Hi Guys,
I'm trying to link the public IP address as shown in vpn tu to the object name, I know the objects are assigned an internal IP of 0.0.0.x, is this number consistent?
My main goal here is to analyse the VPN's public IP address and check when it changes as they are configured as DAIP on the 1430's, unfortunately the vpn sub commands don't seem to be able to give this link.
The command is rs_db_tool, which should be issued from the management side.

rs_db_tool

Description: rs_db_tool is used to manage DAIP gateways in a DAIP database.

Syntax:

```
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip> <-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >
```
Hi Marco,
Is there a similar command that can be executed from the gateway? And would you happen to have example output of rs_db_tool -operation list, as I currently don't have CLI access to the mdsm? And what does the -d flag do?

The flag -d is for debug, I suppose. Anyway, I don't know about the security gateway, but I guess the database for the dynamic object is hosted on the management server.
Anyway from vpn tu command you should be able to see (if you have a valid sa) something like that
Peer (dynamic) xxx.xxx.xxx.xxx SAs:
Hi Marco,
I built up a setup in my lab until I can get access to their manager, but it gives the exact information that I needed.
```
[Expert@vpn-test-mgmt:0]# rs_db_tool -operation list
----------------------------------------
Daip modules database - entries list
----------------------------------------
Entry # | Object name | IP | TTL
-------- ------------------------------ ------------------ -------
1 | Remote-GW-DAIP | 12.12.12.100 | 5198225
-------- ------------------------------ ------------------ -------
```
Marco Valenti wrote:

The command is rs_db_tool, which should be issued from the management side.

rs_db_tool

Description: rs_db_tool is used to manage DAIP gateways in a DAIP database.

Syntax:

```
# rs_db_tool [-d] <-operation <add <-name object_name> <-ip module_ip> <-TTL Time-To-Live> >
# rs_db_tool [-d] <-operation fetch <-name object_name> >
# rs_db_tool [-d] <-operation <delete <-name object_name> >
# rs_db_tool [-d] <-operation <list> >
# rs_db_tool [-d] <-operation <sync> >
```
Yes, I'm aware that vpn tu / vpn shell will give me output of the IKE SA and the dynamic IP of the 1430, but the trick is linking that to an object name.

And yes, -d is confirmed as the debug flag; I found it in one of the documents.

So I've put together a script to capture the dynamic IPs, and the times that the IP address changes, if it is of interest to anyone.
```bash
#!/bin/bash
# Records each DAIP gateway's IP address and the epoch time whenever it changes.
today=$(date +%s)
cma="<CMA_NAME>"
outputFile="/home/admin/output.txt"
touch "$outputFile"

function checkIPs {
    if [ -r /etc/profile.d/CP.sh ]; then
        . /etc/profile.d/CP.sh
    else
        echo "Could not source /etc/profile.d/CP.sh"
        exit 1
    fi
    mdsenv "$cma"
    # cleans up rs_db_tool output to what we need and pipes it to awk
    rs_db_tool -operation list 2>&1 | tail -n +8 | head -n -2 | grep -v -- '------' | awk '/ / {print $3, $5, $7}' |
    while read -r fwName ipAddress age; do
        #echo $fwName
        #echo $ipAddress
        #echo $age
        # checks if the object name already exists in the output file
        if grep -Fwq -- "$fwName" "$outputFile"
        then
            echo "Object Already Exists"
            existingIPAddress=$(grep -Fw -- "$fwName" "$outputFile" | awk '{print $(NF-1)}')
            # compares the device's previous IP address with the latest checked IP address;
            # if different it records the new address and time.
            if [ "$existingIPAddress" != "$ipAddress" ]
            then
                #echo "IP address does not match"
                sed -i "\,${fwName}, s,$, ${ipAddress}," "$outputFile"
                sed -i "\,${fwName}, s,$, ${today}," "$outputFile"
            fi
        else
            #echo "Object does not exist"
            echo "$fwName" "$ipAddress" "$today" >> "$outputFile"
        fi
    done
}

checkIPs
```
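A variant of the tracking idea in the script above, as an added example that is not part of the original post: it splits the `rs_db_tool -operation list` rows on `|` instead of relying on line offsets, and keeps an append-only change log. The function names, the log format and the sample rows (documentation-range addresses) are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the thread). Function names and the log format are
# assumptions made for this sketch.

# parse_daip: read `rs_db_tool -operation list` output on stdin and print
# "name ip" for each data row. Splitting on '|' avoids counting header lines.
parse_daip() {
    awk -F'|' '
        NF == 4 && $1 ~ /^[ \t]*[0-9]+[ \t]*$/ {
            name = $2; ip = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", ip)
            # Skip rows whose IP column is not a dotted quad.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print name, ip
        }'
}

# record_changes LOG: read "name ip" lines on stdin and append one line
# "utc_time name new_ip previous_ip" to LOG whenever a gateway is new or its
# address differs from the last one logged for that exact name.
record_changes() {
    local log=$1 now name ip old
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    touch "$log" || return 1
    while read -r name ip; do
        old=$(awk -v n="$name" '$2 == n { ip = $3 } END { print ip }' "$log")
        if [ "$old" != "$ip" ]; then
            echo "$now $name $ip ${old:-none}" >> "$log"
        fi
    done
}

# Constructed sample in the layout shown in the thread (documentation-range IPs).
sample_list() {
    cat <<'EOF'
----------------------------------------
Daip modules database - entries list
----------------------------------------
Entry # | Object name | IP | TTL
-------- ------------------------------ ------------------ -------
1 | Remote-GW-DAIP | 192.0.2.10 | 5198225
2 | Remote-GW-DAIP-2 | 198.51.100.7 | 86400
-------- ------------------------------ ------------------ -------
EOF
}

# On the management server: rs_db_tool -operation list 2>&1 | parse_daip | record_changes FILE
```

Because the log is only ever appended to, an empty or failed `rs_db_tool` run leaves the recorded history untouched.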
wonderful job thanks