Difference between revisions of "cpmiquerybin"

(→MDS queries) |
(→MDS queries) |
||
(29 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
+ | cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server] | ||
+ | |||
+ | |||
== Usage == | == Usage == | ||
'''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' | '''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]''' | ||
− | == | + | == indentify firewall objects == |
+ | |||
+ | '''Standalone Firewalls''' | ||
+ | cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__ | ||
+ | '''clusters''' | ||
+ | CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` ) | ||
+ | '''cluster members''' | ||
+ | <br>list all objects of type cluster member | ||
+ | cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__ | ||
+ | <br> list the member of a particular cluster | ||
+ | cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members | ||
+ | |||
+ | '''identify clusters and standalone firewalls (excluding cluster members)''' | ||
+ | cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name | ||
− | |||
− | |||
− | |||
− | |||
cpmiquerybin object "mdsdb" pv1_administrators "" | cpmiquerybin object "mdsdb" pv1_administrators "" | ||
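Review bot: the entry labelled "list all objects of type cluster member" also ORs in (type='gateway'), so it returns standalone gateways as well, and it mixes | and & with no outer grouping, so the result depends on how the query parser binds the operators. Use "type='cluster_member'" alone for that label, or parenthesise the intended grouping explicitly; the same ungrouped | and & mix appears in the "identify clusters and standalone firewalls" query. The new section heading is also misspelled ("indentify").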
Line 23: | Line 35: | ||
or | or | ||
cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members | cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members | ||
+ | |||
+ | anti-spoofing check on all firewall interfaces | ||
+ | fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof | ||
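Review bot: the label says "all firewall interfaces", but the added command inspects the single object named in fw="xxx", and grep anti_spoof prints only the matching lines, so the output does not show which interface each value belongs to. Either reword the label to "anti-spoofing settings of one firewall" or keep the interface name lines in the grep pattern; the label also lacks the bold markup the neighbouring entries use.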
Line 35: | Line 50: | ||
'''All members of a group formatted''' | '''All members of a group formatted''' | ||
− | + | cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p' | |
+ | |||
+ | '''All IPs and masks of group's members''' | ||
+ | |||
+ | GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done | ||
+ | |||
List services with 'Match for Any' ticked | List services with 'Match for Any' ticked | ||
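Review bot: in the "All IPs and masks of group's members" one-liner, CIDR is computed with /usr/local/bin/mask2cidr but the final echo prints "$IPADDRESS/$MASK", so the CIDR value is never used and the command depends on a helper that is not documented here. Either echo "$IPADDRESS/$CIDR" and say where mask2cidr comes from, or drop the CIDR assignment. The tab stripping is also applied to ipaddr only, not to netmask.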
Line 51: | Line 71: | ||
cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr | cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr | ||
− | + | cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__ | |
− | cpmiquerybin attr "" network_objects " | + | |
− | + | ||
get IP for CLM name | get IP for CLM name | ||
cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr | cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr | ||
+ | |||
+ | get list of firewalls / cp devices | ||
+ | |||
+ | cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')" -a __name__ | ||
+ | |||
+ | == CMA queries == | ||
+ | |||
+ | List CLMs / log servers from CMA env | ||
+ | cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr | ||
+ | ***note*** above is example of a compound query | ||
get CMA policy names | get CMA policy names | ||
cpmiquerybin attr "" fw_policies "" -a __name__ | cpmiquerybin attr "" fw_policies "" -a __name__ | ||
+ | |||
+ | get CMA list of policy collections (similar to above) | ||
+ | cpmiquerybin attr "" policies_collections "" -a __name__ | ||
+ | |||
+ | get installable targets for a policy named standard | ||
+ | cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets | ||
+ | |||
+ | print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output) | ||
+ | cpmiquerybin object "" fw_policies "name='##Standard'" | ||
+ | |||
dump MDS admin account info | dump MDS admin account info | ||
cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm | ||
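Review bot: the installable-targets example queries name='Standar' while its label says the policy is named standard, which looks like a typo for 'Standard'. The raw-dump example right after it uses name='##Standard' without explanation, so a reader cannot tell whether the ## prefix is required for fw_policies only or is a leftover; add a sentence stating which tables need it.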
Line 69: | Line 107: | ||
if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' | if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } ' | ||
− | get | + | get secondary CMA |
− | cpmiquerybin attr " | + | cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__ |
+ | |||
+ | == cma global properties == | ||
+ | individual parameters are not available by name. You have to dump them all and grep for what you want. | ||
+ | |||
+ | cpmiquerybin object "" properties "name='firewall_properties'" | ||
+ | |||
+ | example - cma auto sync rules / objects on policy save global setting: | ||
+ | cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p' | ||
== Tables == | == Tables == |
Latest revision as of 14:48, 27 March 2018
cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide cpmiquerybin on SmartCenter server
Usage
cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]
identify firewall objects
Standalone Firewalls
cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__
clusters
CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` )
cluster members
list all objects of type cluster member
cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__
list the member of a particular cluster
cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members
identify clusters and standalone firewalls (excluding cluster members)
cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name
cpmiquerybin object "mdsdb" pv1_administrators ""
get name of all objects of type cluster member
cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__
To get a list of names of all VALID cluster members from cluster object name
cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g'
or
cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members
anti-spoofing check on all firewall interfaces
fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof
query all objects for an ip address
cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr
from cma env, list management/cma objects
# cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr
All members of a group
cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name"
All members of a group formatted
cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'
All IPs and masks of group's members
GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done
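The one-liner above calls /usr/local/bin/mask2cidr, a local helper that is not shown on this page. The following is an added example, not the page's own code: a shell stand-in for that helper (the function names mask2cidr and to_cidr are assumptions) that rejects malformed and non-contiguous masks before printing IP/prefix.

```shell
# mask2cidr MASK: print the prefix length for a dotted-quad netmask.
# Exits non-zero for malformed or non-contiguous masks (e.g. 255.0.255.0).
mask2cidr() (
    case $1 in
        ''|*[!0-9.]*|*.) exit 1 ;;
    esac
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    bits=0; partial=0
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;;
            *) exit 1 ;;
        esac
        # After the first octet below 255, only zero octets are valid.
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then exit 1; fi
        if [ "$n" -lt 8 ]; then partial=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
)

# to_cidr IP MASK: print IP/prefix, stripping the tabs and spaces that
# surround attribute values (the page's one-liner uses tr -d '\t' for this).
to_cidr() (
    ip=$(printf '%s' "$1" | tr -d ' \t')
    mask=$(printf '%s' "$2" | tr -d ' \t')
    if prefix=$(mask2cidr "$mask"); then
        echo "$ip/$prefix"
    else
        echo "$ip/invalid-mask:$mask" >&2
        exit 1
    fi
)
```

Inside the loop of the one-liner, `to_cidr "$IPADDRESS" "$MASK"` replaces the final echo.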
List services with 'Match for Any' ticked
cpmiquerybin attr "" services "include_in_any='true'" -a __name__
MDS queries
list all MDSs
cpmiquerybin attr "mdsdb" mdss "" -a __name__
list primary MDS
cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__
list CMAs
cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr
cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__
get IP for CLM name
cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr
get list of firewalls / cp devices
cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')" -a __name__
CMA queries
List CLMs / log servers from CMA env
cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr
***note*** above is example of a compound query
get CMA policy names
cpmiquerybin attr "" fw_policies "" -a __name__
get CMA list of policy collections (similar to above)
cpmiquerybin attr "" policies_collections "" -a __name__
get installable targets for a policy named standard
cpmiquerybin attr "" policies_collections "name='Standard'" -a __name__,installable_targets
print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output)
cpmiquerybin object "" fw_policies "name='##Standard'"
dump MDS admin account info
cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm
same as above plus formatting
cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \
| awk '{ printf $1 ","; for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \
if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manager"; \
if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '
get secondary CMA
cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__
cma global properties
individual parameters are not available by name. You have to dump them all and grep for what you want.
cpmiquerybin object "" properties "name='firewall_properties'"
example - cma auto sync rules / objects on policy save global setting:
cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'
Tables
queryable tables can be gleaned from tables.C
cat tables.C |grep ": ("
Default Queries for mdsquerydb
mdsquerydb utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin.
$MDSDIR/conf/queries.conf
# (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
# All rights reserved.
#
# This is proprietary information of Check Point Software Technologies
# Ltd., which is provided for informational purposes only and for use
# solely in conjunction with the authorized use of Check Point Software
# Technologies Ltd. products. The viewing and use of this information is
# subject, to the extent appropriate, to the terms and conditions of the
# license agreement that authorizes the use of the relevant product.
#
# This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
#
# each line in queries.conf is:
# $1 - query environment [ MDS | CMA | ANY ]
# $2 - dbname
# $3 - key
# $4 - display format [ attr | object ]
# $5 - tablename
# $6 - query
# $7 - fields to be printed
#
CMA "" NetworkObjects attr network_objects "" __name__,type # Get name and type of all network objects
MDS "" GlobalNetworkObjects attr network_objects "" __name__,type # Get name and type of all global network objects
MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects
MDS "mdsdb" Customers attr pv1_customers "" __name__ # Get names of all PV-1 Customers
MDS "mdsdb" Administrators attr pv1_administrators "" __name__ # Get names of all PV-1 Administrators
MDS "mdsdb" MDSs attr mdss "" __name__,ipaddr # Get names and IPs of all MDSs
MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs
CMA "" Gateways attr network_objects "type='gateway'" __name__,ipaddr # Get names and IPs of all gateways
MDS "mdsdb" GuiClients attr pv1_guiclients "" __name__,ipaddr # Get names and IPs of all gui clients
CMA "" Status attr statuses "" __name__
CMA "" Policies object fw_policies ""
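The seven queries.conf fields line up with the arguments in the Usage line, so an entry can be turned back into a cpmiquerybin command. This is an added example, not Check Point's code: query_cmd and sample_conf are hypothetical names, the sample entries are copied from the listing above, and the mapping assumes the Usage argument order (how mdsquerydb itself builds its call is not shown on this page).

```shell
# sample_conf: three entries copied from the queries.conf listing on this page.
sample_conf() {
    cat <<'EOF'
# $1 env  $2 dbname  $3 key  $4 format  $5 table  $6 query  $7 fields
MDS "mdsdb" CMAs attr network_objects "management='true'" __name__ # Get names of all CMAs
MDS "mdsdb" NetworkObjects attr network_objects "" __name__,type # Get all customers' internal Check Point installed network objects
CMA "" Policies object fw_policies ""
EOF
}

# query_cmd KEY: read queries.conf on stdin and print "ENV: command" for each
# entry whose key ($3) matches. Exit status 1 if the key is not defined.
query_cmd() {
    awk -v key="$1" '
    # Split s into f[1..n]: double quotes group a field (and may be empty),
    # an unquoted "#" starts a comment that runs to end of line.
    function split_fields(s, f,    n, i, c, inq, tok, started) {
        n = 0; tok = ""; inq = 0; started = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\"") {
                inq = !inq; started = 1
            } else if (!inq && c == "#") {
                break
            } else if (!inq && (c == " " || c == "\t")) {
                if (started) { f[++n] = tok; tok = ""; started = 0 }
            } else {
                tok = tok c; started = 1
            }
        }
        if (started) f[++n] = tok
        return n
    }
    {
        n = split_fields($0, f)
        if (n < 6 || f[3] != key) next
        # Argument order follows the Usage line: type, database, table, query.
        cmd = sprintf("cpmiquerybin %s \"%s\" %s \"%s\"", f[4], f[2], f[5], f[6])
        if (n >= 7) cmd = cmd " -a " f[7]
        print f[1] ": " cmd
        found = 1
    }
    END { exit !found }'
}
```

On an MDS, `query_cmd CMAs < $MDSDIR/conf/queries.conf` prints the command to run by hand; the ENV prefix says which environment (MDS or CMA) the entry is meant for.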