https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/48863#M3211 <P>Hey Christian,</P><P>&nbsp;</P><P>The standard managment API (still) does not support the configuration that you need.</P><P>But&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/9262">@Kim_Moberg</a>&nbsp;did a nice writeup regarding his solution via the generic objects API - see <A href="https://community.checkpoint.com/t5/Developers-API-CLI/Missing-API-possibility-to-set-vpn-community-star-objects/td-p/20956" target="_self">here</A>.</P><P>&nbsp;</P><P>Regards</P> Wed, 27 Mar 2019 15:24:54 GMT Maik 2019-03-27T15:24:54Z https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/48861#M3210 <P>Hello Checkpoint,</P><P>in the after Snowden aera,&nbsp; we have learnt that perfect forward secrecy is one of the most important cryptographic features.</P><P>From the API documentation it is not clear how to activate PFS and how to select the PFS group when creating a VPN community or modifying an existing one.</P><P>Please Clarify: How can I activate PFS and select the PFS DH group via the API?</P><P>Thanks</P><P>Christian Riede</P> Wed, 27 Mar 2019 15:09:13 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/48861#M3210 Christian_Riede 2019-03-27T15:09:13Z https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/48863#M3211 <P>Hey Christian,</P><P>&nbsp;</P><P>The standard managment API (still) does not support the configuration that you need.</P><P>But&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/9262">@Kim_Moberg</a>&nbsp;did a nice writeup regarding his solution via the generic objects API - see <A href="https://community.checkpoint.com/t5/Developers-API-CLI/Missing-API-possibility-to-set-vpn-community-star-objects/td-p/20956" target="_self">here</A>.</P><P>&nbsp;</P><P>Regards</P> Wed, 27 Mar 2019 15:24:54 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/48863#M3211 Maik 2019-03-27T15:24:54Z https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/49000#M3219 <P>Summary:</P><P>Get Community uid with:</P><P>mgmt_cli show vpn-community-star name "communityname"</P><P>Get DH group UIDs with:</P><P>mgmt_cli show generic-objects class-name com.checkpoint.objects.classes.dummy."CpmiIkeDiffieHellmanParametersObject"</P><P>&nbsp;</P><P>Then:</P><P>mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1EncAlg "AES_MINUS_256"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1HashAlg "SHA256"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1DhGrp "86ee63a3-cb9a-478e-add4-857aff8a7ab3"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1RekeyTime "1440"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EncAlg "AES_MINUS_256"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2HashAlg "SHA256"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2RekeyTime "3600"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2UsePfs "true"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2PfsDhGrp "86ee63a3-cb9a-478e-add4-857aff8a7ab3"<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EnableSupernetFromR8020 "FALSE"</P> Thu, 28 Mar 2019 10:51:29 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/49000#M3219 Christian_Riede 2019-03-28T10:51:29Z https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/49003#M3220 <P>&nbsp;</P><P>Summary:</P><P>find uid of community</P><P>mgmt_cli show vpn-community-star name "communityname"</P><P>find uid of dh group:</P><P>mgmt_cli show generic-objects class-name com.checkpoint.objects.classes.dummy."CpmiIkeDiffieHellmanParametersObject"</P><P>mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1EncAlg AES_MINUS_256<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1HashAlg SHA256<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1DhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP1.ikeP1RekeyTime 1440<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EncAlg AES_MINUS_256<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2HashAlg SHA256<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2RekeyTime 3600<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2UsePfs true<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2PfsDhGrp 86ee63a3-cb9a-478e-add4-857aff8a7ab3<BR />mgmt_cli set generic-object uid "uid-of-community" ikeP2.ikeP2EnableSupernetFromR8020 FALSE</P><P>&nbsp;</P> Thu, 28 Mar 2019 10:56:37 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Activate-PFS-in-a-VPN-community-via-API/m-p/49003#M3220 Christian_Riede 2019-03-28T10:56:37Z