Hello again
Here is the output of show generic-object for a working interoperable device created through the GUI:
objectValidationState: null
color: "BLACK"
manualEncdomain: "d87e9442-eefa-4ba6-8472-2dcba5806642"
vpnAllowRelay: false
ipPoolOverrideHide: true
macAddress: ""
type: "gateway"
excludeExternalInterfacesFromEncDomain: false
thirdPartyEncryption: true
gtpRateLimit: 2048
enforceGtpRateLimit: false
dnsResolverInterval: 600
interfaces: []
backupGw: false
additionalProducts: null
snmp: null
enableMulticastAcceleration: false
ipPoolSecuremoteAllocationName: null
dag: false
ipPoolSecuremote: false
encdomain: "MANUAL"
addrTypeIndication: "IPV4"
autoTopologyCustomRecalculationTime: 10
osInfo:
objId: "b4a4923a-b997-445e-a4bd-068af7403c4b"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
osBuildNum: 0
osspminor: 0
osType: 0
osVersionLevel: ""
osVerMajor: 0
osName: "Gaia"
osspmajor: 0
osVerMinor: 0
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
dataSource: "NOT_MINUS_INSTALLED"
natSummaryText: ""
ipPoolAllocPerDestination: false
backupGateway: null
rangeEncdomain: null
supportIpPoolNat: false
cpProductsInstalled: false
edges: []
securityBladesTopologyMode: "TOPOLOGY_TABLE"
performEncryption: true
ipPoolGw2gw: false
certificates: []
ipPoolPerInterface: false
ipPoolExhaustRetInterval: 30
vpnRelayIfName: ""
connectra: false
supportIkeV2: true
firewall: "NOT_MINUS_INSTALLED"
connectraSettings: null
autoTopologyUseCustomRecalculationTime: false
ipaddr: "10.10.10.2"
ipPoolUnusedReturnInterval: 60
vpn:
objId: "00ace2ae-d15a-4615-b2d7-64b6850292ea"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
singleVpnIp: ""
interfaceResolvingHaPrimaryIf: ""
clientlessVpnAskUserForCertificate: "NONE"
offerNattResponder: true
enableInternetRouting: false
forceNatT: false
vpnClientsSettingsForGateway:
objId: "01fa7fc8-960d-4378-a238-a01e1650d4a6"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
usb1VpnClientSettings: null
endpointVpnClientSettings:
objId: "d5ea091b-4fb8-4a7e-afd1-3a65466570ca"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
endpointVpnEnable: true
endpointVpnConnectivityMethod: "IPSEC"
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
type: "vpn_clients_settings_for_gateway"
enableBasicVpnSecuremote: true
enableVpnWithEndpointSecurity: true
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
fwWireLogOnlySyn: true
singleVpnIpRa: ""
thirdPartyEncryption: true
availableVpnIpListGw: []
isakmpUdpencapsulation:
objId: "f787c070-d69e-4ebf-a143-ee49cea5860f"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
resource: "97aeb390-9aea-11d5-bd16-0090272ccb30"
active: true
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
isakmpEmail: ""
isakmpIpcompSupport: false
accept3desForClientlessVpn: true
fwz: null
tunnelKeepaliveMethod: "TUNNEL_TEST"
dnsIpResolution: ""
useService: "97aeb443-9aea-11d5-bd16-0090272ccb30"
availableVpnIpList: []
isakmpDn: ""
isakmpDoDnsResolve: false
useCert: ""
multipleIspVpn: false
ipResolutionMechanismGw: "MAINIPVPN"
disableNoSaLogsForUser: true
replyFromSameIp: true
vpnTunnelMtu: 0
linkSelectionMode: "HIGHAVAILABILITY"
outgoingSourceIp: "AUTOMATIC"
ipsecCopyTosToInner: false
isakmpAllowedCert: []
interfaceResolvingHaPrimaryIfGw: ""
ipResolutionMechanism: "MAINIPVPN"
ikeSendFrags: false
applyResolvingMechanismToSr: true
isakmpSubnetSupport: true
isakmpAuthmethods: []
enableRouting: true
vpnCompLevel: 2
useClientlessVpn: false
dnsIpResolutionGw: ""
replyToSameIp: true
vpnLinkResolverNotification: "NONE"
supportWireMode: false
ike:
objId: "95903133-3add-438c-92f8-1e844ff8f09c"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
isakmpPhase1RekeyingTime: 1440
isakmpHashmethods: []
isakmpCrlreq: false
isakmpPhase1DhGroups:
- "97aeb629-9aea-11d5-bd16-0090272ccb30"
isakmpkeymanager: null
ikeEmptyUdpSocket: false
isakmpPhase2RekeyingKbytes: 50000
isakmpsharedkey: []
isakmpPhase2RekeyingTime: 3600
isakmpPhase2UseRekeyingKbytes: false
isakmpEncmethods: []
isakmpAggressiveSupport: false
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: "test2"
