Hi There,
Is there any way via CLI to update the topology settings for a numbered VTI interface that already exists without deleting all other network interfaces under the gateway?
We are attempting to set the "Leads To" value to "All_Internet" on the VTI interface via CLI.
Using the "set simple-gateway" removes all existing interfaces on an interface change, unfortunately.
Is there any other command that can be used?
We could certainly create the VTI interfaces initially if this makes it easier, rather than update existing ones, but I can't see a way to do that so far.
These are the steps we have been working through currently (Step 4 - Set Topology "Leads to" - is where this question relates).
Any ideas would be greatly appreciated, thank you!
Step 1 - Create virtual tunnel interfaces "VTI"
add vpn tunnel 1 type numbered local 192.168.85.3 remote 192.168.85.5 peer ibosscloud-1
add vpn tunnel 2 type numbered local 192.168.85.4 remote 192.168.85.6 peer ibosscloud-2
set interface vpnt1 state on
set interface vpnt1 mtu 1500
set interface vpnt2 state on
set interface vpnt2 mtu 1500
Step 2 - Create "IP Reachability Detection" - Monitoring Profiles
set ip-reachability-detection ping interval 10
set ip-reachability-detection ping address 192.168.85.5 enable-ping on
set ip-reachability-detection ping address 192.168.85.6 enable-ping on
Step 3 - Discover VTI Interfaces
get-interfaces target-name gw-102690 with-topology true
Step 4 - Set Topology "Leads to"
????????
When you use set-simple-gateway to change existing interface settings, you also have to (re)define all the other interfaces at the same time or they are lost.
This is currently the expected behavior of the API.
However, if you’re doing this programmatically, you should be able to obtain all the necessary settings in order to recreate them.
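The show-then-resubmit workflow this answer points at, as an added Python example that is not code from the thread, from Check Point, or from the vendor integration guide: read the gateway with show-simple-gateway, keep every interface, change only the VTI entries, resubmit the full list to set-simple-gateway, then publish. The interface field names are written from memory of the Management API reference; the whitelist of accepted keys, the sample gateway, the environment variables MGMT_SERVER and MGMT_SID, and the two possible readings of "Leads To: All_Internet" (topology "external", or an internal interface with a specific network object behind it) are assumptions to confirm against your management version before running it against a real gateway, ideally in a session you can discard.

```python
"""Rebuild the full interface list for set-simple-gateway from show-simple-gateway.
set-simple-gateway replaces the whole list, so the safe sequence for changing one
VTI's topology is: show -> copy every interface -> change the target -> set -> publish.
The dry run below works offline; the HTTP calls run only when MGMT_SERVER and
MGMT_SID are set (ASSUMPTION: MGMT_SID is a session id from the `login` command)."""
import copy
import json
import os
import urllib.request

# Interface parameters set-simple-gateway accepts, as I remember them from the
# Management API reference (ASSUMPTION: verify against your version). Read-only
# fields a show reply may carry (uid, type, domain, ...) are dropped on purpose.
INTERFACE_INPUT_KEYS = (
    "name", "ipv4-address", "ipv4-network-mask", "ipv4-mask-length",
    "ipv6-address", "ipv6-network-mask", "ipv6-mask-length",
    "topology", "topology-settings", "anti-spoofing", "anti-spoofing-settings",
    "security-zone", "security-zone-settings", "color", "comments",
)

# Constructed sample shaped like a show-simple-gateway reply (not a real gateway).
SAMPLE_SHOW_RESPONSE = {
    "name": "gw-102690",
    "interfaces": [
        {"uid": "i1", "name": "eth0", "ipv4-address": "203.0.113.10",
         "ipv4-network-mask": "255.255.255.0", "ipv4-mask-length": 24,
         "topology": "external", "anti-spoofing": True,
         "anti-spoofing-settings": {"action": "prevent"}},
        {"uid": "i2", "name": "vpnt1", "ipv4-address": "192.168.85.3",
         "ipv4-network-mask": "255.255.255.255", "ipv4-mask-length": 32,
         "topology": "internal", "topology-settings": {
             "ip-address-behind-this-interface": "not defined",
             "interface-leads-to-dmz": False}},
        {"uid": "i3", "name": "vpnt2", "ipv4-address": "192.168.85.4",
         "ipv4-network-mask": "255.255.255.255", "ipv4-mask-length": 32,
         "topology": "internal", "topology-settings": {
             "ip-address-behind-this-interface": "not defined",
             "interface-leads-to-dmz": False}},
    ],
}


def build_set_payload(show_response, changes):
    """Return a set-simple-gateway body carrying every interface, with `changes`
    ({interface-name: {field: value}}) applied to the named ones only."""
    original = show_response["interfaces"]
    names = [i["name"] for i in original]
    missing = set(changes) - set(names)
    if missing:
        raise KeyError(f"interfaces not on gateway: {sorted(missing)}")
    rebuilt = []
    for iface in original:
        new = {k: copy.deepcopy(v) for k, v in iface.items() if k in INTERFACE_INPUT_KEYS}
        if iface["name"] in changes:
            new.update(copy.deepcopy(changes[iface["name"]]))
            # ASSUMPTION: an external interface has no "network behind this
            # interface", so drop a stale setting the caller did not replace.
            if new.get("topology") == "external" and "topology-settings" not in changes[iface["name"]]:
                new.pop("topology-settings", None)
        rebuilt.append(new)
    if [i["name"] for i in rebuilt] != names:  # the thread's failure mode: lost interfaces
        raise RuntimeError("interface list changed while rebuilding")
    return {"name": show_response["name"], "interfaces": rebuilt}


def untouched_interfaces(show_response, payload, changed_names):
    """True when every interface not in `changed_names` round-trips unchanged."""
    before = {i["name"]: {k: v for k, v in i.items() if k in INTERFACE_INPUT_KEYS}
              for i in show_response["interfaces"]}
    after = {i["name"]: i for i in payload["interfaces"]}
    return all(before[n] == after[n] for n in before if n not in changed_names)


def api_call(server, sid, command, body):
    """POST to https://<server>/web_api/<command> with the session header."""
    req = urllib.request.Request(
        f"https://{server}/web_api/{command}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Two readings of "Leads To: All_Internet": Internet (External), or an internal
    # interface with a specific network object behind it (ASSUMPTION on the mapping).
    changes = {
        "vpnt1": {"topology": "external"},
        "vpnt2": {"topology": "internal", "topology-settings": {
            "ip-address-behind-this-interface": "specific",
            "specific-network": "All_Internet", "interface-leads-to-dmz": False}},
    }
    server, sid = os.environ.get("MGMT_SERVER"), os.environ.get("MGMT_SID")
    shown = (api_call(server, sid, "show-simple-gateway", {"name": "gw-102690"})
             if server and sid else SAMPLE_SHOW_RESPONSE)
    payload = build_set_payload(shown, changes)
    if not untouched_interfaces(shown, payload, set(changes)):
        raise SystemExit("refusing: a non-target interface would change")
    if server and sid:
        api_call(server, sid, "set-simple-gateway", payload)
        api_call(server, sid, "publish", {})
    else:
        print(json.dumps(payload, indent=1))  # offline dry run
```

Run without the environment variables to see the exact body that would be sent; the same body can be handed to `mgmt_cli set simple-gateway` with a JSON file instead of the HTTP call. The two checks (interface names preserved, untouched interfaces byte-for-byte equal) exist because set-simple-gateway replaces the list rather than merging it, so a truncated or stale show reply would otherwise become a silent interface wipe; a policy install is still required after publish for the gateway to pick up the new topology.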
I tried doing the same many times and it never worked, so I just assumed logically it's not possible without deleting it and then re-creating it again. I even had a TAC case about it for weeks and no one could find the solution.
Thank you. From what we can see, this is preventing vendor integration via CLI/API.
Amazon and other vendors simply cannot do this via CLI for route mode VPN.
We have a UI integration guide for routed mode x2 tunnels and monitored policy-based routing for redundant failover.
However, we really want to translate this to CLI, where setting the topology on an existing VTI interface is very invasive to the existing customer interfaces.
Happy to connect with anyone at Check Point to share our integration guides and partner up on the documentation we have.
Thanks! Yes, this is what I was asking: how could we, say, build a numbered VTI interface, define the peer name and peer IDs, while setting the topology "leads to"?
"add vpn tunnel" doesn't support setting the topology. Is there another command to do this other than "set simple-gateway"?
Topology is a function of the firewall, which requires changing the relevant gateway object.
The only way to do that via the API/CLI is using set-simple-gateway.
Understood, so this just loops back to the original problem, where using this command deletes all other network interfaces under the gateway?
Wait a moment, I just realized something when I looked more carefully at your post. I checked in one customer's config, and in their dashboard I can click and change the topology on the VTI without any issues. Is it possible (not saying 100%) that someone might have a lock in the dashboard on that object? Usually when you see a message like "object is viewed in read-only mode", it's certainly a possibility.
If you navigate to Manage & Settings -> Sessions -> View Sessions, make sure there are no locks present there, but if there are, right-click and take over or discard.
Andy
Hey, it's more via CLI than UI, so I was exploring that possibility. It seems the command is set simple-gateway, which impacts all other existing interfaces if you need to alter an interface property.
No, I get it, I understood that part, but why do it that way if you can change it via the dashboard without impacting anything else?
Because of integration and automation for many customers.
K, fair enough. With that part, I will let @PhoneBoy guide you, since he is the CP king... I honestly don't use the API much, so I won't even pretend : )
I appreciate your help anyway. As it's working as expected, we'll have to work around that and use what we have. Thanks again.