
Automate extracting list of active VPN Tunnels to file

I need to provide another application a list of all of the active VPN tunnel gateway IP addresses every hour. To my knowledge the SonicOS API cannot provide information about active VPN tunnels.

So instead, I'm trying to build a tool that will connect to the CLI, run the "show vpn tunnels" command and save this to file. Then I'll need to write a tool to parse the file to extract the policy name and GW IP.

For the life of me I cannot get this to work--I'm using plink. I get it to connect, authenticate, etc. However, when I try to pass a command, it just results with "FATAL ERROR: Remote side unexpectedly closed network connection".

I know this is more of a plink issue (maybe?), but I'm hoping there is a solution out there to get this list of information automagically. Any ideas?

For specifics, here's my proof of concept plink command:

plink.exe -batch -m cmd.txt swconc -pw wxyz > result.txt 2>&1

swconc is the putty profile that contains the IP, username, etc. I intend to switch to using public key instead of username/password, but first I need to prove this will work.

The cmd.txt is my command instructions. I'm literally trying the most basic command (help, in this case) and it does the same thing. My output file literally says "FATAL ERROR: Remote side unexpectedly closed network connection"

Category: Developer Hub

Answers

  • @sapphireviper , if you have a Gen7 device, everything is an API so this should be possible.

    I tested my TZs and both provide active tunnels with the following API.

    /api/sonicos/dynamic-file/getStatsData.json?restype=11&datatype=1

    I don't believe the same is possible in Gen6, but it likely is plink that is the problem (it probably is sending commands too fast or has certain settings that need to be tweaked).

  • Thanks for the help, I'll check into this. My guess is we're not using a Gen 7 device. Here's what I'm doing this with:

    firmware-version "SonicOS Enhanced 6.5.1.2-52n"

    rom-version 5.7.1.7

    safemode-version 6.2.5.7

    model "NSA 4650"

  • Jaime (SonicWall Employee)

    Hi @sapphireviper,

    Are you familiar with Python? If so, I have something that may help you. I wrote a script that can automate sending commands to a firewall over SSH Management. You can modify it to send the commands you want and manipulate the response data.

    https://github.com/jaimeesc/snwl_send_ssh_commands_on_interval_example

    Hope that helps.

  • Thanks! I'll check it out! I found a rudimentary way yesterday evening to get there using PowerShell + Posh-SSH. It is probably just a different stack doing something similar to the Python script you shared. I'm not well versed in either Python or PowerShell--I'll take a look at the Python side and go from there. Thank you!

  • SonicAdmin80 (Cybersecurity Overlord ✭✭✭)

    You could get this kind of information with SNMP as well.

  • Jaime (SonicWall Employee)

    I've been working on a tool for serial console automation. You can get the active VPNs using this script. You'll need to modify the script to configure the serial interface to use, SonicOS credentials, and a couple of other configuration variables.

    I added a report_active_tunnels() function for you that displays the filtered output to the terminal window. You can optionally do other stuff with that info, like send an email, write to a file, etc.

    You can modify the if __name__ == '__main__': block to schedule functions to run on an interval and can manually run functions once before scheduled tasks run. Use the existing ones as examples.

    https://github.com/jaimeesc/snwl-serial-commands

  • Jaime (SonicWall Employee)

    Hi, just checking in. Did my responses help?

  • Arkwright (Community Legend ✭✭✭✭✭)

    I did something similar with Net::Expect::SSH to get SSLVPN license usage counts. I really, really wish this information [amongst others] was available with SNMP.