clientlessProcNum: 1
useInterfaceIp: true
tcpt:
objId: "b4a4923a-b997-445e-a4bd-068af7403c4b"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
resource: "97aeb443-9aea-11d5-bd16-0090272ccb30"
cpmiInterface: "All IPs"
active: false
vpndInternalBindPort: 444
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
isakmpDnsName: ""
ipsecReplayCounterWindowSize: 64
sslNe:
objId: "a0201a4b-3e2f-49c5-b67a-e7251cdbe026"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
sslEnable: false
internalListeningPort: "b8f7c593-f9ee-4c55-b48a-6ce3be6760ac"
neoEnable: false
gwCertificate: "defaultCert"
endPointNameResolution:
objId: "f787c070-d69e-4ebf-a143-ee49cea5860f"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
downloadNameResolutionSettingsToEndPoint: false
useSameSettingsAsGw: true
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
clientType: "AUTODETECT"
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
name: ""
ipsecDontFragment: true
rerouteEncryptedPackets: true
outgoingSingleIp: ""
ikeFetchCrlFailOpen: false
ipsecCopyTosToOuter: true
icon: "Unknown"
takeTunnelGranularityFromComm: true
fwWireLog: false
isakmpMatchpeer: []
useInterfaceIpGw: true
ipsecFragmentInner: false
isakmpAllowedCa: null
dpdAllowedToInitIke: true
isakmpUniversalProtocol: "WILDCARD_IDS"
ikeSupportNatT: true
color: "BLACK"
natdSendAllIfcs: false
displayName: ""
ikev2AcceptAllTs: false
respondFromSameIfc: false
offerNattInitator: false
comments: ""
sendSingleNatdSource: true
isakmpUniversalSupport: true
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: "test2"
features: []
systemTags: []
tags: []
customFields: []
metaInfo: null
dataSourceSettings: null
nat: null
ipaddr6: ""
addAdtrRule: false
floodgate: "NOT_MINUS_INSTALLED"
uid: "16fdac28-af5c-4581-94a2-ee3030968bcb"
folder:
uid: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
name: "Global Objects"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
meta-info:
metaOwned: false
lockStateResponse: null
validationState: "OK"
deletable: true
renameable: true
newObject: false
lastModifytime: 1549127325577
lastModifier: "mnemeth"
creationTime: 1549127325577
creator: "mnemeth"
tags: []
name: "test2"
icon: "NetworkObjects/gateway"
comments: ""
display-name: ""
customFields: []
_original_type: "CpmiGatewayPlain"
And here is the exact same device created by the script above, which is not working correctly... I only changed 'isakmpIpcompSupport': True to False, because the GUI object had this property set to False...
objectValidationState: null
color: "BLACK"
manualEncdomain: "d87e9442-eefa-4ba6-8472-2dcba5806642"
vpnAllowRelay: false
ipPoolOverrideHide: true
macAddress: ""
type: "gateway"
excludeExternalInterfacesFromEncDomain: false
thirdPartyEncryption: true
gtpRateLimit: 2048
enforceGtpRateLimit: false
dnsResolverInterval: 600
interfaces: []
backupGw: false
additionalProducts: null
snmp:
objId: "471f5a48-9650-423a-982b-63440b53d9b0"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
sysContact: ""
sysDescr: ""
readCommunity: ""
sysLocation: ""
sysName: ""
writeCommunity: ""
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: "test2"
enableMulticastAcceleration: false
ipPoolSecuremoteAllocationName: null
dag: false
ipPoolSecuremote: false
encdomain: "MANUAL"
addrTypeIndication: "IPV4"
autoTopologyCustomRecalculationTime: 10
osInfo:
objId: "431b7a78-ae8b-4e69-9b9c-0d89840f53e2"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
osBuildNum: 0
osspminor: 0
osType: 0
osVersionLevel: ""
osVerMajor: 0
osName: "Gaia"
osspmajor: 0
osVerMinor: 0
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
dataSource: "NOT_MINUS_INSTALLED"
natSummaryText: ""
ipPoolAllocPerDestination: false
backupGateway: null
rangeEncdomain: null
supportIpPoolNat: false
cpProductsInstalled: false
edges: []
securityBladesTopologyMode: "TOPOLOGY_TABLE"
performEncryption: true
ipPoolGw2gw: false
certificates: []
ipPoolPerInterface: false
ipPoolExhaustRetInterval: 30
vpnRelayIfName: ""
connectra: false
supportIkeV2: true
firewall: "NOT_MINUS_INSTALLED"
connectraSettings: null
