Showing posts with the label Checkpoint

Checkpoint Logs – Previously the Magical Smart Tracker!

Smart Tracker lovers who prefer to have a separate window for checking logs.. you are in for a disappointment!! There is no separate Smart Tracker utility in SmartConsole, as Checkpoint R80.x boasts a unified work pane and configuration wizard. Logs are handled by the “Logs and Monitoring” tab, as below: The desired traffic log can be filtered as it was done earlier: right-click on the Source / Destination / Origin (Gateway) / Application. Below, the filter is being applied on Source = 198.51.100.193 and Destination = 198.51.100.193. The filter can also be defined by selecting the IP address or service port, as below. Happy troubleshooting!!

Checkpoint R80.10 IPSEC VPN Configuration - Part 2

Continuing from Part 1.. (Apparently, I was too drowsy to paste the pictures in that article last night :))
6. Multiple Entry Points (MEPs)
7. Excluded Services: select the services that shouldn’t be encrypted over the tunnel:
8. Enter and enable the PSK
9. Wired Mode: usually kept at default
10. Define the renegotiation timers for phase 1 and phase 2 in the Advanced tab:

Checkpoint R80.10 - Upgrade using Blink Utility

The year is 2018. The war between the Checkpoint community across the world and Checkpoint Software Technologies Ltd. regarding the future of Checkpoint R77.30 is in full swing. The general consensus of the Checkpoint community to extend the R77.30 support timeline (from the current May 2019) seems to be falling on deaf ears!! In a desperate attempt to make hay while the sun is still shining, administrators seem to be moving towards R80.10 as soon as possible. To ease things a bit, Checkpoint has created a "Blink" utility. Here is how it works (make sure that you read the constraints at the bottom of this article): You have newly ordered a Checkpoint Security Gateway*, for eg. a CP 4600. It came with a default image of R77.30, which needs to be upgraded to R80.10 without going through the hassles of a clean install (maybe because you do NOT want to rely on the on-site technician, or because there is no Internet connectivity (hence no online CPUSE), or because you just want to te...

Checkpoint - Exporting Objects in CSV format

Be it a Network Operations Manager, Security Architect or a Security Auditor, the people up the hierarchy always harangue the Security Engineers to compile the list of firewall objects, rules, policies, traffic statistics and so on.. This can turn out to be quite hectic, especially if there are no built-in features to systematically provide the output in a "layman-readable" format. Enter Checkpoint's "Object Explorer...", which not only provides the output in a "layman-readable" format, but also provides built-in filtering mechanisms, thereby ensuring that the Security Engineer doesn't have to rely on Google for building his scarce Microsoft Excel data filtering skills. The following screenshots show how easy it is, with Checkpoint R80.10, to generate the firewall configuration inventory. In the SmartConsole unified portal, navigate to Menu >> Open Object Explorer... Select the categories you wish to see in your output: Click o...

Checkpoint WinSCP Issues - Changing Shell

Linux amateurs, Linux haters or simply easy-goers.. whichever category you belong to, WinSCP is the natural tool for file transfer within the device, or to or from the device. Not a big fan of Linux commands myself (though I seem to have gained some serious expertise, thanks to my messing around with my Checkpoint installations and upgrades), I prefer using WinSCP wherever I can. However, every now and then, WinSCP has its own way of complaining about the compatibility of the target shell, to which it cannot connect. Something like this: How do I get around it? Simple: just log in to your Checkpoint device via CLISH, change to the BASH shell and enter "chsh -s /bin/bash admin". And that's it! Try connecting via WinSCP again and bamm.. you are in!! Happy WinSCPing :)

Checkpoint Security Gateway Offline CPUSE upgrade - R77.x to R80.x

Call me an old-fashioned Network Engineer, or call it my penchant for giving my network skills a geeky touch: I prefer to perform my device upgrades the old-fashioned way, via CLI, as and when possible. My approach towards Checkpoint upgrades is no different! Here we will perform the Checkpoint Security Gateway upgrade from R77.30 to R80.10 via offline CPUSE (Checkpoint Upgrade Service Engine). The name should make it evident that we are not expecting the Gateway to communicate with the Checkpoint Cloud automatically or to provide auto-recommendations for hotfixes or upgrades. A word of caution before you begin with the upgrade: ensure that you have sufficient disk space. One way to ensure that is:
1. From expert mode (bash), type "lvm_manager". Select option 1.
2. You will see the disk allocation to the various partitions. Check for "lvm_log". The optimum value for this should be 10 GB. A 7-8 GB space should suffice, but 5 GB will definitely prove to be insuffi...

