CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Checkpoint 1100 device - VPN tab not working

  1. #1
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Checkpoint 1100 device - VPN tab not working

    Hello,

    I have bought 27 Checkpoint 1100's

    How do I turn on the VPN feature under Security Dashboard: Control and monitor Software Blades configurations and status

    It's greyed out and I have already applied the license correctly (I think)

    Thanks

    Kevin

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    Hello,

    I have bought 27 Checkpoint 1100's

    How do I turn on the VPN feature under Security Dashboard: Control and monitor Software Blades configurations and status

    It's greyed out and I have already applied the license correctly (I think)

    Thanks

    Kevin

    Wait, are you talking about SmartConsole or are you talking about opening the WebUI on the firewall itself?

    Also how are you planning on managing this? From a management server or from the local webui on the firewall?


    Pretty sure you're talking about the WebUI on the firewall itself. Assuming so, yeah set the management to local.
    Security Management -> Local

    This also means you will not be able to manage the policy from a checkpoint management server. I haven't used the new cloud management option so that might act differently if you're planning on using that.
    Last edited by jflemingeds; 2016-06-30 at 16:56.

  3. #3
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by jflemingeds View Post
    Wait, are you talking about SmartConsole or are you talking about opening the WebUI on the firewall itself?

    Also how are you planning on managing this? From a management server or from the local webui on the firewall?


    Pretty sure you're talking about the WebUI on the firewall itself. Assuming so, yeah set the management to local.
    Security Management -> Local

    This also means you will not be able to manage the policy from a checkpoint management server. I haven't used the new cloud management option so that might act differently if you're planning on using that.

    WebUI on the firewall itself

    I had it set to central so maybe I will set it to local


    The scenario is I have 27 sites on ADSL (because I can't get them onto my corporate network)

    So I want to stick this Checkpoint 1100 at each site and create some sort of Site to Site VPN to each one. I was thinking about managing all 27 of them from the Checkpoint Manager 3050 device

    Any ideas are welcome on how I should approach this

    Thanks

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    WebUI on the firewall itself

    I had it set to central so maybe I will set it to local


    The scenario is I have 27 sites on ADSL (because I can't get them onto my corporate network)

    So I want to stick this Checkpoint 1100 at each site and create some sort of Site to Site VPN to each one. I was thinking about managing all 27 of them from the Checkpoint Manager 3050 device

    Any ideas are welcome on how I should approach this

    Thanks

    So the VPN tab is only used when you're using local management. With central management the VPN is configured from Smartconsole on your management server. The management server will need to be accessible from the internet as well. I think all you need to do is grab an extra IP on the inet connection the management server is on and then enable the nat option on the management server.

    Are these your only checkpoint devices?

  5. #5
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    Think I'll try this next week - looks like a good approach

  6. #6
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    I had to install an addon for the Checkpoint Mgr 3050 - even though I had R77.30 on it I needed an R77.20 addon for the Checkpoint 1100 appliances

    Then I got the SIC established and pushed out a central policy to the first device

    It worked ok

    Now I just have to work out what policy I want to push to each device and lock it down accordingly


    thanks to everyone above for your help
    Kevin

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    I had to install an addon for the Checkpoint Mgr 3050 - even though I had R77.30 on it I needed an R77.20 addon for the Checkpoint 1100 appliances

    Then I got the SIC established and pushed out a central policy to the first device

    It worked ok

    Now I just have to work out what policy I want to push to each device and lock it down accordingly


    thanks to everyone above for your help
    Kevin

    This seems really strange to me. Just to be 100%, you installed the R77.20 addon on top of R77.30? If I recall R77.30 did support the 1100. I think the addon for R77.30 added support for the 1200R.

    Regardless, I really don't think you should be installing the R77.20 addon on R77.30 if so. Did someone at checkpoint tell you to do that?

  8. #8
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    Yes - Checkpoint support said for me to install the addon

    Install addon to manage 1100 / 1200R Appliances running R77.20
    https://supportcenter.checkpoint.com...oduct=Security


    Initially when I went to do smart provisioning I only had an option to drop in R75.20 as the device but when I did the addon then I had the option to drop in R77.20 as the device which is what is actually installed on the CP1100

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    Yes - Checkpoint support said for me to install the addon

    Install addon to manage 1100 / 1200R Appliances running R77.20
    https://supportcenter.checkpoint.com...oduct=Security


    Initially when I went to do smart provisioning I only had an option to drop in R75.20 as the device but when I did the addon then I had the option to drop in R77.20 as the device which is what is actually installed on the CP1100

    Ah crap, well I got bit by confusing version numbers.

    Yup, that is correct. What I was confused on was I thought you installed the R77.20MGMT addon on R77.30MGMT server. What you said makes perfect sense now. I forgot R77.30 doesn't support R77.20 Gaia Embedded out of the box.

  10. #10
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    I am now at the stage where I have the Checkpoint Mgr 3050 SIC established with the remote device.

    Then I create a new policy on the Checkpoint Mgr 3050 to push out to the Checkpoint 1120 remote device. I can't get this bit to work yet.

    According to the centrally managed admin guides I should be using Smart Provisioning - I have had a go but no luck yet in getting a policy onto the remote device
    I am thinking they just need access to a few subnets back in the office for only a few applications

    Any ideas - maybe if there was a working example online that would be good. Once I get one working I can start to roll out the other 26

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,321
    Rep Power
    8

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    I am now at the stage where I have the Checkpoint Mgr 3050 SIC established with the remote device.

    Then I create a new policy on the Checkpoint Mgr 3050 to push out to the Checkpoint 1120 remote device. I can't get this bit to work yet.

    According to the centrally managed admin guides I should be using Smart Provisioning - I have had a go but no luck yet in getting a policy onto the remote device
    I am thinking they just need access to a few subnets back in the office for only a few applications

    Any ideas - maybe if there was a working example online that would be good. Once I get one working I can start to roll out the other 26

    Do you see the gateway attempting to connect to the management server? Is it completing a TCP handshake? If not, debug that first. I haven't used Smart Provisioning so I'm not 100% on how it works. We're just using a normal management server and creating a 1100 and having it fetch the goodies before shipping out.

    Again, haven't used smart provisioning, maybe someone else can chime in if the process is different.

    This is how we do it without.

    1. Create FW object and set sic password, needs to be same hostname as below and push policy to it in dashboard.

    2. clish commands on gateway
    set hostname $1100_name
    set sic_init password $SUPER_SECRET
    fetch certificate mgmt-ipv4-address $MGMT_EXTERNAL_IP gateway-name $1100_name
    fetch policy mgmt-ipv4-address $MGMT_EXTERNAL_IP

    of course replace $MGMT_EXTERNAL_IP, $SUPER_SECRET and $1100_name


    Oh and ours are all dynamic IP and sometimes the WAN interface has a private subnet and isn't directly accessible so keep in mind it's all pull from the 1100.

  12. #12
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    Sorry to be a pain but I have got stuck on this.

    I can push to the device with the CP 3050 connected to a subnet behind CORP-ASA-BRET

    But I want the CP 1100 which sits outside our network on an ISDN line to talk back to a subnet connected to ASA-BRET-TELEM

    It's not fetching the policy even though I can push to it. Maybe that's why it's not working.

    Are there any working examples on the Checkpoint site, or elsewhere maybe

    thanks
    Kevin
    Attached image: Capture.PNG
    Last edited by oharek; 2016-08-06 at 07:49.

  13. #13
    Join Date
    2007-06-04
    Posts
    3,221
    Rep Power
    15

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by oharek View Post
    Sorry to be a pain but I have got stuck on this.

    I can push to the device with the CP 3050 connected to a subnet behind CORP-ASA-BRET

    But I want the CP 1100 which sits outside our network on an ISDN line to talk back to a subnet connected to ASA-BRET-TELEM

    It's not fetching the policy even though I can push to it. Maybe that's why it's not working.

    Are there any working examples on the Checkpoint site, or elsewhere maybe

    thanks
    Kevin

    Let me understand correctly.

    You want the 1100 to talk to the Management Server on a different IP address, i.e. so it is behind CORP-ASA-BRET rather than ASA-BRET-TELEM.
    Assuming that the 3050's actual IP isn't changing, then presumably you are doing some form of NAT as you go through the appropriate gateways, which are on different public IP ranges?
    Have you told the 1100 of the different IP that it should be using now?
    Is the appropriate NAT in place on the Gateways?

  14. #14
    Join Date
    2006-07-13
    Location
    Belfast
    Posts
    122
    Rep Power
    12

    Default Re: Checkpoint 1100 device - VPN tab not working

    The Management Server sits on the DMZ behind CORP-ASA-BRET

    I have a NAT on the Management Server (which doesn't change) so the CP1100 device (public IP) can talk back to it

    I can push to it and create the SIC but can't fetch the policy

    I want the CP1100 device to talk back to a subnet behind ASA-BRET-TELEM (another firewall on my network)

    NAT is on the external firewall and that's working ok

    Not too sure what this means .... Have you told the 1100 of the different IP that should be using now

  15. #15
    Join Date
    2015-08-26
    Posts
    77
    Rep Power
    2

    Default Re: Checkpoint 1100 device - VPN tab not working

    Does anyone know if there is a way to hash the sic password in the autoconf.clish file?

  16. #16
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    596
    Rep Power
    4

    Default Re: Checkpoint 1100 device - VPN tab not working

    Quote Originally Posted by jerryroy1 View Post
    Does anyone know if there is a way to hash the sic password in the autoconf.clish file?
    What's the reason behind this?
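
The gateway-side steps from post #11, generalised to the multi-site rollout described in the thread, as an added example that is not part of any post. It renders the four clish commands per gateway with a distinct random SIC key each, because the key sits in clear text in those commands (the subject of the question in post #15), and writes the files readable by their owner only. The `.clish` file names, the key length and all function names are assumptions of this example.

```python
import ipaddress
import os
import re
import secrets
import string

# The four clish commands from post #11, with its $1100_name, $SUPER_SECRET
# and $MGMT_EXTERNAL_IP markers turned into format fields.
CLISH_TEMPLATE = (
    "set hostname {name}\n"
    "set sic_init password {key}\n"
    "fetch certificate mgmt-ipv4-address {mgmt_ip} gateway-name {name}\n"
    "fetch policy mgmt-ipv4-address {mgmt_ip}\n"
)
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
KEY_ALPHABET = string.ascii_letters + string.digits  # nothing that needs quoting


def new_sic_key(length=16):
    """Random key from the OS CSPRNG (the length is an assumption)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def render_site(name, mgmt_ip, key):
    """Fill the template for one gateway, rejecting values that could break a line."""
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"invalid gateway name: {name!r}")
    ipaddress.IPv4Address(mgmt_ip)  # raises ValueError on a malformed address
    return CLISH_TEMPLATE.format(name=name, key=key, mgmt_ip=mgmt_ip)


def build_rollout(names, mgmt_ip):
    """Return {name: (key, clish_text)}, one distinct key per gateway."""
    if len(set(names)) != len(names):
        raise ValueError("duplicate gateway name")
    keys = {name: new_sic_key() for name in names}
    return {n: (k, render_site(n, mgmt_ip, k)) for n, k in keys.items()}


def write_rollout(rollout, directory):
    """Write hypothetical <name>.clish files, created owner-only (0600); never overwrite."""
    paths = []
    for name, (_key, text) in rollout.items():
        path = os.path.join(directory, f"{name}.clish")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        paths.append(path)
    return paths
```

The key returned for each gateway is the one to set on the matching firewall object in step 1 of post #11.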
