Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Pearl

One-liner to show VPN topology on gateways

ℹ️ Also available as SmartConsole Extension.

In expert mode run:

if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo; tput bold; tput setab 1; echo ' Not a firewall gateway! '; tput sgr0; echo; else if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then echo; tput bold; tput setab 1; echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo; fi; fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d %d.%d.%d.%d %d.%d.%d.%d\n" | awk '{print $3"."$1" - "$2}' | sort -t . -k  1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n | sed 's/^/x/' | sed 's/\./\n\t/4' | awk '!x[$0]++' | sed '/x/s/$/\n\tEncryption domain/' | sed 's/x/\nVPN Gateway > /' | if [[ $(cat /etc/cp-release) != *"Embedded"* ]]; then egrep -C 9999 --color=auto $'VPN Gateway|Encryption domain'; else cat $1 | sed 's/^\t//'; fi; echo; fi; if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then tput bold; tput setab 1; echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo; echo; fi

The One-liner is working on all gateways running on Check Point GAiA, Embedded GAiA (SMB appliances) and also integrated with our ccc script.

Thanks to Tim Hall's preliminary work in this thread and reference in his book 📕Max Power 2020.
Thanks to AlexeyB's preliminary work in this thread.
Thanks to Pawel's SMB support and testing in this thread.

-- More One-liners --

One-liner for Address Spoofing Troubleshooting
One-liner for Remote Access VPN Statistics
One-liner to show Geo Policy on gateways
FW Monitor SuperTool

5 Replies
Highlighted

Nice

0 Kudos
Highlighted

Nice:-)

Tags (1)
0 Kudos
Highlighted

Very nice, only improvement would be to show the peer's name next to the IP (when there are a lot of peers, it simplifies things).

Thanks for generating this type of one liners.

Paul G.,

CCSM

0 Kudos
Highlighted
Pearl

Hi Paul,

the only place I found on gateways to match a VPN peer's IP address to the object name as configured in SmartConsole is $FWDIR/state/local/FW1/local.objects . Unluckily I haven't found a way yet to extract the object name of an IP as the file structure isn't documented.

0 Kudos
Highlighted

Hi Danny, thanks for the reply.

What I'm looking for is basically the same info that shows up in vpn tu when you select option 1.

It shows "Peer 10.10.10.1, peerfwname SAS:

  IKE SA <......>

Don't need the IKE SA, but based on the knowledge that is shown there, it seems like it's ex-tractable somehow.

 

Thank you,

PG