Kim_Moberg
Advisor

How to add Interoperative Device via API

This is quite cool.

I am in the first place trying to create a script using the SmartConsole CLI to set up lan2lan with an interoperative device.

How do I create an interoperative device, so that I can add my encryption domain to it?

My steps are:

Create a Network

Create an Interoperative Device

Add Network to topology for Interoperative Device

Create VPN community star with Center Gateways and Satellite Gateways

Set encryption phase 1 and phase 2

Exclude services - IKE_NAT_Travasal and IPSEC (group)

Set preshared secret

Set rekey for IKE and IPSEC under advanced

Set Disable NAT inside VPN community

Add firewall rule name, source and destination and set VPN community, set services & application and action = accept, + log and set install on cluster gateway.

Right now I am working on "Create an interoperative device", but I do not know which kind of object I need to select in the API.

Can you help?

Thanks

Kim

Best Regards
Kim
22 Replies
Robert_Decker
Advisor

Hi Kim,

I assume that the following step you'd like to accomplish is using that interoperable device as a center/satellite gateway in a VPN community object, right?

Ok, the following information that I'm going to provide costs your weight in gold. @Marco Koch and I figured it out together.

In order to do this, you will need to use the Management API together with the dbedit API:

1. log in to the management API server using a login command, for example -

mgmt_cli login -u admin -p 123456 > id.txt

2. create your interoperable device; let's call it test123.

3. publish using a publish command.

4. now we should use the dbedit API; follow these exact steps -

echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt
dbedit -local -f dbedit.txt
rm dbedit.txt

5. let's go back to management API: add pre-shared secret and satellite gateway to a VPN community named testVPN -

mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123

6. publish again using a publish command.

7. logout.

Enjoy,

Robert.

Kim_Moberg
Advisor

Hi Robert,

That's awesome work you have done.. oh my.. costs my weight in gold... 🙂

Yes, I have a lot of site2site VPNs between our Check Point gateway cluster and the wind parks which we administrate in our company.

It is not that often we create a new site, but I would like to automate that process as well, to make sure each site2site VPN connection is created the same way every time.

So all our satellite gateways are not Check Point, because the OEM uses a different brand of firewall/routers.

I am not sure what bullet point 4 does. Are you trying to change the color of the interoperative device?

Your comments and this thread https://community.checkpoint.com/thread/6022-creating-multiple-remote-gateway-for-ipsec-vpn have given me something to work on.

Thank you very much.

Kim

Best Regards
Kim
Robert_Decker
Advisor

Bullet point 4 is a workaround using the dbedit API to make this whole process work (change a property back and forth and save). No other way to do this at this point...

Robert.

PhoneBoy
Admin

Those dbedit steps seem nonsensical at first blush.

But given my own experience with dbedit, I completely believe you

Kim_Moberg
Advisor

Robert,

In one of the examples that you linked, you read out the uid of an encryption domain, and in my example it is "WP_Wieland_Internal_Network".

When I want to filter on JSON format, my gateway management server cannot execute the command.. nothing happens.

Is it because of high load?

vpn_enc_domain=$(mgmt_cli -s id.txt show-generic-objects name WP_Wieland_Internal_Network -f json | /opt/CPshrd-R80/jq/jq -r '.objects[] | select (.type | contains("network")) | .uid')

The result of running this command provides this error.

mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "interdev_2" ipaddr "10.1.1.2" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" manualEncdomain $vpn_enc_domain encdomain "MANUAL"

Best regards

Kim

Best Regards
Kim
Robert_Decker
Advisor

You should run all of this inside a bash script, not as individual commands on the prompt.

Instead of "/opt/CPshrd-R80/jq/jq" please use "${CPDIR}/jq/jq".

Also, verify that WP_Wieland_Internal_Network really exists (did you publish it?)

Works fine for me.

Kim_Moberg
Advisor

Robert,

I found out that "network" is case-sensitive, so I have to write it exactly as it was named.

If I query show-generic-object name "WP_Wieland_Internal_Network" it fails, because I don't have a network named [WP_Wieland_Internal_Network] but I have one named [WP_Wieland_Internal_network].

The picture below shows me the first command works, because I get a reply with a uid.

mgmt_cli show-generic-objects name WP_Wieland_Internal_network -f json

But if I then pipe it to the jq command-line JSON processor, it fails.

Yes, I cannot run it without telling it what to filter on in the JSON result.

So as you can see in the picture below, the full query doesn't finish and is waiting for something.

Do you have any idea why that happens?

Thanks

Kim

Best Regards
Kim
Kim_Moberg
Advisor

Robert,

The network exists, because I have used it on a test site.

My plan is to create a .sh script with global variables with all the names and IP addresses.

When I run it I expect it to work 🙂

Right now I am just trying to build up the logic one step at the time.

Best regards

Kim


Best Regards
Kim
Kim_Moberg
Advisor

Hi Robert

It seems it doesn't hold the active session, or that I log in with a user.

If I add -u admin then I am prompted for a password, and after entering the password, the variable returns the "uid" that I can use later.

mgmt_cli -u admin

How to solve this session issue?


Best Regards
Kim
Robert_Decker
Advisor

First of all, you login to the API server - 

mgmt_cli login -u user -p password > sid.txt

This command redirects the current working session details into a text file.

All following commands use this information using a special '-s' switch, for example - 

mgmt_cli add host name my_host ip-address 1.1.1.1 -s sid.txt

Finally, when you finish (published all the changes), you must logout - 

mgmt_cli logout -s sid.txt

This is the correct flow when working with management APIs - 

login -> work -> publish/discard -> logout

Robert.

Kim_Moberg
Advisor

Robert, 

Great help.. I really appreciate it.

I managed to get the first 3 steps done, and am now trying to add the satellite-gateway, BUT this time it fails.

So now I have been trying to work through my script to auto-create the network, the interoperative device and add the encryption network to it, and also create my VPN community with a center gateway.

My script keeps failing when I want to set the satellite-gateway.

I have tried your variants and none of them work.

####################################################################
# Set VPN community Star named testVPN with the correct agreed
# preshared key.
#
###################################################################
interoperative_device=$(mgmt_cli -s id.txt show-generic-objects name interdev_2 -f json | ${CPDIR}/jq/jq -r '.objects[] | select (.type | contains("CpmiGatewayPlain")) | .uid')
echo $interoperative_device

mgmt_cli -s id.txt add vpn-community-star name testVPN center-gateways "gwcluster"

mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device
mgmt_cli publish -s id.txt

#mgmt_cli -s id.txt set vpn-community-star name testVPN shared-secrets.external-gateway test123 shared-secrets.shared-secret "mysharedsecret123456789"
#mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set test123

This is the newly created uid '804a42eb-3d35-45d6-98ab-c7da93124fa8' for the interoperative_device variable which I will use while setting. This is because I cannot find the interoperative device named interdev_2 by picking it in the GUI of the vpn community star named testVPN.

804a42eb-3d35-45d6-98ab-c7da93124fa8
code: "err_validation_failed"
message: "Validation failed with 1 blocking-error"
blocking-errors:
- message: "Field Satellite Gateways references invalid objects"

---------------------------------------------
Time: [09:32:39] 2/5/2018
---------------------------------------------
"Publish operation" in progress (60%)


---------------------------------------------
Time: [09:32:49] 2/5/2018
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-b7d1-7cb2b19faf9a"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 1
mode: "async"
revision: "eb57bfe8-84ad-44be-afdf-c1c400bdbf56"

message: "OK"

What is the correct way to add satellite-gateways?

Should I use "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.add $interoperative_device", or "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.set $interoperative_device", or "mgmt_cli -s id.txt set vpn-community-star name testVPN satellite-gateways.uid $interoperative_device"?

I can use these parameters:

satellite-gateways   List: Object
  Parameter   Value    Description
  name        string   Object name. Should be unique in the domain.
  uid         string   Object unique identifier.
  type        string   Type of the object.
  domain      Object   Information about the domain the object belongs to.

Collection of Gateway objects representing satellite gateways identified by the name or UID. How much detail is returned depends on the details-level field of the request. This table shows the level of detail shown when details-level is set to standard.

Hope you can give me a hint, what to do.

Thanks

Kim

Best Regards
Kim
Kim_Moberg
Advisor

Error 40 🙂

I didn't notice that I had to exchange the static value test123 for my interoperative device name interdev_2.

When I changed it, it worked.

echo "modify network_objects test123 color red" >dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "modify network_objects test123 color black" >>dbedit.txt
echo "update network_objects test123" >>dbedit.txt
echo "quit -update_all" >>dbedit.txt
dbedit -local -f dbedit.txt
rm dbedit.txt

Have to work on a variable to automatically update this value.

Best Regards
Kim
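The whole flow from Robert's post (login, create the device, publish, the dbedit colour toggle, shared secret and satellite gateway, publish, logout) as one script, added here as an example; it is not code from Robert, Kim or Check Point. It uses the generic-objects command Kim posted above for the device itself and the session-file handling Robert described, and it takes every step's device name from one variable, which is exactly the test123/interdev_2 mix-up Kim ran into. The encryption-domain uid is read by its exact, case-sensitive name with the jq filter from the thread. The names and address (interdev_2, 10.1.1.2, testVPN, gwcluster, WP_Wieland_Internal_network) are the thread's own sample values; the `--run` switch, the environment variables, the MGMT_CLI/DBEDIT overrides and the DOMAIN/mdsenv handling for an MDS (from VENKAT's posts further down) are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the thread's authors): Robert's login -> create ->
# publish -> dbedit -> set community -> publish -> logout flow as a script.
# Every step takes the device name from one variable, so the dbedit toggle
# and the community update can never refer to different objects.
# The real commands run only when the script is started with --run.
set -eu

MGMT_CLI="${MGMT_CLI:-mgmt_cli}"   # assumption: override with MGMT_CLI=echo for a dry run
DBEDIT="${DBEDIT:-dbedit}"
SID_FILE="${SID_FILE:-id.txt}"

DEVICE="${DEVICE:-interdev_2}"                           # interoperable device name
DEVICE_IP="${DEVICE_IP:-10.1.1.2}"                       # sample address from the thread
ENC_DOMAIN="${ENC_DOMAIN:-WP_Wieland_Internal_network}"  # exact, case-sensitive name
COMMUNITY="${COMMUNITY:-testVPN}"
CENTER_GW="${CENTER_GW:-gwcluster}"
DOMAIN="${DOMAIN:-}"               # set only on an MDS (domain login + mdsenv)

# Every API call carries the session file written by login (Robert's '-s' switch).
mgmt() { "$MGMT_CLI" -s "$SID_FILE" "$@"; }

api_login() {   # $1 user, $2 password; the password comes from the environment, not the script
  if [ -n "$DOMAIN" ]; then
    "$MGMT_CLI" login -u "$1" -p "$2" domain "$DOMAIN" > "$SID_FILE"
  else
    "$MGMT_CLI" login -u "$1" -p "$2" > "$SID_FILE"
  fi
}

# UID of the encryption-domain network, looked up by its exact name.
# jq lives under $CPDIR on the management server, as Robert noted.
enc_domain_uid() {
  mgmt show-generic-objects name "$ENC_DOMAIN" -f json \
    | "${CPDIR:?CPDIR not set; run from the Check Point expert shell}/jq/jq" -r \
        '.objects[] | select(.type | contains("network")) | .uid'
}

# Step 2: the interoperable device, using the generic-objects form Kim posted.
create_device() {
  enc_uid=$(enc_domain_uid)
  [ -n "$enc_uid" ] || { echo "encryption domain $ENC_DOMAIN not found: check the exact name and that it is published" >&2; return 1; }
  mgmt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" \
    name "$DEVICE" ipaddr "$DEVICE_IP" thirdPartyEncryption "True" osInfo.osName "Gaia" \
    vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" \
    vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" \
    vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" \
    vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" \
    vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" \
    vpn.owned-object.sslNe.owned-object.sslEnable "False" \
    vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" \
    manualEncdomain "$enc_uid" encdomain "MANUAL"
}

# Step 4: Robert's dbedit workaround, generated for whatever name the device really has.
dbedit_script() {
  printf 'modify network_objects %s color red\n' "$1"
  printf 'update network_objects %s\n' "$1"
  printf 'modify network_objects %s color black\n' "$1"
  printf 'update network_objects %s\n' "$1"
  printf 'quit -update_all\n'
}

run_dbedit() {
  tmp=$(mktemp)
  dbedit_script "$DEVICE" > "$tmp"
  # On an MDS, enter the domain environment first (VENKAT's fix); assumes mdsenv
  # is available in the calling shell.
  if [ -n "$DOMAIN" ]; then mdsenv "$DOMAIN"; fi
  "$DBEDIT" -local -f "$tmp"
  rm -f "$tmp"
}

# Step 5: community, shared secret and satellite, all referencing $DEVICE by name.
set_community() {
  : "${PSK:?PSK must be set in the environment}"
  mgmt add vpn-community-star name "$COMMUNITY" center-gateways "$CENTER_GW"
  mgmt set vpn-community-star name "$COMMUNITY" \
    shared-secrets.external-gateway "$DEVICE" shared-secrets.shared-secret "$PSK"
  mgmt set vpn-community-star name "$COMMUNITY" satellite-gateways.set "$DEVICE"
}

main() {
  api_login "${API_USER:-admin}" "${API_PASS:?API_PASS must be set in the environment}"
  create_device
  mgmt publish
  run_dbedit
  set_community
  mgmt publish
  mgmt logout
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it on the management server as `API_PASS=... PSK=... ./lan2lan.sh --run`; with `MGMT_CLI=echo` it only prints the mgmt_cli commands it would issue, which is a cheap way to check names before touching the database. On an MDS set `DOMAIN` as well, since the last post in this thread found that dbedit has to run inside the domain's mdsenv. If you start the script interactively, `mgmt_cli login -u admin` without `-p` prompts for the password, as Kim observed, which keeps it out of the process list.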
AlJo
Contributor

So, I'm trying to accomplish much the same thing in an effort to create many interoperable devices.

Is there no way to create the actual interoperable device via the API? From what I've read in the API docs and in this thread, it appears that the Interoperable Device creation step must be done via the GUI.

Am I missing something or is this not yet available via the API?

PhoneBoy
Admin

The API is missing some of the objects that can be created via SmartConsole, true.

Assuming the object type isn't legacy, I expect this will be addressed in later releases (not necessarily R80.20).

Depending on what objects you want to create and what options you want to set, it may be possible through the use of "generic-objects" today.

Robert_Decker
Advisor

Please read this thread again, you have a complete working example using the generic-objects API, as Dameon indicated.

Robert.

Kim_Moberg
Advisor

Hi Al

I know the Check Point team working on the API are doing their best to release new features to the API.

But it took me quite a short time to figure out how it works with the generic-objects API. The challenge is that there is no documentation on how to use it.

Dameon Welch Abernathy and Robert Decker have been very helpful here.. so I would recommend raising a question here in the forum.

Anyway, I have raised another question in the Develop Hub which might help you, on how to extract and use the information from a JSON export of the generic-object API.

https://community.checkpoint.com/thread/7703-how-to-find-generic-object-that-is-not-defined-in-the-a... 

Best Regards
Kim
VENKAT_S_P
Collaborator

The dbedit API works perfectly when on the Management server.

When I tried the same on the MDS I get:

Object Not Found

Error in line: 1

Any tweaks required?

PhoneBoy
Admin

Without knowing what exactly you tried, it's difficult to provide guidance.

VENKAT_S_P
Collaborator

[Expert@Mgmt1:0]# mgmt_cli login user admin password XXX domain YYY > id.txt
[Expert@Mgmt1:0]# mgmt_cli -s id.txt add generic-object create "com.checkpoint.objects.classes.dummy.CpmiGatewayPlain" name "INTEROP1" ipaddr "10.10.10.10" thirdPartyEncryption "True" osInfo.osName "Gaia" vpn.create "com.checkpoint.objects.classes.dummy.CpmiVpn" vpn.owned-object.vpnClientsSettingsForGateway.create "com.checkpoint.objects.classes.dummy.CpmiVpnClientsSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.create "com.checkpoint.objects.classes.dummy.CpmiEndpointVpnClientSettingsForGateway" vpn.owned-object.vpnClientsSettingsForGateway.owned-object.endpointVpnClientSettings.owned-object.endpointVpnEnable "True" vpn.owned-object.ike.create "com.checkpoint.objects.classes.dummy.CpmiIke" vpn.owned-object.sslNe.create "com.checkpoint.objects.classes.dummy.CpmiSslNetworkExtender" vpn.owned-object.sslNe.owned-object.sslEnable "False" vpn.owned-object.sslNe.owned-object.gwCertificate "defaultCert" vpn.owned-object.takeTunnelGranularityFromComm "False" vpn.owned-object.isakmpUniversalProtocol "GRE_TUNNEL" vpn.owned-object.isakmpUniversalSupport "True" vpn.owned-object.isakmpSubnetSupport "False" interfaces.add.1.create "com.checkpoint.objects.classes.dummy.CpmiInterface" interfaces.add.1.owned-object.officialname "eth0" interfaces.add.1.owned-object.ipaddr "1.1.1.1" interfaces.add.1.owned-object.netmask "255.255.255.255"
[Expert@Mgmt1:0]# mgmt_cli -s id.txt publish


---------------------------------------------
Time: [01:24:49] 3/8/2018
---------------------------------------------
"Publish operation" in progress (60%)


---------------------------------------------
Time: [01:24:59] 3/8/2018
---------------------------------------------
"Publish operation" succeeded (100%)
tasks:
- task-id: "01234567-89ab-cdef-9484-837185050dbd"
task-name: "Publish operation"
status: "succeeded"
progress-percentage: 100
suppressed: false
task-details:
- publishResponse:
numberOfPublishedChanges: 1
mode: "async"
revision: "47d47ca3-458e-48af-8f2b-4e65f5a64711"

[Expert@Mgmt1:0]#

[Expert@Mgmt1:0]# more db.db
modify network_objects INTEROP1 color red
update network_objects INTEROP1
modify network_objects INTEROP1 color blue
update network_objects INTEROP1
quit -update_all
[Expert@Mgmt1:0]# dbedit -local -f db.db
Object Not Found
Error in line: 1
[Expert@Mgmt1:0]#

Robert_Decker
Advisor

You are not supposed to create ordinary objects on the MDS, you can create only domain objects, or assign global policy per domain.

And of course, administrators.

Robert.

VENKAT_S_P
Collaborator

OK. I just modified my script to get into the particular mdsenv before the dbedit. It worked.
