ISOmorphic in R77.20



PhoneBoy
2014-07-10, 13:05
ISOmorphic is a tool provided by Check Point to prepare a USB thumb drive with a Check Point installation ISO.
This allows you to "fresh install" a Check Point Appliance very easily.
More details in sk65205 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65205).

One nifty feature added that is available with R77.20 and above is the ability to not only install a specific installation image, but also pre-configure the appliance with basic networking.
You can configure one interface with an IPv4 address/netmask/default route.
You can also add potentially multiple network configurations differentiated by device MAC address, which means that the same USB key installed in different appliances would install different "basic networking" configurations.
You can also specify a "default" networking configuration which applies to appliances whose MAC doesn't have a specific configuration.

jerryroy1
2015-09-01, 19:20
ISOmorphic is a tool provided by Check Point to prepare a USB thumb drive with a Check Point installation ISO.
This allows you to "fresh install" a Check Point Appliance very easily.
More details in sk65205 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65205).

One nifty feature added that is available with R77.20 and above is the ability to not only install a specific installation image, but also pre-configure the appliance with basic networking.
You can configure one interface with an IPv4 address/netmask/default route.
You can also add potentially multiple network configurations differentiated by device MAC address, which means that the same USB key installed in different appliances would install different "basic networking" configurations.
You can also specify a "default" networking configuration which applies to appliances whose MAC doesn't have a specific configuration.

I don't see an .iso image available for the 1100 series (1140 specifically). Does this mean Isomorphic is not an option for the 1100 series? (see sk97766 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97766))

Are there any other tools available?

RayPesek
2015-09-01, 20:25
The 1100 takes its firmware via the web interface. It holds both the new version and the previous version on the box. What are you trying to do precisely?

vonunov
2015-09-01, 21:50
The 1100 can use USB similarly, but you only have to copy the image file instead of 'burning' it as with ISOMorphic. See page 99: http://downloads.checkpoint.com/dc/download.htm?ID=40945

jerryroy1
2015-09-16, 13:41
I was able to follow the process with a USB and do a new code upgrade. Can I not do this with a config file?

jerryroy1
2015-09-17, 18:47
Is there a way to configure the 1140 via the GUI and export a text file via the command line and use it on another device? (Slight changes like Hostname, Nat, Subnets for settings for different locations)

"The Checkpoint 1100 Appliance Administration Guide" page 45 says I can configure a file and upload it via scp. Here is the code snippet. Is there a "tool" available for this? :)



set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)
set ntp server primary 10.1.1.10
set ntp server secondary

set user admin type admin password aaaa
set interface WAN ipv4-address 10.1.1.134 subnet-mask 255.255.255.192 default-gw 10.1.1.129

delete interface LAN1_Switch

set dhcp server interface LAN1 disable
set interface LAN1 ipv4-address 10.4.6.3 subnet-mask 255.255.255.0

add interface LAN1 vlan 2
set dhcp server interface LAN1:2 disable
set interface LAN1:2 ipv4-address 10.4.3.3 subnet-mask 255.255.255.0

set dhcp server interface LAN2 disable
set interface LAN2 ipv4-address 192.168.254.254 subnet-mask 255.255.255.248
set interface LAN2 state on

set admin-access interfaces WAN access allow

set hostname DEMOgw01
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 10.1.1.82 gateway-name DEMOgw01
fetch policy mgmt-ipv4-address 10.1.1.82

Cory Webb
2015-09-17, 20:55
Is there a way to configure the 1140 via the GUI and export a text file via the command line and use it on another device? (Slight changes like Hostname, Nat, Subnets for settings for different locations)

"The Checkpoint 1100 Appliance Administration Guide" page 45 says I can configure a file and upload it via scp. Here is the code snippet. Is there a "tool" available for this? :)



set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)
set ntp server primary 10.1.1.10
set ntp server secondary

set user admin type admin password aaaa
set interface WAN ipv4-address 10.1.1.134 subnet-mask 255.255.255.192 default-gw 10.1.1.129

delete interface LAN1_Switch

set dhcp server interface LAN1 disable
set interface LAN1 ipv4-address 10.4.6.3 subnet-mask 255.255.255.0

add interface LAN1 vlan 2
set dhcp server interface LAN1:2 disable
set interface LAN1:2 ipv4-address 10.4.3.3 subnet-mask 255.255.255.0

set dhcp server interface LAN2 disable
set interface LAN2 ipv4-address 192.168.254.254 subnet-mask 255.255.255.248
set interface LAN2 state on

set admin-access interfaces WAN access allow

set hostname DEMOgw01
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 10.1.1.82 gateway-name DEMOgw01
fetch policy mgmt-ipv4-address 10.1.1.82


In regular Gaia the system configuration can be saved by running "save configuration <script name>" from Clish. Then you can use WinSCP or any other file transfer program to pull <script name> off the box and load it onto a new machine. Since the 1100s run embedded Gaia I'm not sure it would work for them, but it should be easy enough to lab out.

jerryroy1
2015-09-18, 12:44
I tried "save configuration <script name>" but no go.

