This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rickard_K
Participant
‎2018-10-24 12:26 AM

VPN details using API

Hi!

I'm trying to export as much info as possible about the VPNs configured in our Check Point environment. Using the command show-vpn-communities-meshed I get most of the info needed but I'm missing the following attributes

  • Phase 1 Lifetime
  • Phase 2 Lifetime
  • PFS enabled?
  • Phase 2 DH Group
  • Remote encryption domain 

I'm able to get the local encryption domain by querying the specific GW if the type is 'CpmiVsClusterNetobj' however if it's a simple gateway I'm not getting any VPN Encryption Domain in the response. 

Any idea of how I can get the missing attributes using the API?

Labels
5 Replies
Kim_Moberg
Advisor
‎2018-10-24 12:57 AM

Hello Richard

I have asked similar question on how to set values vpn communities maybe that would help?

https://community.checkpoint.com/thread/7701-missing-api-possibility-to-set-vpn-community-star-objec...

That API doesnt provide that infor so you will need yo get the information via generic object.

BR

Kim


Best Regards
Kim
Kim_Moberg
Advisor
‎2018-10-24 08:27 AM

Hi Richard,

I have created a small script for you, so you can try it out, and then modify it for your purpose.

#/bin/bash

#########################################################################
# script created by Kim Moberg, Erowind Energy A/S - October 24th 2018
#
# Use script for extract generic information on VPN communities..
# typically this is done by single lines commands, but as an illustration
# I have create the script how to.
# One have to enter credentials to Check Point API, and then enter a
# known VPN community name to extra the information.
# Please feel free to modify script.
########################################################################

clear

########################################################################
# Login to the API server, and save session to file id.txt
# Remeber when running the script setting the username and password
# without saving the password in the script file.
#

#######################################################################

# ask for credentials from user
echo "Please enter your username and password"
read -p "Enter username and press [ENTER]: " USER
read -s -p "Enter password and press [ENTER]: " PASS
echo

mgmt_cli login user ${USER} password ${PASS} > id.txt

# in case of an error: print to screen the error message and abort
if [ $? -ne 0 ]; then
echo "Login command failed."
cat id.txt
exit 1
fi

######################################################################
# Ask for user to enter a vpn community name
#
######################################################################
echo
echo "Please enter a VPN community name you want to show generic object from"
read -p "Enter VPN community name eg. WP-name [ENTER] : " VPNname

echo

echo "You entered the following VPN community name"
echo $VPNname
echo
echo

vpnuid=$(mgmt_cli -s id.txt show-generic-objects name $VPNname -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("vpn-community-star")) | .uid')

echo "VPN community uid found for the entered VPN community is: $vpnuid"
echo

echo

echo "These are all the properties of the selected VPN community."
echo "you can read out all these properties for some kind of backup"
echo "one needs to write a script to read and set these information afterwards in another script or so."


mgmt_cli -s id.txt show generic-object uid $vpnuid

###########################################
# END OF FILE
###########################################

I will try to upload the script file. I think if you just paste it it might fail because of windows vs linux presenation of the code in the text above.

Result of the above script will look like this:

Please enter your username and password
Enter username and press [ENTER]: admin
Enter password and press [ENTER]:

Please enter a VPN community name you want to show generic object from
Enter VPN community name eg. WP-name [ENTER] : WP-Gettrup

You entered the following VPN community name
WP-Gettrup


VPN community uid found for the entered VPN community is: ef980fd9-8b9d-478d-8059-c7dd91154672


