Missing API possibility to set vpn-community-star ...

Kim_Moberg · ‎2018-05-02

Hi

First of all, thank you for fantastic help from both Dameon Welch Abernathy and Robert Decker for getting me started with using Check Point R80 API.

It have been a blast to actually being able to make a useful script which can help one in daily work, and especially save not doing the same two times. 🙂

In my other check mate entry on how to create a interoperative device https://community.checkpoint.com/thread/7668-how-to-add-interoperative-device-via-api I have actually been able to solve 4-5 of my manual steps. And I am happy to share with your my result so other might be inspired to other work themselves..

Today I have found a limitation to setting encryption object on my vpn-community. Some of the fields are available and other aren't.

For example I am not able to set Perfect Forward Secrecy with DH group. It simply doesn't exist while trying to print out JSON using mgmt_cli -u admin show vpn-community-star <name of community> where I have this setting enabled.

UNABLE TO RUN QUERY
[Expert@gwmgmt:0]# mgmt_cli -u admin show vpn-community-star name "WP-Blaesbjerg"
Password:
code: "generic_internal_error"
message: "Internal error. For more info search for incident [1cde990d-5ab2-433c-af65-0b3b2750ecec] in log file"

It simply doesn't exist in the API

Missing possiblity to set
mgmt_cli -u admin set vpn-community-star name testVPN ike-phase-2.diffie-hellman-group "group 5"

I cannot automate via API to set exclude services in the set vpn-community-star

And unable to set advanced settings as rekey keys for IKE and IPSEC and also disable NAT.

Do you have any workaround for setting these parameter or when can one expect to have these features enabled in the next version of API??

Thanks

Kim

Best Regards
Kim

PhoneBoy · ‎2018-05-02

Hopefully Robert Decker‌ or similar can find the necessary "Generic Object" workaround for you

Agree it would all be better if it were natively part of the API.

I did not spot these settings in the current R80.20 Public EA (at least in the docs).

Robert_Decker · ‎2018-05-02

This is right, not all VPN community settings are currenly available via Management API.

Our R&D is working to close these gaps.

Most of the times the Management APIs provide the most common settings of objects.

Sometimes, dbedit API may be used to fill in the missing settings.

Robert.

Kim_Moberg · ‎2018-05-03

Hi team and Robert Decker‌

I know you are doing a great work of migrating dbedit field into the R80 API.

Lets couple of days have given new insight and possibilities. Looking forward which new features are available in R80.20 when available in GA version.

I have have been playing around with the command set generic-object and been trying to figure out how to extract information via the dbedit API - is this correct?

First of all I had to find the uid of my just created vpn-community:

This I have done by running the following script:

mgmt_cli -u admin show-generic-objects name "VPN-community_name" -f json

OUTPUT:

objects:
- uid: "724ec5b5-9345-4b42-bb8e-16531d2947af"
name: "WP-Gettrup"
type: "vpn-community-star"
domain:
uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
name: "SMC User"
domain-type: "domain"
from: 1
to: 1
total: 1

What I need here, is the uid from the json output, and this uid I will parse into a variable:

# Find uid from vpn-commmunity-star unit name to variable vpnuid
vpnuid=$(mgmt_cli -s id.txt show-generic-objects name "VPN-community_name" -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("vpn-community-star")) | .uid')

Now that I have saved the vpn community uid, I want to use this uid to change vpn community settings.

I just need to find out what are the field names are and how to use them in the vpn community dialog to set these settings.

Running this command I am able to show in json format all available fields

mgmt_cli -u admin show generic-object uid 724ec5b5-9345-4b42-bb8e-16531d2947af

OUTPUT:

objectValidationState: null
color: "BLACK"
automaticRimSatellites: false
customerScriptSatellites: false
supportWireMode: false
customerScriptCenter: false
routeRetPackets: false
enableMep: false
participantsDomains: []
type: "intranet_community"
id: 137
...

...

from output I have then pin pointed which fields I need to set.