autoTopologyUseCustomRecalculationTime: false
ipaddr: "10.10.10.2"
ipPoolUnusedReturnInterval: 60
vpn:
objId: "06e8963e-cce6-44f5-926f-15f482109854"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
singleVpnIp: ""
interfaceResolvingHaPrimaryIf: ""
clientlessVpnAskUserForCertificate: "NONE"
offerNattResponder: true
enableInternetRouting: false
forceNatT: false
vpnClientsSettingsForGateway:
objId: "48c0e8f1-a320-45a2-8043-3b3ac22deeae"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
usb1VpnClientSettings: null
endpointVpnClientSettings:
objId: "6d30bba1-3bd4-41a6-a6ae-5d777ac929ae"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
endpointVpnEnable: true
endpointVpnConnectivityMethod: "IPSEC"
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
type: "vpn_clients_settings_for_gateway"
enableBasicVpnSecuremote: true
enableVpnWithEndpointSecurity: true
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
fwWireLogOnlySyn: true
singleVpnIpRa: ""
thirdPartyEncryption: true
availableVpnIpListGw: []
isakmpUdpencapsulation:
objId: "471f5a48-9650-423a-982b-63440b53d9b0"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
resource: "97aeb390-9aea-11d5-bd16-0090272ccb30"
active: true
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
isakmpEmail: ""
isakmpIpcompSupport: false
accept3desForClientlessVpn: true
fwz: null
tunnelKeepaliveMethod: "TUNNEL_TEST"
dnsIpResolution: ""
useService: "97aeb443-9aea-11d5-bd16-0090272ccb30"
availableVpnIpList: []
isakmpDn: ""
isakmpDoDnsResolve: false
useCert: ""
multipleIspVpn: false
ipResolutionMechanismGw: "MAINIPVPN"
disableNoSaLogsForUser: true
replyFromSameIp: true
vpnTunnelMtu: 0
linkSelectionMode: "HIGHAVAILABILITY"
outgoingSourceIp: "AUTOMATIC"
ipsecCopyTosToInner: false
isakmpAllowedCert: []
interfaceResolvingHaPrimaryIfGw: ""
ipResolutionMechanism: "MAINIPVPN"
ikeSendFrags: false
applyResolvingMechanismToSr: true
isakmpSubnetSupport: true
isakmpAuthmethods: []
enableRouting: true
vpnCompLevel: 2
useClientlessVpn: false
dnsIpResolutionGw: ""
replyToSameIp: true
vpnLinkResolverNotification: "NONE"
supportWireMode: false
ike:
objId: "d48f659f-8efd-49dd-9339-48ba59de2ad0"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
isakmpPhase1RekeyingTime: 1440
isakmpHashmethods: []
isakmpCrlreq: false
isakmpPhase1DhGroups:
- "97aeb629-9aea-11d5-bd16-0090272ccb30"
isakmpkeymanager: null
ikeEmptyUdpSocket: false
isakmpPhase2RekeyingKbytes: 50000
isakmpsharedkey: []
isakmpPhase2RekeyingTime: 3600
isakmpPhase2UseRekeyingKbytes: false
isakmpEncmethods: []
isakmpAggressiveSupport: false
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: "test2"
clientlessProcNum: 1
useInterfaceIp: true
tcpt:
objId: "431b7a78-ae8b-4e69-9b9c-0d89840f53e2"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
resource: "97aeb443-9aea-11d5-bd16-0090272ccb30"
cpmiInterface: "All IPs"
active: false
vpndInternalBindPort: 444
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
isakmpDnsName: ""
ipsecReplayCounterWindowSize: 64
sslNe:
objId: "c1293112-01c6-4448-82c7-1be64593dad3"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
sslEnable: false
internalListeningPort: "b8f7c593-f9ee-4c55-b48a-6ce3be6760ac"
neoEnable: false
gwCertificate: "defaultCert"
endPointNameResolution:
objId: "471f5a48-9650-423a-982b-63440b53d9b0"
checkPointObjId: null
domainId: "41e821a0-3720-11e3-aa6e-0800200c9fde"
downloadNameResolutionSettingsToEndPoint: false
useSameSettingsAsGw: true
folderPath: null
text: null
folder: null
is_owned: false
ownedName: ""
clientType: "AUTODETECT"
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: ""
name: ""
ipsecDontFragment: true
rerouteEncryptedPackets: true
outgoingSingleIp: ""
ikeFetchCrlFailOpen: false
ipsecCopyTosToOuter: true
icon: "Unknown"
takeTunnelGranularityFromComm: true
fwWireLog: false
isakmpMatchpeer: []
useInterfaceIpGw: true
ipsecFragmentInner: false
isakmpAllowedCa: null
dpdAllowedToInitIke: true
isakmpUniversalProtocol: "WILDCARD_IDS"
ikeSupportNatT: true
color: "BLACK"
natdSendAllIfcs: false
displayName: ""
ikev2AcceptAllTs: false
