Difference between revisions of "cpmiquerybin"

Check Point Profressional Services
(MDS queries)
(MDS queries)
 
(28 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
cpmiquerybin is found on Provider-1 installations only.  If you want to use it on a SmartCenter server, follow this guide [http://www.cpwiki.net/index.php/cpmiquerybin_on_SmartCenter_server cpmiquerybin on SmartCenter server]
 +
 +
 
== Usage ==
 
== Usage ==
 
'''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]'''
 
'''cpmiquerybin''' <query_result_type> <database> <table> <query> [-a <attributes_list>]'''
  
  
== jumbled examples ==
+
== indentify firewall objects ==
 +
 +
'''Standalone Firewalls'''
 +
cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__
 +
'''clusters'''
 +
CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` )
 +
'''cluster members'''
 +
<br>list all objects of type cluster member
 +
cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__
 +
<br> list the member of a particular cluster
 +
cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members
 +
 
 +
'''identify clusters and standalone firewalls (excluding cluster members)'''
 +
cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name
  
'''indentify firewall objects'''
 
cpmiquerybin attr "" network_objects "firewall='installed'" -a __name__
 
  
cpmiquerybin object "" network_objects "type='cluster_member'"|grep -E ":name|spoof"
 
cpmiquerybin object "" network_objects "type='gateway_cluster'"|grep -E ":name|spoof"
 
  
 
  cpmiquerybin object "mdsdb" pv1_administrators ""
 
  cpmiquerybin object "mdsdb" pv1_administrators ""
Line 23: Line 35:
 
or  
 
or  
 
  cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members
 
  cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members
 +
 +
anti-spoofing check on all firewall interfaces
 +
fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof
  
  
Line 35: Line 50:
  
 
'''All members of a group formatted'''
 
'''All members of a group formatted'''
cpmiquerybin object "" network_objects "name='group_name'" | grep ":Name" | awk -F "(" '{print $2}' | sed -e 's/)//'
+
  cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'
 +
 
 +
'''All IPs and masks of group's members'''
 +
 
 +
GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done
 +
 
  
 
List services with 'Match for Any' ticked
 
List services with 'Match for Any' ticked
Line 51: Line 71:
 
  cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr
 
  cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr
  
List CLMs / log servers from CMA env
+
  cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__
  cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr
+
***note*** above is example of a compound query
+
  
 
get IP for CLM name
 
get IP for CLM name
 
  cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr
 
  cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr
 +
 +
get list of firewalls / cp devices
 +
 +
cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')" -a __name__
 +
 +
== CMA queries ==
 +
 +
List CLMs / log servers from CMA env
 +
cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr
 +
***note*** above is example of a compound query
  
 
get CMA policy names
 
get CMA policy names
 
  cpmiquerybin attr "" fw_policies "" -a __name__
 
  cpmiquerybin attr "" fw_policies "" -a __name__
 +
 +
get CMA list of policy collections (similar to above)
 +
cpmiquerybin attr "" policies_collections "" -a __name__
 +
 +
get installable targets for a policy named standard
 +
cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets
 +
 +
print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output)
 +
cpmiquerybin object "" fw_policies "name='##Standard'"
 +
 
dump MDS admin account info
 
dump MDS admin account info
 
  cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm
 
  cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm
Line 69: Line 107:
 
  if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '
 
  if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '
  
get list of firewalls / cp devices
+
get secondary CMA
  cpmiquerybin attr "mdsdb" network_objects "cp_products_installed='true'" -a __name__
+
  cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__
 +
 
 +
== cma global properties ==
 +
individual parameters are not available by name. You have to dump them all and grep for what you want.
 +
 
 +
cpmiquerybin object "" properties "name='firewall_properties'"
 +
 
 +
example - cma auto sync rules / objects on policy save global setting:
 +
cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'
  
 
== Tables ==
 
== Tables ==

Latest revision as of 14:48, 27 March 2018

cpmiquerybin is found on Provider-1 installations only. If you want to use it on a SmartCenter server, follow this guide cpmiquerybin on SmartCenter server



Usage

cpmiquerybin <query_result_type> <database> <table> <query> [-a <attributes_list>]

identify firewall objects

Standalone Firewalls

cpmiquerybin attr "" network_objects "(type='gateway') & (location='internal')" -a __name__

clusters

CLUSTERS=( `cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal')" -a __name__ | tr '\n' ' '` )

cluster members
list all objects of type cluster member (as written, the query below also matches type='gateway' objects)

cpmiquerybin attr "" network_objects "(type='cluster_member') | (type='gateway') & (location='internal')" -a __name__


list the members of a particular cluster

cpmiquerybin attr "" network_objects "name='<name_of_cluster_here>'" -a cluster_members

identify clusters and standalone firewalls (excluding cluster members)

cpmiquerybin attr "" network_objects "(type='gateway_cluster') & (location='internal') | (type='gateway') & (location='internal')" -a __name__,svn_version_name


cpmiquerybin object "mdsdb" pv1_administrators ""

get name of all objects of type cluster member

cpmiquerybin attr "" network_objects "type='cluster_member'" -a __name__

To get a list of names of all VALID cluster members from cluster object name

cpmiquerybin object "" network_objects "" |grep -A 12 cluster_members |grep Name | awk -F "(" '{printf $2}' | sed -e 's/)/|/g'

or

cpmiquerybin attr "" network_objects "name='cluster_name'" -a cluster_members

anti-spoofing check on all firewall interfaces

fw="xxx"; cpmiquerybin object "" network_objects "name='$fw'" |grep anti_spoof


query all objects for an ip address

cpmiquerybin attr "" network_objects "ipaddr='192.168.1.2'" -a __name__,ipaddr

from cma env, list management/cma objects

# cpmiquerybin attr "" network_objects "management='true'" -a __name__,ipaddr 

All members of a group

cpmiquerybin object "" network_objects "name='group_name_goes_here'" | grep ":Name"

All members of a group formatted

 cpmiquerybin object "" network_objects "name='$GROUP_NAME'" | grep -E ":Name" | sed -n 's/.*(\([^ ]*\))/\1/p'

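All IPs and masks of group's members (output is IP/netmask; the one-liner also calls /usr/local/bin/mask2cidr, but the resulting CIDR value is not printed)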

GROUPNAME="<group name>"; cpmiquerybin object "" network_objects "name='$GROUPNAME'" | grep ":Name" | awk '{print $2}' | tr -d '()' | while read line; do IPADDRESS=`cpmiquerybin attr "" network_objects "name='$line'" -a ipaddr | tr -d '\t';`; MASK=`cpmiquerybin attr "" network_objects "name='$line'" -a netmask`; CIDR=`/usr/local/bin/mask2cidr $MASK`; echo "$IPADDRESS/$MASK"; done


List services with 'Match for Any' ticked

cpmiquerybin attr "" services "include_in_any='true'" -a __name__

MDS queries

list all MDSs

cpmiquerybin attr "mdsdb" mdss "" -a __name__

list primary MDS

cpmiquerybin attr "mdsdb" mdss "primary='true'" -a __name__

list CMAs

cpmiquerybin attr "mdsdb" network_objects "management='true'" -a __name__,ipaddr
cpmiquerybin attr "mdsdb" network_objects "hosted_by_mds='<mds_name>'" -a __name__

get IP for CLM name

cpmiquerybin attr "mdsdb" network_objects "name='clm_name_goes_here'" -a __name__,ipaddr

get list of firewalls / cp devices

cpmiquerybin attr "mdsdb" network_objects "(type='gateway_cluster') | (type='gateway') | (type='cluster_member')" -a __name__

CMA queries

List CLMs / log servers from CMA env

cpmiquerybin attr "" network_objects "(log_server='true') & (management='false')" -a __name__,ipaddr
***note*** above is example of a compound query

get CMA policy names

cpmiquerybin attr "" fw_policies "" -a __name__

get CMA list of policy collections (similar to above)

cpmiquerybin attr "" policies_collections "" -a __name__

get installable targets for a policy named standard

cpmiquerybin attr "" policies_collections "name='Standar'" -a __name__,installable_targets

print raw dump of a policy named Standard (it does contain rule UIDs unlike dbedit output)

cpmiquerybin object "" fw_policies "name='##Standard'"

dump MDS admin account info

cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm

same as above, with comma-separated output and the last field (msp_perm) translated into a permission label

cpmiquerybin attr "mdsdb" pv1_administrators "type='pv1_administrator'" -a __name__,auth_method,msp_perm \
| awk '{ printf $1 ",";  for (i=2; i<NF; i++) printf $i; printf ","; if ($NF==80000000) print "Provider-1 Superuser"; \
if ($NF==40000000) print "Customer Superuser"; if ($NF==20000000) print "Global Manageer";  \
if ($NF==10000000) print "Customer Manager"; if ($NF==00000000) print "None"; } '

get secondary CMA

cpmiquerybin attr "" network_objects "(primary_management='false') & (management='true')" -a __name__

cma global properties

individual parameters are not available by name. You have to dump them all and grep for what you want.

cpmiquerybin object "" properties "name='firewall_properties'"

example - cma auto sync rules / objects on policy save global setting:

cpmiquerybin object "" properties "name='firewall_properties'" |grep auto_sync_on_install | sed -n 's/.*(\([^ ]*\))/\1/p'

Tables

queryable tables can be gleaned from tables.C
 cat tables.C |grep ": ("


Default Queries for mdsquerydb

mdsquerydb utilizes cpmiquerybin. The table below defines all the queries it uses. It is included here as a reference for cpmiquerybin.

$MDSDIR/conf/queries.conf

# (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
# All rights reserved.
#
# This is proprietary information of Check Point Software Technologies
# Ltd., which is provided for informational purposes only and for use
# solely in conjunction with the authorized use of Check Point Software
# Technologies Ltd. products.  The viewing and use of this information is
# subject, to the extent appropriate, to the terms and conditions of the
# license agreement that authorizes the use of the relevant product.
#
# This configuration file is a part of Provider-1/SiteManager-1 Database Query Tool
#
# each line in queries.conf is:
# $1 - query environment [ MDS | CMA | ANY ]
# $2 - dbname
# $3 - key
# $4 - display format [ attr | object ]
# $5 - tablename
# $6 - query
# $7 - fields to be printed
#
CMA ""          NetworkObjects                  attr    network_objects         ""                                      __name__,type   # Get name and type of all network objects
MDS ""          GlobalNetworkObjects    attr    network_objects         ""                                      __name__,type   # Get name and type of all global network objects
MDS "mdsdb"     NetworkObjects                  attr    network_objects         ""                                      __name__,type   # Get all customers' internal Check Point installed network objects
MDS "mdsdb"     Customers                               attr    pv1_customers           ""                                      __name__                # Get names of all PV-1 Customers
MDS "mdsdb"     Administrators                  attr    pv1_administrators      ""                                      __name__                # Get names of all PV-1 Administrators
MDS "mdsdb"     MDSs                                    attr    mdss                            ""                                      __name__,ipaddr # Get names and IPs of all MDSs
MDS "mdsdb"     CMAs                                    attr    network_objects         "management='true'" __name__            # Get names of all CMAs
CMA ""          Gateways                                attr    network_objects         "type='gateway'"        __name__,ipaddr # Get names and IPs of all gateways
MDS "mdsdb"     GuiClients                              attr    pv1_guiclients          ""                                      __name__,ipaddr # Get names and IPs of all gui clients
CMA ""          Status                                  attr            statuses   ""   __name__ 
CMA "" Policies object fw_policies ""