CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Smart-1 on VMware

  1. #1
    Join Date
    2006-03-11
    Posts
    61
    Rep Power
    17

    Default Smart-1 on VMware

    Recently I managed to get Smart-1 running on VMware Workstation. Actually it was virtually the same as an open server install, except it has particular hard drive space requirements, so you just need to make sure you give it plenty of hard disk even though you won't actually use it all.

    However, I did encounter one problem. The install does not assign the default IP address (mgmnt) to any of the interfaces. When creating the VM I added 4 interfaces as per the physical specs of the appliance, but it didn't set the default. I manually added an IP to one of the interfaces via CLI and then I could access the WebUI, do all the config etc. and open up SmartDashboard. However, once I reboot, that IP address setting is lost again, so I have to manually assign the IP again. This is only for testing purposes, but I'm interested in why it didn't set the default IP or save the IP config and whether there is a way to fix that. The reason I'm curious is that I'm evaluating using VMware as a temporary option if I ever have a hardware failure that means I will be waiting for a long period of time for replacement hardware to arrive.

    Thanks.

  2. #2
    Join Date
    2012-07-19
    Posts
    108
    Rep Power
    11

    Default Re: Smart-1 on VMware

    The Smart-1 appliance probably has renamed eth0 to Mgmt and basic installation would set up Mgmt to 192.168.1.1, but fails as Mgmt does not exist on your VM.
    Renaming the interface happens via Linux's udev. See /etc/udev/rules.d/ in expert mode. Maybe the fact that your IP config doesn't stick has something to do with that.

    Also, try "dbget -ar interface" as expert to see what the box thinks should be configured (or look it up in /config/active).

  3. #3
    Join Date
    2014-02-10
    Posts
    4
    Rep Power
    0

    Default Re: Smart-1 on VMware

    Hi there, I'm trying to simulate the same Smart-1 (R75.40) on VM workstation 9. The problem I've got is that during copying files it asks to 'Insert Next CD', which is absurd as I have a single ISO file on DVD. I have set aside 235Gig of HD for this VM and tried it multiple times but am still getting the same error again and again. R75.40 SPLAT is working like a charm without any issue, but my requirement is to simulate Smart-1 to replicate and test a physical environment. Any thoughts would be appreciated!

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,500
    Rep Power
    20

    Default Re: Smart-1 on VMware

    Simulating hardware directly with management is less critical than it is for a gateway.
    And, quite honestly, you're not going to be able to do it in VMware since the hardware types are different though I'm sure someone will come prove me wrong :)
    What are you hoping to "simulate" that you can't with a normal Open Server-type install?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2014-02-10
    Posts
    4
    Rep Power
    0

    Default Re: Smart-1 on VMware

    Quote: Originally posted by PhoneBoy
    Simulating hardware directly with management is less critical than it is for a gateway.
    And, quite honestly, you're not going to be able to do it in VMware since the hardware types are different though I'm sure someone will come prove me wrong :)
    What are you hoping to "simulate" that you can't with a normal Open Server-type install?

    Hi Phoneboy, thanks for the reply, and you may be right. I have also given up trying to install Smart-1 on a VM after repeated failures. Actually, I've got a project and the requirements are explained below.

    We have two datacentres, A-DC being primary and B-DC DR. At the moment both have independent CP firewalls managed by local Management servers. These servers are not in HA mode (creepy). My job is to first put the management servers in HA mode (management server in A-DC being primary and B-DC as secondary). Secondly, I have to replicate around 400 rules from A-DC CP FW to B-DC FW (including objects), keeping around 100 existing FW rules in B-DC FW. A-DC FWs have around 600 rules and not all need to be replicated across to B-DC.

    Software on the management boxes is Smart1 R75.40 (primary) and Smart1 R75 (secondary). To address this I thought to tackle it as follows.

    1. upgrade_export database from B-DC management box and CP Merge it with A-DC Management Database.
    2. Cutover B-DC FW from B-DC Management box to A-DC Management Box (copy FW policy across also).
    3. Build B-DC Management server as Secondary.
    4. Copy required rules from A-DC FW policy and paste to B-DC FW policy (this will be done via the primary management box at A-DC).

    Problem:
    I've never used CP merge and want to simulate it before trying it in the production environment.
    So I'm trying to build a VM simulating the A-DC management box. I have upgrade-exported the database from the B-DC management box. Once I have the VM for the A-DC Management server ready, I shall cp merge the B-DC database into it and try to see how naming conflicts are handled etc.
    When I build an R75.40 SPLAT (open server) VM and try to import the database into it, it gives me the following error.

    [Expert@cpmodule]# ./upgrade_import export_db.tgz

    This utility should be ran on Check Point Security Management Server, but no Security Management Server was found on that Machine.

    [Expert@cpmodule]#

    Any thoughts??

  6. #6
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    20

    Default Re: Smart-1 on VMware

    Sounds like you haven't completed the First Time Wizard to tell it that it is a Management Server. When you install into VMware you will have 1 interface configured with 192.168.1.1/24. You need to change this IP to the correct IP and subnet mask, then connect in via WebUI to run through the First Time Configuration Wizard to say what the Check Point installation will be.

    What is the output of the cpconfig command on the box?

    You should be using the migrate commands rather than upgrade_export and upgrade_import, as you are on R75.x.

    Also cp_merge only works between Management Servers of the same software version.
    You will therefore need to export your B Management Server using the R75.40 Migration Tools, import into an R75.40 Management Server VM and then run the cp_merge on the B VM.

    1.) migrate export your Management Server A and migrate import into an R75.40 Virtual Machine with the same IP and hostname
    2.) migrate export your Management Server B using the R75.40 Migration Tools and then migrate import into a second R75.40 Virtual Machine
    3.) manually create the user groups on Server B in Server A
    4.) use the fwm dbexport command to export the userdatabase on Server B, transfer file to Server A
    5.) use the fwm dbimport to import the userdatabase from Server B into Server A
    6.) transfer the $FWDIR/conf/objects_5_0.C file from Server B to a directory on Server A
    7.) use the cp_merge utility to merge the transferred objects_5_0.C file into Server A
    8.) use the cp_merge utility to export the Security Policy from Server B, and then transfer these to Server A
    9.) use the cp_merge utility to import the exported Policy from Server B into Server A

    At that point you have a Server A on R75.40 that has the Policy and Objects etc from Server B included as well.



    Once ready to go ahead, you would reset SIC on the B DC Gateways and attach them to the Server A Management Server.
    Relicense the B DC Gateways to the Server A IP address.
    Install Policy from Server A to the B DC Gateways.

    Rebuild Server B as a Secondary Management Server, establish SIC with Server A
    Providing connectivity etc is in place correctly then Server B should synchronise with Server A and collect Policy, Objects etc

  7. #7
    Join Date
    2014-02-10
    Posts
    4
    Rep Power
    0

    Default Re: Smart-1 on VMware

    Thanks for your detailed input. You are correct: I didn't run the first time wizard and was trying to import before that (a lesson). I shall try out all the steps you mentioned and will come back with more questions at later stages. Just curious about the difference between migrate export/import and cp_merge import/export for policy and object files. In your steps you mentioned using cp_merge export/import, not migrate import/export. Are they achieving the same things, and in what way are they different from each other? Thanks again for your feedback.

  8. #8
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    20

    Default Re: Smart-1 on VMware

    They are completely separate utilities.

    migrate export/import

    This takes a complete copy of your Database, Policies, Users, Internal CA, all the Certificates etc. and exports a complete copy of your Management Server into a single file that you can use to import into another machine. You can install versions of the management migration tools for the version that you want to export a compatible version for.

    i.e., when upgrading from R75.40 to R77, you would install the R77 Management Migration Tools and use the migrate export to export an R77 compatible system.

    You then install an R77 System and then import the exported file to have a complete copy of the R75.40 Management System but running R77.

    The migrate import completely OVERWRITES the existing configuration in your R77 system, replacing what was in the system before the import with the contents of the file.

    cp_merge

    This allows you to copy the individual policies from an R75.40 Management Server and then import the individual policy into another R75.40 Management Server.
    It requires you to separately export the user database and manually create the user groups in the target system.
    It then allows you to MERGE your objects_5_0.C file from the first Management Server into the second Management Server.

    You end up with a Management Server that contains the contents of BOTH your First and Second Management Server.



    To merge your two Management Servers, they need to be on the same version of software.
    You then need to use the cp_merge utility to export the Second Management Server configuration and then merge the contents into your First Management Server.

    If you migrate export your Second Management Server and migrate import that into your First Management Server, then you had better have a backup of the First Management Server, as you would have just WIPED your First Management Server's configuration and REPLACED it with the Second Management Server's configuration.

  9. #9
    Join Date
    2014-02-10
    Posts
    4
    Rep Power
    0

    Default Re: Smart-1 on VMware

    It's been a while since we had this discussion. Just a question around merging the objects_5_0.C file from Management Server B to Management Server A. Some of the objects have the same names but different IPs on both management servers. When I use the cp_merge utility to merge the transferred objects_5_0.C file into Server A, the objects of Server A are retained. I am thinking of renaming all these objects on Management Server B, pushing policy to its gateways and then going ahead with merging the object files. Any thoughts on this approach?

  10. #10
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    20

    Default Re: Smart-1 on VMware

    That's exactly how I have done this myself in the past.
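
Post #9 reports that on a name collision the merge keeps Server A's object, which is why the colliding objects on Server B have to be renamed first. The script below is an added example, not part of the thread or a Check Point tool, that lists those collisions from copies of the two objects_5_0.C files before any merge is attempted. The file layout it parses is a simplified assumption, and the sample files are constructed.

```shell
# Added example (not from the thread). Assumed simplified objects_5_0.C layout: ": (name"
# two levels deep, ":ipaddr (x)" one level below it, no parentheses inside quoted strings.
extract_objects() {   # prints "name ip" for each object in file $1
  awk '
    depth == 2 && match($0, /^[ \t]*: \(/) {
      name = substr($0, RSTART + RLENGTH); sub(/[ \t]+$/, "", name)
    }
    depth == 3 && /^[ \t]*:ipaddr \(/ {
      ip = $0; sub(/^[ \t]*:ipaddr \(/, "", ip); sub(/\).*$/, "", ip)
      print name, ip
    }
    { line = $0; depth += gsub(/\(/, "", line) - gsub(/\)/, "", line) }
  ' "$1"
}
find_conflicts() {    # $1 = Server A file, $2 = Server B file
  { extract_objects "$1" | sed 's/^/A /'
    extract_objects "$2" | sed 's/^/B /'; } |
  awk '$1 == "A" { a[$2] = $3 }
       $1 == "B" && ($2 in a) && a[$2] != $3 { print $2 ": A=" a[$2] " B=" $3 }'
}
# Constructed sample files (not real exports).
WORK=$(mktemp -d)
cat > "$WORK/A.C" <<'EOF'
(
  :network_objects (network_objects
    : (web_srv
      :AdminInfo (
        :name (constructed)
      )
      :ipaddr (10.1.1.10)
    )
    : (dns_srv
      :ipaddr (10.1.1.53)
    )
  )
)
EOF
cat > "$WORK/B.C" <<'EOF'
(
  :network_objects (network_objects
    : (web_srv
      :ipaddr (10.2.1.10)
    )
    : (dns_srv
      :ipaddr (10.1.1.53)
    )
  )
)
EOF
find_conflicts "$WORK/A.C" "$WORK/B.C"
```

Each line of output is an object to rename on Server B before the merge; objects with the same name and the same address on both servers are not reported.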