Checkpoint Smart Update - Licensing

So you have bought a car and filled it to the brim.. Can you drive? Of course you can! But would you drive? No, you wouldn't... (License and registration, pal!!) The same goes for all proprietary devices, and Checkpoint doesn't wish to be left out of it! Following are the steps for licensing Security Gateways via Smart Update.
Pre-requisites:
1. You already have the license ".lic" file.
2. SIC (Secure Internal Communication) is already established between the Management Server and the Security Gateway.
3. You will land on the following page after logging into Smart Update.
4. Switch to the Licenses & Contracts tab:
5. Attach the downloaded licenses:
6. The summary of the license file will be displayed below:
7. Select the Security Gateway to which you wish to attach the license:
8. The confirmation dialog box indicates the IP address and the expiration date of the license.
9. It is a good idea to verify the same via CLI, as follows:
And voilà!! The Gatew...

Checkpoint R80.10 - Smart Update

It's a fine sunny morning and you are in a particularly good mood at the prospect of configuring a few dozen rules on your newly upgraded Checkpoint R80.10 Management Server. You bring up your new SmartConsole window: You press the login button and bammm... You go to the Checkpoint Licensing Center (I will cover Checkpoint licensing in a separate article later), get the CPLicenseFile.lic and download it. Now begins the hunt for our beloved Smart Update.. You don't find it!! That's where Google comes in: "Smart Update for checkpoint R80.10".. and this is where you land (overly optimistic, if you know what I mean). Here is how you fix the licensing issue:
1. Locate and double-click the file below in the following directory:
C:\Program Files\CheckPoint\SmartConsole\<Version>\PROGRAM\SmartDistributor
OR
C:\Program Files (x86)\CheckPoint\SmartConsole\<Version>\PROGRAM\SmartDistributor
For example:
2. You will find the legacy Smart Update (with R77.x changed...

Checkpoint Objects

Objects are the central piece of most of the firewalls that currently exist, be it the traditional stateful firewalls or the over-used term “Next-Generation” firewall. Objects are the containers for IP addresses, subnets and services, i.e. ports. The rationale is: create an object, then use that object in the firewall rules, NAT policies, VPN communities etc. In case the IP address / port needs to be changed, simply make that change in the object, so that the change gets automatically reflected in all the firewall rules, NAT policies and VPN communities that use the object. This is the sole purpose of the objects’ existence (besides making the IP addresses or ports more admin-friendly). Multiple network or service objects are grouped together in a Network or Service group. Depending on the type of value that goes into the object, Checkpoint has multiple types of objects:
Network Object
Host Object
Network Group
Service Object
The Checkpoint objects in R80.x can be created from the main...

Checkpoint R80.10 IPSEC VPN Configuration - Part 1

Pre-requisites: a basic understanding of IPSec VPNs and of what parameters go into building an IPSec VPN.
1. Configuration of Interoperable device: In the Checkpoint realm, any device that must be paired with the Security Gateway is called an “Interoperable device”. In the case of IPSec VPN, if your Checkpoint Gateway is forming a VPN with a non-Checkpoint firewall, that non-Checkpoint firewall will be called an “Interoperable device”. The Interoperable device can be configured as below:
3. Configuration of VPN community parameters: Declare the Center and Satellite (peer) Gateways between which the VPN will be configured.
2. Encrypted traffic allowed between the gateways
3. Define phase 1 and phase 2 tunnel parameters:
4. Define tunnel management parameters: usually not changed and kept at default, as below:
5. VPN routing: self-explanatory
We shall continue the remaining configuration in Part 2 of this tutorial.