Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SD_Networking
Contributor

Creating multiple Remote Gateways/Interoperable Devices for IPsec VPN

Hi Team,

I am looking to create multiple 3rd party remote gateway for IPsec VPN, i can create the object via Smartdashboard by

Object Exporer --> New--Network Object--More ---Interoperable Devices.

I cannot find, how can i do it via Script ? any one has worked on migration of VPN customers from ASA to Checkpoint ?

Regards,

16 Replies
SD_Networking
Contributor

I found the answer here:

https://community.checkpoint.com/community/checkmates-live/blog/2017/09/02/i-am-dorit-dor-vp-of-prod... 

But still i cannot create the objects as i can't find correct syntax to create new object, this comment do provide how to edit but not how to create new, i am getting following error.

{
"code": "generic_err_missing_required_parameters",
"message": "Missing parameter: [create]"
}

Not sure, wht should be the value of create ?

SD_Networking
Contributor

any one to comment on ? my migration is stuck based on this Smiley Sad

0 Kudos
PhoneBoy
Admin
Admin

I'm curious how your upgrade is stuck on this as I do not believe this was possible in R77.x (but could be wrong).

In any case, let me see if we can get the create scripts that were promised in the AMA posted.

0 Kudos
SD_Networking
Contributor

Hi Dameon,

Thanks, my migration is stuck as i cant make huge number of Interoperable objects Smiley Happy via api, and dont want to do it manually one by one.

I was just curious if checkpoint will release the script promised in another post, it will make my life easier Smiley Happy

Thanks.

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

Here is how it can be done using the "Generic-Object" API:

Create a basic Interoperable device with given name "interdev_2" and IP address "10.1.1.2"
=====================================================================

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True"

OUTPUT:

=======

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
}
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface:
==================================================================================
Added interfaces list section with interface:
- name eth0
- IP Address 10.1.1.1
- netmask 255.255.255.0

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0"

OUTPUT:

=======


{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0"
}
}
]
}
}


Topology settings - Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also add interface.
=========================================================================================


The topology of the added interface was set to be behind the given network (in my case - CP_default_Office_Mode_addresses_pool).

In an interface object, the field: security.netaccess.access set to "SPECIFIC" and
security.netaccess.allowed is set to UID of the required network object.

Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

local_network=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "10.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.0" interfaces.add.1.owned-object.security.netaccess.access "SPECIFIC" interfaces.add.1.owned-object.security.netaccess.allowed $local_network interfaces.add.1.owned-object.security.netaccess.performAntiSpoofing "True" interfaces.add.1.owned-object.security.antispoof "True"

OUTPUT:

=======


{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
},
"isakmpUniversalSupport" : true
}
},
"interfaces" : {
"add" : [
{
"create" : "com.checkpoint.objects.classes.dummy.CpmiInterface",
"owned-object" : {
"officialname" : "eth0",
"ipaddr": "10.1.1.1",
"netmask": "255.255.255.0",
"security" : {
"netaccess" : {
"access" : "SPECIFIC",
"allowed" : "065e3266-f32a-4bec-9eee-7947888ad122",
"performAntiSpoofing": true
},
"antispoof" : true
}
}
}
]
}
}

Create Interoperable device with the given name "interdev_2" and IP address "10.1.1.2", also set Manually Defined VPN encryption domain
===========================================================================================
Set encdomain to be MANUAL.
Set manualEncdomain field to hold the UID of the required network.
Use the following Bash command to find out the UID of the required network, i.e. : CP_default_Office_Mode_addresses_pool

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"

OUTPUT:

========

{
"create" : "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain",
"name" : "interdev_2",
"ipaddr" : "10.1.1.2",
"thirdPartyEncryption" : true,
"osInfo" : {
"osName" : "Gaia"
},
"vpn" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpn",
"owned-object" : {

"vpnClientsSettingsForGateway" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway",
"owned-object" : {
"endpointVpnClientSettings" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway",
"owned-object" : {
"endpointVpnEnable" : true
}
}
}
},
"ike" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiIke"
},
"sslNe" : {
"create" : "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender",
"owned-object" : {
"sslEnable" : false,
"gwCertificate" : "defaultCert"
}
}
}
},
"manualEncdomain" : "065e3266-f32a-4bec-9eee-7947888ad122",
"encdomain" : "MANUAL"
}

ENJOY!

SD_Networking
Contributor

Thanks man Smiley Happy

0 Kudos
Robert_Decker
Employee Alumnus
Employee Alumnus

If you need to add that interoperable device as a center/satellite gateway to a VPN community, follow my post in this thread - 

https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api

Robert.

0 Kudos

An important disclaimer!

These APIs provide direct access to different objects and fields in the database. As a result, when the objects schema change, scripts that rely on specific schema fields may break.

The usage of generic-object API is similar to use dbedit script allowing customers to manipulate the Check Point database. The generic-object API calls are supported calls that customers are allowed to use. However, if a customer writes a script using generic-object API calls and later that script is “broken” because Check Point had changed the schema of the database. Check Point TAC will not be responsible for adjusting the customer’s script to use the new schema.

When you have the option, always use the documented APIs and not the generic APIs:

  • They are documented
  • They are future compatible
  • They are tested
  • They have owners and you can get support if you run into trouble
Francisco_Melo
Explorer

Hey Robert first thank you for this. I do have a question how would we do a batch on this? let say I have a list of 100 objects with name and IP's. I was trying a CVS and running a batch. Just an example 

 

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.isakmpUniversalSupport "True" --batch ssg_test1.csv

or 

mgmt_cli add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" --batch ssg_test1.csv

 

both didn't get anywhere so I'm just trying to get this batch working. Any feedback would be appreciated.

 

0 Kudos
PhoneBoy
Admin
Admin

What did the file precisely look like and what precise results did you get?
I suspect this may not be supported with generic objects.

0 Kudos
Francisco_Melo
Explorer

name ,ipaddr
Ahemadnagar_India_VRoom,172.18.201.250
Airdrie_Alberta_Canada_VRoom,151.110.77.19
Aldridge_UK_CoopSaf_Vroom,10.253.64.132

 

**how will it work with generic objects to create a bulk of them? is it through a perl code? or how exactly can I make this work. thank you for the prompt response.

0 Kudos
PhoneBoy
Admin
Admin

You would have to create a CSV with each name/value pair, not just the name and ipaddr.
Your CLI would look something like: mgmt_cli add generic-object --batch file.csv
Whether you can make this work or not is a separate question.
Also, keep in mind generic-objects aren't formally supported.

I think you're better off scripting this (either with Perl, Bash, or whatever language you feel comfortable in).

0 Kudos
Francisco_Melo
Explorer

Thank you, I have done the perl Script and almost got it. I need to add it to an encryption domain when I'm using @Robert_Decker  script of:

 

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name CP_default_Office_Mode_addresses_pool -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

 

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"

I get this sh: line 5: /opt/CPshrd-80.40/jq/jq: No such file or directory 

0 Kudos
PhoneBoy
Admin
Admin

The path to the jq binary is wrong.
You will need to modify it accordingly based on your precise version.

0 Kudos
Francisco_Melo
Explorer

Thanks, but how do I actually find it. I try a couple but no go. Here are the only JQ directories I found .

 

./opt/CPshrd-R80.40/bin/jq
./opt/CPshrd-R80.40/jq
./opt/CPshrd-R80.40/jq/jq

0 Kudos
PhoneBoy
Admin
Admin

Typing which jq from the expert CLI should tell you what binary is being used.

0 Kudos