topic Re: File/command to verify all the vpn settings for all the S2S tunnels in Firewall and Security Management

File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Thu, 06 Apr 2023 17:30:32 GMT

Hey guys,

I never had anyone ask me this before, but customer had a question if there is any file or command on CP that would let them see all phase1/2 settings for all the S2S vpn tunnels (in case smart console is not available).

I ran vpn and vpn tu ? commands and see bunch of commands that can be ran, but nothing like what they asked.

Interesting question, but not sure something like that exists ; - )

Thoughts?

Tx for the help as always.

Re: File/command to verify all the vpn settings for all the S2S tunnels

PhoneBoy — Sat, 08 Apr 2023 02:35:23 GMT

From the gateway itself?
That stuff is compiled as part of the Access Policy, so in theory it should be available.
How accessible it is...separate question.

If it were me, I'd poke around in $FWDIR/state/FW1 and see if you can find it somewhere in there.

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Sat, 08 Apr 2023 02:41:39 GMT

Yea, either gateway or mgmt server. Will check that dir in R81.20 lab gateway and see what I find. Thanks for the help.

Cheers,

Andy

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Sat, 08 Apr 2023 16:00:36 GMT

K, so had a quick look and that dir does not exist on the fw, but I found similar on mgmt server:

[Expert@QUANTUM-MANAGEMENT:0]# pwd
/opt/CPsuite-R81.20/fw1/state/quantum-fw/FW1
[Expert@QUANTUM-MANAGEMENT:0]#

K, small correction, there is dir on the fw (similar path), but files are literally the same:

/opt/CPsuite-R81.20/fw1/state/local/FW1

Now, out of all files listed in that dir, I cant really find one that would have what cusotmer is looking for, so not sure as you said how accessible this could be... : - )

