If you have access to the Checkpoint SmartCenter, you have a powerful command to manage your firewalls.
This command is cprid_util, and it uses the SIC channel already established between the management server and the remote firewalls, so no separate login to the gateway is needed: whoever has expert access on the management server can run commands on every managed gateway.
What you can do with this command is limited only by your imagination.
I am adding some commands I have collected so far, but of course this is not exhaustive.
I found this command while looking at the script /opt/CPsuite-R77/fw1/bin/licenseDataCollector.sh from Checkpoint.
This command checks whether you have access to a remote system.
Variable remoteServerIpAddr: firewall IP address
```bash
# test access: getarch is a cheap call that only succeeds when the SIC channel works
#
cprid_util -server $remoteServerIpAddr getarch &> /dev/null
if [ $? -ne 0 ]; then
    echo ${scriptName}: Cannot communicate with server $remoteServerIpAddr 1>&2
    # return an error value
    return 1
fi
```
Example:
```
[Expert@srfacpmgnt1:0]# cprid_util -server 10.39.35.10 getarch
gaia
```
You can send a script to the remote firewall to be executed locally on that firewall.
Variables:
remoteServerIpAddr: firewall IP address
scriptNameFullPath: full local path of the script
scriptName: filename on the remote server
```bash
# copy the command to a unique, executable path under /tmp on the remote firewall
#
cprid_util -server $remoteServerIpAddr putfile -local_file $scriptNameFullPath -remote_file /tmp/remote-command-$scriptName.$$ -perms 755
if [ $? -ne 0 ]; then
    echo ${scriptName}: Cannot copy script to server $remoteServerIpAddr 1>&2
    # return an error value
    return 1
fi
```
### some examples
Run a command on the remote firewall and get its output back (the -verbose flag is what makes the remote output visible locally):
```bash
cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/bin/df -h"
```
Output:
```
Filesystem                       Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
                                  32G   10G   20G  34% /
/dev/md0                         145M   99M   39M  73% /boot
tmpfs                             32G     0   32G   0% /dev/shm
/dev/mapper/vg_splat-lv_log
                                 146G   17G  122G  12% /var/log
```
### reboot machine
```bash
cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/sbin/shutdown -r 0"
```
What if you need to create a user on a remote firewall?
Easy:
### remote create user on gateway
1. Create a file newuser.sh with the clish commands:
```
add user myuser uid 0 homedir /home/myuser
add rba user myuser roles adminRole
set user myuser gid 0 shell /bin/bash
set user myuser realname myuser
set user myuser password-hash $1$i7VPfjkjug%fkPP00ddddsY7RVAG/K.
save config
```
2. Copy the file to the gateway:
```bash
cprid_util -server $remoteServerIpAddr putfile -local_file newuser.sh -remote_file /tmp/newuser.sh -perms 755
```
3. Execute the command:
```bash
cprid_util -verbose -server $remoteServerIpAddr rexec -rcmd clish -f /tmp/newuser.sh
```
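The three steps used throughout this page (check reachability with getarch, push the script with putfile, run it with rexec) combined into one reusable helper that also removes the pushed file from the gateway afterwards. This is an added example, not code from this page or from Checkpoint; it uses only the cprid_util options shown above, and the gateway address and script path are whatever you pass in as arguments.

```shell
#!/bin/bash
# run_remote_script <gateway-ip> <local-script>
# Pushes a local script to a gateway over SIC, runs it there and removes it again.
# Added example (not Checkpoint code); only the cprid_util options shown on this
# page are used: -server, getarch, putfile -local_file/-remote_file/-perms, rexec -rcmd.

run_remote_script() {
    local gw="$1"
    local script="$2"
    local name rc remote
    name="$(basename "$script")"
    # unique remote name per run so two pushes never overwrite each other
    remote="/tmp/remote-command-${name}.$$"

    # 1. Reachability: getarch only succeeds when the SIC channel to the gateway works.
    if ! cprid_util -server "$gw" getarch >/dev/null 2>&1; then
        echo "run_remote_script: cannot communicate with $gw" >&2
        return 1
    fi

    # 2. Copy the script to the gateway; abort without executing anything on failure.
    if ! cprid_util -server "$gw" putfile -local_file "$script" \
                    -remote_file "$remote" -perms 755; then
        echo "run_remote_script: cannot copy $script to $gw" >&2
        return 1
    fi

    # 3. Run it. -verbose is what makes the remote command's output show up locally.
    cprid_util -server "$gw" -verbose rexec -rcmd bash -c "$remote"
    rc=$?

    # 4. Remove the pushed file so nothing is left behind in /tmp on the gateway.
    cprid_util -server "$gw" rexec -rcmd bash -c "rm -f $remote" >/dev/null 2>&1

    return "$rc"
}
```

The helper returns the exit status of the remote script, so it can be used in a loop over several gateways and checked per gateway.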