This is quite cool.
First of all, I am trying to create a script using the SmartConsole CLI to set up lan2lan with an interoperable device.
How do I create an interoperable device, so that I can add my encryption domain to it?
My steps are:
Create a Network
Create an Interoperable Device
Add Network to topology for Interoperable Device
Create VPN community star with Center Gateways and Satellite Gateways
Set encryption phase 1 and phase 2
Exclude services - IKE_NAT_TRAVERSAL and IPSEC (group)
Set preshared secret
Set rekey for IKE and IPSEC under advanced
Set Disable NAT inside VPN community
Add firewall rule name, source and destination, set VPN community, set services & applications and action = accept, + log, and set install on cluster gateway.
Right now I am working on "Create an interoperable device", but I do not know which kind of object I need to select in the API.
Can you help?
Thanks
Kim
Hi Kim,
I assume that the following step you'd like to accomplish is using that interoperable device as a center/satellite gateway in a VPN community object, right?
Ok, the following information that I'm going to provide costs your weight in gold. @Marco Koch and I figured it out together.
In order to do this, you will need to use the Management API together with the dbedit API:
1. log in to the management API server using the login command, for example -
mgmt_cli login -u admin -p 123456 > id.txt
2. create your interoperable device, let's call it test123.
3. publish using the publish command.
4. now we use the dbedit API; follow these exact steps -
echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt
dbedit -local -f dbedit.txt
rm dbedit.txt
5. let's go back to the management API: add the pre-shared secret and the satellite gateway to a VPN community named testVPN -
mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123
6. publish again using the publish command.
7. logout.
Enjoy,
Robert.
Hi Robert,
That's awesome work you have done.. oh my.. cost my weight in gold... 🙂
Yes, I have a lot of site2site VPNs between our Check Point gateway cluster and the wind parks which we administer in our company.
It is not that often we create a new site, but I would like to automate that process too, to make sure each site2site VPN connection is created the same way every time.
So all our satellite gateways are not Check Point, because the OEM uses a different brand for firewalls/routers.
I am not sure what bullet point 4 does. Are you trying to change the color of the interoperable device?
Your comments and this thread https://community.checkpoint.com/thread/6022-creating-multiple-remote-gateway-for-ipsec-vpn have given me something to work on.
Thank you very much.
Kim
Bullet point 4 is a workaround using the dbedit API to make this whole process work (change a property back and forth and save). No other way to do this at this point...
Robert.
Those dbedit steps seem nonsensical at first blush.
But given my own experience with dbedit, I completely believe you.
Robert,
In one of the examples you linked, you want to read out the uid of an encryption domain, and in my example it is "WP_Wieland_Internal_Network".
When I want to filter on JSON format, my gateway management server cannot execute the command.. nothing happens.
Is it because of high load?
vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name WP_Wieland_Internal_Network -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')
Running this command gives this error.
mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"
Best regards
Kim
You should run all of this inside a bash script, not as individual commands at the prompt.
Instead of "/opt/CPshrd-R80/jq/jq" please use "${CPDIR}/jq/jq".
Also, verify that WP_Wieland_Internal_Network really exists (did you publish it?)
Works fine for me.
Robert,
I found out that the "network" name is case sensitive, so I have to write it exactly as it was named.
If I query show-generic-object name "WP_Wieland_Internal_Network" it fails, because I don't have a network named [WP_Wieland_Internal_Network] but I have one named [WP_Wieland_Internal_network].
The picture below shows me the first command works, because I get a reply with a uid.
mgmt_cli show-generic-objects name WP_Wieland_Internal_network -f json
But if I then pipe it to the jq command-line JSON processor, it fails.
Yes, I cannot run it without telling it what to filter on in the JSON result.
So when you see the picture below, the full query doesn't finish and waits for something.
Do you have any idea why that happens?
Thanks
Kim
The network exists because I have used it on a test site.
My plan is to create a .sh script with global variables with all the names and IP addresses.
When I run it I expect it to work 🙂
Right now I am just trying to build up the logic one step at the time.
Best regards
Kim
Hi Robert
It seems it doesn't hold the active session, or that I log in with a user.
If I add -u admin then I am prompted for a password, and after entering the password, the variable returns the "uid" that I can use later.
mgmt_cli -u admin
How to solve this session issue?
First of all, you log in to the API server -
mgmt_cli login -u user -p password > sid.txt
This command redirects the current working session details into a text file.
All following commands use this information via a special '-s' switch, for example -
mgmt_cli add host name my_host ip-address 1.1.1.1 -s sid.txt
Finally, when you finish (have published all the changes), you must log out -
mgmt_cli logout -s sid.txt
This is the correct flow when working with management APIs -
login -> work -> publish/discard -> logout
Robert.
Robert,
Great help.. I really appreciate it.
I managed to get the first 3 steps done, and am now trying to add the satellite-gateway, BUT this time it fails.
So now I have been trying to work through my script to auto create the network, the interoperable device, add the encryption network to it, and also create my VPN community with the center gateway.
My script keeps failing when I want to set the satellite-gateway.
I have tried your variants and none of them works.
####################################################################
# Set VPN community Star named testVPN with the correct agreed
# preshared key.
#
###################################################################
interoperative_device=$(mgmt_cli -s id.txt show-generic-objects name interdev_2 -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("CpmiGatewayPlain")) | .uid')
echo $interoperative_device
mgmt_cli -s id.txt add vpn-community-star name testVPN center-gateways "gwcluster"
mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device
mgmt_cli publish -s id.txt
#mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
#mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123
This is the newly created uid '804a42eb-3d35-45d6-98ab-c7da93124fa8' for the interoperative_device variable, which I will use when setting it. This is because I cannot find the interoperable device named interdev_2 when picking it in the GUI of the vpn community star named testVPN.
804a42eb-3d35-45d6-98ab-c7da93124fa8
code: "err_validation_failed"
message: "Validation failed with 1 blocking-error"
blocking-errors:
- message: "Field Satellite Gateways references invalid objects"
---------------------------------------------
Time: [09:32:39] 2/5/2018
---------------------------------------------
"Publish operation" in progress (60%)
---------------------------------------------
Time: [09:32:49] 2/5/2018
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-b7d1-7cb2b19faf9a"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 1
mode: "async"
revision: "eb57bfe8-84ad-44be-afdf-c1c400bdbf56"
message: "OK"
What is the correct way to add satellite-gateways?
Should I use "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device", "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set $interoperative_device", or "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.uid $interoperative_device"?
I can use these parameters:
satellite-gateways (List: Object) - Collection of Gateway objects representing satellite gateways identified by the name or UID. How much detail is returned depends on the details-level field of the request. This table shows the level of detail shown when details-level is set to standard.
Hope you can give me a hint, what to do.
Thanks
Kim
Error 40 🙂
I didn't notice that I had to replace the static value test123 with my interoperable device name interdev_2.
When I changed it, it worked.
echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt
dbedit -local -f dbedit.txt
rm dbedit.txt
Have to work on a variable to automatically update this value.
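To pull Robert's steps, Kim's generic-object command and the satellite-gateway fix into one repeatable script, here is an added example (not code from the thread or from Check Point). It assumes mgmt_cli, dbedit and ${CPDIR}/jq/jq are available on the management server, that interdev_2, WP_Wieland_Internal_network and testVPN are placeholder names to replace, and that the dbedit touch is always run against the real device name rather than a literal.

```shell
#!/bin/bash
# Added example, not code from the thread: its login -> create -> publish -> dbedit touch
# -> add to community -> publish -> logout flow as shell functions. Object names, IPs and
# the secret are placeholders; MGMT_CLI, JQ and DBEDIT can be pointed at stubs for a dry run.
set -eu
MGMT_CLI=${MGMT_CLI:-mgmt_cli}; DBEDIT=${DBEDIT:-dbedit}; SID=${SID:-id.txt}
JQ=${JQ:-${CPDIR:-/opt/CPshrd-R80}/jq/jq}
# The dbedit workaround from the thread: change a property and back so dbedit
# rewrites the object, then save. Must be given the real object name, not a literal.
dbedit_touch_script() {
    printf 'modify network_objects %s color red\nupdate network_objects %s\n' "$1" "$1"
    printf 'modify network_objects %s color black\nupdate network_objects %s\n' "$1" "$1"
    printf 'quit -update_all\n'
}

# Exact-name lookup. Names are case-sensitive, and an empty UID passed on is what
# ends in "Field Satellite Gateways references invalid objects" at publish time.
object_uid() {   # name type-substring
    local uid
    uid=$("$MGMT_CLI" -s "$SID" show-generic-objects name "$1" -f json |
          "$JQ" -r --arg t "$2" '.objects[] | select(.type | contains($t)) | .uid')
    [ -n "$uid" ] || { echo "no object '$1' of type $2 (names are case-sensitive)" >&2; return 1; }
    printf '%s\n' "$uid"
}

# Interoperable device via generic-objects with the attributes posted in the thread,
# then publish and run the dbedit touch before any community refers to the object.
create_interop_device() {   # name ip encdomain_uid
    local c=com.checkpoint.objects.classes.dummy vo=vpn.owned-object
    local vc=vpn.owned-object.vpnClientsSettingsForGateway ep=owned-object.endpointVpnClientSettings
    "$MGMT_CLI" -s "$SID" add generic-object create "$c.CpmiGatewayPlain" name "$1" ipaddr "$2" \
        thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "$c.CpmiVpn" \
        $vc.create "$c.CpmiVpnClientsSettingsForGateway" \
        $vc.$ep.create "$c.CpmiEndpointVpnClientSettingsForGateway" \
        $vc.$ep.owned-object.endpointVpnEnable "True" \
        $vo.ike.create "$c.CpmiIke" $vo.sslNe.create "$c.CpmiSslNetworkExtender" \
        $vo.sslNe.owned-object.sslEnable "False" $vo.sslNe.owned-object.gwCertificate "defaultCert" \
        manualEncdomain "$3" encdomain "MANUAL"
    "$MGMT_CLI" -s "$SID" publish
    dbedit_touch_script "$1" > "/tmp/dbedit.$$"
    "$DBEDIT" -local -f "/tmp/dbedit.$$"; rm -f "/tmp/dbedit.$$"
}

# Add the device (by verified UID) to a star community, set its pre-shared secret, publish.
add_satellite() {   # community device_name secret
    local uid; uid=$(object_uid "$2" CpmiGatewayPlain)
    "$MGMT_CLI" -s "$SID" set vpn-community-star name "$1" satellite-gateways.add "$uid"
    "$MGMT_CLI" -s "$SID" set vpn-community-star name "$1" shared-secrets.external-gateway "$2" shared-secrets.shared-secret "$3"
    "$MGMT_CLI" -s "$SID" publish
}
```

Wire it up as: mgmt_cli login -r true > id.txt (local root login when run on the management server itself, so no password sits in the script), then create_interop_device interdev_2 10.1.1.2 "$(object_uid WP_Wieland_Internal_network network)", add_satellite testVPN interdev_2 "$PSK", and finally mgmt_cli logout -s id.txt. The PSK is read from the environment rather than hard-coded.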
So, I'm trying to accomplish much the same thing in an effort to create many interoperable devices.
Is there no way to create the actual interoperable device via the API? From what I've read in the API docs and in this thread, it appears that the Interoperable Device creation step must be done via the GUI.
Am I missing something or is this not yet available via the API?
The API is missing some of the objects that can be created via SmartConsole, true.
Assuming the object type isn't legacy, I expect this will be addressed in later releases (not necessarily R80.20).
Depending on what objects you want to create and what options you want to set, it may be possible through the use of "generic-objects" today.
Please read this thread again, you have a complete working example using the generic-objects API, as Dameon indicated.
Robert.
Hi AI
I know the Check Point working on the API are doing their best to release new features to the API.
But it took me quite a short time to figure out how it works with the generic-objects API. The challenge is that there is no documentation on how to use it.
Dameon Welch Abernathy and Robert Decker have been very helpful here.. so I would recommend raising a question here in the forum.
Anyway, I have raised another question in Develop Hub which might help you, on how to extract and use the information from a JSON export of the generic-object API.
The dbedit API works perfectly on the Management server.
When I tried the same on the MDS I get:
Object Not Found
Error in line: 1
Any tweaks required?
Without knowing what exactly you tried, it's difficult to provide guidance.
[Expert@Mgmt1:0]# mgmt_cli login user admin password XXX domain YYY > id.txt
[Expert@Mgmt1:0]# mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "INTEROP1" ipaddr "10.10.10.10" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.takeTunnelGranularityFromComm "False" vpn.owned-object.isakmpUniversalProtocol "GRE_TUNNEL" vpn.owned-object.isakmpUniversalSupport "True" vpn.owned-object.isakmpSubnetSupport "False" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "1.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.255"
[Expert@Mgmt1:0]# mgmt_cli -s id.txt publish
---------------------------------------------
Time: [01:24:49] 3/8/2018
---------------------------------------------
"Publish operation" in progress (60%)
---------------------------------------------
Time: [01:24:59] 3/8/2018
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-9484-837185050dbd"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 1
mode: "async"
revision: "47d47ca3-458e-48af-8f2b-4e65f5a64711"
[Expert@Mgmt1:0]#
[Expert@Mgmt1:0]# more db.db
modify network_objects INTEROP1 color red
update network_objects INTEROP1
modify network_objects INTEROP1 color blue
update network_objects INTEROP1
quit -update_all
[Expert@Mgmt1:0]# dbedit -local -f db.db
Object Not Found
Error in line: 1
[Expert@Mgmt1:0]#
You are not supposed to create ordinary objects on the MDS; you can create only domain objects, or assign global policy per domain.
And of course, administrators.
Robert.
OK. I just modified my script to get into particular mdsenv before the dbedit. It worked.