#!/bin/bash
#
# CHECKUP.SH
# Script to gather performance and environmental information in order to examine the health and condition of a Check Point system
# Elements of this script are inspired by the information contained within SK33781, sk38992, sk36846, and sk54400
#
# Michael E. Natkin
# This tool is provided on a best-effort basis, as-is, with no express or implied warranty or support.
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license,
# visit http://creativecommons.org/licenses/by-sa/3.0/.
#
# PLEASE BE SURE TO CHECK THE WIKI OR WITH THE AUTHOR TO ENSURE YOU ARE RUNNING THE MOST CURRENT VERSION OF THIS SCRIPT
#
# TODOs: Add logic in script, check for disk space prior to writing to output directory, add NIC checks to ignore secondary IPs
#
# Version 20150624 - Minor tweak for VPN counts
# Version 20150422 - Add flag allowing for DU bypass
# Version 20150418 - Add alternative method for sourcing CPprofile.sh
# Version 20150416 - Add Monitor Mode interface check
# Version 20150408 - Fixes for improved operation on Solaris
# Version 20150305 - Minor adjustments
# Version 20150202 - Confirm operating MAC Magic numbers
# Version 20141216 - Additional NIC information gathering
# Version 20141126 - Minor programatic improvements, additional appliance definitions
# Version 20140930 - Modify Rulebase counters to include Manual NAT
# Version 20140929 - Rulebase counters (management)
# Version 20140925 - Minor programatic improvements, ensured redirection of stdout and stderr across the entire script
# Version 20140905 - Address some VSX-related inconsistencies
# Version 20140713 - 13800 and 21800
# Version 20140505 - Additional file checks
# Version 20140425 - Revised acceleration functionality, addressed some programatic issues, and tweaked top talkers
# Version 20140424 - Variable cleanup, log cleanup, minor script cleanup and formatting
# Version 20140423 - additional CPU check logic initial implementation
# Version 20140420 - Minor adjustments
# Version 20140219 - Minor cleanup
# Version 20140121 - Additional checks, cleanup
# Version 20140117 - Bond interface checks (SPLAT and GAiA), minor cleanup
# Version 20131118 - Additional UserCheck checks, minor cleanup -- TODO - revise host count
# Version 20131112 - Host count, RAD checks, minor cleanup, additional ID checks
# Version 20131015 - Initial 61000 integration
# Version 20131010 - Additional CPU / IRQ details, partition inode check, cleanup, documentation, and improved user feedback
# Version 20130925 - Minor cleanup and documentation
# Version 20130905 - Minor cleanup and adjustments
# Version 20130828 - Threat Emulation and MTA
# Version 20130729 - Minor cleanup and adjustments
# Version 20130724 - Updated SmartEvent checks, addressed SWB detection bug
# Version 20130709 - Added 13500 appliance
# Version 20130610 - Additional file checks
# Version 20130509 - Added array status check, tweaked LOM check, added flags allowing for TOP, IOStat, and VMSTAT bypass
# Version 20130503 - Added MDS checks, added SofaWare LibSW version check
# Version 20130228 - 21700, update LOM detection mechanism
# Version 20130213 - fixes, tweaks, and optimizations, additional cache size checks
# Version 20130206 - Additional ID and blade checks,LOM Check, Fix R76 (and future) VS script support
# Version 20130129 - fixes, tweaks, and optimizations
# Version 20130127 - URLF Stats in 75.* or better (basic today, enhancements planned)
# Version 20130122 - Enhance IPS reporting visibility, add IA checks (following field feedback), added community disclaimer to the output
# Version 20130113 - Address some test issues on legacy versions, enhance VS test criteria
# Version 20121221 - Minor NIC reporting tweaks
# Version 20121210 - minor changes to TOP and IOSTAT output
# Version 20121208 - minor script cleanup and additional documentation, fix 12200 reporting
# Version 20121206 - More stuff!!! Specifically, incorporated blade checks from machine_info.sh... Plus added more complete version history
# Version 20121205 - Additional NIC checks
# Version 20121127 - Additional file checks
# Version 20121107 - More GAiA and dynamic routing stuff
# Version 20121016 - 21600
# Version 20121013 - Fixes and SEM additions
# Version 20121011 - a few more file checks, more documentation
# Version 20121001 - additional IPSO-related tests from sk54400 added
# Version 20120930 - addressed some IPSO-problematic changes, introduced revision history
# Version 20120924 - Script cleanup, additional file checks, improve SecureXL checks
# Version 20120918 - Output cleanup, revision control check, IPS stats, management server checks
# Version 20120907 - Add GAiA checks, improve VSX checks
# Version 20120905 - Improve and simplify scripting, improve VSX checks, improve memory checks, add housekeeping
# Version 20120830 - Improve scripting, reduce non-applicable checks
# Version 20120823 - Simplify and expand file and process checks, improve end-user feedback
# Version 20120821 - Script cleanup, tweak Crossbeam-specific checks
# Version 20120802 - Add user interaction, minor cosmetic changes
# Version 20120702 - Add appliance mapping
# Version 20120622 - More IPSO reporting parity information, add user VPN checks
# Version 20120516 - Minor cosmetic changes only
# Version 20120515 - Address IPSO and VSX check issues, add IPSO and VSX reporting parity
# Version 20120410 - (Formerly Version 0.9989) Add scheduled tasks check, more CoreXL checks and logic
# Version 20120315 - (Formerly Version 0.9986) Expand VSX checks. Add virtual memory / swap checks
# Version 20120306 - (Formerly Version 0.998) Expand IPSO and Crossbeam support, add significant memory and kernel checks. Begin migration to date-based versioning
# Version 20120207 - (Formerly Version 0.996) Add section comments, add process and file dumps
# Version 20120120 - (Formerly Version 0.995) Script cleanup, address some Crossbeam-problematic changes, more checks
# Version 20120104 - (Formerly Version 0.993) Script cleanup, additional VSX checks
# Version 20111211 - (Formerly Version 0.99) VSX-specific additions and more checks added
# Version 20111205 - (Formerly Version 0.98) Expanded list of checks, script cleanups
# Version 20111010 - (Formerly Version 0.975) Expanded list of checks, script cleanups
# Version 20110909 - The basics start to come into form -- very rough
# Version 0.0.0.0 - Initial stab at automating FW checks
################################################################################
################################################################################
## Script start ##
################################################################################
################################################################################
# Script version
# Version string shown in the start-up banner and in the report.
SCRVER="Version 20150624"

# Timed samplers (TOP, VMSTAT, IOSTAT where available) run while this is "1";
# any other value disables them.
DOTIMEDCHECKS=1

# The du pass (where available) runs while this is "1"; any other value disables it.
DODUCHECK=1

# Report directory. /var/log/tmp is preferred; when that directory is missing the
# report goes to /var/log instead. Edit the first assignment to write elsewhere.
# NOTE(review): the report later receives copies of files such as
# /etc/ssh/sshd_config and the SNMP configuration, so pick a directory that only
# administrators can read.
OUTTO=/var/log/tmp
[ -d "$OUTTO" ] || OUTTO=/var/log

# Scratch directory: an inherited, non-empty $TMP is kept, otherwise /var/tmp is used.
CHECKTMP=$TMP
[ -n "$CHECKTMP" ] || TMP=/var/tmp

# Host name and start time (YYYY-MM-DD-HHMM) are embedded in the report name.
HNAME=$(hostname)
NOW=$(date +"%F-%H%M")

# Full path of the report file; edit here to change the default file name.
OUTFILE=$OUTTO/checkup-$HNAME-$NOW.txt
################################################################################
################################################################################
## ##
## Do not modify anything beyond this point. ##
## ##
################################################################################
################################################################################
# Provide brief product description and opportunity to cancel execution
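# Start-up banner: what the script does, its version, and the licence notice.
cat <<BANNER
##########################################################################
# This script gathers performance and environmental information in order #
# to examine the health and condition of a Check Point system. #
# #
# Elements of this script are based on information contained within #
# SK33781, sk38992, sk36846, and sk54400 #
# #
# NOTE: This tool is provided on a best-effort basis as-is with no #
# expressed nor implied warrantee or support. #
# #
# Executing script $SCRVER #
# #
##########################################################################

 ######################################################################
 ## This work is licensed under the Creative Commons Attribution- ##
 ## ShareAlike 3.0 Unported License. To view a copy of this license, ##
 ## visit http://creativecommons.org/licenses/by-sa/3.0/. ##
 ## ##
 ## Press any key to continue ##
 ## or wait 10 seconds and the script will continue automatically ##
 ######################################################################
BANNER
# Wait up to 10 seconds for a single keypress. No variable name is given, so the
# key lands in REPLY. Passing the script's first argument as the variable name
# would let an invocation such as "checkup.sh OUTFILE" overwrite a script
# variable with the key that was pressed. -r keeps a backslash literal.
read -r -n1 -t10
echo
# Tell the operator where the report is being written.
cat <<BANNER
#########################################################################
# Beginning data acquisition. #
# Data will be collected into $OUTFILE #
# You may see some messages and errors appear on the screen during the #
# script's execution. These may safely be ignored. #
#########################################################################
#########################################################################

BANNER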
################################################################################
################################################################################
## ##
## Function Definitions ##
## ##
################################################################################
################################################################################
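secbreak() # Function providing section break -- break up the information for easier digestion
{
  # Appends a blank line, a rule of '#' characters and another blank line to the
  # report. Globals: OUTFILE (read). The redirect target is quoted so that a
  # report path containing spaces does not fail with "ambiguous redirect".
  {
    echo ""
    echo "########################################################################"
    echo ""
  } >> "$OUTFILE" 2>&1
}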
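smallbreak() # Function providing blank line for between checks within the same section
{
  # Appends one empty line to the report. Globals: OUTFILE (read).
  # The redirect target is quoted so a report path with spaces still works.
  echo "" >> "$OUTFILE" 2>&1
}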
warnuser() # Function providing some user feedback RE warnings that may be displayed during execution
{
  # Prints a boxed notice to stdout, with one blank line before and after it.
  # Nothing is written to the report file.
  printf '%s\n' \
    '' \
    '##########################################################################' \
    '## You may see some messages and errors appear on the screen during the ##' \
    "## script's execution. These may safely be ignored. ##" \
    '##########################################################################' \
    ''
}
################################################################################
################################################################################
## ##
## Start of Script ##
## ##
################################################################################
################################################################################
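# The output of this first call is discarded by the truncating redirect below;
# the call is kept so the sequence of helper calls is unchanged.
secbreak
# Report header. The group is written with a single truncating redirect, so any
# earlier content at this path is replaced, and the target is quoted so a report
# path containing spaces works.
# NOTE(review): the report is created with the caller's umask and later receives
# copies of sshd_config, SNMP and OPSEC configuration files. Consider restricting
# its permissions (for example a umask of 077 before this point) after confirming
# how operators retrieve the file.
{
  echo "##########################################################################"
  echo "### ### Starting checkup script for $HNAME at $(date +"%F-%H%M") "
  echo "##########################################################################"
  echo "# This script gathers performance and environmental information in order #"
  echo "# to examine the health and condition of a Check Point system. #"
  echo "# #"
  echo "# Elements of this script are based on information contained within #"
  echo "# SK33781, sk38992, sk36846, and sk54400 #"
  echo "# #"
  echo "# NOTE: This tool is provided on a best-effort basis as-is with no #"
  echo "# expressed nor implied warrantee or support. #"
  echo "##########################################################################"
} > "$OUTFILE"
secbreak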
# Kernel version -- Start of logic for IPSO / XBM
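smallbreak
# RUNOSFULL keeps the complete uname line for the report. RUNOS is the kernel
# name, and is left empty when it is not one of the four supported platforms.
# egrep is kept because the script also runs on SunOS.
RUNOSFULL=$(uname -a)
RUNOS=$(uname | egrep 'Linux|IPSO|XOS|SunOS')
# ISTORVALDS marks Linux-derived platforms: 1 for Linux and XOS, 0 for IPSO and
# SunOS. An unrecognised platform also gets 0 rather than leaving the flag unset,
# so later tests of the flag never run against an empty value.
case "$RUNOS" in
  Linux | XOS)
    ISTORVALDS=1
    ;;
  *)
    ISTORVALDS=0
    ;;
esac
echo "Running checkup script $SCRVER on $RUNOSFULL platform running $RUNOS" >> "$OUTFILE" 2>&1
smallbreak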
##############################################################################
# #
# Hardware determination #
# #
##############################################################################
# create a "product-code to security-gateway" translation-file, based on -
# http://wiki.checkpoint.com/confluence/display/CPPublic/Appliance+Specifications
# Extracted from cpeval and modified to include Crossbeam and new appliances
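echo " *** hardware platform" >> "$OUTFILE" 2>&1
# Scratch files for the appliance lookup. mktemp -t behaves differently across
# the supported platforms, so fixed names under $TMP are used instead.
APPLTMP=$TMP/appliances
NOCONNTMP=$TMP/noconns
# $TMP defaults to /var/tmp, which is typically writable by every local user, and
# the file name is predictable. Remove whatever is already at that path, then
# create the file with noclobber so the shell refuses to write through a file or
# symlink that someone else placed there in the meantime.
rm -f -- "$APPLTMP"
(set -o noclobber; cat > "$APPLTMP") <<_ || echo "checkup: could not create $APPLTMP safely; appliance lookup will be unavailable" >&2
Crossbeam Hardware - X Series
Product Code Crossbeam
Thurley Crossbeam-APM 9600
Bridgeport Crossbeam-APM 8650
XBM-TBD Crossbeam-APM 8600
XBM-TBD Crossbeam-APM x700
Armageddon class - Check Point 61000 SGMs
Product Code Security Gateway Blade
A-20 SGM-220
A-40 SGM-240
A-60 SGM-260
Prometheus class - Check Point 13000 models
Product Code Security Gateway
P-370 Check Point 13500
Poseidon Class - Check Point 13800
P-380 Check Point 13800
Toxotai class - Check Point 4000 models
Product Code Security Gateway
T-110 Check Point 2200
T-120 Check Point 4200
T-140 Check Point 4400
T-160 Check Point 4600
T-180 Check Point 4800
T-181 Check Point TE250
Pireus class - Check Point 12000 models
Product Code Security Gateway VSX Appliance
P-210 Check Point 12200
P-220 Check Point 12400
P-230 Check Point 12600
P-231 Check Point TE1000
Grizzly class - Check Point 21000 models
Product Code Security Gateway VSX Appliance
G-50 Check Point 21400
G-70 Check Point 21600
G-72 Check Point 21700
G-75 Check Point 21800
London class - Series 80 models
Product Code Security Gateway 80
L-50 Security Gateway 80
Hoverfly class - 11000 models
Product Code Power-1 VSX-1
P-30 Power-1 11000 Series VSX-1 11000 Series
Dragonfly class - xx7x models
Product Code Power-1 UTM-1 Connectra Smart-1 VSX-1
Platforms Group Platforms Group VPN Group Platforms Group High End Gateway
Security Group
U-10 UTM-1 270 Connectra 270
U-15 UTM-1 570
U-20 UTM-1 1070
U-30 UTM-1 2070
U-40 UTM-1 3070 Connectra 3070 Smart-1 3074 VSX-1 3070
P-10 Power-1 5070
P-20 Power-1 9070 Connectra 9072 VSX-1 9070
IP Series
Product Code IP
IP-150 IP-150
IP-282 IP-282
IP-295 IP-295
IP-380 IP-380
IP-395 IP-395
IP-565 IP-565
IP-695 IP-695
IP-1285 IP-1285
IP-2455 IP-2455
IPS-1
Product Code IPS-1
U-31 IPS-1 2076
P-11 IPS-1 5076
P-21 IPS-1 9076
DLP-1
DLP-1 specifications
U-42 DLP-1 2571
P-22 DLP-1 9571
Butterfly class - UTM-1 130
Product Code UTM-1
U-5 UTM-1 130
Stonefly class - Smart-1 models
Product Code Smart-1
S-10 Smart-1 5
S-20 Smart-1 25
S-21 Smart-1 25b
S-30 Smart-1 50
S-40 Smart-1 150
Socrates class - Smart-1 models
Product Code Smart-1
ST-5 Smart-1 205
ST-10 Smart-1 210
ST-25 Smart-1 225
ST-50 Smart-1 3050
ST-150 Smart-1 3150
Tombo class - NEC Univerge models
Product Code UTM-1
BT0161-00001 UNIVERGE UnifiedWall 1000
BT0161-00002 UNIVERGE UnifiedWall 2000
BT0161-00003 UNIVERGE UnifiedWall 4000
Doda class - xx50 models
Product Code UTM-1
C2_UTM UTM-1 450
C6_UTM UTM-1 1050
C6P_UTM UTM-1 2050
Seattle Class - 600 and 1100 (for reference only)
Product Code SMB
L-50 SG80
L-61i CIP 1100
L-62 CIP 1200R
Miscellaneous
VMware Virtual Platform VE
_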
# a list of appliance names to exclude from connections-sampling -
# each name (e.g. "UTM-1 130") should be in a separate line, no quotes.
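# The exclusion list ships empty; add names between the two lines below.
# The path is predictable and $TMP may be writable by other local users, so any
# existing entry is removed first and the file is created with noclobber, which
# makes the shell refuse to write through a file or symlink planted at that path.
rm -f -- "$NOCONNTMP"
(set -o noclobber; cat > "$NOCONNTMP") <<_ || echo "checkup: could not create $NOCONNTMP safely; the exclusion list will be unavailable" >&2
_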
product_name() # extract "Product Name" from DMI's System Information section:
{
  # Prints the text that follows "Product Name: " inside the block that starts at
  # "System Information" and ends at the next line beginning with "Handle",
  # e.g. "U-10-00". dmidecode runs in a subshell with stderr merged into the
  # pipe, so an error message is filtered like any other line.
  (dmidecode) 2>&1 |
    awk '
      /System Information/,/^Handle/ {
        if ($2 == "Name:") {
          sub(/^.*Product Name: /, "")
          print
        }
      }'
}
product_code() # extract an appliance's significant part of a product-name:
{
  # Splits the product name on "-" or "_" and prints the first two pieces joined
  # by "-" (e.g. 'U-10'); prints "N/A" when there is no second piece.
  product_name | awk -F'-|_' '{
    if ($2) {
      print $1 "-" $2
    } else {
      print "N/A"
    }
  }'
}
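security_gateway() # find the first name matching a product-code:
{
  # Looks up the product code in the table at $APPLTMP and prints the first
  # non-empty field after the code column of the first matching row.
  # Globals: APPLTMP (read). Calls: product_code.
  #
  # The product code comes from DMI data, so it is handed to awk as a variable
  # (-v) and compared as a string instead of being pasted into the awk program
  # text, where a quote character in the value would change how the program is
  # parsed. sub() on a copy of the first field replaces its first "_" with "-",
  # which is what the earlier gensub() call did, without requiring gawk.
  # NOTE(review): the separator shown here is a single space, which awk treats as
  # default whitespace splitting; the empty-field test in the loop suggests the
  # table was meant to be tab-delimited. Confirm against the original file.
  awk -F' ' -v code="$(product_code)" '
    {
      key = $1
      sub(/_/, "-", key)
    }
    (key "") == (code "") {
      for (i = 2; i <= NF; i++) if ($i) { print $i; exit } # e.g. "UTM-1 270"
    }' "$APPLTMP"
}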
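# Placeholders reported when the platform offers no way to identify the hardware.
NAME="{unidentified}"
MEM="{not calculated}"
if [ "$RUNOS" = "Linux" ]; then
  NAME=$(security_gateway)
  if [ "$NAME" ]; then
    # Appliances listed in the exclusion file are not connection-sampled. The name
    # is matched as a fixed string on a whole line (-F -x); "--" keeps a name that
    # starts with "-" from being read as a grep option.
    grep -Fxq -- "$NAME" "$NOCONNTMP" && unset CONNS
  else
    # No table entry: fall back to the raw DMI product name.
    NAME=$(product_name) # e.g. "VMware Virtual Platform"
  fi
  # MemTotal is divided by 1024 and rounded, then reported below as MB.
  MEM=$(awk '/^MemTotal:/ {printf "%.0f",$2/1024}' /proc/meminfo)
elif [ "$RUNOS" = "IPSO" ]; then
  NAME=$( (ipsctl -n hw:motherboard:modelname) 2>/dev/null) # e.g. "IP690"
  MEM=$(ipsctl -n net:ip:cluster:physical_memory)
fi
echo " * Appliance: $NAME" >> "$OUTFILE" 2>&1
echo " * Total Physical Memory: $MEM MB" >> "$OUTFILE" 2>&1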
##############################################################################
# #
# Hyper-threading Check #
# #
##############################################################################
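# Linux-derived platforms only. The flag is quoted so an unset ISTORVALDS makes
# the test false instead of raising a "unary operator expected" error.
if [ "$ISTORVALDS" = "1" ]; then
  smallbreak
  # Output of the cpuinfo command, presumably a platform-provided utility.
  cpuinfo >> "$OUTFILE" 2>&1
  # /proc/smt_status exists only on some kernels; report it when present.
  if [ -f /proc/smt_status ]; then
    SMTSTAT=$(cat /proc/smt_status)
    echo "Hyper-Threading (SMT) Status: $SMTSTAT" >> "$OUTFILE" 2>&1
  fi
  secbreak
fi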
##############################################################################
# #
# LOM Check #
# #
##############################################################################
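if [ "$RUNOS" = "Linux" ]; then
  # Count PCI devices whose lspci line mentions "aspeed" (case-insensitive).
  HASLOM=$(lspci | grep -ci aspeed); export HASLOM
  # lom_exists is not set in the part of the script shown here; presumably it
  # comes from the environment. Verify where it is defined.
  if [ "$HASLOM" != "0" ] || [ "$lom_exists" = "1" ]; then
    echo "LOM installed" >> "$OUTFILE" 2>&1
  else
    echo "LOM possibly not installed" >> "$OUTFILE" 2>&1
  fi
  # Both outcomes end with a section break.
  secbreak
fi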
##############################################################################
# #
# Array Controller Check #
# #
##############################################################################
# Note: Tested on systems with only 1 array
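if [ "$RUNOS" = "Linux" ]; then
  # Count PCI devices whose lspci line mentions "mpt sas" (case-insensitive).
  HASMPT=$(lspci | grep -ci "mpt sas"); export HASMPT
  if [ "$HASMPT" != "0" ]; then
    echo "LSI Array controller installed. Status check: " >> "$OUTFILE" 2>&1
    # type -P prints the path of the tool, or nothing when it is not installed.
    # -n on a quoted value replaces the unquoted != "" comparison, which only
    # worked because the resulting test error counted as false.
    HASMPTSTATUS=$(type -P mpt-status)
    if [ -n "$HASMPTSTATUS" ]; then
      mpt-status >> "$OUTFILE" 2>&1
    fi
    HASLSIUTIL=$(type -P lsiutil); export HASLSIUTIL
    if [ -n "$HASLSIUTIL" ]; then
      lsiutil -s >> "$OUTFILE" 2>&1
      lsiutil check_state >> "$OUTFILE" 2>&1
      secbreak
    fi
  fi
fi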
##############################################################################
# #
# END of the appliance stuff #
# #
##############################################################################
# Source CP variables -- just in case
# Source CP variables -- just in case
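# Load the Check Point environment. Order of preference:
#   1. /etc/profile.d/CP.sh
#   2. /opt/CPshared/5.0/tmp/.CPprofile.sh
#   3. the newest /opt/CPshrd-R<major>/tmp/.CPprofile.sh, major 85 down to 60
#   4. the newest /opt/CPshrd-R<major>.<minor>/tmp/.CPprofile.sh, minor 99 down to 1
# The script exits with status 1 when none of them is found.
#
# The countdown uses bash arithmetic loops. "seq 85 60" prints nothing on
# platforms whose seq defaults to an increment of +1, which is why a second
# brace-expansion copy of the same search existed; one loop now covers both.
#
# NOTE(review): every file found here is sourced into this shell, which is
# normally run with administrative rights. Confirm these paths are writable
# only by root on the systems where the script is used.
if [ -f /etc/profile.d/CP.sh ]; then
  echo "....... Sourcing CP Variables file /etc/profile.d/CP.sh" >> "$OUTFILE"
  source /etc/profile.d/CP.sh
else
  echo "....... CP Variables file at /etc/profile.d/CP.sh not present. Attempting sourcing of CPprofile.sh" >> "$OUTFILE"
  if [ -f /opt/CPshared/5.0/tmp/.CPprofile.sh ]; then
    echo "....... Sourcing CPprofile Variables file /opt/CPshared/5.0/tmp/.CPprofile.sh" >> "$OUTFILE"
    source /opt/CPshared/5.0/tmp/.CPprofile.sh
  else
    # VER stays 0 until a profile has been sourced; afterwards it holds the
    # release digits (major, or major followed by minor).
    VER=0
    # Major-only directories, newest first; the file must be readable.
    for ((x = 85; x >= 60; x--)); do
      if [ -r "/opt/CPshrd-R$x/tmp/.CPprofile.sh" ]; then
        echo "....... Sourcing CPprofile Variables file /opt/CPshrd-R$x/tmp/.CPprofile.sh" >> "$OUTFILE"
        source "/opt/CPshrd-R$x/tmp/.CPprofile.sh"
        VER=$x
        break
      fi
    done
    # Major.minor directories, newest first; the file must exist as a regular file.
    if [ "$VER" -eq 0 ]; then
      for ((x = 85; x >= 60; x--)); do
        for ((y = 99; y >= 1; y--)); do
          if [ -f "/opt/CPshrd-R$x.$y/tmp/.CPprofile.sh" ]; then
            echo "....... Sourcing CPprofile Variables file /opt/CPshrd-R$x.$y/tmp/.CPprofile.sh" >> "$OUTFILE"
            source "/opt/CPshrd-R$x.$y/tmp/.CPprofile.sh"
            VER=$x$y
            break 2
          fi
        done
      done
    fi
    if [ "$VER" -eq 0 ]; then
      echo "!!!!! Warning: can't find either CP.sh nor .CPprofile.sh. Cannot proceed and therefore terminating execution !!!!!" >> "$OUTFILE"
      echo "!!!!! Warning: can't find either CP.sh nor .CPprofile.sh. Cannot proceed and therefore terminating execution !!!!!"
      exit 1
    fi
  fi
fi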
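# Load the VSX environment helpers when the platform ships them.
if [ -f /etc/profile.d/vsenv.sh ]; then
  echo " ...... Sourcing VSX environment shell..." >> "$OUTFILE" 2>&1
  source /etc/profile.d/vsenv.sh
fi
# FWLABEL: the CPshared CurrentLabel value with all spaces removed.
# The command path is quoted so a CPDIR containing spaces still resolves.
FWLABEL=$("$CPDIR/bin/cpprod_util" CPPROD_GetValue CPshared CurrentLabel 1 | sed 's/ //g'); export FWLABEL
# SWBVER: the part of the label before the first ".", with every "R" and space
# removed. It is compared numerically later in the script.
SWBVER=$(printf '%s\n' "$FWLABEL" | awk 'BEGIN { FS="." } { print $1 }' | sed 's/[R ]//g'); export SWBVER
echo "Current FW Version Label is - $FWLABEL" >> "$OUTFILE" 2>&1
# What version of code?
smallbreak
fw ver >> "$OUTFILE" 2>&1
secbreak
# Version flags used throughout the script; all start cleared.
ISVSX=0
ISVSXSWB=0
ISSWB=0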
##################################################################################
# Start of logic for Provider-1 / Multi-Domain #
# #
# Set a variable for use throughout the script in the event that MDM is detected #
##################################################################################
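smallbreak
# ISMDS becomes 1 when MDSDIR is set to a non-empty value.
ISMDS=0
CHECKMDS=$MDSDIR
if [ -n "$CHECKMDS" ]; then
  ISMDS=1
  echo " *** This is a Provider-1 / Multi-Domain Management System ***" >> "$OUTFILE" 2>&1
  # Ensure that environment variables are set properly. The path is quoted so an
  # MDS_SYSTEM value containing spaces is tested and sourced as one path.
  if [ -f "$MDS_SYSTEM/shared/OSdependency.sh" ]; then
    echo "....... Sourcing MDS OS Dependency file" >> "$OUTFILE"
    source "$MDS_SYSTEM/shared/OSdependency.sh"
  else
    echo "....... MDS OS Dependency file at $MDS_SYSTEM/shared/OSdependency.sh not present. Bypassing sourcing" >> "$OUTFILE"
  fi
fi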
###################################################################################
# Start of logic for GAiA OS #
# #
# Set a variable for use throughout the script in the event that GAiA is detected #
###################################################################################
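# ISGAIA becomes 1 when /etc/appliance_config.xml exists as a regular file.
ISGAIA=0
if [ -f "/etc/appliance_config.xml" ]; then
  ISGAIA=1
  # Redirect target quoted so a report path with spaces works.
  echo " *** System is running GAiA ***" >> "$OUTFILE" 2>&1
fi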
##################################################################################
# Start of logic for VSX #
# #
# Set a variable for use throughout the script in the event that VSX is detected #
# The second should address R75.40VS - future revs to come #
# Added a second variable for 75.40VS and later checks #
##################################################################################
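# Resulting flag combinations:
#   label "V40" (legacy VSX)            ISVSX=1 ISVSXSWB=0 ISSWB=0
#   newer than R74 and FwIsVSX is "1"   ISVSX=1 ISVSXSWB=1 ISSWB=1
#   anything else                       ISVSX=0 ISVSXSWB=0 ISSWB=1
ISVSX=0
ISVSXSWB=0
ISSWB=0
if [ "$FWLABEL" = "V40" ]; then
  ISVSX=1
  echo " *** System is running Legacy VSX ***" >> "$OUTFILE" 2>&1
else
  ISSWB=1
  # SWBVER is quoted and the test's own error output is discarded: an empty or
  # non-numeric value counts as "not newer than R74", the branch such a value
  # already fell into, without printing a test error on the terminal.
  if [ "$SWBVER" -gt 74 ] 2>/dev/null; then
    CHECKVSX=$("$CPDIR/bin/cpprod_util" FwIsVSX); export CHECKVSX
    if [ "$CHECKVSX" = "1" ]; then
      ISVSX=1
      ISVSXSWB=1
      echo " *** System is running Virtual Systems ***" >> "$OUTFILE" 2>&1
    fi
  fi
fi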
##############################################################################
# #
# The Basics #
# #
##############################################################################
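secbreak
echo " ########### Basic stuff ###########" >> "$OUTFILE" 2>&1
echo " *** uptime ***" >> "$OUTFILE" 2>&1
# How long has the installation been running
uptime >> "$OUTFILE" 2>&1
secbreak
if [ "$RUNOS" = "IPSO" ]; then
  # Process-table lines mentioning net_taskq, then the net:taskq:dev settings.
  # The grep process itself may also appear in the listing.
  echo " *** Net_Taskq ***" >> "$OUTFILE" 2>&1
  ps aux | grep net_taskq >> "$OUTFILE" 2>&1
  ipsctl -a net:taskq:dev >> "$OUTFILE" 2>&1
  # Process-table lines mentioning fw_worker.
  echo " *** fw_worker ***" >> "$OUTFILE" 2>&1
  ps aux | grep fw_worker >> "$OUTFILE" 2>&1
fi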
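if [ "$ISTORVALDS" = "1" ]; then
  ##############################################################################
  # PROCESS CHECKS                                                             #
  # The /proc entries to dump are kept in one list file, so adding a check     #
  # means adding a line rather than more code.                                 #
  ##############################################################################
  # Add entries to the list below, before the closing "_". Only the first
  # word of each line is used; the rest of the line is a note for the reader.
  # mktemp -t behaves differently across platforms, so a fixed name under $TMP
  # is used.
  PROCCHECKS=$TMP/proccheck
  # The name is predictable and $TMP may be writable by other local users: clear
  # the path first, then create the file with noclobber so the shell refuses to
  # write through a file or symlink that appeared there in the meantime.
  rm -f -- "$PROCCHECKS"
  (set -o noclobber; cat > "$PROCCHECKS") <<_ || echo "checkup: could not create $PROCCHECKS safely; process checks may be incomplete" >&2
/proc/cpuinfo # How many and what kinds of CPUs are in the installation
/proc/loadavg # CPU Load Average
/proc/bus/pci/devices # What PCI devices are installed -- important for understanding the platform and NICs
/proc/sys/vm/balance_pgdat_debug # Verify the new value of the balancing
/proc/sys/vm/balance_pgdat_limit # Verify the new value of the balancing
/proc/sys/vm/balance_pgdat_order # Verify the new value of the balancing
/proc/sys/vm/balance_pgdat_zone # Verify the new value of the balancing
/proc/interrupts # What Interrupts are being used (and where)
/proc/slabinfo
/proc/sys/net/ipv4/route/max_size # Linux kernel parameters -- most often important when there's a large network
/proc/sys/net/ipv4/neigh/default/gc_thresh1 # kernel memory garbage collection
/proc/sys/net/ipv4/neigh/default/gc_thresh2 # kernel memory garbage collection
/proc/sys/net/ipv4/neigh/default/gc_thresh3 # kernel memory garbage collection
/proc/sys/net/ipv4/route/gc_timeout # kernel memory garbage collection
/proc/sys/net/ipv4/route/gc_interval # kernel memory garbage collection
/proc/sys/net/ipv4/route/gc_elasticity # kernel memory garbage collection
/proc/sys/net/ipv6/route/max_size # IPv6 route cache size
/proc/sys/net/ipv6/neigh/default/gc_thresh1 # v6 kernel memory garbage collection
/proc/sys/net/ipv6/neigh/default/gc_thresh2 # v6 kernel memory garbage collection
/proc/sys/net/ipv6/neigh/default/gc_thresh3 # v6 kernel memory garbage collection
/proc/sys/net/ipv6/route/gc_timeout # v6 kernel memory garbage collection
/proc/sys/net/ipv6/route/gc_interval # v6 kernel memory garbage collection
/proc/sys/net/ipv6/route/gc_elasticity # v6 kernel memory garbage collection
/proc/ppk/cpls # SecureXL configuration for ClusterXL Load Sharing support
/proc/ppk/erdos # SXL Penalty box
_
  # End of the list. The first word of every line is a path to dump.
  PROCLIST=$(awk '{print $1}' "$PROCCHECKS")
  echo
  echo " ###################################################################"
  echo " # Starting process checks... #"
  echo " ###################################################################"
  echo
  echo "#### Process checks ####" >> "$OUTFILE" 2>&1
  # PROCLIST is deliberately left unquoted: it is split into one path per word.
  for PROCNAME in $PROCLIST; do
    if [ -e "$PROCNAME" ]; then
      echo " *** $PROCNAME ***" >> "$OUTFILE" 2>&1
      cat "$PROCNAME" >> "$OUTFILE" 2>&1
    else
      echo " *** Host does not have $PROCNAME present ***" >> "$OUTFILE" 2>&1
    fi
    smallbreak
  done
  # End of the list-driven dump. Specific items follow.
  # Map each IRQ to its CPU affinity mask. Entries are taken from a glob rather
  # than from parsing ls output; an entry without an smp_affinity file produces a
  # cat error in the report.
  echo " ##### IRQ to CPU detailed information #####" >> "$OUTFILE" 2>&1
  echo " IRQ -- CPU" >> "$OUTFILE" 2>&1
  for irqpath in /proc/irq/*; do
    # An unmatched glob stays literal; skip it.
    [ -e "$irqpath" ] || continue
    i=${irqpath##*/}
    echo -n "$i -- " >> "$OUTFILE" 2>&1
    cat "/proc/irq/$i/smp_affinity" >> "$OUTFILE" 2>&1
  done
  smallbreak
  echo " ##### egrep ip_dst_cache /proc/slabinfo" >> "$OUTFILE" 2>&1
  egrep ip_dst_cache /proc/slabinfo >> "$OUTFILE" 2>&1
  secbreak
  echo " ########## LowFree ##########" >> "$OUTFILE" 2>&1
  grep -i lowfree /proc/meminfo >> "$OUTFILE" 2>&1
  smallbreak
  echo " ########## VMALLOC ##########" >> "$OUTFILE" 2>&1
  grep -i vmalloc /proc/meminfo >> "$OUTFILE" 2>&1
  smallbreak
  echo " ######### CPD Scheduled Tasks ##########" >> "$OUTFILE" 2>&1
  # What tasks are scheduled using the CP Scheduler?
  cpd_sched_config print >> "$OUTFILE" 2>&1
  smallbreak
fi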
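secbreak
##########################################################################
# FILE CHECKS                                                            #
# The files to copy into the report are kept in one list file, so adding #
# a check means adding a line rather than more code.                     #
##########################################################################
# Add entries to the list below, before the closing "_". Only the first word
# of each line is used; the rest of the line is a note for the reader. Variables
# such as $FWDIR are expanded when the list is written.
# mktemp -t behaves differently across platforms, so a fixed name under $TMP is
# used.
# NOTE(review): several of these files (sshd, SNMP and OPSEC configuration) can
# hold credentials or community strings, and they are copied verbatim into the
# report. Handle the report accordingly.
FILECHECKS=$TMP/filecheck
# The name is predictable and $TMP may be writable by other local users: clear
# the path first, then create the file with noclobber so the shell refuses to
# write through a file or symlink that appeared there in the meantime.
rm -f -- "$FILECHECKS"
(set -o noclobber; cat > "$FILECHECKS") <<_ || echo "checkup: could not create $FILECHECKS safely; file checks may be incomplete" >&2
/etc/resolv.conf # What's the name resolution config -- sometimes performance is adversely influenced by bad DNS settings
/etc/ntpd.conf # Time config
/etc/ntp.conf
/etc/hosts # Local hosts file
/etc/modprobe.conf # Any NIC or kernel tweaks?
/etc/sysctl.conf # Any kernel tweaks?
/etc/ssh/sshd_config # Any hacks to sshd?
/etc/issue # console banner file
/etc/issue.net # network banner file
/etc/fstab # File system table
/etc/motd # message of the day file
/etc/grub.conf # Grub config -- important to see vmalloc
/etc/gated.ami # gated config file
/etc/gated_xl.ami # gated config file
/etc/rc.d/rc.local # local RC files -- any changes here (such as kernel tweaks)?
/etc/rc.d/rc.local.user # local RC files -- any changes here (such as kernel tweaks)?
/etc/snmp/snmpd.conf # SNMP server paramters
/etc/snmp/snmpd.users.conf # SNMP users paramters
$FWDIR/boot/boot.conf # Firewall boot params
/etc/fw.boot/boot.conf # Firewall boot params
$FWDIR/boot/modules/fwkern.conf # Any firewall kernel tweaks?
$PPKDIR/boot/modules/simkern.conf # Any SIM tweaks?
$FWDIR/conf/discntd.if # ClusterXL Disconnected Interfaces
$FWDIR/conf/cpha_hosts # ClusterXL Monitored IPs
$FWDIR/conf/cphaprob.conf # ClusterXL configuration tweaks (timers)
$FWDIR/conf/local.arp # SPLAT / GAiA manual ARP
$FWDIR/conf/snmp.C # Firewall SNMP config
$FWDIR/conf/vsaffinity_exception.conf # Relevant to R75.40VS and later Virtual systems only
$FWDIR/conf/masters # masters file
$MDSDIR/conf/external.if # Relevant to P1 / MDSM only
$FWDIR/conf/mta_postfix_options.cf # R77 and later Postfix MTA custom options
$FWDIR/conf/fwopsec.conf # OPSEC / LEA configuration options
_
# The first word of every line is a path to copy into the report.
FILELIST=$(awk '{print $1}' "$FILECHECKS")
smallbreak
echo
echo " ###################################################################"
echo " # Starting file checks... #"
echo " ###################################################################"
echo
echo "#### File checks ####" >> "$OUTFILE" 2>&1
# FILELIST is deliberately left unquoted: it is split into one path per word.
for FILENAME in $FILELIST; do
  if [ -e "$FILENAME" ]; then
    echo " *** $FILENAME ***" >> "$OUTFILE" 2>&1
    cat "$FILENAME" >> "$OUTFILE" 2>&1
  else
    echo " *** Host does not have $FILENAME present ***" >> "$OUTFILE" 2>&1
  fi
  # Every entry, present or not, is followed by a blank line and a section rule.
  smallbreak
  secbreak
done
secbreak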
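if [ "$ISGAIA" = "1" ]; then
  # Full OS configuration as printed by clish.
  # NOTE(review): "show configuration" output may include account and SNMP
  # settings; treat the report as sensitive.
  echo " *** GAiA Base OS config ***" >> "$OUTFILE" 2>&1
  clish -i -c "show configuration" >> "$OUTFILE" 2>&1
  smallbreak
  # Lines of /config/active that mention both "monitor" (any case) and
  # "interface". echo is kept around the substitution so that a blank line is
  # written even when nothing matches.
  echo " *** Monitor Mode configuration ***" >> "$OUTFILE" 2>&1
  echo "$(grep -i monitor /config/active | grep interface)" >> "$OUTFILE" 2>&1
  secbreak
fi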
##########################################################################
# MEMORY AND DISK CHECKS #
##########################################################################
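echo " *** Disk (Partition) utilization ***" >> "$OUTFILE" 2>&1
# Disk partition information
df -h >> "$OUTFILE" 2>&1
smallbreak
# Linux-derived platforms: memory summary, open file handles and inode usage.
if [ "$ISTORVALDS" = "1" ]; then
  echo " ########## free ##########" >> "$OUTFILE" 2>&1
  free >> "$OUTFILE" 2>&1
  smallbreak
  echo " ####### Disk utilization - file, df and du ########## " >> "$OUTFILE" 2>&1
  echo " *** Files open currently: {# of allocated file handles} {# of free file handles} {system-wide limit} ***" >> "$OUTFILE" 2>&1
  cat /proc/sys/fs/file-nr >> "$OUTFILE" 2>&1
  echo " *** Partition iNode utilization ***" >> "$OUTFILE" 2>&1
  # iNode utilization information
  df -i >> "$OUTFILE" 2>&1
  smallbreak
fi
# The du pass walks the filesystem from /; DODUCHECK set to anything other than
# "1" skips it.
if [ "$DODUCHECK" = "1" ]; then
  echo " *** du ***" >> "$OUTFILE" 2>&1
  # Each platform spells the depth limit differently; the last form has no depth
  # option and summarises each top-level entry instead.
  if [ "$ISTORVALDS" = "1" ]; then
    du -h / --max-depth=2 >> "$OUTFILE" 2>&1
  elif [ "$RUNOS" = "IPSO" ]; then
    du -h -d 2 / >> "$OUTFILE" 2>&1
  else
    du -sh /* >> "$OUTFILE" 2>&1
  fi
else
  echo " *** du check being bypassed ***" >> "$OUTFILE" 2>&1
fi
smallbreak
secbreak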
##########################################################################
# KERNEL BUFFER AND MODULE CHECKS #
##########################################################################
# Kernel ring buffer, loaded kernel modules (Linux only) and ARP cache size.
{
  echo "########## DMESG ############"
  dmesg
} >> $OUTFILE 2>&1
smallbreak
secbreak

# Module usage and alloc
if [ "$ISTORVALDS" = "1" ]; then
  {
    echo "########## LSMOD ############"
    lsmod
  } >> $OUTFILE 2>&1
fi
smallbreak
secbreak

# Number of ARP entries
echo " ##### arp -an | wc -l: $(arp -an | wc -l)" >> $OUTFILE 2>&1
secbreak
##############################################################################
##############################################################################
## ##
## Check Point Software Checks ##
## ##
##############################################################################
##############################################################################
# Progress banner for the operator (terminal only, not written to the report).
printf '%s\n' \
  "" \
  " ###################################################################" \
  " # Starting Check Point product checks... #" \
  " ###################################################################" \
  ""
echo " ########### Check Point Software stuff ###########" >> $OUTFILE 2>&1

#############################################################################
# FEATURE CHECKS #
#############################################################################
# Dump the installed-products registry values as reported by cpprod_util.
{
  echo " ### Basic installed feature check ### "
  $CPDIR/bin/cpprod_util CPPROD_GetKeyValues Products 0
} >> $OUTFILE 2>&1
smallbreak
if [ "$ISMDS" != "1" ]
then
##############################################################################
# #
# Check what features (blades) are running (detailed check) #
# This section was extracted from machine_info.sh (Eyal Sher, Raz Amir, #
# Eitan Lugassi) #
# #
##############################################################################
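# Blade lookup table read by activeblades(), one blade per line:
#   "short name for user" property-name [inner set-name]
#
# NOTE(review): both work files use fixed names under $TMP, and activeblades()
# passes every line of $BLADECHECK through eval. If $TMP is writable by other
# local users, the file could be replaced between this write and that read.
# TODO confirm $TMP is a private directory (e.g. created with mktemp -d).
BLADECHECK=$TMP/blade_names
BLADESTAT=$TMP/blade_disabled

# The delimiter is quoted so the table is written literally, with no
# parameter or command expansion, and the target path is quoted so a $TMP
# containing blanks still works.
cat > "$BLADECHECK" <<'_'
FW firewall
MGMT management
MNTR monitor_blade
UDIR user_dir_blade
VPN VPN_1
QOS floodgate
MAB connectra
URLF uf_integrated
A_URLF advanced_uf_blade
AV anti_virus_blade
ASPM antispam_integrated
APP_CTL application_firewall_blade
IPS Name SD_profile
DLP data_loss_prevention_blade
IA identity_aware_blade_installed identity_aware_blade
SSL_INSPECT ssl_inspection_enabled
ANTB anti_malware_blade
MON real_time_monitor
EVNT event_analyzer
RPTR reporting_server
EVCOR ips_event_correlator
EVNT ips_event_manager
EVIN smartevent_intro
MTA mta_enabled
TED threat_emulation_blade
_

# property values that indicate a disabled blade:
cat > "$BLADESTAT" <<'_'
No_protection
not-installed
false
_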
# Run as function to support return codes
#######################################
# Report which software blades are active on the local gateway object.
# Globals:
#   FWDIR, CPDIR, TMP, BLADECHECK, BLADESTAT, OUTFILE (read)
#   OBJ_FILE, REG_FILE, SIC_NAME, OBJ_NAME (written; not declared local, so
#   they stay set for the caller after the function returns)
# Files written: $TMP/local_obj, $TMP/blade_val
# Outputs:
#   The "* Active blades:" prefix goes straight to $OUTFILE; the blade names
#   and the N/A messages go to stdout.
# Returns:
#   1 when objects.C or the registry file is unreadable, or when the SIC name
#   or the matching object cannot be found.
#######################################
activeblades() {
# print a single line, e.g. "* Active blades: FW MGMT VPN IPS":
echo -n "* Active blades:" >> $OUTFILE 2>&1 # start a single line ...
OBJ_FILE=$FWDIR/database/objects.C
if ! [ -r $OBJ_FILE ] 2>/dev/null
then
echo " N/A - cannot read file: $OBJ_FILE"
return 1
fi
REG_FILE=$CPDIR/registry/HKLM_registry.data
if [ ! -r $REG_FILE ] 2>/dev/null
then
echo " N/A - cannot read file: $REG_FILE"
return 1
fi
# Take the first MySICname value from the registry file, upper-cased.
SIC_NAME=$(
awk -F\" '
/^[[:blank:]]+:MySICname \("/ {
print toupper($2) # case-insensitive
exit # one match only
}
' $REG_FILE
)
if [ -z "$SIC_NAME" ]
then
echo ' N/A - failed to retrieve SIC name'
return 1
fi
# Find the object in objects.C whose sic_name matches the local SIC name.
# NOTE(review): $SIC_NAME is spliced into the awk program text, so the value
# read from the registry file is interpreted as awk source and as a regular
# expression rather than as a literal string. Passing it with "awk -v" and
# comparing literally would avoid both; the registry file is presumably
# trusted, root-owned input - confirm.
OBJ_NAME=$(
awk -F\( "
/^\t\t: \(/ {
# save current set's name as object's context:
obj=\$2
}
/^\t\t\t:sic_name \(/ {
# match the saved SIC name with current set's:
if (toupper(\$2)~/^\"$SIC_NAME\"/) {
print obj
exit
}
}
" $OBJ_FILE
)
if [ -z "$OBJ_NAME" ]
then
echo ' N/A - failed to match an object to SIC name'
return 1
fi
# dump the local object:
cat $OBJ_FILE | tr '\t' ' ' | sed -n "/^ : ($OBJ_NAME$/,/^ )/p" > $TMP/local_obj
# go over the blades file, skip empty lines:
# (the loop is the last stage of a pipeline, so it runs in a subshell)
grep -v "^[[:blank:]]*$" $BLADECHECK | while read LINE
do
# NOTE(review): eval runs each line of $BLADECHECK as shell code. That is only
# safe while the file holds exactly what this script wrote; it lives under a
# fixed name in $TMP, so confirm that directory is not writable by other users.
eval "set -- $LINE" # set positional parameters ("eval" preserves quotes)
# try to find a blade's value - if unavailable, skip to next blade:
sed -n "/^ :${3-$2} (/,/^ )/p" $TMP/local_obj | \
grep "^ ${3+ }:$2 (" > $TMP/blade_val || continue
# match value for "disabled" - if unmatched, assume enabled:
grep -wqf $BLADESTAT $TMP/blade_val || \
echo -n " $1" # append the blade's name to line, e.g. " MGMT"
done
echo # end the blades line (newline)
}
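# Run the blade check in the current shell (a redirected function call does
# not fork), so the SIC_NAME and OBJ_NAME it sets are visible below.
activeblades >> "$OUTFILE" 2>&1
smallbreak
if [ -z "$SIC_NAME" ]; then
  echo "Unable to determine SIC name of module" >> "$OUTFILE" 2>&1
else
  echo "SIC Name of module: $SIC_NAME" >> "$OUTFILE" 2>&1
fi
smallbreak
if [ -z "$OBJ_NAME" ]; then
  echo "Unable to determine object name of module" >> "$OUTFILE" 2>&1
else
  echo "Object name: $OBJ_NAME" >> "$OUTFILE" 2>&1
fi
smallbreak
# Cleanup temporary files. activeblades can return before local_obj and
# blade_val exist, so -f keeps rm quiet about files that were never created;
# the paths are quoted so a $TMP containing blanks is handled.
rm -f "$TMP/local_obj" "$TMP/blade_val" "$BLADECHECK" "$BLADESTAT"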
fi
#############################################################################
# STATUS CHECKS #
#############################################################################
# Not every command works on every platform; warnuser gives the operator
# some feedback before the section starts.
warnuser

# Firewall-1 process list - run only if not on an MDS
if [ "$ISMDS" != "1" ]; then
  {
    echo " ########## cpwd_admin list ##########"
    cpwd_admin list
  } >> $OUTFILE 2>&1
  smallbreak
fi

# OS-level cpstat flavours, each preceded by a label naming the flavour.
echo " ########## cpstat stuff ##########" >> $OUTFILE 2>&1
for CPSTAT_FLAVOR in cpu memory multi_cpu all; do
  echo " *** -f $CPSTAT_FLAVOR os ***" >> $OUTFILE 2>&1
  cpstat -f "$CPSTAT_FLAVOR" os >> $OUTFILE 2>&1
done
unset CPSTAT_FLAVOR
secbreak
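# Gateway feature checks: run only on a firewall module that is not VSX.
# The cpprod_util output is quoted so the test stays well-formed when the
# command prints nothing.
if [ "$(cpprod_util FwIsFirewallModule)" = "1" ] && [ "$ISVSX" != "1" ]; then
  # Check for the presence of the new ips command
  IPSPROGCHK=$(type -P ips)
  echo " ########## Gateway checks ##########" >> "$OUTFILE" 2>&1
  echo " *** -f all fw ***" >> "$OUTFILE" 2>&1
  cpstat -f all fw >> "$OUTFILE" 2>&1
  echo " *** -f sysinfo cvpn ***" >> "$OUTFILE" 2>&1
  cpstat -f sysinfo cvpn >> "$OUTFILE" 2>&1
  echo " *** -f all vpn ***" >> "$OUTFILE" 2>&1
  cpstat -f all vpn >> "$OUTFILE" 2>&1
  smallbreak
  echo " *** ASM / IPS ***" >> "$OUTFILE" 2>&1
  cpstat -f default asm >> "$OUTFILE" 2>&1
  cpstat -f WS asm >> "$OUTFILE" 2>&1

  # Basic URLF cache check -- can use refinement
  if [ "$ISSWB" = "1" ]; then
    echo " ### URL Filtering Cache Status ###" >> "$OUTFILE" 2>&1
    fw tab -t urlf_cache_tbl -s >> "$OUTFILE" 2>&1
    smallbreak
    # Word splitting is intentional: one array element per matching line.
    # NOTE(review): indexes 4 and 3 below depend on the order of the
    # cache_max_hash_size entries in rad_services.C - confirm per release.
    APURCACHE=( $(grep cache_max_hash_size "$FWDIR/database/rad_services.C" | awk '{print $2}') )
    echo " *** URLF Cache table size: ${APURCACHE[4]} " >> "$OUTFILE" 2>&1
    smallbreak
    echo " ### Application Control Status ###" >> "$OUTFILE" 2>&1
    fw tab -t appi_connections -t appi_session_table -s >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** Application Control Cache table size: ${APURCACHE[3]} " >> "$OUTFILE" 2>&1
    smallbreak
    echo " ### Usercheck configuration parameters ###" >> "$OUTFILE" 2>&1
    echo " *** UserCheck HTTPD.CONF *** " >> "$OUTFILE" 2>&1
    for UC_KEY in ServerLimit MaxClients MinSpareServers StartServers; do
      echo " $(grep "$UC_KEY" /opt/CPUserCheckPortal/conf/httpd.conf) " >> "$OUTFILE" 2>&1
    done
    smallbreak
    echo " *** UserCheck PHP.INI *** " >> "$OUTFILE" 2>&1
    echo " $(grep session.gc_maxlife /opt/CPUserCheckPortal/conf/php.ini) " >> "$OUTFILE" 2>&1
    smallbreak
  fi

  if [ -n "$IPSPROGCHK" ]; then
    echo " *** IPS Configuration ***" >> "$OUTFILE" 2>&1
    ips stat >> "$OUTFILE" 2>&1
    smallbreak
  fi

  echo " *** FloodGate ***" >> "$OUTFILE" 2>&1
  cpstat -f all fg >> "$OUTFILE" 2>&1

  # Check for the presence of the IA command for AD
  ADPROGCHK=$(type -P adlog)
  if [ -n "$ADPROGCHK" ]; then
    echo " #### Identity Awareness Active Directory ####" >> "$OUTFILE" 2>&1
    cpstat -f default identityServer >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** DC Connectivity ***" >> "$OUTFILE" 2>&1
    adlog a dc >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** DC statistics ***" >> "$OUTFILE" 2>&1
    adlog a statistics >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** IA Suspected Service Accounts ***" >> "$OUTFILE" 2>&1
    adlog a service_accounts >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** IA Authentication Metrics ***" >> "$OUTFILE" 2>&1
    cpstat identityServer -f authentication >> "$OUTFILE" 2>&1
  fi

  # Check for the presence of the IA command for PDP
  PDPPROGCHK=$(type -P pdp)
  if [ -n "$PDPPROGCHK" ]; then
    echo " #### Identity Awareness Personality Detection (PDP) ####" >> "$OUTFILE" 2>&1
    pdp status show >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** PDP connections to enforcement points ***" >> "$OUTFILE" 2>&1
    pdp connections pep >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** PDP connections to terminal servers ***" >> "$OUTFILE" 2>&1
    pdp connections ts >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** PDP tables ***" >> "$OUTFILE" 2>&1
    # NOTE(review): pdp_super_sessions is listed twice; possibly another
    # table was intended - confirm. Left as written.
    fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t pdp_expired_timers -t pdp_ip -t pdp_net_db -t pdp_cluster_stat -s >> "$OUTFILE" 2>&1
    smallbreak
  fi

  # Check for the presence of the IA command for PEP
  PEPPROGCHK=$(type -P pep)
  if [ -n "$PEPPROGCHK" ]; then
    echo " #### Identity Awareness Personality Enforcement (PEP) ####" >> "$OUTFILE" 2>&1
    pep show stat >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** PEP connections to Detection points (PDP) ***" >> "$OUTFILE" 2>&1
    pep show pdp all >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** PEP tables ***" >> "$OUTFILE" 2>&1
    fw tab -t pep_pdp_db -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -s >> "$OUTFILE" 2>&1
    smallbreak
  fi

  # Check for the presence of TED commands
  TEDPROGCHK=$(type -P tecli)
  if [ -n "$TEDPROGCHK" ]; then
    echo " #### Threat Emulation Basic Statistics ####" >> "$OUTFILE" 2>&1
    tecli s s >> "$OUTFILE" 2>&1
    smallbreak
    echo " #### Threat Emulation Cloud Information ####" >> "$OUTFILE" 2>&1
    tecli s c i >> "$OUTFILE" 2>&1
    smallbreak
    echo " #### Threat Emulation Cloud Quota Status ####" >> "$OUTFILE" 2>&1
    tecli s c q >> "$OUTFILE" 2>&1
    smallbreak
  fi

  echo " *** Provisioning Agent ***" >> "$OUTFILE" 2>&1
  cpstat -f default PA >> "$OUTFILE" 2>&1
  echo " *** LS ***" >> "$OUTFILE" 2>&1
  cpstat -f default ls >> "$OUTFILE" 2>&1
  echo " *** High Availability ***" >> "$OUTFILE" 2>&1
  cpstat -f default ha >> "$OUTFILE" 2>&1

  # ADPROGCHK was previously left set; clear every probe variable together.
  unset IPSPROGCHK ADPROGCHK TEDPROGCHK PDPPROGCHK PEPPROGCHK UC_KEY
else
  echo "### Node is not a gateway or is a VSX system. FW Module checks bypassed ###" >> "$OUTFILE" 2>&1
fi
secbreak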
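# Management checks. A stand-alone manager is examined once; on Provider-1 /
# MDSM every domain (CMA) is examined in turn after switching context with
# mdsenv. The three helpers hold the steps both paths share; they read $FWDIR
# and $CPDIR at call time, so they follow the context mdsenv selected.

# Report the number of policy packages and, per package, the rule counts
# found in its compiled .W file.
_checkup_policy_summary() {
  local rulebases="$FWDIR/conf/rulebases_5_0.fws"
  local rule_list rule_name compiled
  echo " *** Policies ***" >> "$OUTFILE" 2>&1
  echo " *** Number of policies: $(grep rule-base "$rulebases" | wc -l)" >> "$OUTFILE" 2>&1
  rule_list=$(grep rule-base "$rulebases" | awk 'BEGIN { FS="##" } { print $2 }' | awk 'BEGIN { FS="\"" } { print $1 }')
  # Word splitting is intentional: one policy name per word.
  for rule_name in $rule_list; do
    compiled="$FWDIR/conf/$rule_name.W"
    echo " *** Policy Name: $rule_name" >> "$OUTFILE" 2>&1
    if [ -f "$compiled" ]; then
      echo " --- Number of rules in $rule_name (compiled): $(grep ":unified_rulenum (" "$compiled" | tail -n 1 | awk ' BEGIN { FS = "(" } { print $2 } ' | awk ' BEGIN { FS = ")" } { print $1 } ') " >> "$OUTFILE" 2>&1
      echo " --- Number of Manual NAT rules in $rule_name (compiled): $(grep rule_adtr "$compiled" | wc -l) " >> "$OUTFILE" 2>&1
    else
      echo " --- Rulebase not compiled for installation" >> "$OUTFILE" 2>&1
    fi
  done
}

# Report how many entries the database revision repository holds.
_checkup_revision_summary() {
  local repo="$FWDIR/conf/db_versions/repository/"
  echo " *** revision control ***" >> "$OUTFILE" 2>&1
  if [ -d "$repo" ]; then
    echo " *** Number of database revisions: $(ls "$repo" | wc -l) " >> "$OUTFILE" 2>&1
  else
    echo " *** No Database revision directory." >> "$OUTFILE" 2>&1
  fi
}

# Report the Edge LibSW version lines; LIBSWPATH stays exported as before.
_checkup_edge_libsw() {
  echo " *** Edge LibSW Version Check *** " >> "$OUTFILE" 2>&1
  LIBSWPATH=$("$CPDIR/bin/cpprod_util" CPPROD_GetProdDir EdgeCmp | sed 's/ //g')
  export LIBSWPATH
  grep -i "version" "$LIBSWPATH/libsw/version.txt" >> "$OUTFILE" 2>&1
}

# Run some feature checks if on a manager and NOT P1
if [ "$ISMDS" != "1" ]; then
  if [ "$(cpprod_util FwIsFirewallMgmt)" = "1" ]; then
    echo " ### Management checks ###" >> "$OUTFILE" 2>&1
    echo " *** Management ***" >> "$OUTFILE" 2>&1
    cpstat -f default mg >> "$OUTFILE" 2>&1
    echo " *** Cert Authority ***" >> "$OUTFILE" 2>&1
    cpstat -f default ca >> "$OUTFILE" 2>&1
    smallbreak
    _checkup_policy_summary
    smallbreak
    _checkup_revision_summary
    smallbreak
    # Some basic SmartEvent checks. The test used to be inverted: it ran
    # only when RTDIR was empty and then listed /distrib/*. It now runs
    # when RTDIR is set.
    if [ -n "$RTDIR" ]; then
      echo " *** SmartEvent Stats ***" >> "$OUTFILE" 2>&1
      echo " *** Number of unprocessed records $(ls -l "$RTDIR"/distrib/* | wc -l) " >> "$OUTFILE" 2>&1
      smallbreak
    fi
    smallbreak
    if [ -n "$(pgrep "cpsead")" ]; then
      echo " *** CPSEAD Stats ***" >> "$OUTFILE" 2>&1
      cpstat cpsead >> "$OUTFILE" 2>&1
      smallbreak
    fi
    if [ -n "$(pgrep "cpsemd")" ]; then
      echo " *** CPSEMD Stats ***" >> "$OUTFILE" 2>&1
      cpstat cpsemd >> "$OUTFILE" 2>&1
      smallbreak
    fi
    smallbreak
    # Edge checks
    _checkup_edge_libsw
  else
    echo "### Node is not a manager. FW management checks bypassed ###" >> "$OUTFILE" 2>&1
  fi
else
  echo "### Provider-1 / MDSM Checks ###" >> "$OUTFILE" 2>&1
  echo " *** MDS Stat ***" >> "$OUTFILE" 2>&1
  mdsstat >> "$OUTFILE" 2>&1
  # $MDSVERUTIL is left unquoted in case it carries arguments of its own.
  for CMANAME in $($MDSVERUTIL AllCMAs); do
    # Switch the environment to this domain before querying it.
    mdsenv "$CMANAME"
    secbreak
    echo " *** Checks for Domain $CMANAME *** " >> "$OUTFILE" 2>&1
    if [ "$("$CPDIR/bin/cpprod_util" FwIsActiveManagement)" = '1' ]; then
      echo " *** This CMA is the ACTIVE CMA for this customer" >> "$OUTFILE" 2>&1
    else
      echo " *** This CMA is the BACKUP CMA for this customer" >> "$OUTFILE" 2>&1
    fi
    echo " *** Management ***" >> "$OUTFILE" 2>&1
    cpstat -f default mg >> "$OUTFILE" 2>&1
    smallbreak
    _checkup_policy_summary
    smallbreak
    _checkup_revision_summary
    smallbreak
    _checkup_edge_libsw
    smallbreak
    echo " *** CMA Disk Utilization Check ***" >> "$OUTFILE" 2>&1
    du --max-depth=1 -h "$FWDIR" >> "$OUTFILE" 2>&1
    smallbreak
  done
  unset CMANAME
  # Return to the MDS-level environment.
  mdsenv
fi
secbreak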
############################################################################################
# FW Acceleration Stuff #
############################################################################################
# Not all the commands work on all platforms. Giving some feedback to the end user pacifies concerns
warnuser
if [ `cpprod_util FwIsFirewallModule` = "1" ]
then
echo " ######## fwaccel stuff ########## " >> $OUTFILE 2>&1
# VSX STUFF
# SecureXL / acceleration statistics. On VSX the checks run once for VS0 and
# then once per virtual system listed by "vsx stat -v"; on a plain gateway a
# single set of fwaccel statistics is collected.
# The order of statements matters here: vsenv / "vsx set" switch the context
# that the commands after them run in, and every loop pass ends by switching
# back to VS 0.
if [ "$ISVSX" = "1" ]
# Begin VSX-specific logic for FWACCEL stuff
then
echo "############# THIS IS A VSX System ############" >> $OUTFILE 2>&1
echo " ######## Connections ##########" >> $OUTFILE 2>&1
cpstat -f conns vsx >> $OUTFILE 2>&1
smallbreak
echo " ######## fw ctl pstat ##########" >> $OUTFILE 2>&1
fw ctl pstat >> $OUTFILE 2>&1
smallbreak
echo " *** VSX STAT ***" >> $OUTFILE 2>&1
vsx stat -v -l >> $OUTFILE 2>&1
# ISVSXSWB = 1 selects the R75.40VS-and-later command set (see labels below).
if [ "$ISVSXSWB" = "1" ]
then
echo " *** 75.40VS or newer Virtual System Checks ***" >> $OUTFILE 2>&1
echo " *** MSTAT ***" >> $OUTFILE 2>&1
fw vsx mstat >> $OUTFILE 2>&1
echo " *** Resource Control ***" >> $OUTFILE 2>&1
fw vsx resctrl monitor show >> $OUTFILE 2>&1
fw vsx resctrl stat >> $OUTFILE 2>&1
echo " *** Basic SIM Affinity settings ***" >> $OUTFILE 2>&1
fw ctl affinity -l >> $OUTFILE 2>&1
smallbreak
fi
echo " *** VSX FWACCEL STAT ***" >> $OUTFILE 2>&1
# The two branches differ only in the spelling of the "all" option.
if [ "$ISVSXSWB" = "1" ]
then
fwaccel stat -a >> $OUTFILE 2>&1
smallbreak
else
fwaccel stat -all >> $OUTFILE 2>&1
smallbreak
fi
echo "--------------- CPHAPROB SYNCSTAT for VS0 ---------------" >> $OUTFILE 2>&1
cphaprob -all syncstat >> $OUTFILE 2>&1
smallbreak
# Pipe the list of virtual devices to a temp file for parsing
# NOTE(review): [1-9] is unquoted, so the shell may expand it as a glob if a
# single-digit file name exists in the current directory; quoting it would
# avoid that.
# NOTE(review): $TMP/vsobjs is a fixed name and is not removed in this
# section - confirm $TMP is private and that cleanup happens elsewhere.
vsx stat -v | grep "|" | grep [1-9] | awk 'BEGIN { FS="|" } { print $1 $2} ' | awk 'BEGIN { FS=" " } { print $1, $2, $3 }' > $TMP/vsobjs
# Run commands on all VS's (but not VR's or VSw's)
# Each line of vsobjs carries three fields, read below as number, type, name.
# NOTE(review): read is used without -r, so backslashes would be interpreted.
while IFS=: read VSLINE
do
VSNUM=`echo $VSLINE | awk 'BEGIN { FS=" " } { print $1 }'`
VSTYPE=`echo $VSLINE | awk 'BEGIN { FS=" " } { print $2 }'`
VSNAME=`echo $VSLINE | awk 'BEGIN { FS=" " } { print $3 }'`
# Only types "S" and "B" are examined (presumably virtual systems in
# routed and bridge mode - confirm against "vsx stat" output).
if [ "$VSTYPE" = "S" ] || [ "$VSTYPE" = "B" ]
then
if [ "$ISVSXSWB" = "1" ]
then
smallbreak
vsenv $VSNUM >> $OUTFILE 2>&1 # R75.40VS and later require some commands to be run from the VS context
echo " *** 75.40VS or newer Virtual System Checks for VS $VSNUM ***" >> $OUTFILE 2>&1
echo " *** VSX STAT ***" >> $OUTFILE 2>&1
fw vsx stat -l -vsid $VSNUM >> $OUTFILE 2>&1
smallbreak
echo " *** Detailed Affinity Settings ***" >> $OUTFILE 2>&1
fw ctl affinity -l -x -vsid $VSNUM -flags tne >> $OUTFILE 2>&1
smallbreak
# Check SecureXL Status.
ISFWACCEL=`fwaccel stat | grep Status | awk 'BEGIN { FS=" : " } { print $2}'`
if [ "$ISFWACCEL" = "on" ]
then
echo " *** FWACCEL Stat ***" >> $OUTFILE 2>&1
fwaccel stats -s >> $OUTFILE 2>&1
smallbreak
else
echo " ** SecureXL Acceleration is disabled on this VS. **" >> $OUTFILE 2>&1
fi
# Same affinity command as under "Detailed Affinity Settings" above.
echo " *** FW Affinity Config ***" >> $OUTFILE 2>&1
fw ctl affinity -l -x -vsid $VSNUM -flags tne >> $OUTFILE 2>&1
smallbreak
# Check for the presence of the new ips command
IPSPROGCHK=`type -P ips`
echo " ########## Gateway checks ##########" >> $OUTFILE 2>&1
echo " *** -f all fw ***" >> $OUTFILE 2>&1
cpstat -f all fw >> $OUTFILE 2>&1
smallbreak
echo " *** -f sysinfo cvpn ***" >> $OUTFILE 2>&1
cpstat -f sysinfo cvpn >> $OUTFILE 2>&1
smallbreak
echo " *** -f all vpn ***" >> $OUTFILE 2>&1
cpstat -f all vpn >> $OUTFILE 2>&1
smallbreak
echo " *** ASM / IPS ***" >> $OUTFILE 2>&1
cpstat -f default asm >> $OUTFILE 2>&1
cpstat -f WS asm >> $OUTFILE 2>&1
if [ "$IPSPROGCHK" != "" ]
then
echo " *** IPS Configuration ***" >> $OUTFILE 2>&1
ips stat >> $OUTFILE 2>&1
smallbreak
fi
else
# Older VSX releases: switch context with "vsx set" instead of vsenv.
smallbreak
vsx set $VSNUM >> $OUTFILE 2>&1
# Check SecureXL Status.
ISFWACCEL=`fwaccel stat | grep Status | awk 'BEGIN { FS=" : " } { print $2}'`
fi
echo "--------------- CPHAPROB SYNCSTAT for VS $VSNUM ---------------" >> $OUTFILE 2>&1
cphaprob syncstat >> $OUTFILE 2>&1
smallbreak
if [ "$ISFWACCEL" = "on" ]
then
echo "--------------- FWACCEL STATS for Virtual System # $VSNUM ---------------" >> $OUTFILE 2>&1
echo "fwaccel conns count at `$DATEFUNC` is `fwaccel -vs $VSNUM conns | wc -l` " >> $OUTFILE 2>&1
echo "fwaccel templates count at `$DATEFUNC` is `fwaccel -vs $VSNUM templates | wc -l` " >> $OUTFILE 2>&1
smallbreak
echo " *** stat ***" >> $OUTFILE 2>&1
fwaccel stat >> $OUTFILE 2>&1
smallbreak
echo " *** stats ***" >> $OUTFILE 2>&1
fwaccel stats >> $OUTFILE 2>&1
smallbreak
echo " *** stats -s ***" >> $OUTFILE 2>&1
fwaccel stats -s >> $OUTFILE 2>&1
smallbreak
echo " *** stats -p ***" >> $OUTFILE 2>&1
fwaccel stats -p >> $OUTFILE 2>&1
smallbreak
else
echo " ** SecureXL Acceleration is disabled on this VS. **" >> $OUTFILE 2>&1
fi
echo "--------------- TOP CONNECTIONS for Virtual System # $VSNUM ---------------" >> $OUTFILE 2>&1
fw -vs $VSNUM tab -t connections -t fwx_alloc -t fwx_cache -t frag_table -s >> $OUTFILE 2>&1
if [ "$ISFWACCEL" = "on" ]
then
# If acceleration is enabled, we can leverage the SecureXL table for connections information
# Ten most frequent combinations of fields 1, 3 and 4 of "fwaccel conns".
echo " Count | Source IP | Destination IP | Destination Port" >> $OUTFILE 2>&1
fwaccel conns | awk '{printf "%-16s %-15s %-15s\n", $1,$3,$4}' | sort | uniq -c | sort -n -r | head -n 10 >> $OUTFILE 2>&1
smallbreak
fi
# Without acceleration, we have to rely on the connections table
# NOTE(review): this command is not inside an else branch, so it runs whether
# or not acceleration is on.
fw -vs $VSNUM tab -t connections -u | grep \; | awk '{print $9}' | sort -bg | uniq -c | sort -bg | head -n 10 >> $OUTFILE 2>&1
smallbreak
echo "-------------- INTERFACE INFORMATION FOR Virtual System # $VSNUM ---------------" >> $OUTFILE 2>&1
ifconfig -s >> $OUTFILE 2>&1
smallbreak
fi
# Reset back to VS 0
if [ "$ISVSXSWB" = "1" ]
then
vsenv 0 >> $OUTFILE 2>&1 # R75.40VS and later require some commands to be run from the VS context
else
vsx set 0 >> $OUTFILE 2>&1
fi
done < $TMP/vsobjs
else
# Check SecureXL Status.
# ISFWACCEL holds the text after " : " on the Status line of "fwaccel stat".
ISFWACCEL=`fwaccel stat | grep Status | awk 'BEGIN { FS=" : " } { print $2}'`
if [ "$ISFWACCEL" = "on" ]
then
# FWACCEL Stuff on non-VSX/VS systems
echo " *** stat ***" >> $OUTFILE 2>&1
fwaccel stat >> $OUTFILE 2>&1
echo " *** stats ***" >> $OUTFILE 2>&1
fwaccel stats >> $OUTFILE 2>&1
echo " *** stats -s ***" >> $OUTFILE 2>&1
fwaccel stats -s >> $OUTFILE 2>&1
echo " *** stats -p ***" >> $OUTFILE 2>&1
fwaccel stats -p >> $OUTFILE 2>&1
echo "--------------- FWACCEL STATS ----------------" >> $OUTFILE 2>&1
echo "fwaccel conns count at `$DATEFUNC` is `fwaccel conns | wc -l` " >> $OUTFILE 2>&1
echo "fwaccel templates count at `$DATEFUNC` is `fwaccel templates | wc -l` " >> $OUTFILE 2>&1
smallbreak
else
echo " ** SecureXL Acceleration is disabled **" >> $OUTFILE 2>&1
fi
fi
secbreak
# CoreXL: licensed CPU count, multi-kernel status and affinity map.
# Skipped when the node is VSX.
if [ "$ISVSX" != "1" ]; then
  {
    echo " ##### Multi-CPU #####"
    echo " *** Licensed CPU Count ***"
    $FWDIR/bin/fw ctl get int fwlic_num_of_allowed_cpus
    echo " *** multik ***"
    fw ctl multik stat
    echo " *** fw ctl affinity ***"
    fw ctl affinity -l -r -v -a
  } >> $OUTFILE 2>&1
fi
smallbreak
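# SIM commands don't work in IPSO or Solaris, so they run only when
# ISTORVALDS is 1; on IPSO the flow statistics are collected instead.
# The old test compared the literal string "ISTORVALDS" (no $) with "1".
# That was always true, so sim ran on every platform and the IPSO branch
# was unreachable.
if [ "$ISTORVALDS" = "1" ]; then
  echo " ##### sim affinity #####" >> "$OUTFILE" 2>&1
  echo " *** -l ***" >> "$OUTFILE" 2>&1
  sim affinity -l >> "$OUTFILE" 2>&1
  echo " *** -l -r -v -a ***" >> "$OUTFILE" 2>&1
  sim affinity -l -r -v -a >> "$OUTFILE" 2>&1
  smallbreak
elif [ "$RUNOS" = "IPSO" ]; then
  echo " ##### IPSO Flow stat #####" >> "$OUTFILE" 2>&1
  ipsofwd list >> "$OUTFILE" 2>&1
fi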
else
echo " ##### Node is not a gateway. Acceleration and SIM checks bypassed #####" >> $OUTFILE 2>&1
smallbreak
fi
#############################################################################
# TABLES CHECKS #
#############################################################################
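# Kernel table summaries and "fw ctl pstat": gateways only, and not on VSX.
# The cpprod_util output is quoted so the test stays well-formed when the
# command prints nothing.
if [ "$(cpprod_util FwIsFirewallModule)" = "1" ] && [ "$ISVSX" != "1" ]; then
  echo " ######## fw tab ##########" >> "$OUTFILE" 2>&1
  echo " *** connections and stuff ***" >> "$OUTFILE" 2>&1
  fw tab -t host_ip_addrs -t connections -t fwx_alloc -t fwx_cache -t frag_table -s >> "$OUTFILE" 2>&1
  echo " *** remote users ***" >> "$OUTFILE" 2>&1
  fw tab -t userc_users -s -t sslt_om_ip_params -t L2TP_tunnels -t om_assigned_ips -s >> "$OUTFILE" 2>&1
  smallbreak
  echo " ######## fw ctl pstat ##########" >> "$OUTFILE" 2>&1
  fw ctl pstat >> "$OUTFILE" 2>&1
  smallbreak
else
  echo " ### Node is not a gateway or is a VSX system. Table and pstat checks bypassed." >> "$OUTFILE" 2>&1
  smallbreak
fi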
#############################################################################
# HIGH AVAILABILITY CHECKS #
#############################################################################
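# ClusterXL state: run only if the gateway reports that HA is enabled.
# The cpprod_util output is quoted so the test stays well-formed when the
# command prints nothing.
if [ "$(cpprod_util FwIsHighAvail)" = "1" ]; then
  echo " ############# cphaprob stuff ##########" >> "$OUTFILE" 2>&1
  echo " *** -a if ***" >> "$OUTFILE" 2>&1
  cphaprob -a if >> "$OUTFILE" 2>&1
  echo " *** stat ***" >> "$OUTFILE" 2>&1
  cphaprob stat >> "$OUTFILE" 2>&1
  echo " *** syncstat ***" >> "$OUTFILE" 2>&1
  cphaprob syncstat >> "$OUTFILE" 2>&1
  echo " *** cpstat ***" >> "$OUTFILE" 2>&1
  cpstat ha -f all >> "$OUTFILE" 2>&1
  echo " *** list ***" >> "$OUTFILE" 2>&1
  cphaprob list >> "$OUTFILE" 2>&1
  # Current values of the two MAC magic kernel parameters.
  echo " *** MAC MAGIC NUMBERS AS CURRENTLY CONFIGURED ***" >> "$OUTFILE" 2>&1
  echo " -- MAC MAGIC: $(fw ctl get int fwha_mac_magic) " >> "$OUTFILE" 2>&1
  echo " -- MAC FORWARD MAGIC: $(fw ctl get int fwha_mac_forward_magic) " >> "$OUTFILE" 2>&1
  smallbreak
else
  echo " #### Node is not running HA feature. cphaprob checks bypassed ####" >> "$OUTFILE" 2>&1
  smallbreak
fi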
#############################################################################
#############################################################################
## NETWORKING CHECKS ##
#############################################################################
#############################################################################
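# Networking checks, part 1: operator notice, then netstat output and, on
# IPSO, the flow-path statistics.
secbreak
echo
echo " ###################################################################"
echo " # Starting networking checks... #"
echo " ###################################################################"
echo
echo " #######################################################################"
echo " ## NOTE: Not all network checks function on all systems. Some checks ##"
echo " ## may result in warnings of Operation not supported. These warnings ##"
echo " ## can be safely ignored. ##"
echo " ## ##"
echo " ## Press any key to continue ##"
echo " ## or wait 5 seconds and the script will continue automatically ##"
echo " #######################################################################"
# Wait up to five seconds for one key press. The key lands in REPLY and is
# ignored. The old form passed the script's first argument ($1) to read as a
# variable name, so a command-line flag could break the prompt.
read -r -n1 -t5
warnuser
if [ "$ISMDS" = "1" ]; then
  echo "## NOTE: Some network tests on Provider-1 or MDSM may return warnings ##"
fi
echo "####### netstat ########## " >> "$OUTFILE" 2>&1
echo " *** -ni ***" >> "$OUTFILE" 2>&1
netstat -ni >> "$OUTFILE" 2>&1
smallbreak
echo " *** -s ***" >> "$OUTFILE" 2>&1
netstat -s >> "$OUTFILE" 2>&1
smallbreak
echo " *** -anp ***" >> "$OUTFILE" 2>&1
if [ "$RUNOS" = "IPSO" ]; then
  # IPSO is queried with -an here instead of -anp.
  netstat -an >> "$OUTFILE" 2>&1
  smallbreak
  echo " *** -m ***" >> "$OUTFILE" 2>&1
  netstat -m >> "$OUTFILE" 2>&1
  # Run checks for IPSO flows. grep -q prints nothing, so the old code
  # captured an empty string and compared it numerically with 0, which
  # always failed. Test the pipeline's exit status instead.
  if ipsctl -n net:ip:forward:available_modes | grep -q -s flowpath; then
    echo " *** host is running IPSO Flows ***" >> "$OUTFILE" 2>&1
    # The line count is reduced by 2 (presumably header lines - confirm).
    echo "Flows active: $(( $(netstat -nF | wc -l) - 2 ))" >> "$OUTFILE" 2>&1
    echo " ***Flow stats***" >> "$OUTFILE" 2>&1
    ipsctl -a net:ip:flow >> "$OUTFILE" 2>&1
    smallbreak
  else
    echo " *** host is not running IPSO Flows, bypassing flow checks ***"
  fi
else
  netstat -anp >> "$OUTFILE" 2>&1
  smallbreak
fi
secbreak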
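# Networking checks, part 2: per-interface statistics. IPSO uses ipsctl and
# ifconfig; Linux walks every interface reported by "ifconfig -s" and queries
# it with ethtool.
echo " ######## Interface stuff ########" >> "$OUTFILE" 2>&1
# Gather various interface statistics
if [ "$RUNOS" = "IPSO" ]; then
  echo " *** Basic IPSO NIC stats metrics ***" >> "$OUTFILE" 2>&1
  ipsctl -a net:ip:rxstats net:ip:txstat net:ip:misc:stats net:ip:frag:stats >> "$OUTFILE" 2>&1
  smallbreak
  # The old test compared the command text itself with "1", which is never
  # equal, so the ADP metrics were never collected. Run the command and
  # compare its output.
  if [ "$(ipsctl -n net:dev:adp_detect | egrep -v '0')" = "1" ]; then
    echo " *** ADP metrics ***" >> "$OUTFILE" 2>&1
    ipsctl -a net:dev:adp >> "$OUTFILE" 2>&1
    smallbreak
  fi
  echo " *** Interface information ***" >> "$OUTFILE" 2>&1
  ifconfig -v -a >> "$OUTFILE" 2>&1
  smallbreak
  # REMmed OUT CONTENT REQUIRES ADDITIONAL LOGIC. MAY BE REDUNDANT TO -v -a ABOVE
  # echo " *** IPSCTL metrics for $IFN ***" >> $OUTFILE 2>&1
  # ipsctl -a ifphys:$IFN:errors ifphys:$IFN:stats ifphys:$IFN:dev >> $OUTFILE 2>&1
elif [ "$ISTORVALDS" = "1" ]; then
  echo " *** ifconfig -s ***" >> "$OUTFILE" 2>&1
  ifconfig -s >> "$OUTFILE" 2>&1
  smallbreak
  # Drop the header row and any name containing "lo"; keep the first column.
  LIST=$(ifconfig -s | grep -Ev "Iface|lo" | awk '{print $1}')
  # Word splitting of $LIST is intentional: one interface name per word.
  for IFN in $LIST; do
    echo " ### Interface information for $IFN ###" >> "$OUTFILE" 2>&1
    echo " *** basics ***" >> "$OUTFILE" 2>&1
    ifconfig -v "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
    # Bonded Interface check
    if [ "${IFN:0:4}" = "bond" ]; then
      cphaconf show_bond "$IFN" >> "$OUTFILE" 2>&1
      cat "/proc/interfaces/bond/$IFN" >> "$OUTFILE" 2>&1
      smallbreak
    fi
    echo " *** settings ***" >> "$OUTFILE" 2>&1
    ethtool "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** driver and firmware for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -i "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** statistics for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -S "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** Flow control for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -a "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** ring settings for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -g "$IFN" >> "$OUTFILE" 2>&1
    echo " *** TSO settings for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -k "$IFN" >> "$OUTFILE" 2>&1
    echo " *** coalesce settings for $IFN ***" >> "$OUTFILE" 2>&1
    ethtool -c "$IFN" >> "$OUTFILE" 2>&1
    smallbreak
  done
fi
secbreak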
#############################################################################
#############################################################################
## FINAL CHECKS ##
#############################################################################
#############################################################################
# Progress banner for the operator (terminal only, not written to the report).
printf '%s\n' \
  "" \
  " ###################################################################" \
  " # Starting final checks... #" \
  " ###################################################################" \
  ""
# Not every command works on every platform; warnuser gives the operator
# some feedback before the section starts.
warnuser

#############################################################################
# PROCESS CHECKS #
#############################################################################
# NOTE(review): these listings use wide output, so full command lines are
# recorded; anything passed to a process as an argument ends up in $OUTFILE.
echo " ########## process information ##########" >> $OUTFILE 2>&1
if [ "$ISTORVALDS" = "1" ]; then
  ps -AFHwww >> $OUTFILE 2>&1
elif [ "$RUNOS" = "IPSO" ]; then
  ps auxwwwlSHmf >> $OUTFILE 2>&1
fi
smallbreak
# Second listing: "ps -elf" on SunOS, "ps auxwwwf" everywhere else.
if [ "$RUNOS" = "SunOS" ]; then
  ps -elf >> $OUTFILE 2>&1
else
  ps auxwwwf >> $OUTFILE 2>&1
fi
secbreak
#############################################################################
# TIME-REPEATED CHECKS (vmstat, iostat, top) #
#############################################################################
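# Time-repeated sampling (vmstat, iostat, top/prstat, mpstat, /proc/stat).
# Runs only when DOTIMEDCHECKS is "1"; otherwise a bypass banner is printed.
# Progress banners go to the terminal, collected data goes to $OUTFILE.
# smallbreak and secbreak are separator helpers defined outside this section.
if [ "$DOTIMEDCHECKS" = "1" ]
then
  echo
  echo " ###################################################################"
  echo " ###################################################################"
  echo " ## Beginning Time-repeated checks. These checks each take a few ##"
  echo " ## moments to execute... ##"
  echo " ###################################################################"
  echo " ###################################################################"
  echo
  echo " ######### CPU Utilization Stuff #########" >> "$OUTFILE" 2>&1
  echo " ###################################################################"
  echo " # Running vmstat collection. This will take a few moments... #"
  echo " ###################################################################"
  echo " *** vmstat ***" >> "$OUTFILE" 2>&1
  # 20 samples, 2 seconds apart
  vmstat 2 20 >> "$OUTFILE" 2>&1
  smallbreak
  if [ "$RUNOS" = "IPSO" ]
  then
    echo " *** -i ***" >> "$OUTFILE" 2>&1
    vmstat -i >> "$OUTFILE" 2>&1
    smallbreak
    echo " *** -z ***" >> "$OUTFILE" 2>&1
    vmstat -z >> "$OUTFILE" 2>&1
    smallbreak
  fi
  # Check for the presence of iostat
  IOCHECK=$(type -P iostat)
  if [ "$IOCHECK" = "" ]
  then
    smallbreak
    echo " *** bypassing IOSTAT collection ***" >> "$OUTFILE" 2>&1
  else
    echo
    echo " ###################################################################"
    echo " # Running IO statistics collection. This will take a few moments..#"
    echo " ###################################################################"
    echo " *** iostat ***" >> "$OUTFILE" 2>&1
    # 10 extended-statistics samples, 2 seconds apart
    iostat -x 2 10 >> "$OUTFILE" 2>&1
  fi
  secbreak
  # Check for a "dumb" terminfo entry; presumably needed so the batch-mode
  # top run below works when no real terminal type is available.
  # NOTE(review): this is a persistent change to the system being examined.
  # The cleanup section at the end of the script does not remove the symlink,
  # so it is recorded in the report, along with any error from mkdir/ln.
  if [ ! -e /usr/share/terminfo/d/dumb ]
  then
    echo " ##### making dumb terminal symlink" >> "$OUTFILE" 2>&1
    # -p: an already existing directory is not an error
    mkdir -p /usr/share/terminfo/d >> "$OUTFILE" 2>&1
    ln -s /usr/share/terminfo/x/xterm /usr/share/terminfo/d/dumb >> "$OUTFILE" 2>&1
  fi
  if [ "$RUNOS" != "SunOS" ]
  then
    echo " *** top ***" >> "$OUTFILE" 2>&1
    echo
    echo " ###################################################################"
    echo " # Running TOP. This will take a few moments... #"
    echo " ###################################################################"
    # CPULOOP is mentioned in top's manual to increase 1st-iteration accuracy
    # COLUMNS is used to allow showing longer command-lines on terminal output
    # The -c switch makes top print full command lines, so process arguments
    # (which may include credentials) are written to the report here as well.
    if [ "$RUNOS" != "IPSO" ]
    then
      COLUMNS=512 LINES=256 CPULOOP=1 top -bcSH -n 5 >> "$OUTFILE" 2>&1
    else
      top -mio -bSH -d 5 >> "$OUTFILE" 2>&1
    fi
  else
    # stderr is captured too, matching every other collector in this section
    echo " *** prstat ***" >> "$OUTFILE" 2>&1
    echo
    echo " ###################################################################"
    echo " # Running PRSTAT. This will take a few moments... #"
    echo " ###################################################################"
    prstat 3 5 >> "$OUTFILE" 2>&1
  fi
  echo " ###################################################################"
  echo " # Gathering some additional CPU Load information. #"
  echo " # This will take a few moments... #"
  echo " ###################################################################"
  # MPSTAT exists in GAiA but not SPLAT
  MPSCHECK=$(type -P mpstat)
  if [ "$MPSCHECK" = "" ]
  then
    smallbreak
    echo " *** bypassing mpstat collection ***" >> "$OUTFILE" 2>&1
  else
    echo " *** MPSTAT metrics ***" >> "$OUTFILE" 2>&1
    # Linux and Solaris have different CLI switch requirements
    if [ "$ISTORVALDS" = "1" ]
    then
      mpstat -P ALL 2 5 >> "$OUTFILE" 2>&1
    else
      mpstat -p 2 5 >> "$OUTFILE" 2>&1
    fi
  fi
  smallbreak
  if [ "$RUNOS" != "SunOS" ]
  then
    echo " *** /proc/stat metrics ***" >> "$OUTFILE" 2>&1
    # Plan to add logic to calculate per-CPU information soon. For now, it'll be manual
    echo "------- Columns --------" >> "$OUTFILE" 2>&1
    echo "CPU | user | nice | system | idle | iowait | irq | softirq " >> "$OUTFILE" 2>&1
    # Number of polling iterations to run
    LOOPEND=5
    LOOPTIME=1
    # Delay time -- how long to sleep between polling intervals
    SNOOZETIME=5
    while [ "$LOOPTIME" -le "$LOOPEND" ]
    do
      cat /proc/stat >> "$OUTFILE" 2>&1
      # Sleep only between samples; a delay after the last one adds nothing
      if [ "$LOOPTIME" -lt "$LOOPEND" ]
      then
        sleep "$SNOOZETIME"
      fi
      # Increment the loop counter
      LOOPTIME=$(( LOOPTIME + 1 ))
    done
  fi
else
  echo " ###################################################################"
  echo " # Bypassing timed checks... #"
  echo " ###################################################################"
fi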
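# Closing marker: records the host name and completion time at the end of
# the report, framed by section breaks (secbreak is defined outside this
# section).
secbreak
echo "###### Completed checkup script for $HNAME at $(date +"%F-%H%M") ######" >> "$OUTFILE" 2>&1
secbreak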
################################################################################
################################################################################
## SCRIPT CLEANUP ##
################################################################################
################################################################################
# Clean up temp files
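# Remove the four scratch files used during collection.
# Each path is quoted and preceded by "--" so that a value containing spaces,
# glob characters or a leading dash cannot change what rm acts on. An empty
# or unset variable is skipped instead of being passed to rm.
# NOTE(review): how these paths are created is outside this section; if they
# are fixed names in a shared directory rather than mktemp output, confirm
# that their creation is safe against pre-planted symlinks.
for TMPFILE in "$APPLTMP" "$NOCONNTMP" "$PROCCHECKS" "$FILECHECKS"
do
  if [ -n "$TMPFILE" ]
  then
    rm -f -- "$TMPFILE"
  fi
done
unset TMPFILE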
# Clean up variables
# Drop the script's working variables, grouped by what they described.
# Hardware / utility detection flags
unset HASMPTSTATUS HASLSIUTIL HASLOM HASMPT
# Platform and product detection
unset CHECKTMP CHECKMDS CHECKVSX SCRVER RUNOS RUNOSFULL ISTORVALDS ISMDS \
  ISVSX ISVSXSWB ISGAIA ISFWACCEL
# Scratch-file paths and process/file check lists
unset APPLTMP NOCONNTMP PROCLIST PROCCHECKS PROCNAME FILELIST
# Tool availability checks
unset IOCHECK MPSCHECK
# Firewall, blade and object lookups
unset FWLABEL BLADECHECK BLADESTAT SIC_NAME OBJ_NAME OBJ_FILE REG_FILE
# Virtual-system iteration state
unset VSNUM VSLINE VSTYPE VSNAME
# Run-time option flags
unset DODUCHECK DOTIMEDCHECKS
# COMPLETED
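# Final operator summary: where the report was written and how large it is.
# The report contains full process command lines (from the ps and top runs)
# along with other system detail, so it is restricted to its owner before
# being announced. The file's mode while collection was running depends on
# the umask in effect when it was first created, which is outside this
# section.
if [ -n "$OUTFILE" ] && [ -f "$OUTFILE" ]
then
  if ! chmod 600 "$OUTFILE"
  then
    echo " WARNING: could not restrict permissions on $OUTFILE"
  fi
fi
echo
echo "#########################################################################"
echo "#########################################################################"
echo " Data was collected into $OUTFILE"
# Field 5 of the long listing is the human-readable size (-h)
echo " The output file is $(ls -lah -- "$OUTFILE" | awk '{ print $5 }') in size. "
echo "#########################################################################"
echo "#########################################################################"
echo
echo "#########################################################################"
echo "# Completed data acquisition. Thank you. Have a nice day. #"
echo "#########################################################################"
echo
echo
# Clean up final variables - these couldn't be unset until the end
unset HNAME NOW OUTTO OUTFILE
exit 0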