# IKE (Phase 1) and IPsec (Phase 2) renegotiate IKE/IPsec security associations every...

ikeP1.ikeP1RekeyTime "60"

ikeP2.ikeP2RekeyTime "28800"

#enable Perfect Forward Secrecy true/false
ikeP2.ikeP2UsePfs true

#Disable NAT inside the VPN community
disableNat: false/true

Now I can use these fields and insert values. and they are set. It doesn't seems like I have to manipulate with dbedit database to effectuate.

mgmt_cli -u admin set generic-object uid 724ec5b5-9345-4b42-bb8e-16531d2947af ikeP1.ikeP1RekeyTime "60" ikeP2.ikeP2RekeyTime "28800" ikeP2.ikeP2UsePfs true disableNat true

I have now put everything together in a script which looks like this.

#/bin/bash
# ask for credentials from user
echo "Please enter your username and password"
read -p "Enter username and press [ENTER]: " USER
read -s -p "Enter password and press [ENTER]: " PASS
echo
mgmt_cli login user ${USER} password ${PASS} > id.txt
# in case of an error: print to screen the error message and abort
if [ $? -ne 0 ]; then
echo "Login command failed."
cat id.txt
exit 1
fi
# Find uid from vpn-commmunity-star unit name to variable vpnuid
vpnuid=$(mgmt_cli -s id.txt show-generic-objects name "VPN-community_name" -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("vpn-community-star")) | .uid')
mgmt_cli -s id.txt set generic-object uid 724ec5b5-9345-4b42-bb8e-16531d2947af ikeP1.ikeP1RekeyTime "60" ikeP2.ikeP2RekeyTime "28800" ikeP2.ikeP2UsePfs true disableNat true
# Publish the creation of a interoperative device as specified.
mgmt_cli publish -s id.txt

# Finalize publish all the changes. We must logout. The correct flow when working with management API
# Login -> work -> publish/discard -> logout
mgmt_cli logout -s id.txt

I haven't been able to set Phase 2 DH group - whether it is group 2 or group 5. Though I had to use the uid, but none of these works. I don't know how to set excluded services.

#use DH group 5
ikeP2.ikeP2PfsDhGrp "97aeb629-9aea-11d5-bd16-0090272ccb30"

#Exclude services

excludeSrv:
- "97aeb475-9aea-11d5-bd16-0090272ccb30"
- "aa49fc3b-2b4a-4da9-834f-d8f353d7042d"
- "4bbb59d5-0c05-484d-8306-4ae459b50105"
- "18ec9eaa-1657-4240-ab97-5f234623336b"

Robert Decker‌ do you know how I can set Phase 2 DH groups correct and how I also can set excluded services?

I hope this inspire others to work with the APi.

Thanks

Kim

Best Regards
Kim

Robert_Decker · ‎2018-05-03

Well done, Kim, you are a great learner.

Regarding excluded services: in order to add or remove a service, you need to know its uid.

Then, for my VPN community object with uid 2dd89767-a346-4799-a981-334f25ad0b1c, to remove a service IKE_NAT_TRAVERSAL with uid 07ec4cae-7c50-4b2e-81ed-d75643ab5694, I use -

 mgmt_cli -r true set generic-object uid 2dd89767-a346-4799-a981-334f25ad0b1c excludeSrv.remove 07ec4cae-7c50-4b2e-81ed-d75643ab5694‍

and to add it again, I use -

mgmt_cli -r true set generic-object uid 2dd89767-a346-4799-a981-334f25ad0b1c excludeSrv.add 07ec4cae-7c50-4b2e-81ed-d75643ab5694‍

Same goes for DH groups, you need the uid. For example, for GH group with name "Group 2 (1024 bit)", I use -

mgmt_cli -r true show generic-objects name "Group 2 (1024 bit)"‍

which gives me uid - 97aeb629-9aea-11d5-bd16-0090272ccb30.

Now, again use set generic-object to set the value -

mgmt_cli -r true set generic-object uid 2dd89767-a346-4799-a981-334f25ad0b1c ikeP2.ikeP2PfsDhGrp "97aeb629-9aea-11d5-bd16-0090272ccb30"‍

Robert.

Cegeka_Networki · ‎2021-03-30

It has been 3 years and still there is no way to set these settings via the api?
Very disappointing in a world where everything is being automated via Ansible/API's

_Val_ · ‎2021-03-30

Feel free to open RFE for this feature

Are you a member of CheckMates?

Missing API possibility to set vpn-community-star objects