respondFromSameIfc: false
offerNattInitator: false
comments: ""
sendSingleNatdSource: true
isakmpUniversalSupport: true
folderPath: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
text: null
folder: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
is_owned: false
ownedName: "test2"
features: []
systemTags: []
tags: []
customFields: []
metaInfo: null
dataSourceSettings: null
nat: null
ipaddr6: ""
addAdtrRule: false
floodgate: "NOT_MINUS_INSTALLED"
uid: "054e4752-3c98-4a59-bf7e-6e7ff99fcab5"
folder:
uid: "e5c2231d-1dc3-408c-8cb9-588b275c2d8c"
name: "Global Objects"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
meta-info:
metaOwned: false
lockStateResponse: null
validationState: "OK"
deletable: true
renameable: true
newObject: false
lastModifytime: 1549127013761
lastModifier: "mnemeth-API"
creationTime: 1549127013761
creator: "mnemeth-API"
tags: []
name: "test2"
icon: "NetworkObjects/gateway"
comments: ""
display-name: ""
customFields: []
_original_type: "CpmiGatewayPlain"
If you load both objects into an editor and compare them, you will find that the objects ARE ALMOST THE SAME! The differences are, as expected, the UIDs of the components, the creation time and the admin username (I use the -API suffix for scripts); in addition, the correct object has no snmp section, while the script-created object does. So... what can be wrong with the second object? Or, put another way, what should I change in the script to make it correct?
Another strange thing: when I run this command from the command line in SmartConsole, the same object comes out almost correct. But only almost... At first it will NOT be visible from the VPN Community, but if you assign a VPN Community to the object it will be OK, and if you then remove it again, the object will from then on be visible from the VPN Community too.
And if I create the same object through dbedit with something like this (a jinja2 template):
{#
  dbedit command sequence, rendered with Jinja2, that creates a plain gateway
  object (the interoperable device discussed in this post) and sets its VPN
  properties. Template variables: peerName, color, peerIP, cryptoDomainGrp.

  NOTE(review): the variables are substituted verbatim into dbedit commands.
  Jinja2 applies no escaping for this syntax, so a value containing whitespace
  or a line break would change the commands that reach the management
  database. Validate each value (object-name pattern, IP address, known
  colour, existing group name) before rendering.

  Every comment here ends with Jinja2's trailing whitespace-control marker so
  the rendered command file gains no blank lines (assumes default Jinja2
  delimiters; confirm against the rendering code).
-#}
create gateway_plain {{ peerName }}
modify network_objects {{ peerName }} DAG false
modify network_objects {{ peerName }} color {{ color }}
{# Presumably instantiates the VPN sub-object and, below, its IKE sub-object; confirm against dbedit documentation. -#}
modify network_objects {{ peerName }} VPN VPN
modify network_objects {{ peerName }} VPN:third_party_encryption true
modify network_objects {{ peerName }} VPN:IKE IKE
{# Sets SNMP to NULL: the GUI-created dump in this post shows "snmp: null", while the API-created one carries an snmp sub-object. -#}
modify network_objects {{ peerName }} SNMP NULL
modify network_objects {{ peerName }} type gateway
modify network_objects {{ peerName }} add_adtr_rule false
modify network_objects {{ peerName }} ipaddr {{ peerIP }}
{# Manual encryption domain, pointing at the network-object group named by cryptoDomainGrp. -#}
modify network_objects {{ peerName }} encdomain manual
modify network_objects {{ peerName }} manual_encdomain network_objects:{{ cryptoDomainGrp }}
{# Presumably writes the pending modifications to the database; confirm against dbedit documentation. -#}
update_all
It will work without any issue...
So it seems that four different methods of creating the same interoperable device (GUI, command-line API, Web API and dbedit) give different results... Strange, isn't it?
Michael Nemeth