I have a new version which solves several issues.
```bash
# --- Part 1: the script to run on every firewall (the only part to edit) ---
scriptFile=$(mktemp)
cat << 'EOF' > "${scriptFile}"
########################################################################
printf "%-25s %5s %-6s %3s %-20s" \
$(hostname) \
$(clish -c "show asset system" | egrep -q "^Model";if [ $? -eq 0 ];then clish -c "show asset system" | egrep "^Model" | awk '{print $NF}';else clish -c "show asset system" | egrep "^Platform" | cut -d" " -f2 | cut -c 1-5;fi) \
$(fw ver | awk '{print $7}') \
$(jumbo=$(cpinfo -y fw1 2>/dev/null | grep JUMBO | grep Take | awk '{print $NF}');echo "${jumbo:-0}") \
"$(uptime | cut -d, -f1 | xargs)"
########################################################################
EOF

# --- Part 2: API port, paging helper, list of CMAs ---
unset cmaList cmaAddress
. /etc/profile.d/CP.sh
portNumber=$(api status | grep "APACHE Gaia Port" | awk '{print $NF}')

# showAll <object-type>: print every object of that type, one compact JSON
# object per line, fetching 500 per call and following the offsets.
showAll() {
    # Only ever called inside $(...), so this IFS change stays in the subshell.
    # With IFS set to byte 0xFF, the unquoted expansions below do not split on spaces.
    IFS=$(printf "\377")
    sharedArguments=( --port ${portNumber} -f json ${cmaAddress:+-d} ${cmaAddress:+${cmaAddress}} -r true show "$1" details-level full limit 500 )
    firstResult=$(mgmt_cli ${sharedArguments[@]})
    if [ $? -ne 0 ];then return 1;fi
    # $(...) strips the trailing newline, so add one back after each page.
    toReturn="$(echo "${firstResult}" | jq -c '.objects[]|.')"$'\n'
    objectCount=$(echo "${firstResult}" | jq -c '.total')
    if [ "$objectCount" -lt 501 ];then echo "${toReturn}" | head -n -1;return 0;fi
    for offsetVal in $(seq 500 500 "${objectCount}" 2>/dev/null | tr "\n" "$IFS");do
        toReturn+="$(mgmt_cli ${sharedArguments[@]} offset "${offsetVal}" \
            | jq -c '.objects[]|.')"$'\n'
    done
    echo "${toReturn}" | head -n -1
}

# One ["name","ipAddress"] row per domain hosted on this server.
cmaList=$(showAll domains \
    | jq -c '{name:.name,server:.servers[]|{host:."multi-domain-server",ipAddress:."ipv4-address"}}' \
    | grep "$(hostname)" \
    | jq -c '[.name,.server.ipAddress]')
# No domains (SmartCenter): use a single fake CMA with an empty address.
if [ ${#cmaList} -eq 0 ];then cmaList=("[\"$(hostname)\",\"\"]");fi

# --- Part 3: for each CMA, copy the script to each firewall, run it, delete it ---
for cmaRow in $cmaList; do
    cmaName=$(echo "${cmaRow}" | jq '.[0]' | sed 's#"##g')
    cmaAddress=$(echo "${cmaRow}" | jq '.[1]' | sed 's#"##g')
    mdsenv "${cmaAddress}" 2>/dev/null
    # Addresses of individual gateways; cluster objects and hosts are filtered out.
    firewallList=$(showAll gateways-and-servers \
        | jq -c '{type:.type,address:."ipv4-address"}' \
        | grep -v CpmiGatewayCluster \
        | grep -v CpmiVsClusterNetobj \
        | grep -v CpmiVsxClusterNetobj \
        | grep -v "checkpoint-host" \
        | jq -c '.address' \
        | sed 's#"##g')
    for firewall in $firewallList; do
        printf "%15s %15s: " "${cmaName}" "${firewall}"
        cprid_util -server "${firewall}" putfile -local_file "${scriptFile}" -remote_file "${scriptFile}" -perms 500
        if [ "$?" == "0" ];then
            cprid_util -verbose -server "${firewall}" rexec -rcmd sh -c "${scriptFile};rm ${scriptFile} >/dev/null 2>/dev/null"
        else
            echo "[Couldn't connect via CPRID]"
        fi
    done
done
rm "${scriptFile}"
```
I've split it into three parts. The top is where you define the script you want to run on every system. This is the only part you should need to change to use the script.
The second gets the management API port number, defines a function to get all instances of a given type of object (this is what got rid of the 500 object limitation), gets all of the CMAs, and makes a fake CMA if it's running on a SmartCenter. If you're running the script a bunch of times, you should only need to run this part once each time you log in.
The third part connects to each CMA and gets a list of all of the firewalls in that CMA. It then goes through the list one by one and tries to copy the script to run to that system. If the copy works, it then tries to run it, then delete it. If the copy doesn't work, it prints the error message to tell you it couldn't connect, then moves on.
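A guarded variant of the per-gateway step, added here as an example and not part of the original post: it validates each address, defaults to a dry run, and appends an audit line recording the script's SHA-256 and the outcome for every gateway. `DRY_RUN`, `valid_ipv4`, `push_and_run` and `run_on_gateways` are names made up for this example; the two `cprid_util` calls are the ones from the post.

```bash
# Added example, not the post's code. DRY_RUN, valid_ipv4, push_and_run and
# run_on_gateways are names made up here; the cprid_util calls are the post's.

# Accept only dotted-quad IPv4. A gateway object with no "ipv4-address" comes
# out of jq as the string "null", which should never be passed to -server.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local rest="$1." count=0 octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Copy the script to one gateway and run it, as the post's third part does.
push_and_run() {
    cprid_util -server "$1" putfile -local_file "$2" -remote_file "$2" -perms 500 &&
    cprid_util -verbose -server "$1" rexec -rcmd sh -c "$2;rm $2 >/dev/null 2>/dev/null"
}

# run_on_gateways <script> <audit-log> <gateway>...
# Appends one audit line per gateway (UTC time, script hash, target, outcome)
# and returns how many gateways were skipped or failed. DRY_RUN defaults to 1.
run_on_gateways() {
    local script="$1" log="$2" digest gw status bad=0
    shift 2
    [ -r "$script" ] || return 255
    digest=$(sha256sum "$script" | cut -d' ' -f1)
    for gw in "$@"; do
        if ! valid_ipv4 "$gw"; then
            status=skipped-invalid-address
        elif [ "${DRY_RUN:-1}" = 1 ]; then
            status=dry-run
        elif push_and_run "$gw" "$script"; then
            status=ok
        else
            status=failed
        fi
        case $status in ok|dry-run) ;; *) bad=$((bad + 1)) ;; esac
        printf '%s sha256=%s gateway=%s status=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$gw" "$status" >> "$log"
    done
    return "$bad"
}
```

Called as `DRY_RUN=0 run_on_gateways "${scriptFile}" /var/log/push-audit.log $firewallList` (the log path is a placeholder), it replaces the inner `for firewall` loop.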