This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Highlighted
Giridhar_Sasidh
Iron
‎2017-08-29 11:59 AM

command to check particular segment is already part of any encryption domain

Hi Experts,

In checkpoint is there any command available to check whether a particular segment is being used in any existing vpn encryption domain so that the new segment can be used for a new vpn domain.

Command  " vpn overlap_encdom communities –s " is used for checking existing overlapping


Thanks,

Giridhar

13 Replies
Highlighted
Timothy_Hall
Ruby
‎2017-08-29 01:41 PM

Sort of, you can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is "interesting" to a VPN tunnel or not and the subsequent VPN peer selection.  Once you have this data dumped you can use grep to find what you are looking for; note that the externally routable IP address of our firewall and the external routable IP addresses of all known VPN peers are included in the output as well which can be a bit confusing.  In this example our firewall's "routable" address is 172.31.128.251 and a VPN peer's routable address is 6.7.8.9. 

This is something I whipped up awhile back for a client:

# fw tab -t vpn_routing -u -f | awk '{ print $18 "  " $19 "  " $20 "  " $21 "  " $22 "  " $23 }'  | awk NF | sort -n
 Using cptfmt
Formatting table's data - this might take a while...

: (+)====================================(+); Table_Name: vpn_routing; : (+);
From: 172.16.10.0; To: 172.16.10.255; Peer: 6.7.8.9;
From: 172.31.128.251; To: 172.31.128.251; Peer: 192.0.2.181;
From: 192.0.2.0; To: 192.0.2.255; Peer: 192.0.2.181;
From: 6.7.8.9; To: 6.7.8.9; Peer: 6.7.8.9;

I don't think it would be too tough to come up some kind of script based on this that could prompt for the source and dest IP and then tell you which VPN peers match (if any).

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted
Tomer_Sole
Mod
Mod
‎2017-08-29 03:40 PM

You mean you would like to check for a given IP or IP range which gateways have them in their VPN encryption domains, so that you will not add the same segment in more than one Gateway's encryption domain? Is that what you're looking for?

0 Kudos
Highlighted
Timothy_Hall
Ruby
‎2017-08-29 04:22 PM

Something like this for example:

vpn check_traffic [ src IP ] dst IP

"dst IP" is mandatory and will resolve to the VPN peer object name possessing that destination IP address in its VPN domain and also report the matched VPN Community in simplified mode.  Hopefully only one VPN peer/Community is reported and if more than one matches a warning should be thrown, although that function is already served to some degree by vpn overlap_encdom.

It would also be nice if optionally "src IP" could be passed as well, and the command would ensure that the src IP provided actually falls within the local gateway's VPN domain as well.  Basically a test to see if a src ip and dst ip combo would be considered "interesting" (to borrow a Cisco term) and to which VPN peer and Community it matches.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Highlighted
Kishorilal_CJ
Iron
‎2018-08-22 10:30 PM

Hello

Even i was looking for this command to find out if given IP / network is already existed in vpn encryption domain, but I could not execute this commend either in CLish/expert mode

Kindly confirm if I am missing something here, currently using R77.30

XXXVSX11:1> vpn check_traffic X.X.X.X
Unknown command "check_traffic"

Thanks in advance

0 Kudos
Highlighted
Timothy_Hall
Ruby
‎2018-08-23 05:09 AM

The check_traffic option to the vpn command does not actually exist, it was a hypothetical exercise to show what could potentially be useful in a future release.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
Highlighted
Kishorilal_CJ
Iron
‎2018-08-23 05:22 AM

Hello

Thanks for quicker response!!!

0 Kudos
Highlighted
Giridhar_Sasidh
Iron
‎2017-08-29 06:31 PM

Yes..Exactly Tomer..

0 Kudos
Highlighted
Kishorilal_CJ
Iron
‎2018-08-23 06:37 AM

Hello

I got reply with no update missing something here

fw tab -t vpn_routing -u -f | awk '{ print $18 "  " $19 "  " $20 "  " $21 "  " $22 "  " $23 }'  | awk NF | sort -n
 Using cptfmt
Formatting table's data - this might take a while...

0 Kudos
Highlighted
Timothy_Hall
Ruby
‎2018-08-23 12:40 PM

Does running just this produce any output:

fw tab -t vpn_routing -u -f

My guess is no.  Are any VPN tunnels actually up when you are running this command?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted
Giridhar_Sasidh
Iron
‎2017-08-29 06:38 PM

Thanks Tim...This is very useful...   

0 Kudos
Highlighted
Tomer_Sole
Mod
Mod
‎2017-08-29 10:54 PM

Thank you for this feedback, we will consider it. 

0 Kudos
Highlighted
HeikoAnkenbrand
Ruby
‎2018-08-23 01:04 PM

You can use this oneliner to show VPN routes:

Show VPN Routing on CLI 

Regards

Heiko

Highlighted
Kishorilal_CJ
Iron
‎2018-08-27 11:04 PM

Hello

found something which helps for my requirement

fw tab -t vpn_routing -u -f | awk  --field-separator=";" '/192.168.1/ {print $2, $3,$6}'

0 Kudos