GAIA - Easy execute CLI commands from management on gateways!

HeikoAnkenbrand (Champion)

[image: eein.JPG]

Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways that are connected via SIC with the management.

You only need to enter the IP address of the gateways and the command will be executed there.

TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




41 Replies

Danny (Champion)

So it's basically just a wrapper for cprid_util?



HeikoAnkenbrand (Champion)

Hi @Danny 

Yes!

It has always bothered me that I have to jump between the systems via ssh when I am debugging. So I built this little script on the basis of cprid_util.

Regards

Heiko

 


Jul_Kapendale (Participant)

Hi @HeikoAnkenbrand 

That's a good idea!

Thanks

 



Tommy_Forrest (Advisor)

I gave this a try.

 

Created the scripts as defined.  When I attempt to run a command I either get a prompt or I get a [NULL] returned.

 

Do you have to set your MDS environment to the CMA that has the SIC with the target firewall?



HeikoAnkenbrand (Champion)

Hi @Tommy_Forrest 

I have added the two new commands as an installation script.

Regards

Heiko



Tommy_Forrest (Advisor)

Thanks Heiko.

I gave your new script a try.  I am in a Multi-Domain environment on 80.10.

I mdsenv to one of my CMAs and run ./g_show.

"Gateways configured in policy:" is all that is returned (there are lots of gateways here).

I try ./g_cli 10.1.1.1 show version os edition and I get:

"This is not a gateway IP.  Use an IP of following list:" - nothing is returned.

10.1.1.1 is a very valid gateway IP.



HeikoAnkenbrand (Champion)

Hi @Tommy_Forrest 

You would have to insert the CMA for the MDS environment. Here the script still needs a little bit of adapting :-)

 



PhoneBoy (Admin)

Interesting.
I moved this into the Gaia space, though, as it seems more appropriate there.


HeikoAnkenbrand (Champion)

Here a small tutorial video:

[video: new_commands.mp4, 0:51]


JozkoMrkvicka (Authority)

Is port tcp_18208 enabled by default via Implied Rules? If not, this port needs to be enabled first:

[image: image.png]

In case you are using MDS, you need to be inside the CMA where the gateway is managed from.

Support for VSX would be really great 🙂

There is a very similar script already mentioned:

How to manage Security Gateway using the "cprid_util" tool


HeikoAnkenbrand (Champion)

Hi @JozkoMrkvicka

TCP 18208 (FW1_CPRID) is always included in the implied rules between management and gateway.

Regards

Heiko


HeikoAnkenbrand (Champion)

Hi @JozkoMrkvicka

More info on implied rules can be found here in another article of mine:

R80.x Ports Used for Communication by Various Check Point Modules

Regards

Heiko


HeikoAnkenbrand (Champion)

I just tested it in a VSX environment. Works also 😃!

    # g_bash 1.1.1.1 vsenv3; cphaprob stat


Vidar_Haugsvar (Explorer)

> # g_bash 1.1.1.1 vsenv3; cphaprob stat

This won't work. This line consists of two commands:

The first command will run g_bash with 1.1.1.1 and vsenv3 as parameters.

The second command will run cphaprob stat locally, not through the g_bash script.


Malte_Wienberg (Explorer)

Hello @HeikoAnkenbrand

there is a typo in your command:

CUT>>>

    # g_clish <gateway IP> <command> --> for clish commands

<<CUT

That's how it should be:

    # g_cli <gateway IP> <command> --> for clish commands

Works perfectly for me.
And thank you very much!


HeikoAnkenbrand (Champion)

I changed it.

Thanks

Heiko


Werner_Oberbaue (Explorer)

If I execute this command I become a NULL.


HeikoAnkenbrand (Champion)

If you become a NULL it is not a valid gateway IP address.


JozkoMrkvicka (Authority)

Maybe in future updates you can include a check whether the provided IP is a valid IP of any of the managed gateways?

The original script can be slightly modified, but the core logic can be found here:

How to get a list of all managed Security Gateways from Multi-Domain Management Server

For SMS it can be a little bit tricky, as there is only the tool "query" with no option to print the needed parameters (like IP).


HeikoAnkenbrand (Champion)

Hi @JozkoMrkvicka,

Yes, I still have some ideas about what can be changed in this script:

- Check gateway IPs

- Copy files to and from all gateways. For example copy all "/var/log/messages" to the management server.

I still have some crazy ideas. They will follow in the next days.


HeikoAnkenbrand (Champion)

I also used $FWDIR here so it would work under all versions.

    # Write the g_show helper (the inner quotes are escaped so they survive the echo),
    # then make it executable. 755 is enough; 777 would also make a script in
    # /usr/local/bin world-writable.
    echo "more $FWDIR/conf/objects.C |grep -B 30 \"sic_name\" |grep ipaddr |sed 's/^ \t//' |sed s/:ipaddr/'Gateway IP: '/ | sed s/\(// | sed s/\)//" > /usr/local/bin/g_show
    chmod 755 /usr/local/bin/g_show


JozkoMrkvicka (Authority)

What an elegant solution!

Is it also possible to use the Cluster VIP in order to connect directly to the active node?


HeikoAnkenbrand (Champion)

Hi @JozkoMrkvicka

I intercepted the error with NULL, and now you see the possible gateway IPs.

I will post a new article with a crazy version in one hour :-)

Regards

Heiko


HeikoAnkenbrand (Champion)

Here another interesting version:

Easy execute CLI commands on all gateways simultaneously


Saleme_Sabaj (Participant)

The other script for many gateways is a very interesting solution. I tested it today and it saves a lot of work.

Thank you.


bernhard_m (Collaborator)

I have some installations where gw_detect80.sh also puts the IP address of the SmartCenter in the gateways list. I found out that in these installations the command

    mgmt_cli -r true show gateways-and-servers details-level full --format json | "$CPDIR/jq/jq" -r '.objects[] | [."name", ."ipv4-address", ."type"]'

returns type "simple-gateway" for the SmartCenter instead of "CpmiHostCkp".

"fw stat" on these installations tells me "Local host is not a FireWall-1 module"


AlexeyB (Contributor)

Instead of

    HAtest="$2 $3 $4 $5 $6 $7 $8 $9"

better use

    HAtest="${@:2}"

because there may be more than 9 arguments in some cases.
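As an added example (not Heiko's script and not Check Point code), here is a g_bash-style wrapper in POSIX shell that combines the points raised in this thread: it validates the address, refuses IPs that are not in the managed-gateway list (the check JozkoMrkvicka asked for, instead of a bare NULL), joins all remaining arguments into one remote command as AlexeyB suggested, and expects a command containing ';' to be quoted as a single argument, the problem Vidar_Haugsvar pointed out. The gateway list is a constructed sample standing in for g_show output, and the cprid_util invocation syntax is an assumption; when cprid_util is not on PATH the wrapper prints the command it would run instead of executing it.

```shell
# Added example, not the thread's script. Constructed list of managed gateway
# IPs, standing in for g_show output (on a real server: objects.C or mgmt_cli).
GW_LIST="10.1.1.1
10.1.1.2
192.168.5.10"

# Accept only a dotted quad with exactly four octets in 0-255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# True only when the IP is one of the managed gateways (exact, literal line match).
managed_gateway() {
    printf '%s\n' "$GW_LIST" | grep -qxF "$1"
}

# Join everything after the gateway IP into one remote command string.
# POSIX equivalent of AlexeyB's "${@:2}": not limited to $9.
remote_command() {
    shift
    printf '%s' "$*"
}

# g_bash <gateway IP> <command...>
# Quote a command that contains ';' or '|' as one argument, e.g.
#   g_bash 10.1.1.1 'vsenv 3; cphaprob stat'
# otherwise the local shell runs the part after ';' itself.
g_bash() {
    gw=$1
    [ $# -ge 2 ] || { echo "usage: g_bash <gateway IP> <command>" >&2; return 1; }
    valid_ipv4 "$gw" || { echo "Not an IPv4 address: $gw" >&2; return 2; }
    if ! managed_gateway "$gw"; then
        echo "$gw is not a managed gateway. Use one of:" >&2
        printf '%s\n' "$GW_LIST" >&2
        return 3
    fi
    cmd=$(remote_command "$@")
    # Assumed cprid_util syntax for a remote exec over SIC (TCP 18208).
    if command -v cprid_util >/dev/null 2>&1; then
        cprid_util -server "$gw" -verbose rexec -rcmd bash -c "$cmd"
    else
        printf 'cprid_util -server %s -verbose rexec -rcmd bash -c "%s"\n' "$gw" "$cmd"
    fi
}
```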


Norbert_Bohusch (Advisor)

The fetching of the gateway IPs is not working in my lab environment (R80.40).

But the issue is a simple one. There are more lines needed for the grep of objects.C to find the ip-addresses.

I think there should be a better way to fetch them. Best would be to do the same as in your other script for gw_detect80.

And another minor thing:

clish command "show hostname" is not returning anything, as I assume you filter out lines starting with the hostname from the output.


Christian_Wagen (Contributor)

Nice and easy tool :-)

THX