The best option we were thinking is GET all the properties of VPN, parse and compare through a custom script.
Agreed, probably easier. The filtering capabilities provided by the SEMPv2 engine are decent, but if you want more advanced Boolean expressions or whatnot, probably much better to fetch everything locally, and then run your query there. Plus, allows you to run multiple queries on your “static” dataset without having to query SEMP repeatedly.