[Expert@QUANTUM-MANAGEMENT:0]# ls -lh
total 7.0M
-rw-rw---- 1 admin root 1.7K Apr 8 11:41 auxfiles.map
-rw-rw---- 1 admin root 2.6K Apr 8 11:41 local.DynamicContent
-rw-rw---- 1 admin root 37K Apr 8 11:41 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 270 Apr 8 11:41 local._policy_metadata
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.ad_query_profiles
-rw-rw---- 1 admin root 309 Apr 8 11:41 local.adlog.networks.exclude
-rw-rw---- 1 admin root 148 Apr 8 11:41 local.adlog.users.exclude
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.allowed_clients_objects
-rw-rw---- 1 admin root 23K Apr 8 11:41 local.appfw_misc
-rw-rw---- 1 admin root 13K Apr 8 11:41 local.application
-rw-r--r-- 1 admin root 1.3K Apr 8 11:41 local.application_group
-rw-rw---- 1 admin root 16K Apr 8 11:41 local.category
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.ccp
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.cloudShadowObjectsDumpForGateway
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.cmsDumpForGateway
-rw-rw---- 1 admin root 7.8K Apr 8 11:41 local.connectra_global_properties
-rw-rw---- 1 admin root 1.3K Apr 8 11:41 local.connectra_policy
-rw-rw---- 1 admin root 577 Apr 8 11:41 local.cpmi_file
-rw-rw---- 1 admin root 8 Apr 8 11:41 local.ctlver
-rw-rw---- 1 admin root 680 Apr 8 11:41 local.current_recovery.profile
-rw-r--r-- 1 admin root 1.1K Apr 8 11:41 local.data_awareness_settings
-rw-rw---- 1 admin root 47K Apr 8 11:41 local.data_files
-rw-rw---- 1 admin root 61K Apr 8 11:41 local.db
-rw-r--r-- 1 admin root 27K Apr 8 11:41 local.dcerpc_service
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.device_settings_transactions
-rw-rw---- 1 admin root 4 Apr 8 11:41 local.domain_objects_for_web_applications
-rw-r--r-- 1 admin root 9.7K Apr 8 11:41 local.dynobj
-rw-rw---- 1 admin root 6.8K Apr 8 11:41 local.embedded_applications
-rw-rw---- 1 admin root 966 Apr 8 11:41 local.eps_notify.html
-rw-rw---- 1 admin root 1.7K Apr 8 11:41 local.eps_notify.mail
-rw-rw---- 1 admin root 713K Apr 8 11:41 local.fc
-rw-rw---- 1 admin root 777K Apr 8 11:41 local.fc6
-rw-r--r-- 1 admin root 928 Mar 14 20:31 local.file_data_type
-rw-r--r-- 1 admin root 603 Mar 14 20:31 local.file_type
-rw-rw---- 1 admin root 343K Apr 8 11:41 local.file_types
-rw-rw---- 1 admin root 867 Apr 8 11:41 local.fileslist
-rw-rw---- 1 admin root 220K Apr 8 11:41 local.ft
-rw-rw---- 1 admin root 220K Apr 8 11:41 local.ft6
-rw-rw---- 1 admin root 5.3K Apr 8 11:41 local.fwrl.conf
-rw-r--r-- 1 admin root 3.7K Apr 8 11:41 local.gateway
-rw-r--r-- 1 admin root 836 Apr 8 11:41 local.gateway_general_properties
-rw-r--r-- 1 admin root 621 Apr 8 11:41 local.global_preferences
-rw-rw---- 1 admin root 19K Apr 8 11:41 local.gtp_services
-rw-r--r-- 1 admin root 14K Apr 8 11:41 local.host
-rw-r--r-- 1 admin root 2.6K Apr 8 11:41 local.host_ckp
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.httpsi_dnd
-rw-r--r-- 1 admin root 8.1K Apr 8 11:41 local.icmp_service
-rw-r--r-- 1 admin root 16K Apr 8 11:41 local.icmpv6_service
-rw-rw---- 1 admin root 207K Apr 8 11:41 local.ics_configuration
-rw-rw---- 1 admin root 1.3K Apr 8 11:41 local.identity_awareness_custom_settings
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.identity_roles
-rw-rw---- 1 admin root 11 Apr 8 11:41 local.ifs
-rw-rw---- 1 admin root 29K Apr 8 11:41 local.implied_rules
-rw-rw---- 1 admin root 614 Apr 8 11:41 local.inspect.lf
-rw-rw---- 1 admin root 1.2K Apr 8 11:41 local.intranet_community
-rw-rw---- 1 admin root 9.5K Apr 8 11:41 local.ips_enhance
-rw-rw---- 1 admin root 4.4K Apr 8 11:41 local.ips_granular_contexts
-rw-rw---- 1 admin root 8.0K Apr 8 11:41 local.languages
-rw-rw---- 1 admin root 10K Apr 8 11:41 local.lg
-rw-rw---- 1 admin root 10K Apr 8 11:41 local.lg6
-rw-rw---- 1 admin root 39 Apr 8 11:41 local.logo_directory_content.conf
-rw-rw---- 1 admin root 41K Apr 8 11:41 local.magic
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.mail_servers
-rw-rw---- 1 admin root 35 Apr 8 11:41 local.mgmt_dhcp_data
-rw-rw---- 1 admin root 11K Apr 8 11:41 local.mobile_profiles
-rw-rw---- 1 admin root 1.4K Apr 8 11:41 local.mobile_profiles_rulebase
-rw-rw---- 1 admin root 104 Apr 8 11:41 local.mv_tag
-rw-rw---- 1 admin root 2.2K Apr 8 11:41 local.nac_agents
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.nat_dnd
-rw-r--r-- 1 admin root 2.1K Apr 8 11:41 local.network
-rw-rw---- 1 admin root 7.2K Apr 8 11:41 local.network_applications
-rw-r--r-- 1 admin root 4.1K Apr 8 11:41 local.network_group
-rw-rw---- 1 admin root 635K Apr 8 11:41 local.objects
-rw-r--r-- 1 admin root 3.8K Apr 8 11:41 local.other_service
-rw-rw---- 1 admin root 710 Apr 8 11:41 local.policy
-rw-rw---- 1 admin root 42K Apr 8 11:41 local.policy.xml
-rw-rw---- 1 admin root 5.2K Apr 8 11:41 local.products_updates
-rw-rw---- 1 admin root 6.5K Apr 8 11:41 local.rad_services
-rw-rw---- 1 admin root 8.6K Apr 8 11:41 local.realm_objects
-rw-rw---- 1 admin root 27K Apr 8 11:41 local.realms
-rw-rw---- 1 admin root 5.7K Apr 8 11:41 local.remote_access_clients_objects
-rw-r--r-- 1 admin root 12K Apr 8 11:41 local.rpc_service
-rw-rw---- 1 admin root 62K Apr 8 11:41 local.rule
-rw-rw---- 1 admin root 3 Apr 8 11:41 local.rule_adtr
-rw-rw---- 1 admin root 4.4K Apr 8 11:41 local.rulebase
-rw-rw---- 1 admin root 8.4K Apr 8 11:41 local.rulebase_tracks
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.sdopts.rec
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.securid
-rw-r--r-- 1 admin root 1.8K Apr 8 11:41 local.security_zone
-rw-r--r-- 1 admin root 3.2K Apr 8 11:41 local.service_group
-rw-rw---- 1 admin root 561K Apr 8 11:41 local.set
-rw-rw---- 1 admin root 59 Apr 8 11:41 local.sic_name
-rw-r--r-- 1 admin root 621 Apr 8 11:41 local.sr_community
-rw-rw---- 1 admin root 5.5K Apr 8 11:41 local.ssl_certificates
-rw-rw---- 1 admin root 1.3M Apr 8 11:41 local.ssl_inspection
-rw-rw---- 1 admin root 4 Apr 8 11:41 local.sso_groups
-rw-rw---- 1 admin root 958 Apr 8 11:41 local.str
-rw-rw---- 1 admin root 958 Apr 8 11:41 local.str6
-rw-r--r-- 1 admin root 524K Apr 8 11:41 local.tcp_protocol
-rw-r--r-- 1 admin root 304K Apr 8 11:41 local.tcp_service
-rw-rw---- 1 admin root 48K Apr 8 11:41 local.thresholds.conf
-rw-r--r-- 1 admin root 3.8K Apr 8 11:41 local.track
-rw-r--r-- 1 admin root 65K Apr 8 11:41 local.udp_protocol
-rw-r--r-- 1 admin root 131K Apr 8 11:41 local.udp_service
-rw-r--r-- 1 admin root 29K Apr 8 11:41 local.updatable_obj
-rw-r--r-- 1 admin root 681 Apr 8 11:41 local.user_at_location
-rw-rw---- 1 admin root 690 Mar 14 20:39 local.user_category
-rw-rw---- 1 admin root 94K Apr 8 11:41 local.user_check_interactions.C.converted
-rw-rw---- 1 admin root 0 Apr 8 11:41 local.userdef
-rw-rw---- 1 admin root 7.4K Apr 8 11:41 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r----- 1 admin root 11K Apr 8 11:41 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-rw---- 1 admin root 7.2K Apr 8 11:41 policy.info
-rw-rw---- 1 admin root 3.1K Apr 8 11:41 policy.map
-rw-rw---- 1 admin root 21K Apr 8 11:41 robo-IKE.NDB

