Wednesday, December 17, 2014

Checkpoint -- queryDB_util to query Smartcenter from command line

A few days ago I looked at the licenseDataCollector.sh: script and found that it was creating a lot of files in a temporary directory. these files were the network objects in the Smartcenter DB.
inside the script I found several calls to the command queryDB_util
some investigation on Google returned a few hits on this interesting tool

here is the help from the queryDB_util

U s a g e:
==========

queryDB interactive mode:
----------------------
[-t <table_name> [-s <query_str>]]  # name of requested table. 'query_str' is valid CPMI query string
[-o <object_name>]                  # name of requested object
[-a]                                # prints details of all objects

[-mu <modified_by>]                 # administrator who last modified the object
[-mh <modified_from>]               # host from which object was last modified
[-ma <modified_after>]              # minimum last modification date <[hh:mm:ss][-ddmmmyyyy]>
[-mb <modified_before>]             # maximum last modification date <[hh:mm:ss][-ddmmmyyyy]>

[-p<m|u|h|t|f>]                     # special print options: 
                                    #    m - last_modification details
                                    #    u - administrator name modification 
                                    #    h - host name modification
                                    #    t - last modification time 
                                    #    f - fields details

[-f <file_name>]                    # output file name for results
[-h]                                # get this usage info
[-q]                                # quit

Arguments can appear in any order.
If an argument appears more than once, the last one counts.


To get one of 'Objects Query' or 'Rules Query' modes:
----------------------------------------------------
   Phase I - connection arguments:
----------------------------------
-s <server_name> [-u <username> -p <password> | -c <certificate_name> -p <password>]

   Phase II - feature-mode argument:
------------------------------------
-objectsquery | -rulesquery             #'objectsquery' for Objects Query, 'rulesquery' for Rules Query

   Phase III - specific mode arguments:
---------------------------------------

Objects Query Usage:
====================
<ip address(es)>        #one or more ip addresses to be query for their referencing objects

Rules Query Usage:
==================

-ob <network_objects name(s) or ip(s)>          #a mix of objects names and ip addresses is valid
[-c <column_name>]                                              #specify the query on one column
[-op]                                   #search of ALL given objects under sub-query (default: AT LEAST ONE)
[-e]                                    #force explicit search in rules (default: implicit search)
[-n]                                    #for search of the negation of sub-query

[-r]                                    #defines an OR relation on all sub-queries. (default: AND relation)


Notes:
======
1.      Only the -ob argument has to be present. This argument informs the utility that a new sub-query is to be parsed.
2.      Due to the former note, the -ob argument have to be the first argument of each sub-query input.
3.      The -r argument applies to all of the sub-queries set and defines there relation. Since the number of sub-queries is unlimited, this argument must come last!
4.      All other arguments can appear in any order.


What can you do with this utility?
You can query the Smartcenter database for all kind of objects ( as long as you understand the CPMI syntax).
here are a few examples to give you an idea taken from the licenseDataCollector.sh script

return number of smartcenter objects:

echo -e "localhost\n-t network_objects -s management='true'\n-q" | queryDB_util 

Enter Server name: 
Please enter a query, -h for help or -q to quit: 
query> 

Q u e r y i n g   D B
=====================

Object Name: Management1
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:09 2014


Object Name: Management2
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:08 2014


Object Name: Management3
Table Name: network_objects
Last Modified by: Security Management Server
Last Modified from: localhost
Last Modification time: Tue Sep  9 09:26:06 2014


A total of 3 objects match the query.

query all network objects of type host, then extract with grep name and ip address

echo -e "localhost\n-t network_objects -s type='host' -pf\n-q" | queryDB_util | egrep 'Name Object|ipaddr:'



Object Name: Node1
    ipaddr: 10.1.2.3
Object Name: Node2
    ipaddr: 10.4.5.6



Query to find all firewalls modules (both managed and externally managed:

echo -e "localhost\n-t network_objects -s type='gateway' -s cp_products_installed='true' \n-q" | queryDB_util  | grep Object


