AnsweredAssumed Answered

How to add Interoperative Device via API

Question asked by Kim Moberg on May 1, 2018
Latest reply on Aug 3, 2018 by VENKAT S P

Like • Show 4 Likes4
Comment • 22

This is quite cool.

I am in first place trying to create a script using the SmartConsole CLI to setup lan2lan with an interoperative device.

How do I create a interoperative device, so that I can add my encryption domain to it?

my steps are:

Create a Network

Create a Interoperative Device

Add Network to topology for Interoperative Device

Create VPN community star with Center Gateways and Satellite Gateways

Set encryption phase 1 and phase 2

Exclude services - IKE_NAT_Travasal and IPSEC (group)

Set preshared secret

Set rekey for IKE and IPSEC under advanced

Set Disable NAT indside VPN community

Add firewall rule name, source and destination and set VPN community, set services & application and action = accept, + log and set install on cluster gateway.

Right now I am working on "Create an interoperative device" but I do not know which kind of object I need to select in the API?

Can you help?

Thanks

Kim

No one else has this question

Outcomes

22 Replies

Robert Decker May 1, 2018 4:30 AM
Mark Correct
Correct Answer
https://community.checkpoint.com/thread/6022-creating-multiple-remote-gateway-for-ipsec-vpn
1 person found this helpful
Like • Show 1 Like1
Actions
Robert Decker May 1, 2018 4:55 AM
Mark Correct
Correct Answer
Hi Kim,

I assume that the following step you'd like to accomplish is using that interoperable device as a center/satellite gateway in a VPN community object, right?
Ok, the following information that I'm going to provide costs your weight in gold. Me and @Marco Koch figured it out together.

In order to do this, you will need to use Management API together with dbedit API:
1. login into management API server using a login command, for example -
```
mgmt_cli login -u admin -p 123456 > id.txt
```
2. create your interoperable device, let's call it test123.
3. publish using a publish command.
4. now we should use dbedit API, follow these exact steps -
```
echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt 
dbedit -local -f dbedit.txt
rm dbedit.txt
```
5. let's go back to management API: add pre-shared secret and satellite gateway to a VPN community named testVPN -
```
mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123
```
6. publish again using a publish command.
7. logout.

Enjoy,
Robert.
2 people found this helpful
Like • Show 0 Likes0
Actions
- Kim Moberg @ Robert Decker on May 1, 2018 5:14 AM
  Mark Correct
  Correct Answer
  Hi Robert,
  Thats a awsome work you have done.. oh may.. cost my weight in gold... :-)
  
  yes, I got a lot of site2site vpn between our Check Point gateway cluster and our wind parks which we administrate in our company.
  it is not that often we create a new site, but I would like to automate that process also to make sure each site2site vpn connection is created the same way every time.
  
  So all our satellite gateways are not Check Point because the OEM uses different brand for firewall/routers.
  
  I am not sure what bullet point 4 does. are you trying to change the color of the interoperative device?
  
  You comments and the this thread https://community.checkpoint.com/thread/6022-creating-multiple-remote-gateway-for-ipsec-vpn have given me something to work on.
  
  Thank you very much.
  
  Kim
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - Robert Decker @ Kim Moberg on May 1, 2018 5:28 AM
    Mark Correct
    Correct Answer
    The bullet point 4 is a workaround using dbedit API to make this whole process to work(change a property back and forth and save). No other way to do this at this point...
    Robert.
    1 person found this helpful
    Like • Show 1 Like1
    Actions
- Dameon Welch-Abernathy @ Robert Decker on May 1, 2018 6:49 AM
  Mark Correct
  Correct Answer
  Those dbedit steps seem nonsensical at first blush.
  But given my own experienice with dbedit, I completely believe you
  Like • Show 2 Likes2
  Actions
Kim Moberg May 1, 2018 7:12 AM
Mark Correct
Correct Answer
Robert,
In one of your examples that you linked you, you want to read our the uid of a encryption domain, and in my example it is "WP_Wieland_Internal_Network".

When I want to filter on json format, my gateway management server cannot execute the command.. nothing happens.
is it because of high load?

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name WP_Wieland_Internal_Network -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

Result of running this command provides this error.

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"

Best regards
Kim
Like • Show 0 Likes0
Actions
- Robert Decker @ Kim Moberg on May 1, 2018 7:30 AM
  Mark Correct
  Correct Answer
  you should run this whole stuff inside a bash script, not as individual commands on the prompt.
  instead of "/opt/CPshrd-R80/jq/jq" please use "${CPDIR}/jq/jq".
  Also, verify that WP_Wieland_Internal_Network really exists (did you published it?)
  works fine for me.
  Like • Show 0 Likes0
  Actions
  - Kim Moberg @ Robert Decker on May 1, 2018 9:10 AM
    Mark Correct
    Correct Answer
    Robert,
    I found out the "network" is case sensitive. so I have to write exactly how it was named.
    if I query show-generic-object name "WP_Wieland_Internal_Network" it fails, because I don't have a network named [WP_Wieland_Internal_Network] but I have one named [WP_Wieland_Internal_network].
    
    below picture shows me the first command works because I get a reply with a unit uid.
    mgmt_cli show-generic-objects name WP_Wieland_Internal_network -f json
    
    but if I then pipe it to the jq command-line JSON processor, it fails.
    yes I cannot run it without telling what to filter on in a JSON result.
    
