🏆 Tool of the Year 2022
✔️ Works on all VPN gateway types
👉 Available as SmartConsole extension
One-liner (Bash) to show IPsec VPN site-to-site tunnels on Check Point security gateways.
In expert mode run:
echo;_vpn=1;if [[ -f /bin/enabled_blades ]];then if [[ `enabled_blades|tr 'A-Z' 'a-z'` != *'vpn'* ]];then _vpn=0;fi;elif [[ -f /opt/fw1/conf/active_blades.txt ]];then if [[ `grep VPN-S2S /opt/fw1/conf/active_blades.txt|awk '{print $NF}'` != '1' ]];then _vpn=0;fi;elif [[ -f /opt/fw1/conf/blades.json ]];then if [[ `jq '.data[]|select(.name=="VPN-S2S")|.enabled' /opt/fw1/conf/blades.json` != '1' ]];then _vpn=0;fi;fi;if [[ $_vpn == 1 ]];then _ha=0;if [[ `$CPDIR/bin/cpprod_util FwIsHighAvail` -eq '1' ]];then _ha=1;if [[ `cphaprob stat|grep \(local\)|tr 'A-Z' 'a-z'` == *'active'* ]];then _ha=0;fi;fi;if [[ $_ha == 0 ]];then if [[ -f /bin/timeout ]];then _stat=`timeout 5 stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 7 8 9 10 11`;else _stat=`stattest gettable 1.3.6.1.4.1.2620.1.9002.1 2 3 4 1 7 8 9 10 11`;fi;echo "$_stat"|tr ',' ' '|awk '{gsub(/\(.*\)/,"",$2)}1'|awk '{gsub("132","Initialized",$2)}1'|awk '{gsub("131","Down",$2)}1'|awk '{gsub("130","Phase_1",$2)}1'|awk '{gsub("129","Idle",$2)}1'|awk '{gsub("4","Destroyed",$2)}1'|awk '{gsub("3","UP",$2)}1'|awk '{gsub("0","Primary",$6)}1'|awk '{gsub("1","Backup",$6)}1'|awk '{gsub("2","On-demand",$6)}1'|awk '{gsub("0","?",$7)}1'|awk '{gsub("1","Alive",$7)}1'|awk '{gsub("2","!",$7)}1'|awk '{gsub("1","Regular",$8)}1'|awk '{gsub("2","DAIP",$8)}1'|awk '{gsub("3","ROBO",$8)}1'|awk '{gsub("4","LSV",$8)}1'|awk '{gsub("1","Regular",$9)}1'|awk '{gsub("2","Permanent",$9)}1'|sort|sed "s/^/$(hostname) <=> /"|sed '1 i\( , , , , , , , , , , )'|sed '1 i\FROM <=> TO STATE VPN_COMMUNITY PEER_IP SOURCE_IP LINK_PRIORITY PROB_STATE PEER_TYPE VPN_TYPE'|if [[ -f /bin/column ]];then column -t|sed "s/\bUP\b/\x1b[1;32m&\x1b[m/g;s/\bDown\b\|\bDestroyed\b/\x1b[1;31m&\x1b[m/g;s/\bBackup\b\|\bAlive\b\|\bInitialized\b\|\bPhase_1\b/\x1b[1;36m&\x1b[m/g"|sed '/^(.*)$/ s/./=/g'|sed '$a+'|sed '2h;$x'|sed "s/^/ /";echo -e "\033[1;2m Reset VPN tunnel to peer : vpn tu del PEER_IP\n Show VPN tunnel details : vpn tu tlist -p PEER_IP\033[m";else cat|sed '/^(.*)$/ s/./=/g';fi;else echo -e "\033[1;31mNot an active HA member.\033[m";fi;else echo -e "\033[1;31mNot a VPN gateway.\033[m";fi;unset _vpn _ha _stat;echo
Integrated with our ccc script.
To show the VPN topology see here.
To list VPN user tunnels see here.
