Show VPN topology on gateways

Champion

📕 Referenced in the book Max Power 2020
ℹ️ Supported from R80.30+

SmartConsole Extension to show the installed VPN topology on gateways.
Extension URL: https://dannyjung.de/vpntopo.json


Uses the One-liner developed in this thread.

SMB / VSX gateways aren't supported yet (need to implement loading of VS environment and changing to VS)

-- More SmartConsole Extensions --

Run Gaia Healthcheck
Remote Access VPN Statistics
Show advanced interface summary
Show interface topology on gateways

11 Replies
Very cool! 

So basically reading CPProdUtil and adding that great information to SmartConsole - I like! And you can probably extend it to additional buttons that take data from CPProdUtil and that you find useful.

If this was just a regular gateway, not a cluster, you could also get it from the Management API Command "show simple-gateway" and the property vpn-settings.vpn-domain https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-simple-gateway~v1.6%20

I also like the many validations that you added, such as no relevant gateways.

Worth mentioning: this requires R80.30 and above. Below that version, we get this:

 

... another reason to upgrade already 😀  R80.30 is the most popular version already.

Might be better if you include a "welcome" / "please go to Gateways page and find a new tab called VPN Topology" type of page after I click OK.

You do that by adding this to your manifest:

	{
		"location": "post-enable-popup",
		"relevant-types": ["extension"],
		"ui-element": {
			"caption": "My Fancy Extension",
			"tooltip": "",
			"action": {
				"browser-window": {
					"height": "320",
					"width": "600"
				},
				"details-level": "uid",
				"method": "get",
				"trigger-id": "post-installation-popup",
				"url": "instructions.html"
			}
		}
	}],

I then went to the Gateways page and found the new bottom pane with the button. I can see why you made that button - because clicking it pops up a request to commit changes so it's definitely better to have it only happening when the user clicks a button.

If I click "cancel" and don't approve the change the button changes its text to "{" so you may want to handle that as well

Reply
0 Kudos
Champion

Thanks @Tomer_Sole , I really appreciate your feedback!

As it's all just basic HTML I already have plans to use CSS stylesheets and SVGs in future for better appearance in SmartConsole.

Reply
0 Kudos
I just tried it in my lab environment and clicking the button makes my SmartConsole hang and I have to force close it (the task never shows up in SmartConsole, neither as done nor as error). Same happens btw. for your other extension. My version is R80.40 JHF 25 for mgmt and gw.

I troubleshooted it a bit and extracted the relevant code from the .htm.

edited post (my fault):

If I only run the cpprod_util, the command is working and also with mgmt_cli it runs the task. Here is the output from cpprod_util:

Spoiler

$CPDIR/bin/cprid_util -server "10.2.231.52" -verbose rexec -rcmd /bin/bash -c "base64 -id <<< 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 | sh"
Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!

VPN Gateway > 10.2.231.51
Encryption domain
10.2.231.51 - 10.2.231.53
192.168.220.0 - 192.168.220.255
192.168.221.1 - 192.168.221.3
192.168.229.1 - 192.168.229.2

Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!

 

Reply
0 Kudos
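Added example (not part of the original post or of the extension itself): a parser for the text output quoted above that groups the encryption-domain ranges per gateway and converts them to CIDR networks, so the installed VPN domain can be compared against the intended one. The function names are hypothetical; the sample input is the output shown in the post.

```python
import ipaddress
import re

# Sample input: the tool output quoted in the post above.
SAMPLE_OUTPUT = """\
Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!

VPN Gateway > 10.2.231.51
Encryption domain
10.2.231.51 - 10.2.231.53
192.168.220.0 - 192.168.220.255
192.168.221.1 - 192.168.221.3
192.168.229.1 - 192.168.229.2

Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!
"""

GATEWAY_RE = re.compile(r"^VPN Gateway > (\S+)$")
RANGE_RE = re.compile(r"^(\S+) - (\S+)$")


def parse_vpn_topology(text):
    """Return {gateway: [(first_ip, last_ip), ...]} from the tool's text output."""
    topology, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        gw = GATEWAY_RE.match(line)
        if gw:
            current = topology.setdefault(gw.group(1), [])
            continue
        rng = RANGE_RE.match(line)
        if rng and current is not None:
            first, last = (ipaddress.ip_address(a) for a in rng.groups())
            if first > last:
                raise ValueError(f"reversed range: {line}")
            current.append((first, last))
    return topology


def to_cidrs(ranges):
    """Collapse inclusive ranges into a sorted, minimal list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for gateway, ranges in parse_vpn_topology(SAMPLE_OUTPUT).items():
        print(gateway, to_cidrs(ranges))
```

Ranges that do not fall on a prefix boundary, such as 10.2.231.51 - 10.2.231.53, expand to more than one network.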
Can you share the hang offline immediately after the hang occurs?

%LocalAppData%\Check Point\R80.40 as zip folder

$MDS_FWDIR/log/cpm*.elg* as zip folder

Reply
0 Kudos
@Tomer_Sole: I sent them to you via email.

Reply
0 Kudos
Collaborator

Hi, thanks for your work. Is it possible to use your extensions in my SmartConsole? If I want to add it, I get an error that the manifest is not valid.

Thanks, Daniel

Reply
0 Kudos
Champion

This extension is supported from R80.30+ onwards. You probably tried to import it in an older version.

Reply
0 Kudos
Collaborator

OK, I am running R80.20.

Reply
0 Kudos
Participant

Hi Danny,

We are using R80.40 in our test environment with the latest SmartConsole build, but when I try to run the script, SmartConsole freezes and stops responding.
Do we need a special setting for this script and the other ones? Additional info: my computer's OS is Windows 10 x64, build 1909.

Edit: Perfectly running now. Thanks for help and script Danny.

 

Reply
0 Kudos
Contributor

Curious what exactly are the connectivity requirements? Does the CP Manager need to SSH to the gateways?

We have a few clusters in GCP where the cluster IP configured in SmartConsole is actually a public IP address. But we don't allow inbound SSH to the gateways via internet for obvious security reasons.

Reply
0 Kudos
Champion

There are no connectivity requirements, just use it as it is.

Reply
0 Kudos