topic Re: list all VPNs using certificate for phase1 and vpn cert store in mds in Firewall and Security Management

list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Thu, 02 May 2024 11:08:40 GMT

Hello,

Here's the case study: MDS R81.20 with multiple CMA domains, each one having multiple gateways with IPSEC VPN tunnels. Some of the tunnels have PSK for phase 1, some of them are using Certificates. Most of the certs are signed by our internal PKI infrastructure, but some are MDS ICA signed.

1) How to I get a list of VPN tunnel which are using certs for phase 1? So I could check the cert validity (is there any automated way of getting this info?)

2) Where are the 3rd Party VPN certs stored in MDS?

Thanks!

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

spottex — Fri, 03 May 2024 01:29:47 GMT

Sorry I'm not fast enough to sort this for you in the time I have...
but If you have some API skills or someone else can help you can refine the following or export to csv and filter in excel.

show vpn-communities-star limit 50 details-level "full"
show vpn-communities-mesh limit 50 details-level "full"

(I ran these from the GUI > Cli so didn't need to use the mgmt_cli)

You will need to filter the community name and the field "use-shared-secret"

true = PSK.

false = Cert

Also research command ALL_DOMAINS_ON_THIS_SERVER to save you going into all the domains.

I think the certs are imported into the database and Check Point black magic files then rolled up and pushed out to the gateways

You can see them in GUIDBedit Managed Object > Servers

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

PhoneBoy — Fri, 03 May 2024 05:39:12 GMT

I suspect what you're trying to do is renew those certificates before they expired.
Hopefully very soon, we will have a script published in SupportCenter that, when run on MDS or regular management, will:

Show certificate information
Renew certificates based on the specified criteria

The specified operation will be performed on all managed Security Gateways, Cluster Members, and Virtual Systems.
For R81.20, this will require JHF 54 or above.
It will also be available for R81 and R81.10 and will require a specific JHF level.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

the_rock — Fri, 03 May 2024 12:28:26 GMT

Those commands are good!

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Fri, 03 May 2024 21:15:11 GMT

Hello ,

Many thanks for your quick reply. I tried both commands from MDS using mgmt_cli but they returned 0 objects ( before reaching out to CheckMates).

[Expert@srv-r8120:0]# mgmt_cli -r true show vpn-communities-meshed objects: [] total: 0 [Expert@mds-r8120-prod:0]# mgmt_cli -r true show vpn-communities-star objects: [] total: 0

Then I tried from GUI > cli as you suggested and it worked! Of course the GUI Cli has limitations and I need to send the output to a text file to parse it. What am I doing wrong?

I choose the smallest domain with only 3 VPN tunnels, and it returned 1184 lines! That's not something you can easily search from that window.

Good point with "use-shared-secret: - true/false - it looks like this is what I'm looking for.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Fri, 03 May 2024 20:47:37 GMT

Let's hope so! Many thanks for the heads up!

There are too many certificates (LOL). SIC + IKE + Management = 3

If you are also using Identity Awareness, extra certs to take care of : broker.portal, web portal. = 2.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Nüüül — Sun, 05 May 2024 07:54:52 GMT

Hello,

ICA Certs:

In the Checkmates Toolbox there is a good oneliner, as basic check...

https://community.checkpoint.com/t5/Scripts/Valid-Certificates-Overview-Oneliner/m-p/179954

when changing into the cma, it should also get you the certificates from the tenant.

I wrote something to get those states reported into monitoring engines like PRTG or Nagios compatible (like Centreon), which then can alarm/notify you, if thresholds are hit. But thats not finished yet

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

the_rock — Sun, 05 May 2024 12:42:39 GMT

Thanks for that, will try on my lab mgmt.

Andy

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

the_rock — Sun, 05 May 2024 13:07:38 GMT

Thanks so much for sharing that, super useful.

From my lab:

Current Date and Time
----------------------------------------------------------------------
05 May 2024 09:05:52 -04:00 EDT

Check Point Internal Certificate Authority (ICA) Experation Date
----------------------------------------------------------------------
18 Jan 2038 22:14:07 -05:00 EST

Current Valid IKE & SIC Certificates signed by ICA
----------------------------------------------------------------------
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
4 cp_mgmt SIC 80400 03 Jan 2029 08:46:36
5 cp_mgmt SIC 80670 03 Jan 2029 08:46:43
6 cpazuremgmt SIC 96588 03 Jan 2029 08:46:36
7 azurefw SIC 39123 03 Jan 2029 09:32:43
8 CPAZUREcluster1 SIC 75718 18 Jan 2029 08:34:45
9 CPAZUREcluster2 SIC 78289 18 Jan 2029 08:36:03

[Expert@cpazuremgmt:0]#

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

spottex — Sun, 05 May 2024 20:54:08 GMT

If you still want to go down this path and use ssh ...