Re: File/command to verify all the vpn settings for all the S2S tunnels

PhoneBoy — Mon, 10 Apr 2023 17:15:22 GMT

If you know some information about the VPN tunnels, grep is your friend 🙂
It may not be visible in an uncompiled form.

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Mon, 10 Apr 2023 17:44:26 GMT

Thats a good point, but then I need to know what file to look through 🙂

Re: File/command to verify all the vpn settings for all the S2S tunnels

Bob_Zimmerman — Mon, 10 Apr 2023 18:22:52 GMT

You can grep all files with a single command, including recursing into subdirectories:

[Expert@DallasSA]# cd /etc/ssh/ [Expert@DallasSA]# grep -R "Forwarding" * sshd_config:#AllowAgentForwarding yes sshd_config:AllowTcpForwarding no sshd_config:X11Forwarding no sshd_config:# X11Forwarding no sshd_config:# AllowTcpForwarding no templates/sshd_config.templ:#AllowAgentForwarding yes templates/sshd_config.templ:AllowTcpForwarding no templates/sshd_config.templ:X11Forwarding no templates/sshd_config.templ:# X11Forwarding no templates/sshd_config.templ:# AllowTcpForwarding no

Try that with one of the VPN community names. I don't have any VPN communities set up on this box, so I can't check for myself.

