Hi Team,
I am looking to create multiple 3rd-party remote gateways for IPsec VPN. I can create the object via SmartDashboard by
Object Explorer --> New --> Network Object --> More --> Interoperable Devices.
I cannot find how I can do it via script. Has anyone worked on migration of VPN customers from ASA to Check Point?
Regards,
I found the answer here:
But I still cannot create the objects, as I can't find the correct syntax to create a new object. That comment does show how to edit, but not how to create a new one, and I am getting the following error.
{
"code": "generic_err_missing_required_parameters",
"message": "Missing parameter: [create]"
}
Not sure what the value of create should be.
Anyone to comment on this? My migration is stuck because of this.
I'm curious how your upgrade is stuck on this as I do not believe this was possible in R77.x (but could be wrong).
In any case, let me see if we can get the create scripts that were promised in the AMA posted.
Hi Dameon,
Thanks, my migration is stuck as I can't make a huge number of Interoperable objects via API, and I don't want to do it manually one by one.
I was just curious whether Check Point will release the script promised in another post; it will make my life easier.
Thanks.
Here is how it can be done using the "Generic-Object" API:
Create a basic Interoperable device with given name "interdev_2" and IP address "10.1.1.2"
=====================================================================
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True"
OUTPUT:
=======
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {
"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
}
}
Create an Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", and also add an interface:
==================================================================================
Added an interfaces list section with the interface:
- name eth0
- IP Address 10.1.1.1
- netmask 255.255.255.0
mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0"
OUTPUT:
=======
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {
"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0"
}
}
]
}
}
Topology settings - Create an Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", and also add an interface.
=========================================================================================
The topology of the added interface was set to be behind the given network (in my case CP_default_Office_Mode_addresses_pool).
In an interface object, the field security.netaccess.access is set to "SPECIFIC" and
security.netaccess.allowed is set to the UID of the required network object.
Use the following Bash command to find out the UID of the required network (here CP_default_Office_Mode_addresses_pool):
local_network=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')
mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0" interfaces.add.1.owned-object.security.netaccess.access "SPECIFIC" interfaces.add.1.owned-object.security.netaccess.allowed $local_network interfaces.add.1.owned-object.security.netaccess.performAntiSpoofing "True" interfaces.add.1.owned-object.security.antispoof "True"
OUTPUT:
=======
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {
"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0",
"security" : {
"netaccess" : {
"access" : "SPECIFIC",
"allowed" : "065e3266-f32a-4bec-9eee-7947888ad122",
"performAntiSpoofing": true
},
"antispoof" : true
}
}
}
]
}
}
Create an Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", and also set a Manually Defined VPN encryption domain
===========================================================================================
Set encdomain to MANUAL.
Set the manualEncdomain field to hold the UID of the required network.
Use the following Bash command to find out the UID of the required network (here CP_default_Office_Mode_addresses_pool):
vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')
mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"
OUTPUT:
========
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {
"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
}
}
},
"manualEncdomain" : "065e3266-f32a-4bec-9eee-7947888ad122",
"encdomain" : "MANUAL"
}
ENJOY!
Thanks man
If you need to add that interoperable device as a center/satellite gateway to a VPN community, follow my post in this thread -
https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api
Robert.
An important disclaimer!
These APIs provide direct access to different objects and fields in the database. As a result, when the object schema changes, scripts that rely on specific schema fields may break.
The usage of the generic-object API is similar to using a dbedit script, allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and later that script is “broken” because Check Point changed the schema of the database, Check Point TAC will not be responsible for adjusting the customer’s script to use the new schema.
When you have the option, always use the documented APIs and not the generic APIs:
Hey Robert, first, thank you for this. I do have a question: how would we do a batch on this? Let's say I have a list of 100 objects with names and IPs. I was trying a CSV and running a batch. Just an example:
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" --batch ssg_test1.csv
or
mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" --batch ssg_test1.csv
Both didn't get anywhere, so I'm just trying to get this batch working. Any feedback would be appreciated.
What did the file precisely look like and what precise results did you get?
I suspect this may not be supported with generic objects.
name ,ipaddr
Ahemadnagar_India_VRoom,172.18.201.250
Airdrie_Alberta_Canada_VRoom,151.110.77.19
Aldridge_UK_CoopSaf_Vroom,10.253.64.132
How will it work with generic objects to create a bulk of them? Is it through Perl code? Or how exactly can I make this work? Thank you for the prompt response.
You would have to create a CSV with each name/value pair, not just the name and ipaddr.
Your CLI would look something like: mgmt_cli add generic-object --batch file.csv
Whether you can make this work or not is a separate question.
Also, keep in mind generic-objects aren't formally supported.
I think you're better off scripting this (either with Perl, Bash, or whatever language you feel comfortable in).
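One way to script the bulk creation asked about above, added here as an example rather than code from Robert, Dameon or Check Point: it reads "name,ipaddr" rows from a CSV, rejects malformed rows before they reach the management server, issues the first create command from Robert's post for each good row, and publishes once at the end. It assumes mgmt_cli is on the PATH, a session file from `mgmt_cli login` (default id.txt), and two assumed environment overrides, SESSION_FILE and MGMT_CLI.

```shell
#!/bin/bash
# Added example (not Robert's or Check Point's code): bulk-create interoperable
# devices from a CSV of "name,ipaddr" rows using the generic-object call above.
# Assumes a session file from `mgmt_cli login` (default id.txt) and mgmt_cli on PATH.
SESSION_FILE="${SESSION_FILE:-id.txt}"
MGMT_CLI="${MGMT_CLI:-mgmt_cli}"   # set MGMT_CLI=echo for a dry run
CPMI="com.checkpoint.objects.classes.dummy"
# Accept only a dotted-quad IPv4 address, so a CSV typo is rejected here
# instead of becoming a mis-addressed VPN peer in the database.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}
# Object names: letters, digits, underscore, hyphen and dot only (no spaces).
valid_name() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
# Create one interoperable device with the same fields as the first command
# in Robert's post (no interfaces or encryption domain).
create_interop() {
  valid_name "$1" || { echo "skip: bad name '$1'" >&2; return 1; }
  valid_ipv4 "$2" || { echo "skip: bad address '$2' for $1" >&2; return 1; }
  "$MGMT_CLI" -s "$SESSION_FILE" add generic-object \
    create "$CPMI.CpmiGatewayPlain" name "$1" ipaddr "$2" \
    thirdPartyEncryption "True" osInfo.osName "Gaia" \
    vpn.create "$CPMI.CpmiVpn" \
    vpn.owned-object.vpnClientsSettingsForGateway.create "$CPMI.CpmiVpnClientsSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "$CPMI.CpmiEndpointVpnClientSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
    vpn.owned-object.ike.create "$CPMI.CpmiIke" \
    vpn.owned-object.sslNe.create "$CPMI.CpmiSslNetworkExtender" \
    vpn.owned-object.sslNe.owned-object.sslEnable "False" \
    vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
    vpn.owned-object.isakmpUniversalSupport "True"
}
# Walk a CSV whose first line is a header: bad rows are skipped, one publish
# is issued at the end, and the last line printed is "created N skipped M".
bulk_create() {
  created=0; skipped=0; first=1; cr=$(printf '\r')
  while IFS=, read -r name ip rest; do
    if [ "$first" = 1 ]; then first=0; continue; fi
    ip=${ip%"$cr"}                        # tolerate Windows line endings
    if create_interop "$name" "$ip"; then created=$((created + 1))
    else skipped=$((skipped + 1)); fi
  done < "$1"
  [ "$created" -gt 0 ] && "$MGMT_CLI" -s "$SESSION_FILE" publish
  echo "created $created skipped $skipped"
}
[ $# -eq 1 ] && bulk_create "$1"
```

Run it as `MGMT_CLI=echo ./bulk_interop.sh devices.csv` first to review the generated commands; to also set the encryption domain per device, append the `manualEncdomain "$vpn_enc_domain" encdomain "MANUAL"` pair from Robert's last command to the create call.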
Thank you, I have done the Perl script and almost got it. I need to add it to an encryption domain when I'm using @Robert_Decker's script of:
vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')
mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"
I get this: sh: line 5: /opt/CPshrd-80.40/jq/jq: No such file or directory
The path to the jq binary is wrong.
You will need to modify it accordingly based on your precise version.
Thanks, but how do I actually find it? I tried a couple, but no go. Here are the only jq directories I found.
./opt/CPshrd-R80.40/bin/jq
./opt/CPshrd-R80.40/jq
./opt/CPshrd-R80.40/jq/jq
Typing which jq from the expert CLI should tell you what binary is being used.