SolarWinds Cattools – Script Manager – The cat’s Meeeeoooow

If you have more than 6 firewalls, I know most of you probably have a script library sitting around. Maybe you’ve been through 10 admins and so the scripts are a hodge-podge of semi-supported and hacked up tools that sometimes work…until a new R1000.45 HF 201 comes out and changes formats, so then you hack into your scripts yet one more time.

CP is supposed to come out with some sort of scripting support in R10001.48 HF 132 (R77 has some of this, haven’t seen it). I’ve been begging them to go out and buy SolarWinds Cattools. I’ve started to use it in the past month and I’m not sure how I survived without it all these years.

Cattools is a script manager based on a primitive form of Visual Basic. You import all your firewalls from an MDS export into an Excel spreadsheet and import into the panel on the left. Then on the right panel you have your scripting library. Below you can see I have various scripts for inventorying our firewalls as well as modifying them, etc.

[Screenshot: console]

Here is one example of how I inventory our firewalls to make sure they all have snapshots in case we have to rebuild. You highlight the script you want to run and click ‘run’. It will execute this bash script I wrote which downloads a bash script to inventory snapshots and executes the script and dumps the results into standard output on the Cattools management station. From there I use perl, awk, grep to gather the output (I’m working on turning this into a spreadsheet).

[Screenshot: script]

Cattools is awesome. In reality it is fairly good…because it’s like giving a cup of water to a dying man searing in the Judaean Desert of Scriptland. CheckPoint really needs to regain its lead in supporting and managing large enterprises, and if they bought Cattools and improved it to work best with CP products they could rock the world. As is…Cattools is designed very specifically for Cisco/Juniper/appliance markets so it had some quirks I had to overcome. It will work out of the package…but I improved it with my own scripts…the results of one you can see above.

Specifically, Cattools is designed to work with Cisco-like products. So it is hardcoded to expect certain prompts on the CLI. And the GUI is designed around these Cisco-like prompts. As is, it will work with GAIA but you get a lot of errors and timeouts…but in the end it works. So I made it work more generically with Unix and any application like FTP, GAIA clish, Install scripts, SCP with passwords, etc.

When reviewing scripting tools the big hangup is handling prompts. Your script can hang on a “password:” prompt or a prompt from a weird application like installing patches. Cattools with my mods does a great job of handling prompts. Out of the box, Unix and GAIA require you to install expect scripts to handle the prompts, so it can be done but it is a bit of a challenge.

Also look at how wayward processes are killed. Cattools does a great job monitoring and killing off wayward processes. It has several levels of timers where if a response is not forthcoming, it shoots the process.

Also look at how the output is gathered and brought home. The scripting tool should handle this for you. Cattools I feel does a great job of this. It also allows you to post process the output. I am figuring this part out now and will report in the future.

I’ll be talking more about Cattools as I get time. In the meantime you should give it a go…but temper it with knowing about the out-of-box issues. But it is still a cup of water to a dying soul.

Massive script engines are a double-edged sword. They can save you incredible amounts of time….or destroy your entire environment. When using tools like these make sure you have control processes around them. For example: On operations that modify the firewalls, those have to undergo review and have 2 people execute them together and on a max of 2, 4, 8, 16 firewalls as you prove it works.
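The batch control above (2, 4, 8, 16 firewalls, stopping when something breaks) together with the per-command timer from the paragraph on wayward processes, written in Python as an added example; it is not Cattools code or one of the scripts from this post. `FAKE_CHANGE`, the host names and the function names are constructed stand-ins for the real per-firewall command.

```python
import subprocess
import sys

BATCH_SIZES = (2, 4, 8, 16)  # ramp from the post; the last size repeats

def plan_batches(hosts, sizes=BATCH_SIZES):
    """Split hosts into batches of 2, 4, 8, 16, then 16 at a time."""
    batches, start, step = [], 0, 0
    while start < len(hosts):
        size = sizes[min(step, len(sizes) - 1)]
        batches.append(hosts[start:start + size])
        start, step = start + size, step + 1
    return batches

def run_on_host(argv, host, timeout_s):
    """Run argv + [host]; return (ok, detail). A hung command is killed."""
    try:
        # stdin is /dev/null so a command reading a prompt from stdin gets EOF
        # instead of waiting; subprocess.run kills the child on timeout.
        proc = subprocess.run(argv + [host], stdin=subprocess.DEVNULL,
                              capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return False, "killed after timeout"
    return proc.returncode == 0, proc.stdout.strip()

def staged_rollout(argv, hosts, timeout_s=5.0):
    """Work through the batches; halt at the first host that fails."""
    results = {}
    for number, batch in enumerate(plan_batches(hosts), start=1):
        for host in batch:
            results[host] = run_on_host(argv, host, timeout_s)
            if not results[host][0]:
                return {"halted_in_batch": number, "failed": host, "results": results}
    return {"halted_in_batch": None, "failed": None, "results": results}

# Constructed stand-in for the real per-firewall change (assumption): it
# succeeds except on "fw-bad" (exit 1) and "fw-hang" (sleeps past the timeout).
FAKE_CHANGE = [sys.executable, "-c",
               "import sys, time\n"
               "h = sys.argv[1]\n"
               "time.sleep(30 if h == 'fw-hang' else 0)\n"
               "print('changed', h)\n"
               "sys.exit(1 if h == 'fw-bad' else 0)"]

if __name__ == "__main__":
    hosts = ["fw1", "fw2", "fw3", "fw-hang", "fw5", "fw6", "fw7"]
    print(staged_rollout(FAKE_CHANGE, hosts, timeout_s=1.0))
```

Hosts after the failing one are never touched, so a bad change stops at the batch where it first shows up.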

NOTE: I loved this product so much that my company Midpoint Technologies now sells this product. So I have a strong bias.

Script ON!

dreez


Comments

  • Arnfinn  On December 5, 2013 at 7:14 pm

    Hi,
    In R77 SDB you have some of this available. Not perfect yet, but…
    Enable it in SDB > Global Properties > SmartDashboard Customization.
    In the Central Device Management area, select Enable Central Device Management. Restart SmartDashboard. You can have a central script repository and run them on R77 GW’s from SDB.

    • Dreezman  On December 5, 2013 at 7:23 pm

      Thanks for update! I heard about this but have not seen it yet.

      A couple things Cattools does really nice:
      1) Works with all types of prompts like password prompts, install prompts. I know this is harder to do without expect scripting on Unix
      2) Collects standard output or custom output files back on the management station
      3) Great tools to debug your scripts
      4) You can format the output files (say to CSV) back on the management station
      5) Works with ALL devices, not just CheckPoint R77+

      It’s sorta like Tufin. SmartWorkflow is OK but Tufin is awesome because that is their focus. Tufin is for the Enterprise. SmartWorkFlow is for smaller shops.

      I’m guessing the scripting facility will get better over time. Just thinking they could get there NOW with a cool support library today if they bought Cattools.

      Thanks for the input!
      dreez


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