    So when you see the below picture the full query does't finish and waiting for something.
    
    Do you have any idea of why that happens?
    
    Thans
    
    Kim
    1 person found this helpful
    Like • Show 1 Like1
    Actions
Kim Moberg May 1, 2018 8:00 AM
Mark Correct
Correct Answer
Robert,
The network exist because I have used it on a test site.
My plan is to create a .sh script with global variables with all the names and ip adresses.
When I run it I expect it to work :-)
Right now I am just trying to build up the logic one step at the time.
Best regards
Kim
Like • Show 0 Likes0
Actions

Kim Moberg May 1, 2018 10:34 AM

Hi Robert

Seems to be it doesnt hold the active session or that I log in with a user

If I add -u admin then I am promoted for password, and after entering the password, the variable returns the “uid” that I can use later.

mgmt_cli -u admin

How to solve this session issue?

Actions

Robert Decker @ Kim Moberg on May 1, 2018 10:52 AM

First of all, you login to the API server -

mgmt_cli login -u user -p password > sid.txt

This command redirects the current working session details into a text file.

All following commands use this information using a special '-s' switch, for example -

mgmt_cli add host name my_host ip-address 1.1.1.1. -s sid.txt

Finally, when you finish (published all the changes), you must logout -

mgmt_cli logout -s sid.txt

This is the correct flow when working with management APIs -

login -> work -> publish/discard -> logout

Robert.

1 person found this helpful

Actions

Kim Moberg @ Robert Decker on May 2, 2018 1:41 AM

Robert,

Great help.. I really appreciate it.

I manage to get the first 3 steps done, and now trying to add satellite-gateway, BUT this time it fails.

So now I have been trying to work though my script to auto create network, interoperative device and add encryption network to it, and also create my VPN community with center gateway.

my script keeps failing when I want to set satellite-gateway.

I have tried your variants and none of them works.

####################################################################
# Set VPN community Star named testVPN with the correct agreed
# preshared key.
#
###################################################################
interoperative_device=$(mgmt_cli -s id.txt show-generic-objects name interdev_2 -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("CpmiGatewayPlain")) | .uid')
echo $interoperative_device

mgmt_cli -s id.txt add vpn-community-star name testVPN center-gateways "gwcluster"
mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device
mgmt_cli publish -s id.txt

#mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
#mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123

This is the newly created uid '804a42eb-3d35-45d6-98ab-c7da93124fa8' for the interoperative_device variable which I will use while setting. This is because I cannot find the interoperative device named interdev_2 by picking it in the GUI of the vpn community star named testVPN.

804a42eb-3d35-45d6-98ab-c7da93124fa8
code: "err_validation_failed"
message: "Validation failed with 1 blocking-error"
blocking-errors:
- message: "Field Satellite Gateways references invalid objects"

---------------------------------------------
Time: [09:32:39] 2/5/2018
---------------------------------------------
"Publish operation" in progress (60%)

---------------------------------------------
Time: [09:32:49] 2/5/2018
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-b7d1-7cb2b19faf9a"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 1
mode: "async"
revision: "eb57bfe8-84ad-44be-afdf-c1c400bdbf56"
message: "OK"

What are the correct why to add satellite-gateways?

When I use "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device" or should I use "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set $interoperative_device" or "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.uid $interoperative_device"

I can use these parametres

satellite-gateways

List: Object v

Parameter name	Value	Description
name	string	Object name. Should be unique in the domain.
uid	string	Object unique identifier.
type	string	Type of the object.
domain	Object v	Information about the domain the object belongs to.

Collection of Gateway objects representing satellite gateways identified by the name or UID. How much details are returned depends on the details-level field of the request. This table shows the level of detail shown when details-level is set to standard.

Hope you can give me a hint, what to do.

Thanks

Kim

Actions

Kim Moberg @ Kim Moberg on May 2, 2018 2:58 AM
Mark Correct
Correct Answer
Error 40 :-)

I didn't notice that I had to exchange the static value test123 to my interoperative device name interdev_2.
When I changed it, it worked.
```
echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt 
dbedit -local -f dbedit.txt
rm dbedit.txt
```
Have to work on a variable to automatically update this value.
2 people found this helpful
Like • Show 1 Like1
Actions

Al Johnson May 8, 2018 6:02 PM
Mark Correct
Correct Answer
So, I'm trying to accomplish much the same thing in an effort to create many interoperable devices.
Is there no way to create the actual interoperable device via the API? From what I've read int the API docs and in this thread, it appears that the Interoperable Device creation step must be done via the GUI.

