Friday, March 18, 2022

CPRID_UTIL

If you have expert-shell access to the Check Point SmartCenter, you have a powerful command at hand to manage your firewalls.

That command is cprid_util, and it uses the SIC channel already established between the management server and the remote firewalls. Because SIC authenticates the management server, whatever you send runs with full privileges on the gateway (the examples below reboot a box and create a uid 0 user), so anyone holding the SmartCenter expert shell effectively controls every managed firewall.

What you can do with it is limited only by your imagination.

I am adding the commands I have collected so far, but of course this list is not exhaustive.

I found this command while reading the Check Point script /opt/CPsuite-R77/fw1/bin/licenseDataCollector.sh.

This fragment, taken from a function inside that script (which is why it uses return), checks whether you can reach a remote system:

variable remoteServerIpAddr : firewall IP address


# test access
#
cprid_util -server $remoteServerIpAddr getarch &> /dev/null
if [ $? -ne 0 ]; then
    echo ${scriptName}: Cannot communicate with server $remoteServerIpAddr 1>&2
    # return an error value
    return 1
fi


Example:

[Expert@srfacpmgnt1:0]#  cprid_util -server 10.39.35.10 getarch
gaia


You can also send a script to the remote firewall and execute it there. Again, this fragment comes from a function in the same script:


variables
 remoteServerIpAddr : firewall IP address
 scriptNameFullPath : full script path
 scriptName         : filename on remote server


# copy the command
#
cprid_util -server $remoteServerIpAddr putfile -local_file $scriptNameFullPath -remote_file /tmp/remote-command-$scriptName.$$ -perms 755
if [ $? -ne 0 ]; then
    echo ${scriptName}: Cannot copy script to server $remoteServerIpAddr 1>&2
    # return an error value
    return 1
fi


### some examples

cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/bin/df -h"

Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
                       32G   10G   20G  34% /
/dev/md0              145M   99M   39M  73% /boot
tmpfs                  32G     0   32G   0% /dev/shm
/dev/mapper/vg_splat-lv_log
                      146G   17G  122G  12% /var/log

## reboot machine

cprid_util -server 192.168.1.1 -verbose rexec -rcmd bash -c "/sbin/shutdown -r 0"


What if you need to create a user on a remote firewall?

Easy:

### remote create user on gateway

1. create a file newuser.sh containing the clish commands

add user myuser uid 0 homedir /home/myuser
add rba user myuser roles adminRole
set user myuser gid 0 shell /bin/bash
set user myuser realname myuser
set user myuser password-hash $1$i7VPfjkjug%fkPP00ddddsY7RVAG/K.
save config

2. copy the file to the gateway

cprid_util -server $remoteServerIpAddr putfile -local_file newuser.sh -remote_file /tmp/newuser.sh -perms 755

3. execute it with clish

cprid_util -verbose -server $remoteServerIpAddr rexec -rcmd clish -f /tmp/newuser.sh
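As an added example (my own wrapper, not code from the original post nor from Check Point's licenseDataCollector.sh), here is the access check and the copy/execute procedure above combined into one script for the SmartCenter expert shell, usable both for bash scripts (the df and reboot examples) and for clish files (the user-creation example). It uses only the cprid_util subcommands shown on this page (getarch, putfile, rexec -rcmd). Two things are the example's own choices rather than anything the post states: it refuses a target whose getarch answer is not "gaia", and it deletes the uploaded copy from /tmp on the gateway afterwards, so a file carrying a password hash does not linger there. The gateway addresses used in the usage line are placeholders.

```shell
#!/bin/bash
# Added example: run a local script on a remote gateway over SIC with cprid_util.
# Assumes the cprid_util subcommands shown in the post (getarch, putfile, rexec).

# Return 0 if the gateway answers over SIC, 1 otherwise (same test as the
# licenseDataCollector.sh fragment).
check_access() {
    cprid_util -server "$1" getarch >/dev/null 2>&1
}

# Print the architecture string reported by the gateway ("gaia" on Gaia).
remote_arch() {
    cprid_util -server "$1" getarch 2>/dev/null
}

# Copy a local script to /tmp on the gateway, run it, then remove the copy.
#   $1 gateway IP, $2 local script path, $3 interpreter: "bash" (default) or "clish"
run_script_on_gateway() {
    local gw="$1" script="$2" interp="${3:-bash}"
    local remote="/tmp/remote-command-$(basename "$script").$$"
    local rc=0

    if [ ! -r "$script" ]; then
        echo "local script $script not found" >&2
        return 1
    fi
    if ! check_access "$gw"; then
        echo "cannot communicate with server $gw" >&2
        return 1
    fi
    # Example's own policy: the interpreter paths below assume a Gaia gateway.
    if [ "$(remote_arch "$gw")" != "gaia" ]; then
        echo "$gw did not report gaia, refusing to run $script there" >&2
        return 1
    fi
    if ! cprid_util -server "$gw" putfile -local_file "$script" -remote_file "$remote" -perms 755; then
        echo "cannot copy $script to server $gw" >&2
        return 1
    fi
    echo "running $script on $gw as $remote via $interp" >&2
    case "$interp" in
        clish) cprid_util -server "$gw" rexec -rcmd clish -f "$remote" || rc=$? ;;
        *)     cprid_util -server "$gw" rexec -rcmd bash -c "$remote" || rc=$? ;;
    esac
    # Example's own clean-up: do not leave the uploaded script (it may hold a
    # password hash, as newuser.sh does) in /tmp on the gateway.
    cprid_util -server "$gw" rexec -rcmd rm -f "$remote" >/dev/null 2>&1
    return "$rc"
}

# Usage: ./push_script.sh <gateway-ip> <local-script> [bash|clish]
if [ "$#" -ge 2 ]; then
    run_script_on_gateway "$@"
fi
```

For the user-creation case from the post you would run `./push_script.sh 10.39.35.10 newuser.sh clish`; for the df example, put `/bin/df -h` in a file and run it with the default bash interpreter. Every run prints the gateway, the script and the remote path to stderr, which gives you a line to paste into the change record.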