topic Re: command to check particular segment is already part of any encryption domain in General Topics

command to check particular segment is already part of any encryption domain

Giridhar_Sasidh — Tue, 29 Aug 2017 18:59:50 GMT

Hi Experts,

In checkpoint is there any command available to check whether a particular segment is being used in any existing vpn encryption domain so that the new segment can be used for a new vpn domain.

Command " vpn overlap_encdom communities –s " is used for checking existing overlapping

Thanks,

Giridhar

Re: command to check particular segment is already part of any encryption domain

Timothy_Hall — Tue, 29 Aug 2017 20:41:28 GMT

Sort of, you can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is "interesting" to a VPN tunnel or not and the subsequent VPN peer selection. Once you have this data dumped you can use grep to find what you are looking for; note that the externally routable IP address of our firewall and the external routable IP addresses of all known VPN peers are included in the output as well which can be a bit confusing. In this example our firewall's "routable" address is 172.31.128.251 and a VPN peer's routable address is 6.7.8.9.

This is something I whipped up awhile back for a client:

# fw tab -t vpn_routing -u -f | awk '{ print $18 " " $19 " " $20 " " $21 " " $22 " " $23 }' | awk NF | sort -n
Using cptfmt
Formatting table's data - this might take a while...

: (+)====================================(+); Table_Name: vpn_routing; : (+);
From: 172.16.10.0; To: 172.16.10.255; Peer: 6.7.8.9;
From: 172.31.128.251; To: 172.31.128.251; Peer: 192.0.2.181;
From: 192.0.2.0; To: 192.0.2.255; Peer: 192.0.2.181;
From: 6.7.8.9; To: 6.7.8.9; Peer: 6.7.8.9;

I don't think it would be too tough to come up some kind of script based on this that could prompt for the source and dest IP and then tell you which VPN peers match (if any).

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: command to check particular segment is already part of any encryption domain

Tomer_Sole — Tue, 29 Aug 2017 22:40:55 GMT

You mean you would like to check for a given IP or IP range which gateways have them in their VPN encryption domains, so that you will not add the same segment in more than one Gateway's encryption domain? Is that what you're looking for?

Re: command to check particular segment is already part of any encryption domain

Timothy_Hall — Tue, 29 Aug 2017 23:22:48 GMT

Something like this for example:

vpn check_traffic [ src IP ] dst IP

"dst IP" is mandatory and will resolve to the VPN peer object name possessing that destination IP address in its VPN domain and also report the matched VPN Community in simplified mode. Hopefully only one VPN peer/Community is reported and if more than one matches a warning should be thrown, although that function is already served to some degree by vpn overlap_encdom.

It would also be nice if optionally "src IP" could be passed as well, and the command would ensure that the src IP provided actually falls within the local gateway's VPN domain as well. Basically a test to see if a src ip and dst ip combo would be considered "interesting" (to borrow a Cisco term) and to which VPN peer and Community it matches.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Re: command to check particular segment is already part of any encryption domain

Giridhar_Sasidh — Wed, 30 Aug 2017 01:31:30 GMT

Yes..Exactly Tomer..

Re: command to check particular segment is already part of any encryption domain

Giridhar_Sasidh — Wed, 30 Aug 2017 01:38:03 GMT

Thanks Tim...This is very useful...

Re: command to check particular segment is already part of any encryption domain

Tomer_Sole — Wed, 30 Aug 2017 05:54:35 GMT

Thank you for this feedback, we will consider it.

Re: command to check particular segment is already part of any encryption domain

Kishorilal_CJ — Thu, 23 Aug 2018 05:30:12 GMT

Hello

Even i was looking for this command to find out if given IP / network is already existed in vpn encryption domain, but I could not execute this commend either in CLish/expert mode

Kindly confirm if I am missing something here, currently using R77.30

XXXVSX11:1> vpn check_traffic X.X.X.X
Unknown command "check_traffic"

Thanks in advance

Re: command to check particular segment is already part of any encryption domain

Timothy_Hall — Thu, 23 Aug 2018 12:09:40 GMT

The check_traffic option to the vpn command does not actually exist, it was a hypothetical exercise to show what could potentially be useful in a future release.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: command to check particular segment is already part of any encryption domain

Kishorilal_CJ — Thu, 23 Aug 2018 12:22:50 GMT

Hello

Thanks for quicker response!!!

Re: command to check particular segment is already part of any encryption domain

Kishorilal_CJ — Thu, 23 Aug 2018 13:37:37 GMT

Hello

I got reply with no update missing something here

fw tab -t vpn_routing -u -f | awk '{ print $18 " " $19 " " $20 " " $21 " " $22 " " $23 }' | awk NF | sort -n
Using cptfmt
Formatting table's data - this might take a while...

Re: command to check particular segment is already part of any encryption domain

Timothy_Hall — Thu, 23 Aug 2018 19:40:28 GMT

Does running just this produce any output:

fw tab -t vpn_routing -u -f

My guess is no. Are any VPN tunnels actually up when you are running this command?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: command to check particular segment is already part of any encryption domain

HeikoAnkenbrand — Thu, 23 Aug 2018 20:04:00 GMT

You can use this oneliner to show VPN routes:

Show VPN Routing on CLI

Regards

Heiko

Re: command to check particular segment is already part of any encryption domain

Kishorilal_CJ — Tue, 28 Aug 2018 06:04:19 GMT

Hello

found something which helps for my requirement

fw tab -t vpn_routing -u -f | awk --field-separator=";" '/192.168.1/ {print $2, $3,$6}'