list all VPNs using certificate for phase1 and vpn cert store in mds
Hello,
Here's the case study: MDS R81.20 with multiple CMA domains, each one having multiple gateways with IPSEC VPN tunnels. Some of the tunnels have PSK for phase 1, some of them are using Certificates. Most of the certs are signed by our internal PKI infrastructure, but some are MDS ICA signed.
1) How do I get a list of VPN tunnels which are using certs for phase 1, so I could check the cert validity? (Is there any automated way of getting this info?)
2) Where are the 3rd Party VPN certs stored in MDS?
Thanks!
Labels: Site to Site VPN
Accepted Solutions
Hello,
ICA Certs:
In the Checkmates Toolbox there is a good oneliner, as basic check...
https://community.checkpoint.com/t5/Scripts/Valid-Certificates-Overview-Oneliner/m-p/179954
when changing into the cma, it should also get you the certificates from the tenant.
I wrote something to get those states reported into monitoring engines like PRTG or Nagios-compatible ones (like Centreon), which can then alarm/notify you if thresholds are hit. But that's not finished yet.
Hi.
Just tried on another MDM and had the same issue as you. I was able to get around it by using the domain IP address.
Also use the domain IP to create the id.txt. So have a play around with that:
mgmt_cli login user <username> -d "<CMA IP>" > id.txt
mgmt_cli -d <CMA IP> show vpn-communities-meshed limit 100 details-level "full" -s id.txt
Sorry, I'm not fast enough to sort this for you in the time I have...
but if you have some API skills, or someone else can help, you can refine the following or export to CSV and filter in Excel.
show vpn-communities-star limit 50 details-level "full"
show vpn-communities-mesh limit 50 details-level "full"
(I ran these from the GUI > Cli so didn't need to use the mgmt_cli)
You will need to filter the community name and the field "use-shared-secret"
true = PSK.
false = Cert
Also research command ALL_DOMAINS_ON_THIS_SERVER to save you going into all the domains.
I think the certs are imported into the database and Check Point black magic files then rolled up and pushed out to the gateways
You can see them in GUIDBedit Managed Object > Servers
Those commands are good!
Hello,
Many thanks for your quick reply. I tried both commands from MDS using mgmt_cli but they returned 0 objects ( before reaching out to CheckMates).
[Expert@srv-r8120:0]# mgmt_cli -r true show vpn-communities-meshed
objects: []
total: 0
[Expert@mds-r8120-prod:0]# mgmt_cli -r true show vpn-communities-star
objects: []
total: 0
Then I tried from GUI > cli as you suggested and it worked! Of course the GUI Cli has limitations and I need to send the output to a text file to parse it. What am I doing wrong?
I choose the smallest domain with only 3 VPN tunnels, and it returned 1184 lines! That's not something you can easily search from that window.
Good point with "use-shared-secret": true/false - it looks like this is what I'm looking for.
If you still want to go down this path and use ssh ...
Per domain:
mgmt_cli -d "your-domain" show vpn-communities-star limit 100 details-level "full"
Cross domain will not allow the use of details-level "full":
mgmt_cli show vpn-communities-star limit 100 domains-to-process.1 "ALL_DOMAINS_ON_THIS_SERVER" ignore-warnings true
I'm an API Noob so cannot figure out how to filter output on just community name and use-shared-secret. Though I did try.
Hello,
Oneliner script is amazing! Thanks! I go through each MDS domain using "mdsenv domain" and run it. I used to parse data from cpca_client lscert ... and even made a script to go through each domain ... a real pain, as I had to remove empty lines and so on.
With regards to showing vpn star/meshed config, I still have an issue.
1) once I login to MDS using ssh and type mdsenv Domain_Name - mgmt_cli show vpn-communities-star commands returns - 0 objects.
2) I'm able to login successfully to "System Data" domain using "> id.txt" option. When I run mgmt_cli -d Domain_VPN show vpn-communities-meshed limit 100 details-level "full" -s id.txt , I get
objects: []
total: 0
My MDS user account has access to Management CLI and read rights across all domains.
This is from the Management API reference:
Security Management Server and Multi-Domain Server
There are different domains for the Multi-Domain Server and the Security Management Server, and each domain has its own API calls:
Multi-Domain Server - The default login is to the System Data domain. This allows you to manage administrators, domains and other system objects.
To log in to a specific domain by name or IP address, use the domain parameter.
This simple change from domain name to domain IP address did the trick! I appreciate your time and effort.
Just to give something back to the community:
Steps:
1) Log in to MDS using SSH, then type: mgmt_cli login user justin_user domain domain_IP_addr > id.txt
2) Use this command to extract VPN star communities, using jq to parse the JSON, extract the VPN community name and join it with the domain name, for example:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | select(.type == "vpn-community-star" or .type == "interoperable-device") | [.["name"],.["domain"]["name"]] | join(";")' -r
As I'm no Linux guru, I was not able to extract only VPN communities with "use-shared-secret": false.
Try this:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
That's excellent!!! Many thanks!
Is there any possibility to have the output on a single line?
I would then export this in a text, run the script from a remote linux machine and grab it with scp. Makes life easier 🙂
NAME,RAS-VPN-BMC
PreSharedKey,false
NAME,RAS-VPN-FTC
PreSharedKey,true
NAME,VPN-JAY-DMA
PreSharedKey,false
NAME,VPN-COR-HEV
PreSharedKey,true
Nah I failed 🙂
Best effort I can do is the following.
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
and to text
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"' > cert.txt
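As an added example that is not from the thread or from Check Point, here is a small Python post-processor for the JSON that `mgmt_cli ... --format json` writes (for example after `> cert.json`, or copied to a remote Linux box with scp). It reads the same fields the jq filters above use (`name`, `use-shared-secret`, `domain.name`), keeps only the communities whose phase 1 uses certificates, and prints one line per community. The JSON below is a constructed sample shaped like those fields, not captured output; the file name `vpn_auth.py` is arbitrary.

```python
import json
import sys

# Constructed sample shaped like the "objects" array that
# `mgmt_cli show vpn-communities-star ... --format json` returns.
# Only the fields used below are included; it is not captured output.
SAMPLE_JSON = json.dumps({
    "objects": [
        {"name": "RAS-VPN-BMC", "type": "vpn-community-star",
         "use-shared-secret": False, "domain": {"name": "Domain_VPN"}},
        {"name": "RAS-VPN-FTC", "type": "vpn-community-star",
         "use-shared-secret": True, "domain": {"name": "Domain_VPN"}},
        {"name": "VPN-JAY-DMA", "type": "vpn-community-star",
         "use-shared-secret": False, "domain": {"name": "Domain_VPN"}},
        {"name": "VPN-COR-HEV", "type": "vpn-community-star",
         "use-shared-secret": True, "domain": {"name": "Domain_VPN"}},
    ],
    "total": 4,
})


def parse_communities(raw):
    """Flatten one mgmt_cli JSON reply into rows of domain, name and auth type."""
    rows = []
    for obj in json.loads(raw).get("objects", []):
        # Star and meshed replies use the same field names, so one parser
        # serves both `show vpn-communities-star` and `show vpn-communities-meshed`.
        if not obj.get("type", "").startswith("vpn-community"):
            continue
        # As worked out in the thread: use-shared-secret true = PSK, false = certificate.
        uses_psk = bool(obj.get("use-shared-secret", False))
        rows.append({
            "domain": obj.get("domain", {}).get("name", ""),
            "name": obj["name"],
            "auth": "PSK" if uses_psk else "CERT",
        })
    return rows


def cert_based(rows):
    """Keep only the communities whose phase 1 relies on certificates."""
    return [r for r in rows if r["auth"] == "CERT"]


def to_csv_lines(rows):
    """One line per community: domain;name;auth (easy to grep or load in Excel)."""
    return ["{domain};{name};{auth}".format(**r) for r in rows]


if __name__ == "__main__":
    # Usage: python3 vpn_auth.py cert.json
    # With no argument the script runs against the constructed sample above.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for line in to_csv_lines(cert_based(parse_communities(raw))):
        print(line)
```

Run it once per domain on the saved JSON and concatenate the outputs; because the domain name is carried in each line, the combined file already answers "which tunnels in which CMA use certificates" without going back into each domain.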
Is this expected?
Andy
[Expert@CP-management:0]# mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
Failed to open login output file [id.txt]
Create id file first
mgmt_cli login user <username> domain <domain-ip> > id.txt
You don't actually need the domain switch if using id file:
mgmt_cli show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
Hm... so I'm on regular mgmt, but not sure what's missing in that first command...
[Expert@CP-management:0]# mgmt_cli login user admin 172.16.10.252 id.txt
Password:
code: "generic_err_invalid_syntax"
message: "Login request message processing failed"
[Expert@CP-management:0]#
Disregard, layer 8 issue LOL
Got it now
Andy
[Expert@CP-management:0]# mgmt_cli login user admin domain 172.16.10.252 > id.txt
Password: [Expert@CP-management:0]# mgmt_cli show vpn-communities-star letails-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
[Expert@CP-management:0]#
I suspect what you're trying to do is renew those certificates before they expire.
Hopefully very soon, we will have a script published in SupportCenter that, when run on MDS or regular management, will:
- Show certificate information
- Renew certificates based on the specified criteria
The specified operation will be performed on all managed Security Gateways, Cluster Members, and Virtual Systems.
For R81.20, this will require JHF 54 or above.
It will also be available for R81 and R81.10 and will require a specific JHF level.
Let's hope so! Many thanks for the heads up!
There are too many certificates (LOL). SIC + IKE + Management = 3.
If you are also using Identity Awareness, there are extra certs to take care of: broker.portal, web portal = 2.
Thanks for that, will try on my lab mgmt.
Andy
Thanks so much for sharing that, super useful.
From my lab:
Current Date and Time
----------------------------------------------------------------------
05 May 2024 09:05:52 -04:00 EDT
Check Point Internal Certificate Authority (ICA) Experation Date
----------------------------------------------------------------------
18 Jan 2038 22:14:07 -05:00 EST
Current Valid IKE & SIC Certificates signed by ICA
----------------------------------------------------------------------
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
4 cp_mgmt SIC 80400 03 Jan 2029 08:46:36
5 cp_mgmt SIC 80670 03 Jan 2029 08:46:43
6 cpazuremgmt SIC 96588 03 Jan 2029 08:46:36
7 azurefw SIC 39123 03 Jan 2029 09:32:43
8 CPAZUREcluster1 SIC 75718 18 Jan 2029 08:34:45
9 CPAZUREcluster2 SIC 78289 18 Jan 2029 08:36:03
[Expert@cpazuremgmt:0]#
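As an added example, not part of the thread or of the one-liner linked above, here is a Python script that parses the "Current Valid IKE & SIC Certificates" table in that output and classifies each certificate with Nagios-style OK/WARNING/CRITICAL states, which is the kind of check an earlier reply mentioned feeding into PRTG, Nagios or Centreon. The sample rows are copied from the lab output above; the 90/30-day thresholds, the reference time in the test and the file name `ica_expiry.py` are my assumptions.

```python
from datetime import datetime

DATE_FMT = "%d %b %Y %H:%M:%S"

# Constructed sample: three rows copied from the lab output above, in the
# one-liner's layout. Normally the script reads the full saved output.
SAMPLE_TABLE = """\
Current Valid IKE & SIC Certificates signed by ICA
----------------------------------------------------------------------
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
"""


def parse_date(text):
    """Parse the 'DD Mon YYYY HH:MM:SS' timestamps used in the table."""
    return datetime.strptime(text, DATE_FMT)


def parse_cert_table(text):
    """Return one dict per certificate row; headers and separators are skipped."""
    certs = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the row number and end with a 4-token timestamp.
        if len(parts) < 8 or not parts[0].isdigit():
            continue
        certs.append({
            "object": parts[1],
            "type": parts[2],          # IKE or SIC
            "serial": parts[3],
            "not_after": parse_date(" ".join(parts[4:8])),
        })
    return certs


def classify(certs, now, warn_days=90, crit_days=30):
    """Nagios-style state per certificate (assumed thresholds: 90/30 days)."""
    results = []
    for c in certs:
        days_left = (c["not_after"] - now).days
        if days_left < crit_days:
            state = "CRITICAL"
        elif days_left < warn_days:
            state = "WARNING"
        else:
            state = "OK"
        results.append({"state": state, "object": c["object"],
                        "type": c["type"], "days_left": days_left})
    return results


# Nagios/Centreon plugin exit codes.
EXIT_CODE = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def worst_state(results):
    """Overall plugin state is the worst individual state (OK if nothing parsed)."""
    return max((r["state"] for r in results), key=EXIT_CODE.get, default="OK")


if __name__ == "__main__":
    import sys
    # Usage: python3 ica_expiry.py saved_oneliner_output.txt
    # With no argument the script runs against the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    results = classify(parse_cert_table(text), datetime.now())
    for r in results:
        print("{state}: {object} {type} expires in {days_left} days".format(**r))
    sys.exit(EXIT_CODE[worst_state(results)])
```

The exit code follows the Nagios plugin convention (0/1/2), so the script can be dropped in as a check command as-is; the per-line output is what a monitoring engine shows in the alert text, and the worst state drives the overall status.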
Many thanks for the oneliner tool!
I look forward to any Check Point PRTG integration!!! Please leave a message if there is anything I can help with testing 🙂
Amazing tool indeed.
Get it done and submit it...you might win something 🙂
https://community.checkpoint.com/t5/Toolbox-Contest-2024/con-p/toolbox2024
