Re: Creating multiple remote Gateway for IPsec VPN

SD_Networking · ‎2017-10-26

Hi Team,

I am looking to create multiple 3rd party remote gateway for IPsec VPN, i can create the object via Smartdashboard by

Object Exporer --> New--Network Object--More ---Interoperable Devices.

I cannot find, how can i do it via Script ? any one has worked on migration of VPN customers from ASA to Checkpoint ?

Regards,

SD_Networking · ‎2017-10-26

I found the answer here:

https://community.checkpoint.com/community/checkmates-live/blog/2017/09/02/i-am-dorit-dor-vp-of-prod...

But still i cannot create the objects as i can't find correct syntax to create new object, this comment do provide how to edit but not how to create new, i am getting following error.

{
"code": "generic_err_missing_required_parameters",
"message": "Missing parameter: [create]"
}

Not sure, wht should be the value of create ?

SD_Networking · ‎2017-10-30

any one to comment on ? my migration is stuck based on this

PhoneBoy · ‎2017-10-30

I'm curious how your upgrade is stuck on this as I do not believe this was possible in R77.x (but could be wrong).

In any case, let me see if we can get the create scripts that were promised in the AMA posted.

SD_Networking · ‎2017-10-31

Hi Dameon,

Thanks, my migration is stuck as i cant make huge number of Interoperable objects via api, and dont want to do it manually one by one.

I was just curious if checkpoint will release the script promised in another post, it will make my life easier

Thanks.

Robert_Decker · ‎2017-10-31

Here is how it can be done using the "Generic-Object" API:

Create a basic Interoperable device with given name "interdev_2" and IP address "10.1.1.2"
=====================================================================

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True"

OUTPUT:

=======

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
}
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface:
==================================================================================
Added interfaces list section with interface:
- name eth0
- IP Address 10.1.1.1
- netmask 255.255.255.0

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0"

OUTPUT:

=======

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0"
}
}
]
}
}

Topology settings - Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface.
=========================================================================================

The topology of the added interface was set to be behind the given network (in my case - CP_default_Office_Mode_addresses_pool).

In an interface object, the field: security.netaccess.access set to "SPECIFIC" and
security.netaccess.allowed is set to UID of the required network object.

Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

local_network=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0" interfaces.add.1.owned-object.security.netaccess.access "SPECIFIC" interfaces.add.1.owned-object.security.netaccess.allowed $local_network interfaces.add.1.owned-object.security.netaccess.performAntiSpoofing "True" interfaces.add.1.owned-object.security.antispoof "True"

OUTPUT:

=======

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0",
"security" : {
"netaccess" : {
"access" : "SPECIFIC",
"allowed" : "065e3266-f32a-4bec-9eee-7947888ad122",
"performAntiSpoofing": true
},
"antispoof" : true
}
}
}
]
}
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also set Manually Defined VPN encryption domain
===========================================================================================
Set encdomain to be MANUAL.
Set manualEncdomain field to hold the UID of the required network.
Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"

OUTPUT:

========

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
}
}
},
"manualEncdomain" : "065e3266-f32a-4bec-9eee-7947888ad122",
"encdomain" : "MANUAL"
}

ENJOY!

SD_Networking · ‎2017-11-02

Thanks man

Robert_Decker · ‎2018-05-01

If you need to add that interoperable device as a center/satellite gateway to a VPN community, follow my post in this thread -

https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api

Robert.

Amiad_Stern · ‎2018-02-21

An important disclaimer!

These APIs provide direct access to different objects and fields in the database. As a result, when the objects schema change, scripts that rely on specific schema fields may break.

The usage of generic-object API is similar to use dbedit script allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and later that script is “broken” because Check Point had changed the schema of the database. Check Point TAC will not be responsible for adjusting the customer’s script to use the new schema.

When you have the option, always use the documented APIs and not the generic APIs:

They are documented
They are future compatible
They are tested
They have owners and you can get support if you run into trouble

Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN