Hello,
Here's the case study: MDS R81.20 with multiple CMA domains, each one having multiple gateways with IPSEC VPN tunnels. Some of the tunnels have PSK for phase 1, some of them are using Certificates. Most of the certs are signed by our internal PKI infrastructure, but some are MDS ICA signed.
1) How do I get a list of VPN tunnels which are using certs for phase 1? So I could check the cert validity (is there any automated way of getting this info?)
2) Where are the 3rd party VPN certs stored in MDS?
Thanks!
Hello,
ICA Certs:
In the Checkmates Toolbox there is a good oneliner, as basic check...
https://community.checkpoint.com/t5/Scripts/Valid-Certificates-Overview-Oneliner/m-p/179954
when changing into the cma, it should also get you the certificates from the tenant.
I wrote something to get those states reported into monitoring engines like PRTG or Nagios-compatible ones (like Centreon), which then can alarm/notify you if thresholds are hit. But that's not finished yet.
Hi.
Just tried on another MDM and had the same issue as you. I was able to get around it by using the domain IP address.
Also using the domain IP to create the id.txt as well. So have a play around with that:
mgmt_cli login user <username> -d "<CMA IP>" > id.txt
mgmt_cli -d <CMA IP> show vpn-communities-meshed limit 100 details-level "full" -s id.txt
Sorry, I'm not fast enough to sort this for you in the time I have...
but if you have some API skills or someone else can help, you can refine the following or export to CSV and filter in Excel.
show vpn-communities-star limit 50 details-level "full"
show vpn-communities-mesh limit 50 details-level "full"
(I ran these from the GUI > Cli so didn't need to use the mgmt_cli)
You will need to filter the community name and the field "use-shared-secret"
true = PSK.
false = Cert
Also research command ALL_DOMAINS_ON_THIS_SERVER to save you going into all the domains.
I think the certs are imported into the database and Check Point black magic files then rolled up and pushed out to the gateways
You can see them in GUIDBedit Managed Object > Servers
Those commands are good!
Hello,
Many thanks for your quick reply. I tried both commands from MDS using mgmt_cli but they returned 0 objects (before reaching out to CheckMates).
[Expert@srv-r8120:0]# mgmt_cli -r true show vpn-communities-meshed
objects: []
total: 0
[Expert@mds-r8120-prod:0]# mgmt_cli -r true show vpn-communities-star
objects: []
total: 0
Then I tried from GUI > cli as you suggested and it worked! Of course the GUI Cli has limitations and I need to send the output to a text file to parse it. What am I doing wrong?
I chose the smallest domain with only 3 VPN tunnels, and it returned 1184 lines! That's not something you can easily search from that window.
Good point with "use-shared-secret": true/false - it looks like this is what I'm looking for.
If you still want to go down this path and use ssh ...
Per domain:
mgmt_cli -d "your-domain" show vpn-communities-star limit 100 details-level "full"
Cross-domain will not allow the use of details-level "full":
mgmt_cli show vpn-communities-star limit 100 domains-to-process.1 "ALL_DOMAINS_ON_THIS_SERVER" ignore-warnings true
I'm an API Noob so cannot figure out how to filter output on just community name and use-shared-secret. Though I did try.
Hello,
Oneliner script is amazing! Thanks! I go through each MDS domain using "mdsenv domain" and run it. I used to parse data from cpca_client lscert ... even made a script to go through each domain ... a real pain as I had to remove empty lines and so on.
With regards to showing vpn star/meshed config, I still have an issue.
1) Once I log in to MDS using SSH and type mdsenv Domain_Name, the mgmt_cli show vpn-communities-star command returns 0 objects.
2) I'm able to log in successfully to the "System Data" domain using the "> id.txt" option. When I run mgmt_cli -d Domain_VPN show vpn-communities-meshed limit 100 details-level "full" -s id.txt, I get
objects: []
total: 0
My MDS user account has access to Management CLI and read rights across all domains.
This is from the Management API reference:
This simple change from domain name to domain IP address did the trick! I appreciate your time and effort.
Just to give something back to the community:
Step one :
1) Log in to MDS using SSH, then type: mgmt_cli login user justin_user domain domain_IP_addr > id.txt
2) Use this command to extract VPN Star Domains, using jq to parse the JSON, extract the VPN community and join it with the Domain Name, for example:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | select(.type == "vpn-community-star" or .type == "interoperable-device") | [.["name"],.["domain"]["name"]] | join(";")' -r
As I'm no Linux guru, I was not able to extract only VPN Communities with "use-shared-secret": false
Try this:
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
That's excellent!!! Many thanks!
Is there any possibility to have the output on a single line?
I would then export this in a text, run the script from a remote linux machine and grab it with scp. Makes life easier 🙂
NAME,RAS-VPN-BMC
PreSharedKey,false
NAME,RAS-VPN-FTC
PreSharedKey,true
NAME,VPN-JAY-DMA
PreSharedKey,false
NAME,VPN-COR-HEV
PreSharedKey,true
Nah I failed 🙂
Best effort I can do is the following.
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
and to text
mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"' > cert.txt
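For the single-line-per-community output asked about above, here is an added example (not from any poster or from Check Point) that parses the JSON mgmt_cli emits with --format json and writes one CSV-style line per community, optionally keeping only the certificate-based ones. The JSON is a constructed sample with the field names the thread shows (name, type, domain.name, use-shared-secret); pipe real mgmt_cli output into the script on the MDS, or run it without input to see the sample.

```python
import json
import sys

# Constructed sample of the output of
#   mgmt_cli -d "<domain IP>" show vpn-communities-star details-level full -s id.txt --format json
# trimmed to the fields this script reads (community names taken from the thread).
SAMPLE_STAR = json.dumps({"objects": [
    {"name": "RAS-VPN-BMC", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}, "use-shared-secret": False},
    {"name": "RAS-VPN-FTC", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}, "use-shared-secret": True},
    {"name": "VPN-JAY-DMA", "type": "vpn-community-star",
     "domain": {"name": "Domain_VPN"}},          # flag absent in this object
], "total": 3})

# Equivalent jq filter for the thread's pipeline (certificate-based communities only):
#   $CPDIR/jq/jq -r '.objects[] | select(."use-shared-secret" == false) | [.name, .domain.name] | join(";")'


def auth_method(community):
    """Map the use-shared-secret flag to the phase-1 authentication in use."""
    flag = community.get("use-shared-secret")
    if flag is True:
        return "PSK"
    if flag is False:
        return "certificate"
    return "unknown"   # field missing: do not silently assume a PSK


def summarize(json_text, cert_only=False):
    """Return one 'name;domain;type;auth' line per star/meshed community."""
    rows = []
    for obj in json.loads(json_text).get("objects", []):
        if not obj.get("type", "").startswith("vpn-community-"):
            continue   # skip anything that is not a VPN community object
        auth = auth_method(obj)
        if cert_only and auth != "certificate":
            continue
        domain = obj.get("domain", {}).get("name", "?")
        rows.append(";".join([obj.get("name", "?"), domain, obj["type"], auth]))
    return rows


if __name__ == "__main__":
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for line in summarize(text or SAMPLE_STAR, cert_only="--cert-only" in sys.argv):
        print(line)
```

Redirect the output to a file (or run the script over both the star and the meshed JSON) and the result is one line per tunnel community, ready for scp to the remote Linux box mentioned above.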
Is this expected?
Andy
[Expert@CP-management:0]# mgmt_cli -d "domain_IP_address" show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME,\(.name)","PreSharedKey,\(."use-shared-secret")"'
Failed to open login output file [id.txt]
Create id file first
mgmt_cli login user <username> domain <domain-ip> id.txt
You don't actually need the domain switch if using id file:
mgmt_cli show vpn-communities-star limit 200 details-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
Hm... so I'm on regular mgmt, but not sure what's missing in that first command...
[Expert@CP-management:0]# mgmt_cli login user admin 172.16.10.252 id.txt
Password:
code: "generic_err_invalid_syntax"
message: "Login request message processing failed"
[Expert@CP-management:0]#
Disregard, layer 8 issue LOL
Got it now
Andy
[Expert@CP-management:0]# mgmt_cli login user admin domain 172.16.10.252 > id.txt
Password: [Expert@CP-management:0]# mgmt_cli show vpn-communities-star letails-level full -s id.txt --format json | $CPDIR/jq/jq -r '.objects[] | "NAME/PSK,\([.name,."use-shared-secret"])"'
[Expert@CP-management:0]#
I suspect what you're trying to do is renew those certificates before they expired.
Hopefully very soon, we will have a script published in SupportCenter that, when run on MDS or regular management, will:
The specified operation will be performed on all managed Security Gateways, Cluster Members, and Virtual Systems.
For R81.20, this will require JHF 54 or above.
It will also be available for R81 and R81.10 and will require a specific JHF level.
Let's hope so! Many thanks for the heads up!
There are too many certificates (LOL). SIC + IKE + Management = 3
If you are also using Identity Awareness, extra certs to take care of : broker.portal, web portal. = 2.
Thanks for that, will try on my lab mgmt.
Andy
Thanks so much for sharing that, super useful.
From my lab:
Current Date and Time
----------------------------------------------------------------------
05 May 2024 09:05:52 -04:00 EDT
Check Point Internal Certificate Authority (ICA) Experation Date
----------------------------------------------------------------------
18 Jan 2038 22:14:07 -05:00 EST
Current Valid IKE & SIC Certificates signed by ICA
----------------------------------------------------------------------
Nr. Objectname Type Serial Not Valid After
1 azurefw IKE 19056 20 Feb 2027 13:51:25
2 CPAZUREcluster IKE 82773 20 Feb 2027 13:52:04
3 cp_mgmt SIC 66461 03 Jan 2029 08:46:27
4 cp_mgmt SIC 80400 03 Jan 2029 08:46:36
5 cp_mgmt SIC 80670 03 Jan 2029 08:46:43
6 cpazuremgmt SIC 96588 03 Jan 2029 08:46:36
7 azurefw SIC 39123 03 Jan 2029 09:32:43
8 CPAZUREcluster1 SIC 75718 18 Jan 2029 08:34:45
9 CPAZUREcluster2 SIC 78289 18 Jan 2029 08:36:03
[Expert@cpazuremgmt:0]#
Many thanks for the oneliner tool!
I look forward to any Check Point PRTG integration!!! Please leave a message if there is anything I can help with testing 🙂
Amazing tool indeed.
Get it done and submit it... you might win something 🙂
https://community.checkpoint.com/t5/Toolbox-Contest-2024/con-p/toolbox2024