
GAIA - Easy execute CLI commands from management on gateways!

HeikoAnkenbrand
Champion


Now you can use the new commands "g_bash" and "g_cli" to execute bash or clish commands on a gateway from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.

You only need to enter the IP address of the gateways and the command will be executed there.


...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




41 Replies

miguel
Participant

Found a bug in this that is resolved by not using the 'more' command in this script, just replace it with 'cat'. The bug manifests when remotely executing this script on the mgmt server. I.e.

[root@lab-netbox1 ~]# ssh scriptrunner@lab-cpmgmt-01 /usr/local/bin/g_cli 10.39.62.3 show route

 

The 'more' command just hangs, probably because it's trying to figure out the terminal height settings, which don't exist, or something like that.

 

My changes also include the 'more than 9 argumen

...


Prashant_YADAV1
Contributor

Hello Heiko,

In my R80.40 MDS environment it gives the below error:

./new_commands.sh: line 4: $'\r': command not found
./new_commands.sh: line 17: $'\r': command not found
./new_commands.sh: line 30: $'\r': command not found

I have run this script from mdsenv.

 



G_W_Albrecht
Legend

These three lines are empty 😎 Convert the line endings to Unix, LF instead of CRLF. GAiA has the dos2unix command to convert the file:

dos2unix new_commands.sh 



Tim_Spencer
Contributor

Hi there @HeikoAnkenbrand. Loving the idea of this tool and your others. I'm looking to use it and the multi gateway versions to run backups of our show configuration from our management servers. We have a HA management setup, one at our prime site and the secondary at our DR site. I tried running this from the Secondary and even a g_show just comes back with an empty list of gateways in policy. Similarly, if I use the g_cli it created the g_gateway.txt file with nothing in it. Would I

...


G_W_Albrecht
Legend

Better try this one that works very similarly: Easy execute CLI commands on all gateways simultaneously

The difference is that you can use a manually edited list of GW IPs that will be read in by the commands, so you can run it from all SMS...



Tim_Spencer
Contributor

@G_W_Albrecht Thanks for the quick response. I was building up to using that one once I'd satisfied myself I wasn't going to kill everything with the single one 🙂

----Update---

I have since # out the second line in g_cli that does the check for gateways and edited the g_gateway.txt file manually and it's all good now on the Secondary. Many thanks



Tim_Spencer
Contributor

Hmm any geniuses out there...

So I note in the 'all gateway' link page it is mentioned the jobs can be cron'd so I'm assuming this should be able to as well. 

I have tested the following commands and both work at the CLI of the SMS... (masked IP obviously)

/usr/local/bin/g_cli 10.x.x.x show configuration | tee ~/firewall01_config.txt

/usr/local/bin/g_cli 10.x.x.x show configuration  > firewall01_config.txt

As expected, both create a file that contains the output of show co

...


bernhard_m
Collaborator

Probably the CP environment is missing:

source /etc/profile.d/CP.sh



Tim_Spencer
Contributor

@bernhard_m thanks for the response. Forgive my inexperience. Surely if the command works at the cli then it would be the same command in the cronjob? Not sure where I'd even put your suggestion in the cronjob



bernhard_m
Collaborator

You have two options:

1) Set $CPDIR directly in the cron line (without ; between var and cmd)
CPDIR=/opt/CPshrd-R80.40 /usr/local/bin/g_cli 10.x.x.x show configuration

2) Modify the g_cli script and source the environment (which adds some overhead if you use the script interactively)
#!/bin/bash
source /etc/profile.d/CP.sh
more /opt/CPsuite-R80.40/fw1/conf/objects.C | grep ...



_Val_
Admin

As @bernhard_m suggested, you are most probably missing the environment call. cron does not use the same environment as a bash admin, by default. The "source" command should be placed at the beginning of the script you are running with cron. Also, you want to make sure bash is called.

In short, start your script with 

#!/bin/bash
source /etc/profile.d/CP.sh


Tim_Spencer
Contributor

Bravo  @bernhard_m ,  @_Val_ 
Thanks very much for your input. Whilst I didn't have any joy with option 1, option 2 has done the trick perfectly.

Thanks again
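
The cron fix discussed in this thread (call bash explicitly and source the Check Point environment before running g_cli), written out as a backup wrapper. This is an added example, not part of the thread or of the g_cli tool: it assumes g_cli at /usr/local/bin/g_cli as in the posts above, and the `BACKUP_DIR` location, the function names and the IP check are hypothetical additions.

```bash
#!/bin/bash
# Added example (not from the thread): cron-safe wrapper around g_cli.
# Assumptions: G_CLI path as used in the thread; BACKUP_DIR is hypothetical.

# cron starts with a minimal environment, so load the Check Point variables
# ($CPDIR etc.) the same way an interactive login shell does.
if [ -r /etc/profile.d/CP.sh ]; then
    . /etc/profile.d/CP.sh
fi

G_CLI="${G_CLI:-/usr/local/bin/g_cli}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/gw_backups}"   # hypothetical location

# Accept only a dotted-quad IPv4 address with octets 0-255, so nothing
# else can reach the command that g_cli executes on the gateway.
valid_ipv4() {
    local ip="$1" o
    [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    local IFS=.
    for o in $ip; do
        [ "$((10#$o))" -le 255 ] || return 1
    done
}

# Save "show configuration" from one gateway; prints the file path on success.
backup_config() {
    local gw="$1" out tmp
    valid_ipv4 "$gw" || { echo "invalid gateway IP: $gw" >&2; return 2; }
    umask 077        # the configuration may include password hashes: owner-only
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/${gw}_$(date +%Y%m%d).txt"
    tmp="$(mktemp "$out.XXXXXX")" || return 1
    # stdin from /dev/null: under cron there is no terminal to answer a prompt.
    if "$G_CLI" "$gw" show configuration </dev/null >"$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$out" && echo "$out"
    else
        rm -f "$tmp"
        echo "backup of $gw failed or returned no output" >&2
        return 1
    fi
}

# Run only when called with an argument, e.g. from a crontab line.
if [ "$#" -gt 0 ]; then
    backup_config "$1"
fi
```

Saved under a hypothetical name such as /usr/local/bin/gw_backup.sh, the script is called from the crontab with the gateway IP as its only argument. An empty result is treated as a failure so a broken run never replaces the last good backup.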
