VPN tunnel Reset via API
Hi
I was thinking if there have been any considerations of implementing any way to reset a VPN tunnel via the mgmt API interface?
Heiko Ankenbrand did provide a great hint to use vpn tu via the command line.
https://community.checkpoint.com/docs/DOC-3021-show-vpn-routing-on-cli
Commands are:
vpn tu del ipsec all
vpn tu del ipsec ip-addr
vpn tu del ipsec ip-addr username
vpn tu del all
vpn tu del ip-addr
vpn tu del ip-addr username
I was thinking, since SmartMonitor can do this from the manager, why not also be able to do so from the mgmt API?
We have a lot of IPsec VPNs which on the remote site have an LTE router in front of a Cisco router. This LTE router is reset daily at midnight, but due to missing Dead Peer Detection old sessions are not reset after the reboot of the LTE router.
This means sometimes we manually need to reset VPN tunnels.
This we would like to delegate to users who are not firewall experts, and we do not want to allow them SmartMonitor or expert access.
Therefore we would like to build a portal where they can log in, check connection statuses and reset the VPN if wanted.
Would that be easy to implement and easy to solve?
Thanks
Best regards
Kim
Tomer Sole, we should add this to API future developments list, per product owner.
Robert.
This might be useful for the gateway API currently under development (i.e. where you will be able to query the gateway directly with REST API).
Sounds nice. I will talk with VPN guys, offer them the i/s.
There could be more useful commands, the whole "vpn" binary.
Thanks
You can do that today using the run-script API.
Thanks Tom
But then I will need to use those scripts to parse via the mgmt SmartConsole.
If I would build my own website for internal use, I would have to:
- Create an SSH connection to the active cluster node
- Log in as expert
- Run-script with vpn tu del <peer address>
- Sign out of expert mode
- Close the SSH session
This would have to be done via either ASP.NET or PHP, and before that I would need to find the peer that might have an issue.
What I was thinking, talking from SmartMonitor:
You have got some kind of ping running showing the connection is open.
And you have the name of the VPN community as well as the peer address.
If it was an API entry in JSON, I would be able to request this information in a couple of requests.
Kim
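The manual workflow Kim lists above (SSH, expert mode, vpn tu del, sign out) can be replaced by the run-script approach Tom suggests, driven from the portal backend. The following is an added example, not code from this thread or from Check Point, built only on the public Management API commands login, run-script, show-task and logout; the management host, CA file, API user, gateway object name and peer address are placeholders.

```python
import base64
import ipaddress
import json
import ssl
import time
import urllib.request

def build_reset_script(peer_ip: str) -> str:
    """Return the one command to run on the gateway for this peer."""
    # ip_address() raises ValueError for anything that is not a literal IP,
    # so a portal user cannot inject extra shell text into the script.
    return f"vpn tu del ipsec {ipaddress.ip_address(peer_ip)}"

def run_script_payload(peer_ip: str, gateway: str) -> dict:
    """Body for POST /web_api/run-script, targeting one gateway object name."""
    return {"script-name": f"vpn-reset-{peer_ip}",
            "script": build_reset_script(peer_ip),
            "targets": [gateway]}

def decode_task_output(show_task_reply: dict) -> str:
    """Script stdout from a show-task reply; it is base64 in responseMessage."""
    details = show_task_reply["tasks"][0]["task-details"][0]
    return base64.b64decode(details["responseMessage"]).decode()

class MgmtApi:
    def __init__(self, host: str, cafile: str):
        self.base = f"https://{host}/web_api/"
        self.ctx = ssl.create_default_context(cafile=cafile)  # trust only mgmt CA
        self.sid = None

    def call(self, command: str, body: dict) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # session id returned by login
        req = urllib.request.Request(self.base + command, headers=headers,
                                     data=json.dumps(body).encode())
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

if __name__ == "__main__":  # host, CA file, user, gateway and peer are placeholders
    api = MgmtApi("mgmt.example.internal", "/etc/portal/mgmt-ca.pem")
    api.sid = api.call("login", {"user": "vpn-reset-portal", "password": "..."})["sid"]
    task = api.call("run-script", run_script_payload("198.51.100.7", "gw-branch-01"))
    query = {"task-id": task["tasks"][0]["task-id"], "details-level": "full"}
    while (reply := api.call("show-task", query))["tasks"][0]["status"] == "in progress":
        time.sleep(1)  # run-script is asynchronous; poll until the task finishes
    print(decode_task_output(reply))
    api.call("logout", {})
```

The API user only needs permission to run scripts on the chosen gateways, so the portal users never get SmartConsole write access or expert mode.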
That's true. With R80.10 Management API you can only send all VPN calls to one place (the Management) rather than login to every gateway.
It is fantastic to see Gaia API is now in GA.
I have already checked it out and I see great potential in providing an API to Security Gateways.
What I have been looking for a long time is to include the VPN shell functionality in the Gaia API.
I did not see the features available yet, but I have been in dialog with Alexander Kim about whether it could be included in a feature roadmap release, and that was possible.
This is my idea basically.
To include the CLISH VPN shell and tu commands in the API. I have been freely translating how a possible API foundation for this method could look:
https://{{ip}}/gaia_api/vpn/show-tunnels-ike (features show all peers, or peers ip)
https://{{ip}}/gaia_api/vpn/show-tunnels-IPsec (features show all peers, or peers ip)
https://{{ip}}/gaia_api/vpn/delete-ipsec-tunnel-all
https://{{ip}}/gaia_api/vpn/delete-ipsec-tunnel-peer
https://{{ip}}/gaia_api/vpn/delete-ipsec-peer-username
https://{{ip}}/gaia_api/vpn/delete-all-tunnels
https://{{ip}}/gaia_api/vpn/delete-peer-username
Any other ideas?
Thanks
Kim
Hi everyone, is there any update on this topic? My operation team would need a solution like that. I'm not happy to give them write access just for resetting tunnels.
Thanks in advance