Friday, 22 February 2013

WGET on CheckPoint

Just a quick post here since I've been asked about the best way of transferring the scripts I host on github to a FW. The answer of course is wget :)

It's not in the default $PATH of SPLAT/GAIA; however, on every version I've looked at, CP has hidden it somewhere on the device.

For example:
[Expert@R75-B]# wget
-bash: wget: command not found
[Expert@R75-B]# find / -name wget
/var/tmp/CD1/linux/MiniWrapperForMajor/linux/Actions/wget
/sysimg/CPwrapper/linux/MiniWrapperForMajor/linux/Actions/wget

If you want to pull one of my scripts down directly (and assuming you've got a name server in /etc/resolv.conf...), just use the binary from one of the find results like so. Note that wget won't overwrite an existing file of the same name: if one is already sitting in the working directory it saves the download as <name>.1, which is why the capture below ends up with interface_rebuild_splat.sh.1. Pass -O <name> if you want to pick the output filename yourself. Either way, read the script before you run it on a firewall.

Tada:
[Expert@R75-B]# /sysimg/CPwrapper/linux/MiniWrapperForMajor/linux/Actions/wget https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh
--10:14:27--  https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh
           => `interface_rebuild_splat.sh.1'
Resolving raw.github.com... done.
Connecting to raw.github.com[199.27.72.133]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 748 [text/plain]

100%[=================================================================================================================================================================================================>] 748          730.47K/s    ETA 00:00

10:14:27 (730.47 KB/s) - `interface_rebuild_splat.sh.1' saved [748/748]
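As an added example (not code from the original post), here is a small wrapper that does the same job with the checks a practitioner would want: it looks for wget in $PATH first, falls back to the two locations the post's find turned up on R75 (an assumption on other releases), downloads to an explicit filename with -O so nothing lands in a .1 file, and refuses to keep the script unless its SHA-256 matches a value you recorded out of band. It assumes sha256sum (or shasum) is present on the box; substitute another digest tool if your build lacks it.

```bash
#!/bin/bash
# Added example, not from the original post or the author's repository.
set -u

# Fallback locations for Check Point's bundled wget. These are the two paths the
# post's `find / -name wget` returned on R75; treat them as assumptions elsewhere.
WGET_CANDIDATES="/sysimg/CPwrapper/linux/MiniWrapperForMajor/linux/Actions/wget
/var/tmp/CD1/linux/MiniWrapperForMajor/linux/Actions/wget"

# locate_wget: print the path of a usable wget; return 1 if none is found.
locate_wget() {
    local p
    if p=$(command -v wget 2>/dev/null); then
        printf '%s\n' "$p"
        return 0
    fi
    for p in $WGET_CANDIDATES; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# check_sha256 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
check_sha256() {
    local actual
    actual=$(sha256_of "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_SHA256:
#   download with -O so wget never silently writes DEST.1, then verify the
#   digest and delete the file on any failure. Returns 0 on success,
#   1 if no wget or the download failed, 2 on a digest mismatch.
fetch_verified() {
    local url=$1 dest=$2 expected=$3 wget
    wget=$(locate_wget) || { echo "no wget binary found" >&2; return 1; }
    "$wget" -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    if ! check_sha256 "$dest" "$expected"; then
        echo "SHA-256 mismatch for $dest, removing it" >&2
        rm -f "$dest"
        return 2
    fi
    chmod 0700 "$dest"   # owner-only: it is about to be executed as root
}

# Report which wget would be used. The actual fetch is left to the caller, e.g.:
#   fetch_verified https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh \
#       interface_rebuild_splat.sh <sha256 you recorded from a trusted copy>
locate_wget || echo "wget not found in PATH or the known CP locations" >&2
```

The expected digest has to come from somewhere other than the download itself (a copy you reviewed on your workstation, for instance); the point of the check is that a file which silently differs from what you reviewed never gets executed on the firewall.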



SPLAT: Interface rebuild script

Hi everyone,

Today I got tired of using sysconfig to create hundreds of subinterfaces while migrating large FWs to new hardware, so I've gone ahead and made a script which does it for you.

First (optional, really), take a backup of your existing firewall's interface configuration with this script:

Interface Backup Script

Side note:
Since the backup format is trivial (one line per interface: interface IP netmask), you don't have to use it only for restores or migrations; you can hand-write a file in that format and use the rebuild script to configure a brand-new device quickly as well.

Second, transfer the file (or create your own) to the new hardware, and run the rebuild script:

Interface Rebuild Script

Here it is in action:

New firewall (basic config):

[Expert@R75-B]# ifconfig -a | grep -A 1 eth
eth0        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:FC
            inet addr:192.168.0.60  Bcast:192.168.0.255  Mask:255.255.255.0
--
eth1        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:06
            BROADCAST MULTICAST  MTU:1500  Metric:1
--
eth2        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10
            BROADCAST MULTICAST  MTU:1500  Metric:1

Run the script:
[Expert@R75-B]# ./interface_rebuild_splat.sh 
Hello, please enter the correct log file to analyze
firewall_interfaces_backup
Thank you - Recreating interfaces now
Finished recreating the interfaces...
Please remember to run ifconfig --save when finished!
Goodbye 
[Expert@R75-B]# ifconfig --save

We can now see that all of our interfaces have been created, and after ifconfig --save they are present in netconf.C:
[Expert@R75-B]# ifconfig -a | grep -A 1 eth
eth0        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:FC  
            inet addr:192.168.0.60  Bcast:192.168.0.255  Mask:255.255.255.0
--
eth1        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:06  
            inet addr:1.1.1.1  Bcast:1.1.1.255  Mask:255.255.255.0
--
eth2        Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
--
eth2:2      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.2.2.1  Bcast:10.2.2.255  Mask:255.255.255.0
--
eth2:3      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.3.3.1  Bcast:10.3.3.255  Mask:255.255.255.0
--
eth2:4      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.4.4.1  Bcast:10.4.4.255  Mask:255.255.255.0
--
eth2:5      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.5.5.1  Bcast:10.5.5.255  Mask:255.255.255.0
--
eth2:6      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.6.6.1  Bcast:10.6.6.255  Mask:255.255.255.0
--
eth2:7      Link encap:Ethernet  HWaddr 00:0C:29:13:5C:10  
            inet addr:10.7.7.1  Bcast:10.7.7.255  Mask:255.255.255.0

etc....

You can see them via sysconfig:
Choose a connection to display ('e' to exit):
------------------------------------------------------------------
1) eth0       4) eth2:10   7) eth2:13  10) eth2:3   13) eth2:6
2) eth1       5) eth2:11   8) eth2:14  11) eth2:4   14) eth2:7
3) eth2       6) eth2:12   9) eth2:2   12) eth2:5   15) eth2:8
------------------------------------------------------------------
(Note: configuration changes are automatically saved)

And it's in netconf.C:
[Expert@R75-B]# cat /etc/sysconfig/netconf.C | grep -B 1 -A 6 eth2:6
                : (conn
                        :ifname ("eth2:6")
                        :type (3)
                        :ipaddr ("10.6.6.1/24")
                        :onboot (1)
                        :depend-on (eth2)
                        :s-code (0)
                )
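As an added example (not the post's own interface_rebuild_splat.sh, whose source is not on this page), the script below reads a backup file in the "interface IP netmask" format described above and emits the ifconfig commands that would recreate the interfaces, rather than running them directly. Every field is validated first, so a corrupted or tampered backup cannot reach the shell as anything other than data. It assumes whitespace-separated fields, '#' comments, and that an alias such as eth2:2 needs its parent (eth2) up first, which matches the eth2 line in the capture above; the sample backup embedded in it is constructed for this example.

```bash
#!/bin/bash
# Added example, not the author's interface_rebuild_splat.sh.
set -u

# Sample backup in the post's format, constructed for this example.
SAMPLE_BACKUP='# interface ip netmask
eth1 1.1.1.1 255.255.255.0
eth2:2 10.2.2.1 255.255.255.0
eth2:3 10.3.3.1 255.255.255.0
'

# is_ifname NAME: ethN with an optional :alias suffix, nothing else.
is_ifname() { printf '%s' "$1" | grep -Eq '^eth[0-9]+(:[0-9]+)?$'; }

# is_ipv4 ADDR: dotted quad with every octet in 0-255 (format check only;
# netmask contiguity is not verified).
is_ipv4() {
    local o IFS
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=.
    for o in $1; do
        [ "$o" -le 255 ] || return 1
    done
}

# rebuild_cmds FILE: print one ifconfig command per valid line. Lines that
# fail validation are reported on stderr and make the function return 1 so
# the caller does not apply a half-validated file.
rebuild_cmds() {
    local file=$1 ifname ip mask extra parent rc=0 n=0
    local seen_parents=" "
    while read -r ifname ip mask extra; do
        n=$((n + 1))
        case $ifname in ''|\#*) continue ;; esac   # blank line or comment
        if [ -n "$extra" ] || ! is_ifname "$ifname" \
           || ! is_ipv4 "$ip" || ! is_ipv4 "$mask"; then
            echo "line $n: rejected: $ifname $ip $mask $extra" >&2
            rc=1
            continue
        fi
        # Bring a parent interface up once before any of its aliases.
        parent=${ifname%%:*}
        if [ "${seen_parents#* $parent }" = "$seen_parents" ]; then
            if [ "$parent" != "$ifname" ]; then
                printf 'ifconfig %s up\n' "$parent"
            fi
            seen_parents="$seen_parents$parent "
        fi
        printf 'ifconfig %s %s netmask %s up\n' "$ifname" "$ip" "$mask"
    done < "$file"
    return "$rc"
}

# Demo on the embedded sample: print the commands, execute nothing.
demo=$(mktemp) || exit 1
printf '%s' "$SAMPLE_BACKUP" > "$demo"
rebuild_cmds "$demo"
rm -f "$demo"
```

To apply a real backup, review the output first and then run something like `rebuild_cmds firewall_interfaces_backup | sh` followed by `ifconfig --save`, which is the step the post's script reminds you about so the interfaces land in netconf.C.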

You might find these scripts useful in combination with my route rebuild scripts, located here:

Route rebuild scripts for SPLAT+GAIA

Hopefully some of you get some use out of this! :)