" on these installations tells me "Local host is not a FireWall-1 module"

Any idea where this comes from? (Upgrades? Migrations?)
And how to fix this? (where is this information stored?)

kr, Bernhard

AlexeyB · ‎2020-01-15

Instead

HAtest="$2 $3 $4 $5 $6 $7 $8 $9"

better use

HAtest="${@:2}"

because may be more than 9 arguments in some cases

Norbert_Bohusch · ‎2020-04-09

The fetching of the gateway IPs is not working in my lab environment (R80.40).

But the issue is a simple one. There are more lines needed for the grep of objects.C to find the ip-addresses.

I think there should be a better way to fetch them. Best would be to do the same as in your other script for gw_detect80.

And another minor thing:

clish command "show hostname" is not returning anything, as I assume you filter out lines starting with the hostname from the output.

Christian_Wagen · ‎2020-04-20

Nice and easy tool:-)

THX

Filters

Sort By

Categories

GAIA - Easy execute CLI commands from management on gateways!

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.