command to check particular segment is already par...

Giridhar_Sasidh · ‎2017-08-29

Hi Experts,

In checkpoint is there any command available to check whether a particular segment is being used in any existing vpn encryption domain so that the new segment can be used for a new vpn domain.

Command " vpn overlap_encdom communities –s " is used for checking existing overlapping

Thanks,

Giridhar

Timothy_Hall · ‎2017-08-29

Sort of, you can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is "interesting" to a VPN tunnel or not and the subsequent VPN peer selection. Once you have this data dumped you can use grep to find what you are looking for; note that the externally routable IP address of our firewall and the external routable IP addresses of all known VPN peers are included in the output as well which can be a bit confusing. In this example our firewall's "routable" address is 172.31.128.251 and a VPN peer's routable address is 6.7.8.9.

This is something I whipped up awhile back for a client:

# fw tab -t vpn_routing -u -f | awk '{ print $18 " " $19 " " $20 " " $21 " " $22 " " $23 }' | awk NF | sort -n
Using cptfmt
Formatting table's data - this might take a while...

: (+)====================================(+); Table_Name: vpn_routing; : (+);
From: 172.16.10.0; To: 172.16.10.255; Peer: 6.7.8.9;
From: 172.31.128.251; To: 172.31.128.251; Peer: 192.0.2.181;
From: 192.0.2.0; To: 192.0.2.255; Peer: 192.0.2.181;
From: 6.7.8.9; To: 6.7.8.9; Peer: 6.7.8.9;

I don't think it would be too tough to come up some kind of script based on this that could prompt for the source and dest IP and then tell you which VPN peers match (if any).

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Tomer_Sole · ‎2017-08-29

You mean you would like to check for a given IP or IP range which gateways have them in their VPN encryption domains, so that you will not add the same segment in more than one Gateway's encryption domain? Is that what you're looking for?

Timothy_Hall · ‎2017-08-29

Something like this for example:

vpn check_traffic [ src IP ] dst IP

"dst IP" is mandatory and will resolve to the VPN peer object name possessing that destination IP address in its VPN domain and also report the matched VPN Community in simplified mode. Hopefully only one VPN peer/Community is reported and if more than one matches a warning should be thrown, although that function is already served to some degree by vpn overlap_encdom.

It would also be nice if optionally "src IP" could be passed as well, and the command would ensure that the src IP provided actually falls within the local gateway's VPN domain as well. Basically a test to see if a src ip and dst ip combo would be considered "interesting" (to borrow a Cisco term) and to which VPN peer and Community it matches.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Kishorilal_CJ · ‎2018-08-22

Hello

Even i was looking for this command to find out if given IP / network is already existed in vpn encryption domain, but I could not execute this commend either in CLish/expert mode

Kindly confirm if I am missing something here, currently using R77.30

XXXVSX11:1> vpn check_traffic X.X.X.X
Unknown command "check_traffic"

Thanks in advance

Timothy_Hall · ‎2018-08-23

The check_traffic option to the vpn command does not actually exist, it was a hypothetical exercise to show what could potentially be useful in a future release.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Kishorilal_CJ · ‎2018-08-23

Hello

Thanks for quicker response!!!

Giridhar_Sasidh · ‎2017-08-29

Yes..Exactly Tomer..

Kishorilal_CJ · ‎2018-08-23

Hello

I got reply with no update missing something here

fw tab -t vpn_routing -u -f | awk '{ print $18 " " $19 " " $20 " " $21 " " $22 " " $23 }' | awk NF | sort -n
Using cptfmt
Formatting table's data - this might take a while...

Timothy_Hall · ‎2018-08-23

Does running just this produce any output:

fw tab -t vpn_routing -u -f

My guess is no. Are any VPN tunnels actually up when you are running this command?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Giridhar_Sasidh · ‎2017-08-29

Thanks Tim...This is very useful...

Tomer_Sole · ‎2017-08-29

Thank you for this feedback, we will consider it.

HeikoAnkenbrand · ‎2018-08-23

You can use this oneliner to show VPN routes:

Show VPN Routing on CLI

Regards

Heiko

Kishorilal_CJ · ‎2018-08-27

Hello

found something which helps for my requirement

fw tab -t vpn_routing -u -f | awk --field-separator=";" '/192.168.1/ {print $2, $3,$6}'

command to check particular segment is already part of any encryption domain