This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Giridhar_Sasidh
Participant
‎2017-08-29 11:59 AM

command to check particular segment is already part of any encryption domain

Hi Experts,

In checkpoint is there any command available to check whether a particular segment is being used in any existing vpn encryption domain so that the new segment can be used for a new vpn domain.

Command  " vpn overlap_encdom communities –s " is used for checking existing overlapping


Thanks,

Giridhar

13 Replies
Timothy_Hall
Legend Legend
Legend
‎2017-08-29 01:41 PM

Sort of, you can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is "interesting" to a VPN tunnel or not and the subsequent VPN peer selection.  Once you have this data dumped you can use grep to find what you are looking for; note that the externally routable IP address of our firewall and the external routable IP addresses of all known VPN peers are included in the output as well which can be a bit confusing.  In this example our firewall's "routable" address is 172.31.128.251 and a VPN peer's routable address is 6.7.8.9. 

This is something I whipped up awhile back for a client:

# fw tab -t vpn_routing -u -f | awk '{ print $18 "  " $19 "  " $20 "  " $21 "  " $22 "  " $23 }'  | awk NF | sort -n
 Using cptfmt
Formatting table's data - this might take a while...

: (+)====================================(+); Table_Name: vpn_routing; : (+);
From: 172.16.10.0; To: 172.16.10.255; Peer: 6.7.8.9;
From: 172.31.128.251; To: 172.31.128.251; Peer: 192.0.2.181;
From: 192.0.2.0; To: 192.0.2.255; Peer: 192.0.2.181;
From: 6.7.8.9; To: 6.7.8.9; Peer: 6.7.8.9;

I don't think it would be too tough to come up some kind of script based on this that could prompt for the source and dest IP and then tell you which VPN peers match (if any).

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Tomer_Sole
Mentor
Mentor
‎2017-08-29 03:40 PM
In response to Timothy_Hall

You mean you would like to check for a given IP or IP range which gateways have them in their VPN encryption domains, so that you will not add the same segment in more than one Gateway's encryption domain? Is that what you're looking for?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-08-29 04:22 PM
In response to Tomer_Sole

Something like this for example:

vpn check_traffic [ src IP ] dst IP

"dst IP" is mandatory and will resolve to the VPN peer object name possessing that destination IP address in its VPN domain and also report the matched VPN Community in simplified mode.  Hopefully only one VPN peer/Community is reported and if more than one matches a warning should be thrown, although that function is already served to some degree by vpn overlap_encdom.

It would also be nice if optionally "src IP" could be passed as well, and the command would ensure that the src IP provided actually falls within the local gateway's VPN domain as well.  Basically a test to see if a src ip and dst ip combo would be considered "interesting" (to borrow a Cisco term) and to which VPN peer and Community it matches.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Kishorilal_CJ
Participant
‎2018-08-22 10:30 PM
In response to Timothy_Hall

Hello

Even i was looking for this command to find out if given IP / network is already existed in vpn encryption domain, but I could not execute this commend either in CLish/expert mode

Kindly confirm if I am missing something here, currently using R77.30

XXXVSX11:1> vpn check_traffic X.X.X.X
Unknown command "check_traffic"

Thanks in advance

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-08-23 05:09 AM
In response to Kishorilal_CJ

The check_traffic option to the vpn command does not actually exist, it was a hypothetical exercise to show what could potentially be useful in a future release.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Kishorilal_CJ
Participant
‎2018-08-23 05:22 AM
In response to Timothy_Hall

Hello

Thanks for quicker response!!!

0 Kudos
Giridhar_Sasidh
Participant
‎2017-08-29 06:31 PM
In response to Tomer_Sole

Yes..Exactly Tomer..

0 Kudos
Kishorilal_CJ
Participant
‎2018-08-23 06:37 AM
In response to Timothy_Hall

Hello

I got reply with no update missing something here

fw tab -t vpn_routing -u -f | awk '{ print $18 "  " $19 "  " $20 "  " $21 "  " $22 "  " $23 }'  | awk NF | sort -n
 Using cptfmt
Formatting table's data - this might take a while...

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-08-23 12:40 PM
In response to Kishorilal_CJ

Does running just this produce any output:

fw tab -t vpn_routing -u -f

My guess is no.  Are any VPN tunnels actually up when you are running this command?

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Giridhar_Sasidh
Participant
‎2017-08-29 06:38 PM

Thanks Tim...This is very useful...   

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2017-08-29 10:54 PM

Thank you for this feedback, we will consider it. 

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2018-08-23 01:04 PM

You can use this oneliner to show VPN routes:

Show VPN Routing on CLI 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Kishorilal_CJ
Participant
‎2018-08-27 11:04 PM
In response to HeikoAnkenbrand

Hello

found something which helps for my requirement

fw tab -t vpn_routing -u -f | awk  --field-separator=";" '/192.168.1/ {print $2, $3,$6}'

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events