Am I missing something or is this not yet available via the API?
Like • Show 1 Like1
Actions
- Dameon Welch-Abernathy @ Al Johnson on May 8, 2018 6:08 PM
  Mark Correct
  Correct Answer
  The API is missing some of the objects that can be created via SmartConsole, true.
  Assuming the object type isn't legacy, I expect this will be addressed in later releases (not necessarily R80.20).
  Depending on what objects you want to create and what options you want to set, it may be possible through the use of "generic-objects" today.
  1 person found this helpful
  Like • Show 2 Likes2
  Actions
- Robert Decker @ Al Johnson on May 8, 2018 10:40 PM
  Mark Correct
  Correct Answer
  Please read this thread again, you have a complete working example using the generic-objects API, as Dameon indicated.
  Robert.
  Like • Show 1 Like1
  Actions
- Kim Moberg @ Al Johnson on May 8, 2018 11:28 PM
  Mark Correct
  Correct Answer
  Hi AI
  I know the Check Point working on the API are doing their best to release new features to the API.
  But it took me quite short time to figure out how it works with generic-objects API. The challenge is there is not documentation on how to use it.
  Dameon Welch-Abernathy and Robert Decker have been very helpful here.. so I would recommend to raise a question here in the forum.
  
  Anyways I have raised another question in Develop Hub which might help you, on how to find possibility to extract and use the information from a json export of a generic-object API.
  
  How to find generic-object that is not defined in the API?
  Like • Show 0 Likes0
  Actions
VENKAT S P Aug 2, 2018 3:53 PM
Mark Correct
Correct Answer
The dbedit API works perfect when on the Management server.
When i tried the same on the MDS i get:
Object Not Found
Error in line: 1
any tweaks required?
Like • Show 0 Likes0
Actions
- Dameon Welch-Abernathy @ VENKAT S P on Aug 2, 2018 4:14 PM
  Mark Correct
  Correct Answer
  Without knowing what exactly you tried, it's difficult to provide guidance.
  Like • Show 0 Likes0
  Actions
  - VENKAT S P @ Dameon Welch-Abernathy on Aug 3, 2018 12:25 AM
    Mark Correct
    Correct Answer
    [Expert@Mgmt1:0]# mgmt_cli login user admin password XXX domain YYY > id.txt
    [Expert@Mgmt1:0]# mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "INTEROP1" ipaddr "10.10.10.10" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.takeTunnelGranularityFromComm "False" vpn.owned-object.isakmpUniversalProtocol "GRE_TUNNEL" vpn.owned-object.isakmpUniversalSupport "True" vpn.owned-object.isakmpSubnetSupport "False" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "1.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.255"
    [Expert@Mgmt1:0]# mgmt_cli -s id.txt publish
    
    ---------------------------------------------
    Time: [01:24:49] 3/8/2018
    ---------------------------------------------
    "Publish operation" in progress (60%)
    
    ---------------------------------------------
    Time: [01:24:59] 3/8/2018
    ---------------------------------------------
    "Publish operation" succeeded (100%)
    tasks:
    - task-id: "01234567-89ab-cdef-9484-837185050dbd"
    task-name: "Publish operation"
    status: "succeeded"
    progress-percentage: 100
    suppressed: false
    task-details:
    - publishResponse:
    numberOfPublishedChanges: 1
    mode: "async"
    revision: "47d47ca3-458e-48af-8f2b-4e65f5a64711"
    [Expert@Mgmt1:0]#
    [Expert@Mgmt1:0]# more db.db
    modify network_objects INTEROP1 color red
    update network_objects INTEROP1
    modify network_objects INTEROP1 color blue
    update network_objects INTEROP1
    quit -update_all
    [Expert@Mgmt1:0]# dbedit -local -f db.db
    Object Not Found
    Error in line: 1
    [Expert@Mgmt1:0]#
    Like • Show 0 Likes0
    Actions
- Robert Decker @ VENKAT S P on Aug 3, 2018 12:52 AM
  Mark Correct
  Correct Answer
  You are not supposed to create ordinary objects on the MDS, you can create only domain objects, or assign global policy per domain.
  And of course, administrators.
  Robert.
  Like • Show 0 Likes0
  Actions
  - VENKAT S P @ Robert Decker on Aug 3, 2018 8:38 AM
    Mark Correct
    Correct Answer
    OK. I just modified my script to get into particular mdsenv before the dbedit. It worked.
    1 person found this helpful
    Like • Show 3 Likes3
    Actions

How to add Interoperative Device via API

Outcomes

Related Content

Recommended Content

Incoming Links