GAIA - Easy execute CLI commands from management on gateways!
Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the lines below to the management server. After that you have two new commands on the management server. With them you can centrally execute simple commands on all gateways that are connected to the management via SIC.
You only need to enter the IP address of the gateway and the command will be executed there.
Copy and paste these lines to the management server, or download the script "new_commands.sh" and execute it.
# Installer: run once in expert mode on the management server. It creates
# g_show, g_bash and g_cli in /usr/local/bin; $FWDIR and $CPDIR are resolved
# when the helpers run, so the same files work on any version.
cat > /usr/local/bin/g_show <<'EOF'
#!/bin/bash
# List the IP addresses of the gateway objects in the management database.
echo "Gateways configured in policy:"
grep -A 20 -B 1 ':type (gateway)' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (//; s/)//'
EOF

cat > /usr/local/bin/g_bash <<'EOF'
#!/bin/bash
# Usage: g_bash <gateway IP> <command ...>   run in expert mode on the gateway
#        g_cli  <gateway IP> <command ...>   run in clish on the gateway
# g_cli is a copy of this file; the name it is called by selects the shell.
gwlist=/var/log/g_gateway.txt
cmdfile=/var/log/g_command.txt

# Refresh the list of known gateway IPs and accept only an exact, literal match
# (-F: the dots in an IP are not wildcards; quoting "$1" keeps an empty argument
# from turning the file name into the pattern, which makes grep wait on stdin).
grep -A 20 -B 1 ':type (gateway)' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (//; s/)//' > "$gwlist"
if [ $# -lt 2 ] || ! grep -Fxq -- "$1" "$gwlist"; then
  echo "This is not a gateway IP. Use an IP of following list:"
  cat "$gwlist"
  exit 1
fi

target=$1
shift
# The command is every remaining argument, not just $2..$9. It is written to a
# file, copied to the gateway over the SIC-protected cprid channel (TCP 18208)
# and executed there. Quote compound commands ('vsenv 3; cphaprob stat') as
# one argument, otherwise the local shell splits them at the ';'.
printf '%s\n' "$*" > "$cmdfile"
"$CPDIR/bin/cprid_util" -server "$target" putfile -local_file "$cmdfile" -remote_file "$cmdfile"
if [ "$(basename "$0")" = g_cli ]; then
  "$CPDIR/bin/cprid_util" -server "$target" -verbose rexec -rcmd /bin/clish -f "$cmdfile"
else
  # bash takes the script path directly; "bash -f" would only disable globbing
  "$CPDIR/bin/cprid_util" -server "$target" -verbose rexec -rcmd /bin/bash "$cmdfile"
fi
EOF

cp /usr/local/bin/g_bash /usr/local/bin/g_cli
# 755, not 777: a world-writable file in /usr/local/bin lets any local user
# change what administrators execute on every gateway.
chmod 755 /usr/local/bin/g_show /usr/local/bin/g_bash /usr/local/bin/g_cli
Command syntax:
Command                          | Description
# g_show                         | show all gateway IP addresses
# g_bash <gateway IP> <command>  | execute an expert mode command on the gateway
# g_cli <gateway IP> <command>   | execute a clish command on the gateway
An example:
You want to see the configuration of the gateway with IP 1.2.3.4 from the management.
So you only have to enter the following command:
Management# g_cli 1.2.3.4 show configuration
Now the command "show configuration" is executed on the gateway and the output is displayed on the management server.
The same also works for expert mode. For example:
Management# g_bash 1.2.3.4 cphaprob stat
Show all gateway IP addresses. For example:
Management# g_show
Gateways configured in policy:
1.2.3.4
More "Easy Tools":
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool quickly shows you an overview of status information of all your gateways with only one CLI command.
Video tutorial: new_commands.mp4
Copyright by Heiko Ankenbrand 1996-2019
Hi @Danny
Yes!
It has always bothered me that I have to jump between the systems via ssh when I am debugging. So I built this little script on the basis of cprid_util.
Regards
Heiko
I gave this a try.
Created the scripts as defined. When I attempt to run a command I either get a prompt or I get a [NULL] returned.
Do you have to set your MDS environment to the CMA that has the SIC with the target firewall?
I have added the two new commands as an installation script.
Regards
Heiko
Thanks Heiko.
I gave your new script a try. I am in a Multi-Domain environment on 80.10.
I mdsenv to one of my CMAs and run ./g_show.
"Gateways configured in policy:" is all that is returned (there are lots of gateways here).
I try ./g_cli 10.1.1.1 show version os edition and I get:
"This is not a gateway IP. Use an IP of following list:" - nothing is returned.
10.1.1.1 is a very valid gateway IP.
You would have to insert the CMA for the MDS environment. Here the script still needs a little adaptation :-)
Here is a small tutorial video: new_commands.mp4
Is port tcp_18208 enabled by default via Implied Rules? If not, this port needs to be enabled first:
In case you are using MDS, you need to be inside the CMA from which the gateway is managed.
Support for VSX would be really great 🙂
There is a very similar script already mentioned:
How to manage Security Gateway using the "cprid_util" tool
Jozko Mrkvicka
TCP 18208 (FW1_CPRID) is always included in the implied rules between management and gateway.
Regards
Heiko
More info on implied rules can be found here in another article of mine:
R80.x Ports Used for Communication by Various Check Point Modules
Regards
Heiko
> # g_bash 1.1.1.1 vsenv3; cphaprob stat
This won't work. This line consists of two commands:
The first command will run g_bash with 1.1.1.1 and vsenv3 as parameters.
The second command will run cphaprob stat locally, not through the g_bash script.
Hello @HeikoAnkenbrand
there is a typo in your command:
CUT>>>
# g_clish <gateway IP> <command> --> for clish commands
<<CUT
That's how it should be:
# g_cli <gateway IP> <command> --> for clish commands
Works perfectly for me.
And thank you very much!
Maybe in future updates you can include a check whether the provided IP is a valid IP of any of the managed gateways?
The original script can be slightly modified, but the core logic can be found here:
How to get a list of all managed Security Gateways from Multi-Domain Management Server
For SMS it can be a little bit tricky, as there is only the tool "query" with no option to print the needed parameters (like IP).
Jozko Mrkvicka
Hi @JozkoMrkvicka,
Yes, I still have some ideas for what can be changed in this script:
- Check gateway IPs
- Copy files to and from all gateways. For example copy all "/var/log/messages" to the management server.
I still have some crazy ideas. They will follow in the next days.
I also used $FWDIR here so it would work under all versions.
cat > /usr/local/bin/g_show <<'EOF'
#!/bin/bash
# Print the IP of every object that carries a sic_name (i.e. has SIC established with this management).
grep -B 30 'sic_name' "$FWDIR/conf/objects.C" | grep ipaddr | sed 's/^[ \t]*//; s/:ipaddr (/Gateway IP: /; s/)//'
EOF
chmod 755 /usr/local/bin/g_show
What an elegant solution!
Is it also possible to use the Cluster VIP in order to connect directly to the active node?
Jozko Mrkvicka
I intercepted the error with NULL and now you see the possible gateway IPs.
I will post a new article with a crazy version in one hour :-)
Regards
Heiko
Here is another interesting version:
Easy execute CLI commands on all gateways simultaneously
The other script for many gateways is a very interesting solution. I tested it today and it saves a lot of work.
Thank you.
I have some installations where gw_detect80.sh also puts the IP address of the SmartCenter in the gateways list. I found out that in these installations the command
mgmt_cli -r true show gateways-and-servers details-level full --format json | "$CPDIR/jq/jq" -r '.objects[] | [."name", ."ipv4-address", ."type"]'
returns type "simple-gateway" for the SmartCenter instead of "CpmiHostCkp".
"fw stat" on these installations tells me "Local host is not a FireWall-1 module".
Any idea where this comes from? (Upgrades? Migrations?)
And how to fix this? (Where is this information stored?)
kr, Bernhard
Instead of
HAtest="$2 $3 $4 $5 $6 $7 $8 $9"
better use
HAtest="${@:2}"
because there may be more than 9 arguments in some cases.
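Added example, not the script from the post: the management-side half of g_bash/g_cli (checking the target against the gateway list and assembling the command file) written as shell functions that run offline. It makes concrete the two points raised in this thread: "g_bash 1.1.1.1 vsenv3; cphaprob stat" is split by the local shell at the ";" unless the command is quoted as one argument, and "$2 $3 ... $9" silently drops everything past the ninth word where the "${@:2}" form keeps all of it (written here as shift plus "$*", which is the POSIX equivalent). The gateway list and the commands are constructed test data; nothing is sent to a gateway.

```shell
#!/bin/bash
# Added example, not part of the posted script: the management-side half of
# g_bash/g_cli (target check and command-file assembly) as functions that run
# offline. The gateway list and all commands below are constructed test data.

# Stand-in for /var/log/g_gateway.txt (constructed).
GATEWAYS='10.1.1.1
10.1.1.2
192.0.2.10'

# Exact, literal match of the target against the list. The posted check was
# "grep -xq $1 file": unquoted, an empty $1 makes the file name the pattern and
# grep waits on stdin (it looks like a hang); without -F the dots are wildcards.
is_known_gateway() {
  [ -n "$1" ] && printf '%s\n' "$GATEWAYS" | grep -Fxq -- "$1"
}

# Command text as the posted script built it: positional parameters 2..9, so
# anything after the ninth word following the IP is silently dropped.
legacy_command_text() {
  HAtest="$2 $3 $4 $5 $6 $7 $8 $9"
  printf '%s\n' "$HAtest"
}

# Corrected assembly: everything after the gateway IP, however many words
# (equivalent to the "${@:2}" suggestion, in POSIX form).
command_text() {
  shift
  printf '%s\n' "$*"
}

# Validate the target, then print exactly what g_bash/g_cli would write to the
# command file and hand to /bin/bash or /bin/clish on the gateway.
# Exit status 1 (with the known list on stderr) for an unknown or empty target.
stage_command() {
  if ! is_known_gateway "$1"; then
    echo "This is not a gateway IP. Use an IP of following list:" >&2
    printf '%s\n' "$GATEWAYS" >&2
    return 1
  fi
  command_text "$@"
}

# Usage: compound commands are quoted as ONE argument; typed unquoted, as in
# "g_bash 1.1.1.1 vsenv3; cphaprob stat", the local shell runs cphaprob itself.
stage_command 10.1.1.1 show configuration
stage_command 10.1.1.2 'vsenv 3; cphaprob stat'
stage_command 10.9.9.9 show version 2>/dev/null || echo "10.9.9.9 rejected"
```

On a real management server the output of stage_command is what would go into /var/log/g_command.txt before cprid_util ships it; the functions themselves never call cprid_util, so they can be exercised on any machine.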
The fetching of the gateway IPs is not working in my lab environment (R80.40).
But the issue is a simple one: more lines are needed for the grep of objects.C to find the IP addresses.
I think there should be a better way to fetch them. Best would be to do the same as in your other script for gw_detect80.
And another minor thing:
the clish command "show hostname" is not returning anything, as I assume you filter out lines starting with the hostname from the output.
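Added example, not code from the thread: an alternative to grepping objects.C for the gateway list, taking the addresses from the "show gateways-and-servers" output of the mgmt_cli command Bernhard quotes and using them to validate a target IP, as asked for earlier in the thread. The JSON is a constructed sample with the shape of the "--format json" response (names, UIDs and addresses are invented); the accepted object types are a list to adjust, with "simple-gateway" taken from the thread, "CpmiClusterMember" as an assumption, and the management object type "CpmiHostCkp" deliberately left out. The parsing is plain awk, so it does not depend on jq.

```shell
#!/bin/bash
# Added example, not code from the thread: build the list of managed gateway
# IPs from the management API instead of regex-matching objects.C, then use it
# to validate a target before it is handed to cprid_util.
#
# On a real SMS the JSON is produced by the command quoted in the thread
# (run in expert mode, inside the relevant Domain on an MDS):
#   mgmt_cli -r true show gateways-and-servers details-level full --format json
# Here a constructed response with the same shape is embedded so the example
# runs offline; names, UIDs and addresses are invented.
SAMPLE_JSON='{
  "objects" : [ {
    "uid" : "00000000-0000-4000-8000-000000000001",
    "name" : "gw-branch-a",
    "type" : "simple-gateway",
    "domain" : {
      "uid" : "00000000-0000-4000-8000-00000000000d",
      "name" : "SMC User",
      "domain-type" : "domain"
    },
    "ipv4-address" : "10.1.1.1",
    "tags" : [ ]
  }, {
    "uid" : "00000000-0000-4000-8000-000000000002",
    "name" : "gw-cluster-member-1",
    "type" : "CpmiClusterMember",
    "ipv4-address" : "10.1.1.2"
  }, {
    "uid" : "00000000-0000-4000-8000-000000000003",
    "name" : "mgmt-sms",
    "type" : "CpmiHostCkp",
    "ipv4-address" : "10.0.0.5"
  } ],
  "from" : 1,
  "to" : 3,
  "total" : 3
}'

# Object types whose address should be accepted. "simple-gateway" is the type
# the thread shows for gateways and "CpmiHostCkp" the one for the SMS (which
# must be excluded); CpmiClusterMember is an assumption. Adjust to what
# "show gateways-and-servers" returns in your environment.
GATEWAY_TYPES="simple-gateway CpmiClusterMember"

# Read the API JSON on stdin and print one IPv4 address per accepted object.
# Nesting depth is tracked from the braces so that only keys directly inside
# an element of "objects" count; the nested "domain" block also has "name"
# and "type" keys and would otherwise pollute the record.
gateway_ips_from_json() {
  awk -v types="$GATEWAY_TYPES" '
    BEGIN { depth = 0; n = split(types, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    function emit() {
      if (("ipv4-address" in rec) && (rec["type"] in want)) print rec["ipv4-address"]
      for (k in rec) delete rec[k]
    }
    {
      # "key" : "value" lines belonging to the current top-level object
      if (depth == 2 && match($0, /^[ \t]*"[^"]+"[ \t]*:[ \t]*"[^"]*"/)) {
        kv = substr($0, RSTART, RLENGTH)
        key = kv; sub(/^[ \t]*"/, "", key); sub(/".*/, "", key)
        val = kv; sub(/^[^:]*:[ \t]*"/, "", val); sub(/"$/, "", val)
        rec[key] = val
      }
      s = $0; gsub(/"[^"]*"/, "", s)           # braces inside strings do not count
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c == "{") depth++
        else if (c == "}") { if (depth == 2) emit(); depth-- }
      }
    }'
}

# Exit 0 if $1 is the address of an accepted gateway object in the JSON on stdin.
is_managed_gateway() {
  gateway_ips_from_json | grep -Fxq -- "$1"
}

# Usage: list the accepted addresses, then check the SMS address, which must fail.
printf '%s\n' "$SAMPLE_JSON" | gateway_ips_from_json
printf '%s\n' "$SAMPLE_JSON" | is_managed_gateway 10.0.0.5 || echo "10.0.0.5 is the management object, not a gateway"
```

To use this in g_bash/g_cli, replace the objects.C grep with the mgmt_cli pipeline feeding gateway_ips_from_json, and keep the exact-match grep (-F -x) on the result; the management object then never appears in the list, which is the case Bernhard describes with gw_detect80.sh.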