Checkpoint 1100 device - VPN tab not working



oharek
2016-06-30, 16:36
Hello,

I have bought 27 Checkpoint 1100's

How do I turn on the VPN feature under Security Dashboard: "Control and monitor Software Blades configurations and status"?

It's greyed out and I have already applied the license correctly (I think).

Thanks

Kevin

jflemingeds
2016-06-30, 16:51
Wait, are you talking about SmartConsole or are you talking about opening the WebUI on the firewall itself?

Also how are you planning on managing this? From a management server or from the local webui on the firewall?


Pretty sure you're talking about the WebUI on the firewall itself. Assuming so, yeah, set the management to local:
Security Management -> Local

This also means you will not be able to manage the policy from a Checkpoint management server. I haven't used the new cloud management option, so that might act differently if you're planning on using that.

oharek
2016-07-01, 07:28
WebUI on the firewall itself.

I had it set to central, so maybe I will set it to local.


The scenario is I have 27 sites on ADSL (because I can't get them onto my corporate network).

So I want to stick this Checkpoint 1100 at each site and create some sort of site-to-site VPN to each one. I was thinking about managing all 27 of them from the Checkpoint Manager 3050 device.

Any ideas are welcome on how I should approach this.

Thanks

jflemingeds
2016-07-01, 09:45
So the VPN tab is only used when you're using local management. With central management the VPN is configured from SmartConsole on your management server. The management server will need to be accessible from the internet as well. I think all you need to do is grab an extra IP on the internet connection the management server is on and then enable the NAT option on the management server.

Are these your only checkpoint devices?

oharek
2016-07-01, 11:57
Think I'll try this next week - looks like a good approach.

oharek
2016-07-06, 16:57
I had to install an add-on for the Checkpoint Mgr 3050 - even though I had R77.30 on it, I needed an R77.20 add-on for the Checkpoint 1100 appliances.

Then I got the SIC established and pushed out a central policy to the first device.

It worked OK.

Now I just have to work out what policy I want to push to each device and lock it down accordingly.


Thanks to everyone above for your help.
Kevin
:D

jflemingeds
2016-07-06, 21:09
This seems really strange to me. Just to be 100% sure, you installed the R77.20 add-on on top of R77.30? If I recall, R77.30 did support the 1100. I think the add-on for R77.30 added support for the 1200R.

Regardless, I really don't think you should be installing the R77.20 add-on on R77.30 if so. Did someone at Checkpoint tell you to do that?

oharek
2016-07-08, 04:05
Yes - Checkpoint support said for me to install the add-on:

Install addon to manage 1100 / 1200R Appliances running R77.20
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105412&partition=General&product=Security


Initially, when I went to do SmartProvisioning I only had an option to drop in R75.20 as the device, but when I did the add-on I had the option to drop in R77.20 as the device, which is what is actually installed on the CP1100.

jflemingeds
2016-07-08, 10:01
Ah crap, well I got bitten by confusing version numbers.

Yup, that is correct. What I was confused on was I thought you installed the R77.20 MGMT add-on on an R77.30 MGMT server. What you said makes perfect sense now. I forgot R77.30 doesn't support R77.20 Gaia Embedded out of the box.

oharek
2016-07-08, 16:29
I am now at the stage where I have the Checkpoint Mgr 3050 SIC established with the remote device.

Then I create a new policy on the Checkpoint Mgr 3050 to push out to the Checkpoint 1120 remote device. I can't get this bit to work yet.

According to the centrally managed admin guides I should be using SmartProvisioning - I have had a go but no luck yet in getting a policy onto the remote device.
I am thinking they just need access to a few subnets back in the office for only a few applications.

Any ideas - maybe if there was a working example online that would be good. Once I get one working I can start to roll out the other 26.

jflemingeds
2016-07-08, 17:29
Do you see the gateway attempting to connect to the management server? Is it completing a TCP handshake? If not, debug that first. I haven't used SmartProvisioning so I'm not 100% on how it works. We're just using a normal management server, creating an 1100 and having it fetch the goodies before shipping out.

Again, haven't used SmartProvisioning; maybe someone else can chime in if the process is different.

This is how we do it without it.

1. Create the FW object and set the SIC password; it needs to be the same hostname as below. Push policy to it in Dashboard.

2. clish commands on the gateway:
set hostname $1100_name
set sic_init password $SUPER_SECRET
fetch certificate mgmt-ipv4-address $MGMT_EXTERNAL_IP gateway-name $1100_name
fetch policy mgmt-ipv4-address $MGMT_EXTERNAL_IP

Of course replace $MGMT_EXTERNAL_IP, $SUPER_SECRET and $1100_name.


Oh, and ours are all dynamic IP and sometimes the WAN interface has a private subnet and isn't directly accessible, so keep in mind it's all pull from the 1100.
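The two-step procedure above, carried out for many sites, as an added example that is not part of the post or of any Check Point tooling: a POSIX shell script that renders one autoconf.clish per appliance from a site list, using the same four clish commands the reply quotes. Everything in it is assumed for illustration: the management server address 203.0.113.10 is an RFC 5737 documentation address, the site names and SIC one-time passwords are made up, the gateway object of the same name is assumed to already exist on the management server, and `render_autoconf` / `render_all` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: render one autoconf.clish per site from a
# "site,sic_one_time_password" list, reusing the four clish commands in the post.
# Assumptions: MGMT_EXTERNAL_IP defaults to an RFC 5737 documentation address;
# the gateway object named <site> already exists on the management server.
set -eu

MGMT_EXTERNAL_IP="${MGMT_EXTERNAL_IP:-203.0.113.10}"   # public (NAT) IP of the mgmt server

# Emit the clish lines for one gateway.
# $1 = gateway object name (also becomes the hostname), $2 = SIC one-time password.
render_autoconf() {
  printf 'set hostname %s\n' "$1"
  printf 'set sic_init password %s\n' "$2"
  printf 'fetch certificate mgmt-ipv4-address %s gateway-name %s\n' "$MGMT_EXTERNAL_IP" "$1"
  printf 'fetch policy mgmt-ipv4-address %s\n' "$MGMT_EXTERNAL_IP"
}

# Read "site,password" lines from stdin and write <outdir>/<site>.autoconf.clish
# for each; blank lines and "#" comments are skipped. Files are created with
# mode 0600 because they hold the SIC one-time password in clear text.
# Prints the number of files written.
render_all() {
  outdir="$1"
  mkdir -p "$outdir"
  umask 077
  n=0
  while IFS=, read -r site pw; do
    [ -z "$site" ] && continue
    case "$site" in "#"*) continue ;; esac
    render_autoconf "$site" "$pw" > "$outdir/$site.autoconf.clish"
    n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample site list (three of the 27 sites); real one-time passwords
# would come from a password manager, not a file kept next to the script.
SITES='# site,sic_one_time_password
cp1100-site01,Tk9K2m7pQ
cp1100-site02,Rz5V8h3wL
cp1100-site03,Hc4N6s9dX'

main() {
  outdir="${1:-$(mktemp -d)}"
  count=$(printf '%s\n' "$SITES" | render_all "$outdir")
  echo "wrote $count autoconf.clish files to $outdir"
}

main "$@"
```

Each rendered file is meant to be loaded on one appliance and then deleted: the one-time password is only useful until `fetch certificate` completes, but until then the file is a credential. Before running the commands at a site, confirm from that site that the management server's public address answers on TCP 18210 (the ICA certificate pull used by `fetch certificate`) and TCP 18191 (CPD, used by `fetch policy`); a failed TCP handshake on either port means the NAT or the upstream firewall, not SIC, is the problem.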

oharek
2016-08-06, 07:46
Sorry to be a pain, but I have got stuck on this.

I can push to the device with the CP 3050 connected to a subnet behind CORP-ASA-BRET.

But I want the CP 1100, which sits outside our network on an ISDN line, to talk back to a subnet connected to ASA-BRET-TELEM.

It's not fetching the policy even though I can push to it. Maybe that's why it's not working.

Are there any working examples on the Checkpoint site, or elsewhere maybe?

thanks
Kevin

mcnallym
2016-08-07, 00:20
Let me understand correctly.

You want the 1100 to talk to the Management Server on a different IP address, i.e. so it is behind CORP-ASA-BRET rather than ASA-BRET-TELEM.
Assuming that the 3050's actual IP isn't changing, then presumably you are doing some form of NAT as you go through the appropriate gateway, which are on different public IP ranges?
Have you told the 1100 of the different IP that it should be using now?
Is the appropriate NAT in place on the gateways?

oharek
2016-08-07, 06:18
The Management Server sits on the DMZ behind CORP-ASA-BRET.

I have a NAT on the Management Server (which doesn't change) so the CP1100 device (public IP) can talk back to it.

I can push to it and create the SIC but can't fetch the policy.

I want the CP1100 device to talk back to a subnet behind ASA-BRET-TELEM (another firewall on my network).

NAT is on the external firewall and that's working OK.

Not too sure what this means: "Have you told the 1100 of the different IP that it should be using now?"

jerryroy1
2017-03-01, 14:16
Does anyone know if there is a way to hash the sic password in the autoconf.clish file?

laf_c
2017-03-02, 03:35
What's the reason behind this?