topic Re: Creating multiple remote Gateway for IPsec VPN in API / CLI Discussion

Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN

SD_Networking — Thu, 26 Oct 2017 09:43:24 GMT

Hi Team,

I am looking to create multiple 3rd party remote gateway for IPsec VPN, i can create the object via Smartdashboard by

Object Exporer --> New--Network Object--More ---Interoperable Devices.

I cannot find, how can i do it via Script ? any one has worked on migration of VPN customers from ASA to Checkpoint ?

Regards,

Re: Creating multiple remote Gateway for IPsec VPN

SD_Networking — Thu, 26 Oct 2017 11:51:54 GMT

I found the answer here:

https://community.checkpoint.com/community/checkmates-live/blog/2017/09/02/i-am-dorit-dor-vp-of-products-for-check-point…

But still i cannot create the objects as i can't find correct syntax to create new object, this comment do provide how to edit but not how to create new, i am getting following error.

{
"code": "generic_err_missing_required_parameters",
"message": "Missing parameter: [create]"
}

Not sure, wht should be the value of create ?

Re: Creating multiple remote Gateway for IPsec VPN

SD_Networking — Mon, 30 Oct 2017 10:40:22 GMT

any one to comment on ? my migration is stuck based on this

Re: Creating multiple remote Gateway for IPsec VPN

PhoneBoy — Mon, 30 Oct 2017 23:34:56 GMT

I'm curious how your upgrade is stuck on this as I do not believe this was possible in R77.x (but could be wrong).

In any case, let me see if we can get the create scripts that were promised in the AMA posted.

Re: Creating multiple remote Gateway for IPsec VPN

SD_Networking — Tue, 31 Oct 2017 07:46:14 GMT

Hi Dameon,

Thanks, my migration is stuck as i cant make huge number of Interoperable objects via api, and dont want to do it manually one by one.

I was just curious if checkpoint will release the script promised in another post, it will make my life easier

Thanks.

Re: Creating multiple remote Gateway for IPsec VPN

Robert_Decker — Tue, 31 Oct 2017 09:57:37 GMT

Here is how it can be done using the "Generic-Object" API:

Create a basic Interoperable device with given name "interdev_2" and IP address "10.1.1.2"
=====================================================================

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True"

OUTPUT:

=======

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
}
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface:
==================================================================================
Added interfaces list section with interface:
- name eth0
- IP Address 10.1.1.1
- netmask 255.255.255.0

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0"

OUTPUT:

=======

Topology settings - Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface.
=========================================================================================

The topology of the added interface was set to be behind the given network (in my case - CP_default_Office_Mode_addresses_pool).

In an interface object, the field: security.netaccess.access set to "SPECIFIC" and
security.netaccess.allowed is set to UID of the required network object.

Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

local_network=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

OUTPUT:

=======

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also set Manually Defined VPN encryption domain
===========================================================================================
Set encdomain to be MANUAL.
Set manualEncdomain field to hold the UID of the required network.
Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

OUTPUT:

========

ENJOY!

Re: Creating multiple remote Gateway for IPsec VPN

SD_Networking — Thu, 02 Nov 2017 09:37:47 GMT

Thanks man

Re: Creating multiple remote Gateway for IPsec VPN

Amiad_Stern — Wed, 21 Feb 2018 10:48:27 GMT

An important disclaimer!

These APIs provide direct access to different objects and fields in the database. As a result, when the objects schema change, scripts that rely on specific schema fields may break.

The usage of generic-object API is similar to use dbedit script allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and later that script is “broken” because Check Point had changed the schema of the database. Check Point TAC will not be responsible for adjusting the customer’s script to use the new schema.

When you have the option, always use the documented APIs and not the generic APIs:

They are documented
They are future compatible
They are tested
They have owners and you can get support if you run into trouble

Re: Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN

Robert_Decker — Tue, 01 May 2018 11:58:11 GMT

If you need to add that interoperable device as a center/satellite gateway to a VPN community, follow my post in this thread -

https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api

Robert.

Re: Creating multiple remote Gateway for IPsec VPN

Francisco_Melo — Fri, 25 Mar 2022 19:49:47 GMT

Hey Robert first thank you for this. I do have a question how would we do a batch on this? let say I have a list of 100 objects with name and IP's. I was trying a CVS and running a batch. Just an example

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" --batch ssg_test1.csv

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" --batch ssg_test1.csv

both didn't get anywhere so I'm just trying to get this batch working. Any feedback would be appreciated.

Re: Creating multiple remote Gateway for IPsec VPN

PhoneBoy — Fri, 25 Mar 2022 22:07:15 GMT

What did the file precisely look like and what precise results did you get?
I suspect this may not be supported with generic objects.

Re: Creating multiple remote Gateway for IPsec VPN

Francisco_Melo — Mon, 28 Mar 2022 13:03:10 GMT

name ,ipaddr
Ahemadnagar_India_VRoom,172.18.201.250
Airdrie_Alberta_Canada_VRoom,151.110.77.19
Aldridge_UK_CoopSaf_Vroom,10.253.64.132

**how will it work with generic objects to create a bulk of them? is it through a perl code? or how exactly can I make this work. thank you for the prompt response.

Re: Creating multiple remote Gateway for IPsec VPN

PhoneBoy — Mon, 28 Mar 2022 13:14:32 GMT

You would have to create a CSV with each name/value pair, not just the name and ipaddr.
Your CLI would look something like: mgmt_cli add generic-object --batch file.csv
Whether you can make this work or not is a separate question.
Also, keep in mind generic-objects aren't formally supported.

I think you're better off scripting this (either with Perl, Bash, or whatever language you feel comfortable in).

Re: Creating multiple remote Gateway for IPsec VPN

Francisco_Melo — Fri, 08 Apr 2022 21:32:53 GMT

Thank you, I have done the perl Script and almost got it. I need to add it to an encryption domain when I'm using @Robert_Decker script of:

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

I get this sh: line 5: /opt/CPshrd-80.40/jq/jq: No such file or directory

Re: Creating multiple remote Gateway for IPsec VPN

PhoneBoy — Sat, 09 Apr 2022 02:38:01 GMT

The path to the jq binary is wrong.
You will need to modify it accordingly based on your precise version.

Re: Creating multiple remote Gateway for IPsec VPN

Francisco_Melo — Mon, 11 Apr 2022 12:48:09 GMT

Thanks, but how do I actually find it. I try a couple but no go. Here are the only JQ directories I found .

./opt/CPshrd-R80.40/bin/jq
./opt/CPshrd-R80.40/jq
./opt/CPshrd-R80.40/jq/jq

Re: Creating multiple remote Gateway for IPsec VPN

PhoneBoy — Mon, 11 Apr 2022 14:43:51 GMT

Typing which jq from the expert CLI should tell you what binary is being used.