I ran "bashUser off" and then "clish", then got into expert mode and tried again, but it does not recognize the command. Any other ideas?

jerryroy1
2015-09-18, 14:59
Is there a complete list of all the commands and their syntax available for the 1140 command line?

I would like to see all the available "set", "fetch" and all available commands

TIA!

Found them myself, but these are not made in expert mode.


HM-LAB1-DHCP> set
Incomplete command
HM-LAB1-DHCP> set

external ports access
expert - Expert password set
property - Set advanced properties
sic_init - Set SIC password
serial-port-baudrate - Set serial console baudrate
aggregate - display Route Aggregation configuration commands
as - display Autonomous System Number configuration commands
router-options - Set Router Options
bgp - display BGP configuration commands
igmp - display IGMP configuration commands
kernel-routes - display Kernel Routes configuration commands
max-path-splits - Maximum Path Splits
nexthop-selection - Nexthop Selection Algorithm
ospf - display OSPFv2 configuration commands
pim - display PIM configuration commands
protocol-rank - Protocol Rank
rip - display RIP configuration commands
router-id - display Router ID configuration commands
static-mroute - Show Static Mroute
trace - Trace Options
tracefile - Tracefile
access-rule
ad-server - Active directory server object
additional-hw-settings - Additional hardware and operating system settings
address-range - Address range object
admin-access - Administrator access
administrators - Administrators RADIUS authentication
administrator
aggressive-aging - Connections aggressive aging
antispam - Policy for Anti-Spam blade
application-control - Default APPI policy and configuration
application-group - User defined application group
application - Database of user-defined URLs
bridge - Bridge configured in the device
cloud-deployment - Cloud Deployment Settings
cloud-services - Cloud Services
date - Date in the format YYYY-MM-DD
device-details - Device details
dhcp-relay - DHCP Relay advanced options
dhcp
dns - Configure DNS and Domain settings for the device
domainname - Identification string that defines a realm of administrative autonomy, authority, or control in the Internet
dynamic-dns - Configure a persistent domain name for the device
fw
group - Network Objects Group model
host - Address range object
hotspot - Hotspot settings
https-categorization - HTTPS categorization
interface - Local network
internet-connection - Internet Connection
internet
ip-fragments-params - IP fragments parameters
ips
local-group - Local Users Group
local-user - Configure a local database of users
log-servers-configuration - Log servers configuration
loginMessages - loginMessages
nat-rule
nat - NAT global
netflow
network - Address range object
ntp - NTP
proxy - Configure proxy settings for connecting with Check Point update and license servers
qos-rule - QoS rule base rule configuration
qos - QoS blade basic configuration
radius-server - Users RADIUS server
reach-my-device - Reach My Device
remote-access
security-management - Security management settings
serial-port - Serial port
server
service-group - A group of services
service-icmp - Service objects
service-protocol - Service objects
service-tcp - Service objects
service-udp - Service objects
snmp - SNMP general configuration options
static-route - Static routes
streaming-engine-settings - Streaming engine settings
switch - Switch
threat-prevention-advanced - Advanced settings for Threat Prevention
threat-prevention
timezone-dst
timezone - Timezone location
time - Time in the format HH:MM
ui-settings - Web Interface Settings and Customizations
usb-modem-watchdog - Uses the internet probing (if probing is enabled) to automatically detect and fix 3G/4G internet connectivity problems
user-awareness - User awareness configuration table
vpn - Configure remote VPN sites
wlan
routemap - Routemap
HM-LAB1-DHCP> set

Cory Webb
2015-09-18, 22:20
There was a post about this a few weeks ago that may help:

https://www.cpug.org/forums/showthread.php/20688-Large-Deployment-provisioning-process?highlight=smartprovisioning

jerryroy1
2015-11-06, 18:58
My autoconf.clish file keeps saying error on the following line

Bad parameter starting at 'set user admin type admin password aaaa'

Any ideas?

When I try and run the command on the box, it does not show 'set user' as a valid command. Was this changed?

jflemingeds
2015-11-06, 21:58
My autoconf.clish file keeps saying error on the following line

Bad parameter starting at 'set user admin type admin password aaaa'

Any ideas?

When I try and run the command on the box, it does not show 'set user' as a valid command. Was this changed?

I think it's "set administrator".

If you want to see for sure, add a user via the webpage then issue a show configuration from clish and see what it created.

Gaia embedded.. oh how you drive me crazy.