These are all the properties of the selected VPN community.
you can read out all these properties for some kind of backup
one needs to write a script to read and set these information afterwards in another script or so.
objectValidationState: null
color: "BLACK"
automaticRimSatellites: false
customerScriptSatellites: false
supportWireMode: false
customerScriptCenter: false
routeRetPackets: false
enableMep: false
participantsDomains: []
type: "intranet_community"
id: 16
satelliteGateways:
- "b3e7fa6d-f97d-4e44-ac16-da0295e7c86a"
disableNat: true
mepMechanism: "SRC"
allowAllEncryptedTraffic: false
topology: "STAR"
extGatewaysSharedSecret:
- objId: "3ec83db0-f51d-478a-8030-da2d5fe88172"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
externalGateway: "b3e7fa6d-f97d-4e44-ac16-da0295e7c86a"
sharedSecret: ""
folderPath: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
text: null
folder: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
is_owned: false
ownedName: ""
participantGateways:
- "d147b287-cad8-4bbe-8abf-44090fe951f3"
disableNatOn: "BOTH"
permanentTunnelsDef: "NONE"
routeInjectionTrack: "LOG"
routeThroughCenter: "NONE"
selMechanism: "FIRST"
backupStickiness: false
meshedInCenter: false
permanentTunnelParticipantList: []
cryptography:
objId: "21e226f1-0543-4db8-b8ad-0d78f3f4a8ac"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
cryptographyTypeSupport: "IKE_V2_ONLY"
cryptographyProfile: "CUSTOM_PROFILE"
folderPath: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
text: null
folder: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
is_owned: false
ownedName: ""
automaticRim: true
tunnelGranularity: "PER_SUBNET"
defaultMepRule:
objId: "b55da75b-cbdf-4090-81d8-28fff3d277fd"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
icon: "Unknown"
source: []
color: "BLACK"
name: ""
priority3: []
priority2: []
priority1: []
displayName: ""
comments: ""
folderPath: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
text: null
folder: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
is_owned: false
ownedName: ""
tags: []
customFields: []
metaInfo: null
features: []
systemTags: []
vpnMepResolverNotification: "LOG"
addRoutedDomain: null
permanentTunnelList: []
allowAllEncryptedTrafficOn: "BOTH"
supportWireModeRouting: false
permanentTunnelUpTrack: "LOG"
permanentTunnelParticipants: "ALL_MEMBERS"
ikeP2:
objId: "07bb6dbd-005f-4cc1-865b-6ef443e485fd"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
ikeP2UseSubnets: true
ikeP2UseRekeyKbytes: false
ikeP2RekeyTime: 28800
ikeP2UsePfs: false
ikeP2EncAlg: "AES_MINUS_256"
ikeP2RekeyKbytes: 50000
ikeP2HashAlg: "SHA1"
ikeP2Ipcomp: "NONE"
ikeP2PfsDhGrp: "97aeb629-9aea-11d5-bd16-0090272ccb30"
folderPath: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
text: null
folder: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
is_owned: false
ownedName: ""
ikeP1:
objId: "17d527c7-caa2-4d12-91e3-eee716b8ce7f"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
ikeP1EncAlg: "AES_MINUS_256"
ikeP1UseAggressive: false
ikeP1UseSharedSecret: true
ikeP1UseSharedSecretForDaip: false
ikeP1UseAggressiveForDaip: false
ikeP1RekeyTime: 60
ikeP1DhGrp: "97aeb62e-9aea-11d5-bd16-0090272ccb30"
ikeP1HashAlg: "SHA1"
folderPath: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
text: null
folder: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
is_owned: false
ownedName: ""
manualMepRules: []
excludeSrv:
- "97aeb475-9aea-11d5-bd16-0090272ccb30"
- "07ec4cae-7c50-4b2e-81ed-d75643ab5694"
permanentTunnelDownTrack: "LOG"
uid: "ef980fd9-8b9d-478d-8059-c7dd91154672"
folder:
uid: "6dc0cdb9-08cd-47ae-bdff-11d9229a9c3e"
name: "Global Objects"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
meta-info:
metaOwned: false
lockStateResponse: null
validationState: "OK"
deletable: true
renameable: true
newObject: false
lastModifytime: 1527840038038
lastModifier: "admin"
creationTime: 1527840022948
creator: "admin"
tags: []
name: "WP-Gettrup"
icon: "VPNCommunities/Star"
comments: "Auto generated Site2site VPN community between HQ and a Windpark ZXY "
display-name: "WP-Gettrup"
customFields: []
_original_type: "StarCommunity"

Best Regards
Kim
Kim_Moberg
Advisor
‎2018-10-24 08:41 AM
In response to Kim_Moberg

on your show generic-object information on your VPN community, you will find the UID for your remote vpn network. this is names as SatelliteGateways:

In the above example: 

satelliteGateways:
- "b3e7fa6d-f97d-4e44-ac16-da0295e7c86a"

You can now run the same query again the API using this uid

mgmt_cli -r true show generic-object uid b3e7fa6d-f97d-4e44-ac16-da0295e7c86a

now look for manualEncdomain:


manualEncdomain: "e1ac3862-885d-4b91-982a-2bd51d0286a9"

So now we need to run the query again the manualEncdomain:

mgmt_cli -r true show generic-object uid e1ac3862-885d-4b91-982a-2bd51d0286a9

now look for the following information:

This is your remote encryption domain information

ipaddr: "192.0.2.0"

netmask: "255.255.255.0"

So to reverse the the steps

Check out how I solved to setup of a remote interoperative device via the API combined with Generic-object and GPEDIT as well as the API.

https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api 

All the best

Kim

Best Regards
Kim
0 Kudos
Rickard_K
Participant
‎2018-10-25 12:05 AM
In response to Kim_Moberg

Thank you very much Kim!

My initial plan was to use the Rest API. But I understand that the mgmt_cli tool works on Linux and it also looks like it's possible to get structured data back in JSON so that's perfect!

0 Kudos
John_Tammaro1
Contributor
Contributor
‎2018-10-26 12:06 AM

You can also get some of this information from the standard Check Point SNMP MIB :

But not everything ... and if you want to use the API to create VPN's then obviosly this is no good in that regard.

Thanks

John Tammaro

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events