Standard OS deployment (non-SP)

Intro

Follow these steps, in order, to build a new Check Point gateway or management device.

There is a separate page for SP OS deployment.

CLI Reference

Deploy a virtual appliance 

Open a ticket at Jira IT@indeni.com for a new VM with the following parameters:

  • VM name
  • CPU cores: management 4 cores / gateway 4 cores
  • memory size: management 6 GB / gateway 4 GB
  • disk size: management 120 GB / gateway 100 GB
  • number of network interfaces: management 1 / gateway 4
  • link to the OVA/ISO file (upload it in advance to https://s3-eu-west-1.amazonaws.com/indeni-devices-files/ )
  • any other data relevant to the deployment

Admin Credentials

Change the admin user's shell to bash and create an additional admin user, indeni, via the WebUI or clish. Both accounts get uid 0 (root-equivalent), and the password hashes below are reused on every device built from this page, so treat the page itself as sensitive.

set user admin shell /bin/bash
set user admin password-hash $1$T9DDw21T$CM3kJ2kYOxGc6rPG3w9/B1
add user indeni uid 0 homedir /home/indeni
add rba user indeni roles adminRole
set user indeni gid 0 shell /bin/bash
set user indeni realname Indeni
set user indeni password-hash $1$zOYpq46l$rEsHJ7O8CdyX56IaL5ghP1

Inactivity timeout

set inactivity-timeout 720

CLI Configuration

The rest of the configuration is faster to apply via clish and Check Point SmartDashboard.

NTP (management and gateway)

set ntp active on
set ntp server primary time2.google.com version 1


If the NTPD service fails to start, run the following in expert mode:

  1. Stop the ntpd daemon:

     [Expert@HostName]# tellpm process:ntpd

  2. Start the ntpd daemon:

     [Expert@HostName]# tellpm process:ntpd t

  3. Save the Gaia database:

     [Expert@HostName]# dbset :save

Client VPN (gateway only)


To avoid an error from the vpn ipafile_check script, open $FWDIR/conf/ipassignment.conf in vi and remove the leading # from the example records. The file ships with every record commented out, so as delivered it defines no assignments at all.

To check the file, run:

vpn ipafile_check $FWDIR/conf/ipassignment.conf detail

The error looks like this:

Reading file records...
Users configured is 0 out of -1, consider increasing capacity through 'vpn ipafile_users_capacity'

"Users configured is 0" means no uncommented records were found; to fix the capacity part of the message ("out of -1"), run:

vpn ipafile_users_capacity set 2500

Correct file:

[Expert@CP-R80.20-GW8-1:0]# vi $FWDIR/conf/ipassignment.conf
# ranges to specific groups when they connect using Office Mode or L2TP.
#
# The format of this file is simple: Each line specifies the target
# gateway, the IP address (or addresses) we wish to assign and the user
# (or group) name as in the following examples:
#
# Gateway Type IP Address User Name
# ============= ===== ======================================== =========================================
Paris-GW, 10.5.5.8, Jean
Brasilia, addr 10.6.5.8, wins=(192.168.3.2,192.168.3.3) Joao # comments are allowed
Miami, addr 10.7.5.8, dns=(192.168.3.7,192.168.3.8) CN=John,OU=users,O=cpmgmt.acme.com.gibeuu
10.1.1.2 range 100.107.105.110-100.107.105.119/24 Finance
* net 10.7.5.32/28 suffix=(acct.acme.com) Accounting
#
# Note that real records do not begin with a pound-sign (#), and the commas
# are optional. Invalid lines are treated as comments. Also, the
# user name may be followed by a pound-sign and a comment.
#
# The first item is the gateway name or address. On lines that assign
# multiple IP addresses to a group of users or a network (range or net
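The two failure modes above (no active records because everything is still commented out, and an unset user capacity) are easy to confuse. The following shell helpers, an added example for this page and not Check Point tooling, count the records a gateway will actually load and uncomment only the lines that match the record syntax shown in the file, leaving the explanatory header comments alone. The sample file written by ipa_write_sample is constructed from the record formats above; a real file has more header text.

```shell
#!/bin/sh
# Helpers for Gaia's $FWDIR/conf/ipassignment.conf (Office Mode / L2TP IP
# assignment). Added example for this page, not Check Point tooling.
# The sample written by ipa_write_sample is constructed for illustration.

# A record starts with a gateway name, address or '*', an optional comma,
# then either an IP address, "addr <ip>", "range <a>-<b>/<n>" or "net <cidr>".
# The same pattern is applied to commented-out records (leading '#').
IPA_RECORD='^[[:space:]]*#?[[:space:]]*[^[:space:],#]+,?[[:space:]]+((addr[[:space:]]+)?[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+|(range|net)[[:space:]]+[0-9])'

# ipa_count_active FILE: records the gateway will actually load
# (this is the "Users configured is N" number vpn ipafile_check reports).
ipa_count_active() {
  grep -v '^[[:space:]]*#' "$1" | grep -c -E "$IPA_RECORD" || true
}

# ipa_count_commented FILE: example records still hidden behind a '#'.
ipa_count_commented() {
  grep '^[[:space:]]*#' "$1" | grep -c -E "$IPA_RECORD" || true
}

# ipa_uncomment SRC DST: strip the leading '#' only from lines that look
# like records, leaving the explanatory header comments untouched.
ipa_uncomment() {
  awk -v re="$IPA_RECORD" '
    /^[[:space:]]*#/ && $0 ~ re { sub(/^[[:space:]]*#[[:space:]]*/, "") }
    { print }
  ' "$1" > "$2"
}

# ipa_write_sample FILE: constructed copy of the as-shipped layout, where
# every record is commented out (hence "Users configured is 0").
ipa_write_sample() {
  cat > "$1" <<'EOF'
# This file is used to assign fixed IP addresses or address ranges to
# specific users or groups when they connect using Office Mode or L2TP.
#
# Gateway       Type   IP Address                                 User Name
# =============  =====  ========================================  =========
# Paris-GW, 10.5.5.8, Jean
# Brasilia, addr 10.6.5.8, wins=(192.168.3.2,192.168.3.3) Joao # comments are allowed
# Miami, addr 10.7.5.8, dns=(192.168.3.7,192.168.3.8) CN=John,OU=users,O=cpmgmt.acme.com.gibeuu
# 10.1.1.2 range 100.107.105.110-100.107.105.119/24 Finance
# * net 10.7.5.32/28 suffix=(acct.acme.com) Accounting
#
# Note that real records do not begin with a pound-sign (#), and the commas
# are optional. Invalid lines are treated as comments.
EOF
}

# Typical use on a gateway (expert mode); the check afterwards should report
# five configured users instead of zero:
#   ipa_uncomment "$FWDIR/conf/ipassignment.conf" /tmp/ipassignment.new
#   cp /tmp/ipassignment.new "$FWDIR/conf/ipassignment.conf"
#   vpn ipafile_check "$FWDIR/conf/ipassignment.conf" detail
```

Run ipa_count_active before and after the edit; if it is still 0 the problem is the file, if it is non-zero but the gateway still reports "out of -1" the problem is the capacity setting.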

TACACS (management and gateway)

add aaa tacacs-servers priority 1 server 10.11.80.32 key indenirocks123! timeout 5
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0

RADIUS (management and gateway)


add aaa radius-servers priority 1 host 10.11.80.32 port 1812 secret indenirocks123! timeout 3
set aaa radius-servers NAS-IP 10.11.94.x     (replace x with the device's management IP)
set aaa radius-servers default-shell /etc/cli.sh
set aaa radius-servers super-user-uid 0

PBR (no VSX) (gateway only)

set pbr table PBRTable1 static-route 172.16.12.0/24 nexthop gateway address 10.11.94.11 priority 1
set pbr rule priority 3 match from 172.12.4.0/24 to 172.15.5.0/24 interface eth0
set pbr rule priority 3 action table PBRTable1

SYSLOG (management and gateway)

add syslog log-remote-address 10.11.80.30 level all
set syslog filename /var/log/messages
set syslog cplogs off
set syslog mgmtauditlogs on
set syslog auditlog permanent
set syslog uncompressmessages off


SNMP (management and gateway)

Note that the SNMPv3 users below use security level authNoPriv with MD5, so polling and traps are authenticated but not encrypted; use authPriv with SHA/AES where the receiver supports it.

set snmp mode default
set snmp agent on
set snmp agent-version any
set snmp community indeni read-only
add snmp traps receiver 10.11.80.31 version v3
add snmp usm user indeni security-level authNoPriv auth-pass-phrase-hashed 3cc0146304616beac7296b1bb8a536f6 authentication-protocol MD5
add snmp usm user indenisnmp security-level authNoPriv auth-pass-phrase-hashed 3cc0146304616beac7296b1bb8a536f6 authentication-protocol MD5
set snmp traps trap authorizationError enable
set snmp traps trap biosFailure enable
set snmp traps trap coldStart enable
set snmp traps trap configurationChange enable
set snmp traps trap configurationSave enable
set snmp traps trap fanFailure enable
set snmp traps trap highVoltage enable
set snmp traps trap linkUpLinkDown enable
set snmp traps trap lowDiskSpace enable
set snmp traps trap lowVoltage enable
set snmp traps trap overTemperature enable
set snmp traps trap powerSupplyFailure enable
set snmp traps trap raidVolumeState enable
set snmp traps trap vrrpv2AuthFailure enable
set snmp traps trap vrrpv2NewMaster enable
set snmp traps trap vrrpv3NewMaster enable
set snmp traps trap vrrpv3ProtoError enable
set snmp traps trap-user indeni
set snmp location "CP-R80.20-MGMT4-1"
set snmp traps advanced coldStart reboot-only off


DNS (management and gateway)

set dns suffix indeni.com
set dns primary 8.8.8.8
set dns secondary 8.8.4.4
set domainname indeni.com


OSPF (gateway only)

set router-id 10.11.94.x     (replace x with the device's management IP)

set ospf interface eth0 area backbone on     (eth0 is the management interface)

In addition, the security policy in SmartDashboard must let the OSPF multicast traffic through. Add a rule from Any to the following destinations allowing OSPF (IP protocol 89) and IGMP:

'ALLSYSTEMS.MCAST.NET' (224.0.0.1)

'OSPF-ALL.MCAST.NET' (224.0.0.5)

'OSPF-DSIG.MCAST.NET' (224.0.0.6)


To configure the areas and the subnets they cover, add lines such as the following:

set ospf instance default area backbone on
set ospf instance default interface bond1 area backbone on
set ospf instance default interface bond1 priority 1
set ospf instance default interface eth0 area backbone on
set ospf instance default interface eth0 priority 1
set ospf instance default interface eth1 area backbone on
set ospf instance default area backbone range 10.1.1.0/24 on 
set ospf instance default area backbone range 20.1.1.0/24 on
set ospf instance default area 44 on
set ospf instance default area 44 range 20.1.1.0/24 on
set ospf instance default area 44 stub-network 20.1.1.0/24 on
set ospf instance default area 44 stub-network 20.1.1.0/24 stub-network-cost 1

BGP (gateway only)

set as 1
set routemap bgp id 1 on
set routemap bgp id 1 allow
set routemap bgp id 1 match protocol direct
set routemap bgp id 2 on
set routemap bgp id 2 allow
set routemap bgp id 2 match protocol bgp
set routemap bgpin id 1 on
set routemap bgpin id 1 allow
set routemap bgpin id 1 match protocol bgp
set bgp external remote-as 5 on
set bgp external remote-as 5 peer 10.11.94.72 on
set bgp external remote-as 5 peer 10.11.94.72 multihop on
set bgp external remote-as 5 export-routemap bgp preference 1 family inet on
set bgp external remote-as 5 import-routemap bgpin preference 1 family inet on


Subinterface  (gateway only)

add interface eth2 vlan 5
set interface eth2.5 state on
set interface eth2.5 ipv4-address 55.55.55.12 mask-length 24


LoopBack (gateway only)

set interface lo ipv4-address 127.0.0.1 mask-length 8
add interface lo loopback 101.101.101.49/24
set interface loop00 comments "LOOPBACK1"
set interface loop00 state on
set interface loop00 ipv4-address 101.101.101.49 mask-length 24


Alias (gateway only)

add interface eth2.5 alias 66.66.66.12/24


Bonding (gateway only)


If you need to remove an IP address from a bond, the only way is to delete the entries directly from the Gaia database in expert mode. Review the output of the find step before piping it into dbset: every key it lists is deleted.

find:   grep ':bond 0' /config/db/initial

delete: grep ':bond 0' /config/db/initial | cut -d " " -f 1 | xargs -n 1 dbset

save:   dbset :save

Add a bonding group:

add bonding group 1
add bonding group 1 interface eth1
set bonding group 1 mode active-backup
set interface bond1 state on
set interface bond1 ipv4-address 14.1.1.2 mask-length 24
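Because the find/delete/save pipeline above removes every key grep matches, it is worth having a dry-run step that lists the dbset commands before anything is changed. The helpers below are an added example for this page, not Check Point tooling: they wrap the same three steps, default to the real dbset binary, and can be pointed at any file. The database excerpt written by gaia_db_write_sample is constructed for illustration; real /config/db/initial key names differ by release, so check the output of gaia_db_keys on the box first.

```shell
#!/bin/sh
# Dry-run wrapper around the "find the keys, dbset each one, dbset :save"
# procedure for removing a bond's leftover settings from the Gaia database.
# Added example for this page, not Check Point tooling. The database excerpt
# written by gaia_db_write_sample is constructed; real key names differ.

GAIA_DB="${GAIA_DB:-/config/db/initial}"
DBSET="${DBSET:-dbset}"      # overridable so the flow can be exercised off-box

# gaia_db_keys PATTERN [FILE]: keys of every database line matching PATTERN.
# The file holds one "<key> <value>" pair per line, so the key is field 1.
gaia_db_keys() {
  grep -e "$1" "${2:-$GAIA_DB}" | cut -d ' ' -f 1 | sort -u
}

# gaia_db_delete PATTERN [FILE]: delete every matching key, then persist.
# "dbset <key>" with no value removes the key. With DRY_RUN=1 nothing is
# changed; the commands that would run are printed instead so the key list
# can be reviewed first (everything listed is gone once it runs for real).
gaia_db_delete() {
  keys=$(gaia_db_keys "$1" "${2:-$GAIA_DB}" || true)
  if [ -z "$keys" ]; then
    echo "gaia_db_delete: no keys match '$1'" >&2
    return 1
  fi
  for k in $keys; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$DBSET $k"; else "$DBSET" "$k"; fi
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$DBSET :save"; else "$DBSET" :save; fi
}

# gaia_db_write_sample FILE: constructed excerpt for exercising the selection.
gaia_db_write_sample() {
  cat > "$1" <<'EOF'
hostname CP-R80.20-GW8-1
bonding:group:1 t
bonding:group:1:interface:eth1 t
bonding:group:1:mode active-backup
interface:bond1:ipaddr 14.1.1.2
interface:bond1:masklen 24
interface:eth0:ipaddr 10.11.94.21
EOF
}

# Usage on a gateway (expert mode): review the list, then run for real.
#   DRY_RUN=1 gaia_db_delete ':bond1:'
#   gaia_db_delete ':bond1:'
```

The pattern is an ordinary grep expression, so a loose one like 'bond' also catches the bonding:group keys; anchor it (for example ':bond1:') when only the address keys of one bond should go.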