topic Re: CheckPoint DAIP VPN get Peer Names in API / CLI Discussion

CheckPoint DAIP VPN get Peer Names

DanielS — Tue, 16 Oct 2018 16:14:50 GMT

Hi Guys,

I'm trying to link the public IP address as shown in vpn tu to the object name, I know the objects are assigned an internal IP of 0.0.0.x, is this number consistent?

My main goal here is to analyse the VPN's public IP address and check when it changes as they are configured as DAIP on the 1430's, unfortunately the vpn sub commands don't seem to be able to give this link.

Re: CheckPoint DAIP VPN get Peer Names

Marco_Valenti — Wed, 17 Oct 2018 06:42:41 GMT

The command is ts_db_tool that should be issued from management side

rs_db_tool
Description rs_db_tool is used to manage DAIP gateways in a DAIP database.
Syntax
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip>
<-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >

Re: CheckPoint DAIP VPN get Peer Names

DanielS — Wed, 17 Oct 2018 09:04:21 GMT

Hi Marco,

Is there a similar command that can be executed from the gateway? and do would you happen to have example output of the rs_db_tool -operation list as I currently don't have cli access to the mdsm. And what does the -d flag do ?

Re: CheckPoint DAIP VPN get Peer Names

Marco_Valenti — Wed, 17 Oct 2018 13:04:34 GMT

the flag -d is for debug I suppose , anyway I don t know about security gateway but I guess the database for the dynamic object is hosted on the management server.

Anyway from vpn tu command you should be able to see (if you have a valid sa) something like that

Peer (dynamic) xxx.xxx.xxx.xxx SAs:

Re: CheckPoint DAIP VPN get Peer Names

DanielS — Wed, 17 Oct 2018 13:19:31 GMT

yes I'm aware the vpn tu/ vpn shell will give me output of IKE SA and the dynamic IP of the 1430, but the trick is linking that to an object name.

and yes the -d is confirmed as debug flag found it on one of the documents.

Re: CheckPoint DAIP VPN get Peer Names

DanielS — Wed, 17 Oct 2018 16:12:32 GMT

Hi Marco,

I built up a setup in my lab until I can get access to their manager, but it gives the exact information that I needed.

[Expert@vpn-test-mgmt:0]# rs_db_tool -operation list

----------------------------------------
Daip modules database - entries list
----------------------------------------

Entry # | Object name | IP | TTL
-------- ------------------------------ ------------------ -------
1 | Remote-GW-DAIP | 12.12.12.100 | 5198225
-------- ------------------------------ ------------------ -------

Marco Valenti wrote:
The command is ts_db_tool that should be issued from management side

rs_db_tool
Description rs_db_tool is used to manage DAIP gateways in a DAIP database.
Syntax
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip>
<-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >

Re: CheckPoint DAIP VPN get Peer Names

DanielS — Fri, 02 Nov 2018 10:59:35 GMT

So I've put together a script to capture the dynamic IP's if it is of interest to anyone, and the times that the ip address changes.

#!/bin/bash
today=$(date +%s)
cma="<CMA_NAME>"
outputFile="/home/admin/output.txt"
touch $outputFile
function checkIPs {
if [ -r /etc/profile.d/CP.sh ]; then
. /etc/profile.d/CP.sh
else
echo "Could not source /etc/profile.d/CP.sh"
exit
fi
mdsenv $cma
rs_db_tool -operation list 2>&1| tail -n +8 | head -n -2 | grep -v -- '------' | awk '/ / {print $3, $5, $7}' | \
#cleans up rs_db_tool output to what we need and pipes it to awk
while read fwName ipAddress age ; do \
#echo $fwName
#echo $ipAddress
#echo $age
if grep -Fwq "$fwName" "$outputFile"
#checks if the object names already exists in the output file
then
echo "Object Already Exists"
existingIPAddress=$(grep $fwName $outputFile | awk '{print $(NF-1)}')
#compares the devices previous ip address with the latest checked IP address, if different it records the new address and time.
if [ "$existingIPAddress" != "$ipAddress" ]
then
#echo "IP address does not matches"
sed -i "\,${fwName}, s,$, ${ipAddress}," $outputFile
sed -i "\,${fwName}, s,$, ${today}," $outputFile
fi
else
#echo "Object Does not exist"
echo "$fwName" "$ipAddress" "$today" >> "$outputFile"
fi
done
}
checkIPs

Re: CheckPoint DAIP VPN get Peer Names

Marco_Valenti — Mon, 05 Nov 2018 09:43:39 GMT

wonderful job thanks