Using Command Line to Do First Time Wizard on Checkpoint Appliance without WebUI - NETSEC

Tuesday, May 5, 2015

Using Command Line to Do First Time Wizard on Checkpoint Appliance without WebUI

Three years ago, I had a problem running the first time configuration wizard on the SPLAT platform remotely through the WebUI, because Check Point by default sets the mgmt interface IP to 192.168.1.1. I had no way to change this mgmt interface IP address and had to use a special trick, touching some files to bypass the first time wizard requirement, before I could type other Check Point commands such as sysconfig or cpconfig.





Basically, you will have to touch the wizard_accepted file from expert mode, based on Check Point KB 71000, First Time Configuration Wizard on Check Point appliances:
  • SecurePlatform OS:
    touch /opt/spwm/conf/wizard_accepted
  • Gaia OS:
    touch /etc/.wizard_accepted
This year, I had a Gaia R76 4200 appliance installed at a remote site. Console access was ready, and the mgmt interface was connected to the network. Unfortunately, it was pre-configured to 192.168.1.1 as well. I managed to configure it my way to bring it up.

1. Steps to run first time wizard at Gaia using command line

1.1 Confirm cpconfig is not available without running the First Time Wizard first

gw-379eb9> cpconfig
In order to configure your system, please access the Web UI and finish the First Time Wizard.

1.2 Set Up Expert Password

gw-379eb9> set expert-password 
gw-379eb9> expert
Enter expert password:

1.3 Touch the magic file

[Expert@gw-379eb9:0]# touch /etc/.wizard_accepted
[Expert@gw-379eb9:0]# exit
exit

1.4 Change Mgmt Interface IP Address for Remote WebUI Access

gw-379eb9> set interface Mgmt ipv4-address 10.9.2.15 mask-length 24
gw-379eb9> set static-route default nexthop gateway address 10.9.2.1 on
gw-379eb9> set static-route default nexthop gateway address 192.168.1.254 off
gw-379eb9> save config

1.5 CPCONFIG for CheckPoint Product Configuration

gw-379eb9> cpconfig


Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...



Software License Agreement & Limited Hardware Warranty
Check Point Software Technologies Ltd.

PART I - SOFTWARE LICENSE AGREEMENT

This License Agreement (the "Agreement") is an agreement between you (both the i
ndividual installing the Product and any legal entity on whose behalf such indiv
idual is acting) (hereinafter "You" or "Your") and Check Point Software Technolo
gies Ltd. (hereinafter "Check Point").

TAKING ANY STEP TO SET-UP, USE OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO
 AND ACCEPTANCE OF THIS AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE
 VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WR
ITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE
.......


Select installation type:
-------------------------

(1) Stand Alone - install Check Point Security Gateway and Security Management.
(2) Distributed - install Check Point Security Gateway, Security Management and/or Log Server.

Enter your selection  (1-2/a-abort) [1]: 2


Select installation type:
-------------------------

(1) Check Point Security Gateway.
(2) Security Management.
(3) Security Management and Check Point Security Gateway.
(4) Enterprise Log Server.
(5) Check Point Security Gateway and Enterprise Log Server.

Enter your selection  (1-5/a-abort) [1]: 1
Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ? n
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ? y
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your Check Point products configuration.
At any later time, you can reconfigure these parameters by
running cpconfig



Configuring Licenses and contracts...
=====================================
Host             Expiration  Signature                             Features          

Contract Coverage:

There is no contract coverage for the above licenses.
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.

Do you want to add licenses (y/n) [y] ? n


Configuring Administrator...
============================
No Check Point products Administrator is currently
defined for this Security Management Server.

Do you want to add an administrator (y/n) [y] ? n


No administrator is currently defined.
Are you sure you want to continue? (y/n) [n] ? n

Do you want to add an administrator (y/n) [y] ? y
Administrator name: admin
Password:
Verify Password:

Administrator admin was added successfully and has
Read/Write Permission for all products with Permission to Manage Administrators


Configuring GUI Clients...
==========================
GUI Clients are trusted hosts from which
Administrators are allowed to log on to this Security Management Server.

No GUI Clients defined
Do you want to add a GUI Client (y/n) [y] ? n


Configuring Random Pool...
==========================
Automatically collecting random data to be used in
various cryptographic operations.
.....


After all basic configuration is completed, the appliance will be rebooted. You will then be able to access it through WebUI or SSH, or connect to it with Smart Dashboard.
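A pre-flight check for the commands in step 1.4, as an added example that is not part of the original post: when the only other path to the appliance is a console, a default gateway outside the new Mgmt subnet leaves the box unreachable over the network. The function names `ip2int`, `audit_gaia_config` and `step_1_4_sample` are hypothetical, and the script is meant to run on the administrator's workstation against the command list, not on the appliance.

```shell
# Added example, not from the original post. Input: clish commands in the
# form used in step 1.4. Output: one FINDING line per problem found.
# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 when the command list is clean, 1 when anything was flagged.
audit_gaia_config() {
  local cfg ip len gws gw mask bad=0
  cfg=$(cat)
  # The last Mgmt address line wins; fields 5 and 7 are IP and mask length.
  ip=$(printf '%s\n' "$cfg" | awk '/^set interface Mgmt ipv4-address /{v=$5} END{print v}')
  len=$(printf '%s\n' "$cfg" | awk '/^set interface Mgmt ipv4-address /{v=$7} END{print v}')
  # Keep only gateways whose final state is "on" (field 7 address, field 8 state).
  gws=$(printf '%s\n' "$cfg" | awk '
    /^set static-route default nexthop gateway address /{state[$7]=$8}
    END{for (g in state) if (state[g] == "on") print g}')
  if [ -z "$ip" ]; then
    echo "FINDING: no Mgmt ipv4-address line"; bad=1
  elif [ "$ip" = "192.168.1.1" ]; then
    echo "FINDING: Mgmt still on the default 192.168.1.1"; bad=1
  fi
  [ -n "$gws" ] || { echo "FINDING: no active default gateway"; bad=1; }
  for gw in $gws; do
    # 192.168.1.254 is the gateway that step 1.4 switches off.
    if [ "$gw" = "192.168.1.254" ]; then echo "FINDING: gateway 192.168.1.254 is still on"; bad=1; fi
    if [ -n "$ip" ]; then
      mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
      if [ $(( $(ip2int "$gw") & mask )) -ne $(( $(ip2int "$ip") & mask )) ]; then
        echo "FINDING: gateway $gw is outside $ip/$len"; bad=1
      fi
    fi
  done
  return $bad
}
# The commands from step 1.4, embedded as sample input.
step_1_4_sample() {
  cat <<'EOF'
set interface Mgmt ipv4-address 10.9.2.15 mask-length 24
set static-route default nexthop gateway address 10.9.2.1 on
set static-route default nexthop gateway address 192.168.1.254 off
save config
EOF
}

step_1_4_sample | audit_gaia_config && echo "step 1.4 commands: no findings"
```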

2. Checkpoint KB 69701 :

Run First Time Wizard at Command line using config_system command:

Check Point offers another command, config_system, which runs the First Time Wizard from a template file. It seems a more complicated way to do it compared with cpconfig's wizard.

  • [Expert@HostName]# config_system -t <file_name>

    This will create an empty template file for system configuration.

  • Open the file you created with a text editor and fill in the appropriate fields.

  • [Expert@HostName]# config_system -f <file_name>

    This will run the First Time Configuration Wizard with the information provided in the file.



Reference:

1. First Time Configuration Wizard on Check Point appliances
2. How to run the First Time Configuration Wizard through CLI in Gaia
