sorinstf
Contributor
list all VPNs using certificate for phase1 and vpn cert store in mds

Hello, 

Here's the case study: MDS R81.20  with multiple CMA domains, each one having multiple gateways with IPSEC VPN tunnels. Some of the tunnels have PSK for phase 1, some of them are using Certificates. Most of the certs are signed by our internal PKI infrastructure, but some are MDS ICA signed. 

1) How do I get a list of the VPN tunnels which use certificates for phase 1, so I can check the certificate validity (is there any automated way of getting this info)?

2) Where are the 3rd-party VPN certs stored in MDS?

Thanks!


22 Replies
spottex
Collaborator

Sorry, I'm not fast enough to sort this for you in the time I have...
but if you have some API skills, or someone else can help, you can refine the following or export to CSV and filter in Excel.

show vpn-communities-star limit 50 details-level "full"
show vpn-communities-meshed limit 50 details-level "full"

(I ran these from the GUI > Cli so didn't need to use the mgmt_cli)

You will need to filter the community name and the field "use-shared-secret":

true = PSK
false = Cert

Also research command ALL_DOMAINS_ON_THIS_SERVER to save you going into all the domains.

I think the certs are imported into the database and Check Point black magic files then rolled up and pushed out to the gateways

You can see them in GUIDBedit  Managed Object > Servers

the_rock
Legend

Those commands are good!

sorinstf
Contributor

Hello , 

Many thanks for your quick reply. I tried both commands from MDS using mgmt_cli but they returned 0 objects (before reaching out to CheckMates).

[Expert@srv-r8120:0]# mgmt_cli -r true show vpn-communities-meshed
objects: []
total: 0

[Expert@mds-r8120-prod:0]# mgmt_cli -r true show vpn-communities-star
objects: []
total: 0

Then I tried from GUI > CLI as you suggested and it worked! Of course the GUI CLI has limitations and I need to send the output to a text file to parse it. What am I doing wrong?

I choose the smallest domain with only 3 VPN tunnels, and it returned 1184 lines! That's not something you can easily search from that window. 

Good point with "use-shared-secret": true/false - it looks like this is what I'm looking for.

spottex
Collaborator

If you still want to go down this path and use ssh ...

Per domain: 
mgmt_cli -d "your-domain" show vpn-communities-star limit 100 details-level "full"

Cross-domain will not allow the use of details-level "full":
mgmt_cli show vpn-communities-star limit 100 domains-to-process.1 "ALL_DOMAINS_ON_THIS_SERVER" ignore-warnings true

I'm an API Noob so cannot figure out how to filter output on just community name and use-shared-secret. Though I did try.

sorinstf
Contributor

Hello, 

The oneliner script is amazing! Thanks! I go through each MDS domain using "mdsenv domain" and run it. I used to parse data from cpca_client lscert ... I even made a script to go through each domain ... a real pain, as I had to remove empty lines and so on.

With regards to showing vpn star/meshed config, I still have an issue. 

1) Once I log in to MDS using SSH and type mdsenv Domain_Name, mgmt_cli show vpn-communities-star returns 0 objects.

2) I'm able to log in successfully to the "System Data" domain using the "> id.txt" option. When I run mgmt_cli -d Domain_VPN show vpn-communities-meshed limit 100 details-level "full" -s id.txt, I get

objects: []
total: 0

My MDS user account has access to Management CLI and read rights across all domains.

This is from the Management API reference:

Security Management Server and Multi-Domain Server
There are different domains for the Multi-Domain Server and the Security Management Server, and each domain has its own API calls:
  • Multi-Domain Server - The default login is to the System Data domain. This allows you to manage administrators, domains and other system objects.
    • To log in to a specific domain by name or IP address, use the domain parameter.
spottex
Collaborator

Hi.

Just tried on another MDM and had the same issue as you. I was able to get around it with using the domain IP address.
Also using the domain IP to create the id.txt as well. So have a play around with that

mgmt_cli login user <username> -d "<CMA IP>" > id.txt
mgmt_cli -d <CMA IP> show vpn-communities-meshed limit 100 details-level "full" -s id.txt

 

sorinstf
Contributor

This simple change from domain name to domain IP address did the trick! I appreciate your time and effort.

Just to give something back to the community: 

Step one:

1) Log in to MDS using SSH, then type: mgmt_cli login user justin_user domain domain_IP_addr > id.txt

2) Use this command to extract the VPN star communities, using jq to parse the JSON, extract the VPN community and join it with the domain name, for example:

mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | select(.type == "vpn-community-star" or .type == "interoperable-device") | [.["name"],.["domain"]["name"]] | join(";")'

As I'm no Linux guru, I was not able to extract only the VPN communities with "use-shared-secret": false.

 

spottex
Collaborator

Try this:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'

sorinstf
Contributor

That's excellent!!! Many thanks! 

Is there any possibility to have the output  on a single line? 

I would then export this to a text file, run the script from a remote Linux machine and grab it with scp. Makes life easier 🙂

NAME,RAS-VPN-BMC
PreSharedKey,false
NAME,RAS-VPN-FTC
PreSharedKey,true
NAME,VPN-JAY-DMA
PreSharedKey,false
NAME,VPN-COR-HEV
PreSharedKey,true

 

spottex
Collaborator

Nah I failed 🙂

Best effort I can do is the following.
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"' 

and to text

mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"' > cert.txt

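Since the thread did not get to a one-line-per-community output, here is an added example (my own code, not from the thread or from Check Point) that does the filtering off-box in Python: it reads the `--format json` output of `show vpn-communities-star` (saved to a file or piped over SSH from the MDS, as suggested above) and prints `name;domain;phase1-auth`, optionally only the certificate-based tunnels whose expiry needs tracking. The embedded JSON is a constructed sample containing only the fields the thread uses.

```python
import json
import sys

# Constructed sample in the shape of `mgmt_cli ... show vpn-communities-star
# --format json` output; only the fields used in this thread are included.
SAMPLE_JSON = """
{
  "objects": [
    {"name": "RAS-VPN-BMC", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}, "use-shared-secret": false},
    {"name": "RAS-VPN-FTC", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}, "use-shared-secret": true},
    {"name": "VPN-JAY-DMA", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}, "use-shared-secret": false}
  ],
  "total": 3
}
"""


def phase1_auth_lines(raw_json, certs_only=False):
    """One CSV line per community: name;domain;phase1-auth.

    use-shared-secret true -> PSK, false -> Certificate (as established in
    the thread). certs_only=True keeps just the certificate-based tunnels,
    i.e. the ones whose certificate expiry has to be tracked.
    """
    data = json.loads(raw_json)
    lines = []
    for obj in data.get("objects", []):
        if not obj.get("type", "").startswith("vpn-community"):
            continue  # skip anything that is not a star/meshed community
        psk = bool(obj.get("use-shared-secret", False))
        if certs_only and psk:
            continue
        domain = obj.get("domain", {}).get("name", "")
        lines.append(f"{obj['name']};{domain};{'PSK' if psk else 'Certificate'}")
    return lines


if __name__ == "__main__":
    # Usage: mgmt_cli ... --format json > star.json; python3 vpn_auth.py [--certs-only] < star.json
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    print("\n".join(phase1_auth_lines(raw, "--certs-only" in sys.argv)))
```

Run it without input to see the sample result; the same script works on the meshed communities' JSON as well, since the filter only checks that the type starts with "vpn-community".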
the_rock
Legend

Is this expected?

Andy

 

[Expert@CP-management:0]# mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
Failed to open login output file [id.txt]

spottex
Collaborator

Create id file first

mgmt_cli login user <username> domain <domain-ip> > id.txt

 

You don't actually need the domain switch if using id file:
mgmt_cli show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'

the_rock
Legend

Hm...so I'm on regular mgmt, but not sure what's missing in that first command...

[Expert@CP-management:0]# mgmt_cli login user admin 172.16.10.252 id.txt
Password:
code: "generic_err_invalid_syntax"
message: "Login request message processing failed"

[Expert@CP-management:0]#

the_rock
Legend

Disregard, layer 8 issue LOL

Got it now

Andy

 

[Expert@CP-management:0]# mgmt_cli login user admin domain 172.16.10.252 > id.txt
Password:
[Expert@CP-management:0]# mgmt_cli show vpn-communities-star letails-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
[Expert@CP-management:0]#

 

 

PhoneBoy
Admin

I suspect what you're trying to do is renew those certificates before they expire.
Hopefully very soon, we will have a script published in SupportCenter that, when run on MDS or regular management, will:

  • Show certificate information
  • Renew certificates based on the specified criteria

The specified operation will be performed on all managed Security Gateways, Cluster Members, and Virtual Systems.
For R81.20, this will require JHF 54 or above.
It will also be available for R81 and R81.10 and will require a specific JHF level.

sorinstf
Contributor

Let's hope so! Many thanks for the heads up!

There are too many certificates (LOL). SIC + IKE + Management = 3

If you are also using Identity Awareness, there are extra certs to take care of: broker.portal, web portal = 2.

Nüüül
Advisor

Hello,

 

ICA Certs:

In the CheckMates Toolbox there is a good oneliner, as a basic check...

https://community.checkpoint.com/t5/Scripts/Valid-Certificates-Overview-Oneliner/m-p/179954

When changing into the CMA, it should also get you the certificates from the tenant.

I wrote something to get those states reported into monitoring engines like PRTG or Nagios-compatible ones (like Centreon), which can then alarm/notify you if thresholds are hit. But that's not finished yet.

 

the_rock
Legend

Thanks for that, will try on my lab mgmt.

Andy

the_rock
Legend

Thanks so much for sharing that, super useful.

From my lab:

Current Date and Time
----------------------------------------------------------------------
05 May 2024 09:05:52 -04:00 EDT


Check Point Internal Certificate Authority (ICA) Experation Date
----------------------------------------------------------------------
18 Jan 2038 22:14:07 -05:00 EST


Current Valid IKE & SIC Certificates signed by ICA
----------------------------------------------------------------------
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
4 cp_mgmt SIC 80400 03 Jan 2029 08:46:36
5 cp_mgmt SIC 80670 03 Jan 2029 08:46:43
6 cpazuremgmt SIC 96588 03 Jan 2029 08:46:36
7 azurefw SIC 39123 03 Jan 2029 09:32:43
8 CPAZUREcluster1 SIC 75718 18 Jan 2029 08:34:45
9 CPAZUREcluster2 SIC 78289 18 Jan 2029 08:36:03

[Expert@cpazuremgmt:0]#

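As an added example (not the oneliner's code, nor anything from Check Point), the table above can be fed to a small Python checker that turns "Not Valid After" into a Nagios/PRTG-style state, the kind of thresholded alarm mentioned earlier in the thread. The sample table is constructed, with two extra rows deliberately placed near to and past the reference date; the warn/crit day thresholds are assumed values.

```python
import re
import sys
from datetime import datetime

# Constructed sample in the shape of the oneliner's table; the last two rows are
# deliberately near to / past the reference date to exercise the thresholds.
SAMPLE_TABLE = """\
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
4 branch-gw IKE 11111 20 May 2024 10:00:00
5 old-lab IKE 22222 01 Apr 2024 00:00:00
"""
# Reference "now" taken from the Current Date and Time block above (timezone ignored).
REFERENCE_NOW = datetime(2024, 5, 5, 9, 5, 52)

ROW = re.compile(r"^\d+\s+(\S+)\s+(IKE|SIC)\s+(\d+)\s+(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})$")


def parse_table(text):
    """Return dicts (name, type, serial, not_after) for each certificate row."""
    certs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator and prompt lines
        name, ctype, serial, not_after = m.groups()
        certs.append({"name": name, "type": ctype, "serial": serial,
                      "not_after": datetime.strptime(not_after, "%d %b %Y %H:%M:%S")})
    return certs


def expiry_state(certs, now, warn_days=30, crit_days=7):
    """Nagios-style (worst_state, findings): 0 OK, 1 WARNING, 2 CRITICAL; expired is CRITICAL."""
    worst, findings = 0, []
    for c in certs:
        days_left = (c["not_after"] - now).days  # negative once expired
        state = 2 if days_left < crit_days else 1 if days_left < warn_days else 0
        if state:
            worst = max(worst, state)
            findings.append((c["name"], c["type"], days_left, state))
    return worst, findings


if __name__ == "__main__":
    worst, findings = expiry_state(parse_table(SAMPLE_TABLE), datetime.now())
    for name, ctype, days_left, state in findings:
        print(f"{['OK', 'WARNING', 'CRITICAL'][state]}: {name} {ctype} cert, {days_left} days left")
    sys.exit(worst)  # exit code doubles as the Nagios plugin status
```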
sorinstf
Contributor

Many thanks for the oneliner tool!

I look forward to any Check Point PRTG integration!!! Please leave a message if there is anything I can help with testing 🙂

the_rock
Legend

Amazing tool indeed.

PhoneBoy
Admin

Get it done and submit it...you might win something 🙂
https://community.checkpoint.com/t5/Toolbox-Contest-2024/con-p/toolbox2024 