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Mon, 10 Apr 2023 18:29:41 GMT

Thanks for your help guys, but I will assume this is not possible at this time, at least not exactly how customer imagined it. I think we can close this subject. Appreciate the help as always 🙌

Re: File/command to verify all the vpn settings for all the S2S tunnels

Maarten_Sjouw — Tue, 11 Apr 2023 07:15:23 GMT

mgmt_cli will be able to give you the correct data:

mgmt_cli show vpn-communities-meshed details-level full -s id.txt
objects:
- uid: "bde4848b-64b8-4647-9501-49b17c0cb870"
name: "MyIntranet"
type: "vpn-community-meshed"
domain:
uid: "bdcfc21b-9bc2-44fd-bb61-dede55a7a6de"
name: "IOT"
domain-type: "domain"
gateways: []
tunnel-granularity: "per_subnet"
use-shared-secret: false
encryption-method: "ikev1 for ipv4 and ikev2 for ipv6 only"
encryption-suite: "custom"
ike-phase-1:
encryption-algorithm: "aes-256"
diffie-hellman-group: "group-2"
ike-p1-rekey-time: 1440
data-integrity: "sha1"
ike-phase-2:
encryption-algorithm: "aes-128"
ike-p2-use-pfs: false
ike-p2-pfs-dh-grp: "group-2"
ike-p2-rekey-time: 3600
data-integrity: "sha1"
comments: ""
color: "black"
icon: "VPNCommunities/Meshed"
tags: []
meta-info:
lock: "unlocked"
validation-state: "ok"
last-modify-time:
posix: 1612186256723
iso-8601: "2021-02-01T14:30+0100"
last-modifier: "System"
creation-time:
posix: 1612186256723
iso-8601: "2021-02-01T14:30+0100"
creator: "System"
read-only: false

This will list all meshed communities and the same command with -star will give you all Star comminities.

Re: File/command to verify all the vpn settings for all the S2S tunnels

PhoneBoy — Tue, 11 Apr 2023 15:16:40 GMT

The question relates to when the management server is not available (thus mgmt_cli wouldn't work).

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Tue, 11 Apr 2023 16:55:27 GMT

PERFECT! Gave that to a customer and he was super happy, greatly appreciate it @Maarten_Sjouw 🙌🙌🙌

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Tue, 11 Apr 2023 17:18:54 GMT

Customer liked it, so if they are good, Im good too ; - )

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Tue, 11 Apr 2023 17:27:41 GMT

One quick question @Maarten_Sjouw ...I tried outputting into a file but it fails, I believe -s is the right flag, is it not?

Cheers,

Andy

Re: File/command to verify all the vpn settings for all the S2S tunnels

Maarten_Sjouw — Wed, 12 Apr 2023 04:29:13 GMT

The question was when SmartConsole was not available, of the management server there was no mentioning.

Re: File/command to verify all the vpn settings for all the S2S tunnels

Maarten_Sjouw — Wed, 12 Apr 2023 04:36:06 GMT

No just use the standard linux command > file method. The -s is for accepting the login information stored in the file id.txt like this:

mgmt_cli login user admin domain Test -m 127.0.0.1 > id.txt

mgmt_cli show vpn-communities-meshed details-level full -s id.txt > vpn meshed.txt

mgmt_cli show vpn-communities-star details-level full -s id.txt > vpn-star.txt (or use >> vpn-meshed.txt to add the output to the same file)

mgmt_cli logout -s id.txt

Re: File/command to verify all the vpn settings for all the S2S tunnels

the_rock — Wed, 12 Apr 2023 10:04:12 GMT

Thanks again!