- Re: NEW - Easy execute CLI commands on all gateway...
Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.
Attention!
You can quickly destroy your gateways if you enter the wrong commands!
Command syntax:
| Command | Description |
|---|---|
| # gw_detect or # gw_detect80 | Detect all your gateways that are supported by this tool. This command only needs to be executed once, or when gateways have changed in the topology. The execution of this command may take a few minutes. On R80.x gateways use "gw_detect80"; it is a little bit faster. On R77.x gateways use "gw_detect". |
| # gw_mbash <command> | Execute expert mode command on all gateways simultaneously |
| # gw_mclish <command> | Execute clish command on all gateways simultaneously |
An example!
You want to see the version of all gateways that are defined in the topology.
Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology.
The same also works for the expert mode. For example:
Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Tip 1
Use this command to back up your clish configs from all gateways:
Management# gw_mclish show configuration > backup_clish_all_gateways.txt
This can also be started as a simple cronjob 😀.
Tip 2
Check central performance settings for all gateways:
Management# gw_mbash fw tab -t connections -s -> show state table for all gateways
Management# gw_mbash fwaccel stat -> show fwaccel states for all gateways
...
Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.
# Install gw_mbash: runs an expert-mode (bash) command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$*"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read -r line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server "$line" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server "$line" -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash
# Install gw_mclish: runs a clish command on every gateway listed in /var/log/g_gateway.txt
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$*"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read -r line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server "$line" putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server "$line" -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish
# Install gw_detect (R77.x): reads gateway IP addresses from objects.C and keeps those that answer as Gaia over SIC
# The double-quoted echo below expands $FWDIR while these lines are pasted, not when gw_detect runs
echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read -r line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect
# Install gw_detect80 (R80.x): reads gateway IP addresses through mgmt_cli and keeps those that answer as Gaia over SIC
# The address filter is anchored and escaped so that only addresses starting with 0.0. are dropped (an unanchored 0.0. also matches 10.0.0.x)
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v '^0\.0\.' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read -r line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server "$line" |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80
More "Easy Tools":
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool shows you quickly an overview of status information of all your gateways with only one CLI command.
Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"
Video tutorial:
command on all gateways gw_m.mp4
Copyright by Heiko Ankenbrand 1996-2019
Accepted Solutions
I've split the command in two.
gw_detect -> Writes all IP addresses of the gateways to the file /var/log/g_gateway.txt
gw_mclish or gw_mbash -> Executes the command remotely only now.
Now you can edit the file /var/log/g_gateway.txt with the gateway IP addresses.
Regards
Heiko
Hi @Y__Bakisli
For example you can back up all GAIA gateway clish configs with "g_multicli show configuration > config_backup.txt" to the management server.
😀
Regards
Heiko
We have 70 firewalls worldwide and I have to back up the clish configuration weekly.
That's a brilliant solution.
Thanks
Dan
Here is another interesting version:
Easy execute CLI commands from management on gateways!
This really is a very useful add-on to the cprid_util. Is there a way to differentiate between SMB and normal GAIA gateways?
Command structure is quite a bit different.
I know that we can continue that path with versions etc, but this distinction would be a great add-on.
This is a very great script.
I have started a local snapshot on all gateways without having to do this on 30 appliances manually.
# g_multicli add snapshot R80.10_20190415
Thanks
Nice script, but SMB GWs are an issue here: File with GW IPs only contains the SMB GW encountered first, so only an error for the SMB GW is displayed, as no other GW got listed...
I'll see how I can fix this bug.
I need to find a parameter in objects.C that can be used to identify SMB appliances.
Thanks
Heiko
You can discriminate SMB GWs in Objects.C by the parameter
:slim_fw_hardware_type
that is not present in GAiA GWs. Values can be e.g. ("1430/1450") as selected in Dashboard or (CIP) for 1200R.
Hi @G_W_Albrecht,
I already tested with this parameter. Unfortunately it is not set on all SMB appliances.
I need a parameter that is unique on a real gateway. I must find it with grep.
I compared gateway objects with diff for 3 hours on the weekend. I didn't find any parameter :-(
Regards
Heiko
I am sure that dbedit or cpmiquerybin can help in this case 🙂 I will have a look on that over the weekend.
Jozko Mrkvicka
I see two issues with this suggestion:
1. g_ syntax is reserved for multi-SGM commands on Scalable Platforms and Maestro
2. R80.30 is closed now 🙂
Hi @_Val_,
You're right the g_ syntax is used with 64k/61k/44k/41k and maestro.
I'll change this to gw_ in the next few days.
Regards
Heiko
Hi @Saleme_Sabaj
Hi @_Val_
Maybe with the version R80.40:-)
Now it works with SMB GWs present, too - only that gw_multi_commands.sh had issues:
First try, script stopped because of \r found in line 17 - after removing this line, it stopped with:
chmod: cannot access '/usr/local/bin/gw_mclish': No such file or directory
After adding Return/LF to the chmod line, issue was resolved.
[Expert@SMS8010:0]# gw_mbash fw ver
--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway
#### a 730 SMB
--------- GAIA 172.27.39.190 execute command: fw ver
This is Check Point's software version R80.20 - Build 077
--------- STOP :ipaddr6 ("2a00:1628:11:2000:21c:7fff:fe72:2118" Error: no SIC to gateway or no compatible gateway
#### same 730 SMBs IP6 IP
--------- STOP 172.28.8.177 Error: no SIC to gateway or no compatible gateway
#### a 1200R SMB
--------- GAIA 192.168.80.8 execute command: fw ver
This is Check Point's software version R80.20 - Build 077
--------- GAIA 172.27.39.192 execute command: fw ver
This is Check Point's software version R77.30 - Build 161
--------- STOP 172.27.39.126 Error: no SIC to gateway or no compatible gateway
#### duplicate object with IP from 730 SMB
--------- STOP 172.27.39.1 Error: no SIC to gateway or no compatible gateway
#### This is a Brocade Switch....
But what is missing from g_gateway.txt is my TE100X 172.27.39.191 - or is it just somehow shortening 172.27.39.191 to 172.27.39.1 by mistake ?
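The list in /var/log/g_gateway.txt decides where every gw_mbash or gw_mclish command lands, and the output above shows what can end up in such a list: an objects.C fragment, a duplicate address, and text carrying \r. The following is an added example, not part of Heiko's script or of this post: a POSIX shell filter that keeps only well-formed, unique IPv4 addresses. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original script): filter a gateway list
# such as /var/log/g_gateway.txt before any command is sent to the gateways.

# is_ipv4 ADDR -> exit status 0 only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# clean_gateway_list: reads the list on stdin, prints each valid IPv4 address
# once (first occurrence wins) on stdout and reports rejected lines on stderr.
clean_gateway_list() {
    seen=' '
    tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! is_ipv4 "$entry"; then
            printf 'rejected: %s\n' "$entry" >&2
            continue
        fi
        case $seen in *" $entry "*) continue ;; esac   # already listed
        seen="$seen$entry "
        printf '%s\n' "$entry"
    done
}

# Constructed sample modelled on the output quoted in the thread: an objects.C
# fragment, a duplicate, padded whitespace, a bad octet and a CRLF line.
sample_list() {
    printf '%s\n' '172.27.39.126' \
        ':ipaddr6 ("2a00:1628:11:2000:21c:7fff:fe72:2118"' \
        '192.168.80.8' '172.27.39.126' '  172.27.39.192  ' '172.27.39.999'
    printf '172.28.8.177\r\n'
}

sample_list | clean_gateway_list
```

Running `clean_gateway_list < /var/log/g_gateway.txt` before a fan-out shows on stderr which entries would be skipped.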
RFE: It is nice to automatically generate the g_gateway.txt file, but a bit too much that it is generated anew with every gw_mbash call ! A user editable g_gateway.txt file could:
- leave out SMB GWs
- leave out GWs that better are not included here 😉
- help to workaround issues
Hi @G_W_Albrecht ,
You're right, it's all a little too much.
I've split the command in two.
gw_detect -> Writes all IP addresses of the gateways to the file /var/log/g_gateway.txt
gw_mclish or gw_mbash -> Executes the command remotely only now.
Now you can edit the file /var/log/g_gateway.txt with the gateway IP addresses.
Regards
Heiko
A tip on the top of my head for Heiko 😉
Now it will be very nice to handle, and I can add my TX100 that still is not found manually!