Object Name: FW1
Object Name: FW2
Object Name: Fw3
Object Name: FW4
Object Name: Fw5


If you want to go deeper you change the greps

echo -e "localhost\n-t network_objects -s type='gateway' -s cp_products_installed='true' -pf \n-q" | queryDB_util  | egrep 'Object Name|location:|osName' | grep -v ip_pool | grep -v phone_directo

Object Name: FW1
    location:internal
    osName=Gaia
Object Name: FW2
    location:external
Object Name: Fw3
    location:internal
    osName=Gaia

Furthering analyzing the text based objects_5.0.C file provides info about the query that should be performed to obtain specific objects. ClassName attribute provides the type that should be queried.
For example here is a list of possible types:


  • gateway
  • host
  • cluster_member
  • gateway_cluster
  • network
  • group_with_exception


Tuesday, December 2, 2014

Checkpoint - how to install updates with CPUSE from Gaia CLISH


  1. First update CPUSE software 
    1. Download latest build from Usercenter
    2. Latest build of Check Point CPUSE - Gaia Software Updates(Solution ID: sk98228). At 02 Dic. 2014 build 714 is latest version.
    3. To check the current version of the Gaia Software Updates Agent, run[Expert@HostName]# cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor"
    4. Transfer the updated Gaia Software Updates Agent package (GaiaSoftwareUpdatesAgent_<build>.tgz) to the machine into /tmp/DA.patch directory.
    5. Unpack the Gaia Software Updates Agent package:
    6. [Expert@HostName]# cd /tmp/DA.patch
    7. [Expert@HostName]# tar zxvf GaiaSoftwareUpdatesAgent_<build>.tgz

Install the Gaia Software Updates Agent RPM (starting in Build 553, the currently running agent will be automatically stopped during the RPM installation):


  • $DADIR/stop/dastop
  • dbget installer:stop
  • [Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm
  • Start the Gaia Software Updates Agent:
  • [Expert@HostName]# $DADIR/bin/dastart 


Installation instructions for Hotfixes / Minor version / Major version


  •  Log in to Clish shell.
  •  See the list of available packages for download:
  •  HostName> show installer available_packages 


 Num File Name                                             Type
1   Check_Point_Hotfix_R77_sk101186.tgz                   Hotfix
2   Check_Point_Hotfix_R77_sk100431.tgz                   Hotfix
3   Check_Point_R76_T265.tgz                              Major Version
4   Check_Point_Hotfix_R77_sk100195.tgz                   Hotfix
5   Check_Point_Hotfix_R77_sk98814.tgz                    Hotfix
6   Check_Point_R77_Hotfix_SK97566.tgz                    Hotfix
7   Check_Point_R75.46_Fresh_Install.tgz                  Major Version
8   Check_Point_hotfix_R77_sk96269.tgz                    Hotfix
9   Check_Point_R77_UDP_Hotfix_sk95056.tgz                Wrapper
10  Check_Point_SmartConsole_and_SmartDomain_Manager_R... Wrapper
11  Check_Point_R77.tgz                                   Major Version
12  Check_Point_R75_40VS_T157.tgz                         Major Version
13  Check_Point_Hotfix_R77_sk102673.tgz                   Hotfix
14  Check_Point_Hotfix_R77_sk102989.tgz                   Wrapper
15  Check_Point_R77.10.tgz                                Wrapper
16  Check_Point_R77_R77_20_T124.tgz                       Wrapper



  • Hostname>  installer download 16
  • verify download progress
  • Hostname> show installer  package_status

Check_Point_R77_R77_20_T124.tgz              - Downloading (1.05 MB/s)   - Progress: 92%


  • Hostname>  installer install 16
  • verify installation progress
  • Hostname> show installer  package_status


16  Check_Point_R77_R77_20_T124.tgz        Installing                   (0%)


after installing the upgrade package R77.20 the firewall will automatically reboot