Per domain:
mgmt_cli -d "your-domain" show vpn-communities-star limit 100 details-level "full"

Cross domain will not allow the use the detail-level "full"
mgmt_cli show vpn-communities-star limit 100 domains-to-process.1 "ALL_DOMAINS_ON_THIS_SERVER" ignore-warnings true

I'm an API Noob so cannot figure out how to filter output on just community name and use-shared-secret. Though I did try.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Thu, 09 May 2024 21:46:18 GMT

Hello,

Oneliner script is amazing! thanks! I go through each MDS domain using "mdsenv domain" and run it. I used to parse data from cpca_client lscert .... even made a script to go through each domain ...a real pain as I had to remove empty lines and so on.

With regards to showing vpn star/meshed config, I still have an issue.

1) once I login to MDS using ssh and type mdsenv Domain_Name - mgmt_cli show vpn-communities-star commands returns - 0 objects.

2) I'm able to login successfully to "System Data" domain using "> id.txt" option. When I run mgmt_cli -d Domain_VPN show vpn-communities-meshed limit 100 details-level "full" -s id.txt , I get

objects: []
total: 0

My MDS user account has access to Management CLI and read rights across all domains.

This is from Management API reference:.

Security Management Server and Multi-Domain Server

There are different domains for the Multi-Domain Server and the Security Management Server, and each domain has its own API calls:

Multi-Domain Server - The default login is to the System Data domain. This allows you to manage administrators, domains and other system objects.
- To log in to a specific domain by name or IP address, use the domain parameter.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

spottex — Fri, 10 May 2024 02:32:01 GMT

Hi.

Just tried on another MDM and had the same issue as you. I was able to get around it with using the domain IP address.
Also using the domain IP to create the id.txt as well. So have a play around with that

mgmt_cli login user <username> -d "<CMA IP>" > id.txt
mgmt_cli -d <CMA IP> show vpn-communities-meshed limit 100 details-level "full" -s id.txt

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Fri, 10 May 2024 19:39:09 GMT

This simple change from domain name to domain IP address did the trick! I appreciate you time and effort.

Just to give something back to the community:

Step one :

1) login to MDS using SSH then type: mgmt_cli login user justin_user domain domain_IP_addr > id.txt

2) use this command to extract VPN Star Domains using jq to parse json , extract VPN community and join it with Domain Name, for example.

mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | select(.type == "vpn-community-star" or .type == "interoperable-device") | [.["name"],.["domain"]["name"]] | join(";")' -r

As I'm no Linux guru, I was not able to extract only VPN Communities with ""use-shared-secret" : false"

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Fri, 10 May 2024 19:28:27 GMT

Many thanks for the onliner tool !

I look forward to any Check Point PRTG integration!!! Plese leave a message if there is anything I can help with testing 🙂

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

the_rock — Fri, 10 May 2024 19:56:14 GMT

Amazing tool indeed.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

PhoneBoy — Tue, 14 May 2024 17:43:26 GMT

Get it done and submit it...you might win something 🙂
https://community.checkpoint.com/t5/Toolbox-Contest-2024/con-p/toolbox2024

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

spottex — Tue, 14 May 2024 20:03:02 GMT

Try this:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

sorinstf — Tue, 14 May 2024 20:28:44 GMT

That's excellent!!! Many thanks!

Is there any possibility to have the output on a single line?

I would then export this in a text, run the script from a remote linux machine and grab it with scp. Makes life easier 🙂

NAME,RAS-VPN-BMC PreSharedKey,false NAME,RAS-VPN-FTC PreSharedKey,true NAME,VPN-JAY-DMA PreSharedKey,false NAME,VPN-COR-HEV PreSharedKey,true

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

spottex — Tue, 14 May 2024 22:16:40 GMT

Nah I failed 🙂

Best effort I can do is the following.
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'

and to text

mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"' > cert.txt

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

the_rock — Tue, 14 May 2024 22:28:03 GMT

Is this expected?

Andy

[Expert@CP-management:0]# mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
Failed to open login output file [id.txt]

topic Re: list all VPNs using certificate for phase1 and vpn cert store in mds in Firewall and Security Management

list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Security Management Server and Multi-Domain Server

There are different domains for the Multi-Domain Server and the Security Management Server, and each domain has its own API calls:

Multi-Domain Server - The default login is to the System Data domain. This allows you to manage administrators, domains and other system objects.

To log in to a specific domain by name or IP address, use the domain parameter.

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds

Re: list all VPNs using certificate for phase1 and vpn cert store in mds