期望脚本+ ssh =>检查点防火墙
使用期望脚本时需要解析命令的输出。
目标是为每个网络对象提取IP地址(subnet4 :)和名称(name :)。 然后将提取的IP地址与输入的地址进行比较,如果相等,则在防火墙上创建访问规则时,请使用$ name变量(将其与其对应的IP关联后)作为服务。
objects:
- uid: "67c51c9a-81e3-43ee-ba96-b733c7672d83"
name: "CP_default_Office_Mode_addresses_pool"
type: "network"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
subnet4: "172.16.10.0"
mask-length4: 24
subnet-mask: "255.255.255.0"
- uid: "caee1116-8087-4310-9208-b422d3628a7e"
name: "IPv6_Link_Local_Hosts"
type: "network"
domain:
uid: "a0bbbc99-adef-4ef8-bb6d-defdefdefdef"
name: "Check Point Data"
domain-type: "data domain"
subnet6: "fe80::"
mask-length6: 64
from: 1
to: 2
total: 2
1)无法将唯一名称获取到$ name变量中
2)不知道如何将IP地址与名称绑定
send "mgmt add network name DuplicateTst subnet $srcIPAddr mask-length 32\r"
expect {
-re "same" {
expect ">"
send "set clienv rows 0\r"
expect ">"
send "mgmt show networks\r"
expect {
-re "objects(.*)>" {
set Outcome $expect_out(1,string)
puts "The whole array $Outcome"
#exit 100
}
}
#timeout { puts "timeout"}
}
}
set lines [split $Outcome "\n"]
foreach line $lines {
#puts "line: $line"
set notCleanIP [regexp -inline -lineanchor -all -- {(?:)(\s+)\"(?!255) \d+\.\d+\.\d+\.\d+\"} $line];
set notCleanName [regexp -inline -lineanchor -all -- {(?:)(\s+)name: \"[a-z A-Z 0-9]+\"} $line ];
set cleanName [regexp -inline -lineanchor -all -- {(?:)[a-z A-Z 0-9]+} $notCleanName ]
set cleanIP [regexp -inline -lineanchor -all -- {(?:)\d+\.\d+\.\d+\.\d+} $notCleanIP ];
puts "CleanIP >>> $cleanIP"
puts "CleanName >>> $cleanName"
if { $cleanIP == $srcIPAddr } {
#puts "equivalent *************************"
#set cleanName [regexp -inline -lineanchor -all -- {(?:)[a-z A-Z 0-9]+} $notCleanName ];
#puts "################# clean name >> $cleanName"
}
#set newVariable2 [regexp -inline -lineanchor -all -- {(?:)(\s+)\"[a-z A-Z 0-9]+\"} $line];
puts "NotCleanIP >>> $notCleanIP"
puts "NotCleanName >>> $notCleanName"
}
exit 100
{ name} { } AddressSrc8b3c855163437d0be28cc8995864 { } { }
这不是我期望的。仅应使用:AddressSrc8b3c855163437d0be28cc8995864
CleanIP >>> 100.5.5.5 IPAdrress已正确提取。
如何解决此问题? 任何想法将不胜感激。
谢谢。
答案 0 :(得分:0)
@Emily E.下次要牢记。谢谢。
开始工作。解决的办法是进入expertMode(root)并使用jq。
# for((i=0;i<=2;i++));do VV=$(jq -cr ".objects[$i].subnet4" jsonOutput) VVV="100.5.5.5";for nbr in $VV; do if [[ $nbr =~ $VVV ]];then echo "$nbr $(jq -cr ".objects[$i].name" jsonOutput)";fi;done;done
result => 100.5.5.5 SrcAddressObj8b3c855163437d0be28cc8995864
以上内容适用于将shell配置为“ / bin / bash”而非gaiaCLI的用户。
对于gaiaCLI用户:
send "for((i=0;i<=3;i++));do VV=\$(jq -c -r \".objects\[\$i\].subnet4\" /tmp/jsonOutput) VVV=\$V;for nbr in \$VV; do if \[\[ \$nbr =~ \$\{VV
V\} \]\];then echo \"\$nbr \$(jq -c -r \".objects\[\$i\].name\" /tmp/jsonOutput)\";fi;done;done\r"
#expect "#"
sleep 15
expect {
-re "done(.*)\n" {
set shutsu $expect_out(1,string)
puts "$shutsu"
}
}
sleep 15
expect "#"
send "exit\r"
expect ">"
set lines [split $shutsu "\n"]
foreach line $lines {
set objectIP [regexp -inline -lineanchor -all -- {\d+\.\d+\.\d+\.\d+} $line];
set objectName [regexp -inline -lineanchor -all -- {(?:)(\s)[a-z A-Z 0-9]+} $line];
set objName [regexp -inline -lineanchor -all -- {(?!\s)[a-zA-Z 0-9]+} $objectName];
if { $objectIP == $srcIPAddr } {
puts "objectIP: $objectIP and objectName: $objName"
set service $objName
puts "finally: here is the service to use => $service"