Procedures to Replace failed Checkpoint Cluster Member Appliance - NETSEC

Wednesday, January 29, 2014

Procedures to Replace failed Checkpoint Cluster Member Appliance

The UTM 272 is running R75.40. We found that when it failed over to active, the load pushed the temperature higher than 60, which caused it to shut itself down.

We called Check Point Support and got an RMA order.

Here is the procedure to replace it:

1. Console in.

Check Point SecurePlatform R71.30
For Web User Interface access connect to https://192.168.1.1:4434

login: admin
Password: 
Last login: Thu Jan 23 00:24:59 on ttyS0

? for list of commands
sysconfig for system and products configuration

[cpmodule]# cpconfig
Welcome to Check Point Appliance

You can not use the 'sysconfig' and 'cpconfig' utilities until you successfully complete
the First Time Wizard in the Administration web GUI.

Press Enter to continue...

2. Disable/bypass the First Time Configuration Wizard, based on sk71000

[cpmodule]# expert
Enter expert password: 

You are in expert mode now.

[Expert@cpmodule]# 
[Expert@cpmodule]# touch /opt/spwm/conf/wizard_accepted 
[Expert@cpmodule]# reboot

Are you sure? (y/n) y

INIT: Sending processes the TERM signal

3. [cpmodule]# cpconfig

Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement. 
Hit 'ENTER' to continue... 

       Software License Agreement & Limited Hardware Warranty
              Check Point Software Technologies Ltd.
...

Do you accept all the terms of this license agreement (y/n) ? y


Select installation type:
-------------------------

(1) Stand Alone - install Check Point Security Gateway and Security Management.
(2) Distributed - install Check Point Security Gateway, Security Management and/or Log Server.

Enter your selection  (1-2/a-abort) [1]: 2

Select installation type:
-------------------------

(1) Check Point Security Gateway.
(2) Security Management.
(3) Security Management and Check Point Security Gateway.
(4) Enterprise Log Server.
(5) Check Point Security Gateway and Enterprise Log Server.

Enter your selection  (1-5/a-abort) [1]: 1

Select installation type:
-------------------------

(1) Check Point Security Gateway.
(2) Security Management.
(3) Security Management and Check Point Security Gateway.
(4) Enterprise Log Server.
(5) Check Point Security Gateway and Enterprise Log Server.

Enter your selection  (1-5/a-abort) [1]: 1
Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ? 
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ? y
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by
running cpconfig

Configuring Licenses and contracts...
=====================================
Host             Expiration  Signature                             Features            

Contract Coverage:

There is no contract coverage for the above licenses.
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.

Do you want to add licenses (y/n) [y] ? n


Configuring Random Pool...
==========================
Automatically collecting random data to be used in
various cryptographic operations.

    [....................]  

Automatic collection of random data is done.



Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between
Check Point components

Trust State: Uninitialized
Enter Activation Key: 
Retype Activation Key: 

The Secure Internal Communication was successfully initialized

initial_module:
Compiled OK.

Hardening OS Security: Initial policy will be applied
until the first policy is installed

In order to complete the installation
you must reboot the machine.
Do you want to reboot? (y/n) [y] ? 



Choose a configuration item ('e' to exit):
------------------------------------------------------------------
1) Host name                    7) DHCP Server Configuration
2) Domain name                  8) DHCP Relay Configuration
3) Domain name servers          9) Export Setup
4) Time and Date               10) Products Installation
5) Network Connections         11) Products Configuration
6) Routing
------------------------------------------------------------------
(Note: configuration changes are automatically saved)
Your choice: 5

4. [cpmodule]# sysconfig
Choose a configuration item ('e' to exit):
------------------------------------------------------------------
1) Host name                    7) DHCP Server Configuration
2) Domain name                  8) DHCP Relay Configuration
3) Domain name servers          9) Export Setup
4) Time and Date               10) Products Installation
5) Network Connections         11) Products Configuration
6) Routing
------------------------------------------------------------------
(Note: configuration changes are automatically saved)
Your choice:


5. [cpmodule]# webui enable 4434
Shutting down cp_http_server_wd: [  OK  ]
Running cp_http_server_wd: [  OK  ]

6. Select Upgrade Path

7. Restore the image to R75 through the Image Management WebUI


8. Go to the Check Point website and download the upgrade package from R75 to R75.40 Gaia.
http://dl3.checkpoint.com/paid/3c/Check_Point_Upgrade_for_R75.40.Splat_to_Gaia.tgz?HashKey=1390855121_58594d4de69e0eb524bb08b1bed646bc&xtn=.tgz

Note: Use Internet Explorer rather than Chrome, since Chrome will change the file extension from .tgz to .gz, which is not accepted by the Upgrade tab.

Note: Before applying the upgrade package, run cpconfig and sysconfig first.

9. Change the host name, DNS, NTP configuration and SNMP, and add interface info and static routes

10. Reset SIC and rebuild Secure Internal Communication


11. Install Policy.

12. Failover test.
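
For step 8, a pre-upload check of the downloaded package, as an added example that is not part of the original post. The function name `check_upgrade_pkg` and the optional SHA-256 argument are assumptions (the page gives no digest); it is meant to run on the admin workstation with sh, tar, od and sha256sum available.

```shell
#!/bin/sh
# Added example: sanity-check an upgrade package before uploading it in
# the Upgrade tab. Usage: check_upgrade_pkg FILE [EXPECTED_SHA256]
# EXPECTED_SHA256 is an assumption: a known-good digest you obtained
# separately; the check is skipped when it is not given.
check_upgrade_pkg() {
    pkg=$1
    want=${2:-}

    [ -f "$pkg" ] || { echo "missing: $pkg" >&2; return 2; }

    # 1. Name: a browser-renamed .gz is not accepted by the Upgrade tab.
    case $pkg in
        *.tgz) ;;
        *) echo "bad extension (want .tgz): $pkg" >&2; return 3 ;;
    esac

    # 2. Content: gzip magic bytes 1f 8b, whatever the file is called.
    magic=$(head -c 2 "$pkg" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo "not gzip data: $pkg" >&2; return 4; }

    # 3. Structure: the archive must decompress and list cleanly,
    #    which catches truncated or interrupted downloads.
    tar -tzf "$pkg" >/dev/null 2>&1 ||
        { echo "corrupt or truncated archive: $pkg" >&2; return 5; }

    # 4. Integrity: compare against the expected digest when supplied.
    if [ -n "$want" ]; then
        got=$(sha256sum "$pkg" | cut -d' ' -f1)
        [ "$got" = "$want" ] ||
            { echo "sha256 mismatch, got $got" >&2; return 6; }
    fi
    return 0
}

# Run as a script: sh check_pkg.sh FILE [EXPECTED_SHA256]
if [ $# -gt 0 ]; then
    check_upgrade_pkg "$@"
fi
```

A return code of 3 means only the name is wrong (the Chrome case from the note above); codes 4 to 6 mean the file should be downloaded again rather than renamed.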

