Posts

Checkpoint WinSCP Issues - Changing Shell

Linux amateurs, Linux haters or simply easy goers.. whichever category you belong to, WinSCP is the natural tool for file transfer within the device or to or from the device. Not a big fan of Linux commands myself (though I seem to have gained some serious expertise, thanks to my messing around with my Checkpoint installations and upgrades), I prefer using WinSCP wherever I can. However, every now and then, WinSCP has its own way of complaining about the compatibility of the target shell, to which it cannot connect. Something like this: How do I get around it? Simple, just log in to your Checkpoint device via CLISH, change to the BASH shell and enter: "chsh -s /bin/bash admin" And that's it! Try connecting via WinSCP again and bamm.. you are in!! Happy WinSCPing :)

Checkpoint Security Gateway Offline CPUSE upgrade - R77.x to R80.x

Call me an old-fashioned Network Engineer or call it my penchant for giving my network skills a geeky touch, I prefer to perform my device upgrades the old-fashioned way - via CLI - as and when possible. My approach towards Checkpoint upgrades is no different! Here we will perform the Checkpoint Security Gateway upgrade from R77.30 to R80.10 via Offline CPUSE (Checkpoint Upgrade Service Engine). The name should make it evident that we are not expecting the Gateway to communicate with the Checkpoint Cloud automatically or provide auto-recommendations for hotfixes or upgrades. A word of caution before you begin with the upgrade: ensure that you have sufficient disk space. One way to ensure that is:
1. From your expert mode (bash), type "lvm_manager". Select option 1.
2. You will see the disk allocation to the various partitions. Check for "lvm_log". The optimum value for this should be 10 GB. A 7-8 GB space should suffice, but 5 GB will definitely prove to be insuffi...

Checkpoint Smart Update - Licensing

So you have bought a car and filled it to the brim.. Can you drive? Of course, you can! But would you drive? No you wouldn't... (License and Registration, pal!!) The same goes for all the proprietary devices. And Checkpoint doesn't wish to be left out of it! Following are the steps for licensing Security Gateways via Smart Update.
Pre-requisites:
1. You already have the license ".lic" file.
2. There is already a SIC (Secure Internal Communication) established between the Management Server and the Security Gateway.
Steps:
3. You will land in the following page after logging into Smart Update.
4. Switch to the Licenses & Contracts tab:
5. Attach the downloaded licenses:
6. The summary of the license file will be displayed below:
7. Select the Security Gateway to which you wish to attach the license:
8. The confirmation dialog box indicates the IP address and the expiration date of the license.
9. It is a good idea to verify the same via CLI, as follows: And voilà!! The Gatew...

Checkpoint R80.10 - Smart Update

It's a fine sunny morning and you are in a particularly good mood with the prospect of configuring a few dozen rules on your newly upgraded Checkpoint R80.10 Management Server. You bring up your new Smart Console window: You press the login button and bammm... You go to the Checkpoint Licensing center (I will cover Checkpoint licensing in a separate article, later), get the CPLicenseFile.lic and download it. Now begins a hunt for our beloved Smart Update.. You don't find it!! That's where Google comes in: "Smart Update for checkpoint R80.10".. and this is where you land (overly optimistic, if you know what I mean). Here is how you fix the Licensing issue:
1. Locate and double-click the below file in the below directory:
C:\Program Files\CheckPoint\SmartConsole\<Version>\PROGRAM\SmartDistributor
OR
C:\Program Files (x86)\CheckPoint\SmartConsole\<Version>\PROGRAM\SmartDistributor
For example:
2. You will find the legacy Smart Update (with R77.x changed...

Checkpoint Objects

Objects are the central piece of most of the firewalls that currently exist – be it the traditional stateful firewalls or the over-used term “Next-Generation” firewall. Objects are the containers for IP addresses, subnets and services (i.e. ports). The rationale is: create an object, then use that object in the firewall rules, NAT policies, VPN communities etc. In case the IP address / port needs to be changed, simply make that change in the object, so that the change is automatically reflected in all the firewall rules, NAT policies and VPN communities that use the object. This is the sole purpose of the objects’ existence (besides making the IP addresses or ports more admin friendly). Multiple network or service objects are grouped together in a Network or Service group. Depending on the type of the value that goes into the object, Checkpoint has multiple types of objects:
- Network Object
- Host Object
- Network Group
- Service Object
The Checkpoint objects in R80.x can be created from the main...

Checkpoint R80.10 IPSEC VPN Configuration - Part 1

Pre-requisites: A basic understanding of IPSec VPNs and of what parameters go into building an IPSec VPN.
1. Configuration of Interoperable device: In the Checkpoint realm, any device that must be paired with the Security Gateway is called an “Interoperable device”. In case of IPSec VPN, if your Checkpoint Gateway is forming a VPN with a non-Checkpoint firewall, that non-Checkpoint firewall will be called an “Interoperable device”. The Interoperable device can be configured as below:
2. Configuration of VPN community parameters:
   1. Declare the Center and Satellite (peer) Gateways between which the VPN will be configured.
   2. Encrypted traffic allowed between the gateways.
   3. Define phase 1 and phase 2 tunnel parameters:
   4. Define tunnel management parameters: usually not changed and kept at default, as below:
   5. VPN routing: self explanatory.
We shall continue the remaining configuration in Part 2 of this tutorial.