- GAIA - Easy execute CLI commands on all gateways s...
Now you can use the new commands "gw_mbash" and "gw_mclish" to execute bash or clish commands on all gateways simultaneously from the management server. All you have to do is copy and paste the above lines to the management server. After that you have two new commands on the management server. Here you can now centrally execute simple commands on all gateways which are connected via SIC with the management.
Attention! You can quickly destroy your gateways if you enter the wrong commands!
Command syntax:
Command | Description |
# gw_detect # gw_detect80 | Detect all your gateways that are supported by this tool. This command only needs to be executed once, or when gateways change in the topology. The execution of this command may take a few minutes. On R80.x gateways use "gw_detect80", which is a little bit faster. On R77.x gateways use "gw_detect". |
# gw_mbash <command> | Execute an expert mode command on all gateways simultaneously |
# gw_mclish <command> | Execute a clish command on all gateways simultaneously |
An example!
You want to see the version of all gateways that are defined in the topology.
Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Now the command "show version os edition" is executed on all gateways and the output is displayed on the management server, sorted according to the IP addresses of the gateways in the firewall topology.
The same also works for the expert mode. For example:
Management# gw_detect -> start this command first to detect all your supported gateways, or "gw_detect80" on R80.x gateways
Tip 1
Use this command to back up your clish configs from all gateways.
Management# gw_mclish show configuration > backup_clish_all_gateways.txt
This can also be started as a simple cronjob😀.
Tip 2
Check central performance settings for all gateways:
Management# gw_mbash fw tab -t connections -s -> show state table for all gateways
Management# gw_mbash fwaccel stat -> show fwaccel states for all gateways
...
Copy and paste these lines to the management server or download the script "new_multi_commands.sh" and execute the script.
echo '#!/bin/bash' > /usr/local/bin/gw_mbash
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mbash
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'HAtest="$*"' >> /usr/local/bin/gw_mbash
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo 'while read line' >> /usr/local/bin/gw_mbash
echo 'do' >> /usr/local/bin/gw_mbash
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mbash
echo 'then' >> /usr/local/bin/gw_mbash
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mbash
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/bash -f /var/log/g_command.txt' >> /usr/local/bin/gw_mbash
echo 'else' >> /usr/local/bin/gw_mbash
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mbash
echo 'fi' >> /usr/local/bin/gw_mbash
chmod +x /usr/local/bin/gw_mbash
echo '#!/bin/bash' > /usr/local/bin/gw_mclish
echo 'if [ ! -f /var/log/g_gateway.txt ]; then' >> /usr/local/bin/gw_mclish
echo 'echo "First start \"gw_detect\" and/or edit the file /var/log/g_gateway.txt manually. Add here all your gateway IP addresses."' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'HAtest="$*"' >> /usr/local/bin/gw_mclish
echo 'echo "$HAtest" > /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo 'while read line' >> /usr/local/bin/gw_mclish
echo 'do' >> /usr/local/bin/gw_mclish
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_mclish
echo 'then' >> /usr/local/bin/gw_mclish
echo 'echo "--------- GAIA $line execute command: $HAtest"' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line putfile -local_file /var/log/g_command.txt -remote_file /var/log/g_command.txt;' >> /usr/local/bin/gw_mclish
echo '$CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt' >> /usr/local/bin/gw_mclish
echo 'else' >> /usr/local/bin/gw_mclish
echo 'echo "--------- STOP $line Error: no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
echo 'done < /var/log/g_gateway.txt' >> /usr/local/bin/gw_mclish
echo 'fi' >> /usr/local/bin/gw_mclish
chmod +x /usr/local/bin/gw_mclish
echo '#!/bin/bash' > /usr/local/bin/gw_detect
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo "more $FWDIR/conf/objects.C |grep -A 500 -B 1 ':type (gateway)'| sed -n '/gateway/,/:ipaddr (/p' | grep 'ipaddr (' | sed 's/^[ \t]*//' | sed 's/\:ipaddr (//' |sed 's/)//' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect
echo 'while read line' >> /usr/local/bin/gw_detect
echo 'do' >> /usr/local/bin/gw_detect
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect
echo 'then' >> /usr/local/bin/gw_detect
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect
echo 'else' >> /usr/local/bin/gw_detect
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect
echo 'fi' >> /usr/local/bin/gw_detect
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect
chmod +x /usr/local/bin/gw_detect
echo '#!/bin/bash' > /usr/local/bin/gw_detect80
echo 'echo -n > /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo "mgmt_cli -r true show gateways-and-servers details-level full --format json | $CPDIR/jq/jq -r '.objects[] | select(.type | contains(\"Member\",\"simple-gateway\")) | .\"ipv4-address\"' |grep -v null|grep -v '^0\.0\.' > /var/log/g_gwl.txt" >> /usr/local/bin/gw_detect80
echo 'while read line' >> /usr/local/bin/gw_detect80
echo 'do' >> /usr/local/bin/gw_detect80
echo 'if $CPDIR/bin/cprid_util getarch -server $line |grep "gaia" > /dev/null;' >> /usr/local/bin/gw_detect80
echo 'then' >> /usr/local/bin/gw_detect80
echo 'echo "--------- GAIA $line "' >> /usr/local/bin/gw_detect80
echo 'echo "$line" >> /var/log/g_gateway.txt' >> /usr/local/bin/gw_detect80
echo 'else' >> /usr/local/bin/gw_detect80
echo 'echo "--------- STOP no SIC to gateway or no compatible gateway"' >> /usr/local/bin/gw_detect80
echo 'fi' >> /usr/local/bin/gw_detect80
echo 'done < /var/log/g_gwl.txt' >> /usr/local/bin/gw_detect80
chmod +x /usr/local/bin/gw_detect80
More "Easy Tools":
- Easy Backup Tool - (migrate export + all GAIA configs) -> Easy backup of all gateway GAIA configs + migrate export with one CLI command.
- Easy execute CLI commands on all gateways simultaneously -> Now you can use the new command to execute bash or clish commands on all gateways simultaneously.
- Easy execute CLI commands from management on gateways -> Easy execute CLI commands from management on gateways
- Mobile User License Tool - replaced "dtps lic" -> It displays all Secure Client, SSL VPN and Mobile Access Portal licenses in total (sum) on the SMS.
- Easy View Tool - (system infos from all gateways simultaneously) -> This tool quickly shows you an overview of status information of all your gateways with only one CLI command.
Versions:
v0.1 - 04-14-2019 - gw_multi_commands_v0.1.sh -> beta
v0.2 - 04-16-2019 - gw_multi_commands_v0.2.sh -> remove bugs
v0.3 - 04-17-2019 - gw_multi_commands_v0.3.sh -> split to two commands (gw_detect and the old commands)
v0.4 - 05-05-2019 - gw_multi_commands_v0.4.sh -> add command "gw_detect80"
Video tutorial: command on all gateways gw_m.mp4
Copyright by Heiko Ankenbrand 1996-2019
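A hardened form of the gw_mbash/gw_mclish loop, as an added example that is not part of the original post: it rejects gateway list entries that are not plain IPv4 addresses, stages the command verbatim in a private temp file on the management server instead of the fixed /var/log/g_command.txt, supports a dry run, and removes the command file from each gateway afterwards. CPRID, GW_LIST, DRY_RUN and the function names are assumptions of this sketch; the cprid_util arguments are the ones used in the post, and the remote rm assumes rexec passes arguments the same way as it does for /bin/bash.

```shell
#!/bin/sh
# Added example, not the author's script. CPRID, GW_LIST, DRY_RUN and the
# function names are assumed; the cprid_util arguments are the post's.
CPRID="${CPRID:-$CPDIR/bin/cprid_util}"
GW_LIST="${GW_LIST:-/var/log/g_gateway.txt}"
REMOTE=/var/log/g_command.txt

# Accept only dotted-quad IPv4, so a list line such as "-verbose" or
# "10.1.1.1 extra" never reaches cprid_util as an option or extra word.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# Usage: gw_run /bin/bash 'fw tab -t connections -s'
gw_run() {
    rshell=$1 cmd=$2 rc=0
    [ -n "$cmd" ] || { echo "gw_run: empty command" >&2; return 2; }
    tmp=$(mktemp) || return 1      # mode 0600, unpredictable name
    printf '%s\n' "$cmd" > "$tmp"  # verbatim: no globbing or word splitting
    # The list is read on fd 3, so a child that reads stdin cannot swallow it.
    while IFS= read -r gw <&3; do
        [ -n "$gw" ] || continue
        valid_ipv4 "$gw" || { echo "--------- SKIP invalid entry: $gw" >&2; rc=1; continue; }
        echo "--------- GAIA $gw execute command: $cmd"
        [ -z "$DRY_RUN" ] || continue
        if "$CPRID" -server "$gw" putfile -local_file "$tmp" -remote_file "$REMOTE"
        then
            "$CPRID" -server "$gw" -verbose rexec -rcmd "$rshell" -f "$REMOTE" || rc=1
            # Assumed: same rexec form; the command may hold a password.
            "$CPRID" -server "$gw" -verbose rexec -rcmd /bin/rm -f "$REMOTE" || rc=1
        else
            rc=1
        fi
    done 3< "$GW_LIST"
    rm -f "$tmp"
    return "$rc"
}
```

Running with DRY_RUN=1 first lists the gateways that would be touched without contacting any of them.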
Hi @HeikoAnkenbrand,
I ran into one issue running the gw_mclish +command on SMB.
First I edited this line in gw_mclish: if $CPDIR/bin/cprid_util getarch -server $line |grep -i "gaia" > /dev/null; (added -i for grep option, without -i it didn't work)
When I try to execute the command "add user test123 type admin password 1234 permission RW" with gw_mclish on an SMB r80.20 device from SMS r81.10, there is this error:
Unexpected error: attempt to index global 'cgilua' (a nil value).
Here are the steps which I did in order to find out what is going wrong:
1. Then I tried simple show commands, which work perfectly
2. Then I tried to add a user and got the mentioned error
3. I troubleshot the error and found out that the problem is with the next line: $CPDIR/bin/cprid_util -server $line -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt
4. I tried the next variations of cprid_util:
$CPDIR/bin/cprid_util -server ipaddress -verbose rexec -rcmd /bin/clish -c "add user test123 type admin password 1234 permission RW" (even if I try with a hashed password the situation is the same)
$CPDIR/bin/cprid_util -server ipaddress -verbose rexec -rcmd /bin/clish -f /var/log/g_command.txt (in g_command.txt is the command: add user test123 type admin password 1234 permission RW)
Adding a user is working fine when I try it on a gw with r81.10.
So I assume that the problem is with the cprid_util command...
Do you have any clue how to overcome this issue, if that is possible?
Thanks a lot in advance!
Hi Heiko!
Loved your script; really useful.
Is there any way you could add a real-time read for the command's output?
Say I ran a CPinfo; is there a possibility to read from stdout in real time so I can watch live what the command is doing over the GWs?
That would be awesome
Thanks!
Oh, and 2 more things, if I may ask:
1. Could there be a way to pipe or send stdout to a file inside the GW?
If, say, I run "gw_mclish show configuration > config.txt", the file config.txt is created in the current mgmt dir.
2. Is there a way for the gw_m commands to understand bash variables?
E.g.: the $USER variable
It would be really awesome if I could just do "gw_mbash cd /home/$USER/"
That's about it, thank you!!
Hi HeikoAnkenbrand,
Pretty handy script! I want to use this to change admin passwords and expert passwords across all gateways. When I try to run this I cannot input any values. Any suggestions if I can use this script for this use case?