CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: R80.10 in VMware

  1. #1
    Join Date
    2017-09-10
    Posts
    38
    Rep Power
    0

    Default R80.10 in VMware

    Hello

    I am trying to build an R80.10 VM in VMware Workstation. I have given it the following specs.
    RAM: 8gb
    HD: 100GB
    Gaia r80.10

    and I chose linux 2.6.x kernel for the OS.

    The problem I am having is when I log in to the Gaia portal for first time installation I am getting a blank white screen.

    Thanks in advance.

  2. #2
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,139
    Rep Power
    12

    Default Re: R80.10 in VMware

    Try using a different browser.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: R80.10 in VMware

    Quote Originally Posted by msjouw
    Try using a different browser.
    Be sure to clear the browser cache periodically, too. I've had the web UI break badly when I tried to set up a new firewall with the same address as one I had built before.

    I miss sysconfig. Web UIs are junky, and it sucks that Check Point now requires you to use another box with a GUI to set up a firewall. There are far fewer stupid issues like this with text-mode setup.
    Zimmie

  4. #4
    Join Date
    2006-09-26
    Posts
    3,155
    Rep Power
    16

    Default Re: R80.10 in VMware

    Quote Originally Posted by Bob_Zimmerman
    Be sure to clear the browser cache periodically, too. I've had the web UI break badly when I tried to set up a new firewall with the same address as one I had built before.

    I miss sysconfig. Web UIs are junky, and it sucks that Check Point now requires you to use another box with a GUI to set up a firewall. There are far fewer stupid issues like this with text-mode setup.
    Agreed. The browser initial install is completely STUPID. What happens if you have to rebuild the box remotely without remote hands-on? I miss both sysconfig and lynx.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: R80.10 in VMware

    You've been able to config a firewall without webui for a very long time.

    config_system is the latest way for R77.30. Haven't tried R8x.

  6. #6
    Join Date
    2014-09-02
    Posts
    342
    Rep Power
    10

    Default Re: R80.10 in VMware

    config_system still works, and can actually be quite powerful when used properly

    -E

  7. #7
    Join Date
    2017-09-10
    Posts
    38
    Rep Power
    0

    Default Re: R80.10 in VMware

    Hello

    Thanks for your help.

    I changed the browser to IE. I also increased the number of cores to 2 and it worked.
    When I used the 6gb RAM it worked but it is too slow. I suggest using 8gb RAM, 100gb HD, and 2 cores.


    Ravindra

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: R80.10 in VMware

    Quote Originally Posted by jflemingeds
    You've been able to config a firewall without webui for a very long time.

    config_system is the latest way for R77.30. Haven't tried R8x.
    Huh. I did not know about that one. Looks like it is non-interactive, so still not quite a replacement for sysconfig. Takes something like an autoinstall file for the BSDs. Now we just need it to be able to learn the location over the network and pull the file from a central repo of some kind. Then, I could build config files for all of my systems and rebuild them far more rapidly.

    Does it support any kind of logic in the files, or are they just static key=value sets?
    Zimmie

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: R80.10 in VMware

    Quote Originally Posted by Bob_Zimmerman
    Huh. I did not know about that one. Looks like it is non-interactive, so still not quite a replacement for sysconfig. Takes something like an autoinstall file for the BSDs. Now we just need it to be able to learn the location over the network and pull the file from a central repo of some kind. Then, I could build config files for all of my systems and rebuild them far more rapidly.

    Does it support any kind of logic in the files, or are they just static key=value sets?
    Well, really you can just find the commands. The whole system is just shell script so all the heavy lifting is done with external commands. I think you can take it down to a single command or two. That being said, I think you can also pass the info to ISOmorphic and burn a fully configured firewall.

  10. #10
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,222
    Rep Power
    13

    Default Re: R80.10 in VMware

    Quote Originally Posted by Bob_Zimmerman
    Huh. I did not know about that one. Looks like it is non-interactive, so still not quite a replacement for sysconfig. Takes something like an autoinstall file for the BSDs. Now we just need it to be able to learn the location over the network and pull the file from a central repo of some kind. Then, I could build config files for all of my systems and rebuild them far more rapidly.
    Isn't that part of the CDT?

    sk111158: Central Deployment Tool (CDT)
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  11. #11
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: R80.10 in VMware

    Quote Originally Posted by ShadowPeak.com
    Isn't that part of the CDT?

    sk111158: Central Deployment Tool (CDT)
    Not quite. Ideally, what I want is something like OpenBSD's autoinstall(8) functionality. You can netboot OpenBSD's RAMdisk, serve out a 'next-server' via DHCP, and the installer will go to http://<next-server>/<MAC address>-install.conf and use that file to answer the questions from the normally-interactive installer.

    I can set up a server-side script on the next-server which will take the GET request, grab the MAC address, and build the install.conf file for that MAC dynamically (e.g., to give it a MAC-based name). You can use the install.conf file to install site-local OpenBSD sets, which can then run arbitrary scripts (e.g., to connect the new client to a CFEngine server for further configuration).

    Using this method, I can deploy new OpenBSD systems without ever once touching the physical console (or VM console or whatever else). The Central Deployment Tool works over CPUSE, so as far as I can tell, it requires the system already be up and talking with the SmartCenter.

    Check Point's "appliances" are flakey, and I need to RMA them relatively frequently. My company keeps buying them for some reason, so I'm interested in ways to make rebuilding "the same" appliance on a different physical instance require less interaction. Interactive CLI setup is vastly, vastly faster than web-based setup. Unattended setup with a manual, static "answers file" is faster still. Unattended setup with a script which can fill in the hostname and such for me is even faster than that.
    Zimmie
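
Added example, not code from the thread or from any poster: a minimal sketch of the server-side script described in the post above, which builds an answer file per MAC address and gives each machine a MAC-based hostname. The MAC path format, the inventory, the addresses and the question strings other than the hostname are assumptions to check against autoinstall(8).

```python
import re

# Assumption: the request path is /<MAC>-install.conf with the MAC written as six
# lowercase hex octets separated by colons; confirm against autoinstall(8).
REQUEST_RE = re.compile(r"/((?:[0-9a-f]{2}:){5}[0-9a-f]{2})-install\.conf")

# Constructed inventory: only MAC addresses listed here are ever answered.
INVENTORY = {
    "00:11:22:aa:bb:01": {"site": "dfw", "sets_server": "192.0.2.10"},
    "00:11:22:aa:bb:02": {"site": "lab", "sets_server": "192.0.2.10"},
}

def hostname_for(mac, site):
    """MAC-based name built from the site tag and the last three octets."""
    return f"{site}-{mac.replace(':', '')[-6:]}"

def answer_file(path, inventory=INVENTORY):
    """Return (status, body) for a GET of `path`; nothing is read from disk."""
    match = REQUEST_RE.fullmatch(path)
    if match is None:              # rejects traversal, upper case, extra segments
        return 400, ""
    mac = match.group(1)
    host = inventory.get(mac)
    if host is None:               # unknown hardware gets no configuration
        return 404, ""
    answers = [
        ("System hostname", hostname_for(mac, host["site"])),
        # Assumed question strings; match them to your installer's prompts.
        ("Location of sets", "http"),
        ("HTTP Server", host["sets_server"]),
    ]
    return 200, "".join(f"{q} = {a}\n" for q, a in answers)

def app(environ, start_response):
    """WSGI callable so the function above can be served on the next-server."""
    status, body = answer_file(environ.get("PATH_INFO", ""))
    reason = {200: "OK", 400: "Bad Request", 404: "Not Found"}[status]
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [body.encode()]

if __name__ == "__main__":
    print(answer_file("/00:11:22:aa:bb:01-install.conf")[1], end="")
```

Because the body is generated from an allowlisted inventory and the path is matched as a whole, a request never maps to a file on the server.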

  12. #12
    Join Date
    2014-09-02
    Posts
    342
    Rep Power
    10

    Default Re: R80.10 in VMware

    One word: ISOmorphic

    If I understand you correctly, it should do most (if not all) of what you're looking for. Check SK65205

    While I hate to have to kick people over to SK, since the tool can only be [legally] downloaded from Check Point anyway, there's really no need for me to re-hash everything here. I will summarize, though:

    Historically, ISOmorphic was the simple tool used to build a bootable USB stick from a Check Point ISO image. One of the cool features of older versions, was that you could update the "image" by simply copying a new ISO to the drive (without having to "extract" the whole thing). Essentially, the boot files simply mounted the ISO and ran the installer. Of course, not all drives worked, and appliances could be finicky about things like which USB port you were using.

    ISOmorphic has since been updated quite a bit, and current versions allow you to build the bootable USB stick, but also include hotfixes, set initial configurations, set comprehensive config_system options, and even run a clish script at the end. It gets really cool when you start populating the drive with multiple, unique system configurations that will auto-install based on MAC address.

    The Windows installer/GUI will help set everything up, and even guide the configuration of individual system setups. However, you can eventually make things easier (for large-scale deployment) by simply looking at the resulting file-structure and duplicating/modifying as desired (hint: individual folders are created per MAC address, with config files inside).

    There's way more than I can re-write here, but take a look at the SK. It's spelled out fairly well, and it has worked pretty well in our use cases.

    Of course, if you still have questions/problems, please bring them up.

    Have fun!

    -E

  13. #13
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: R80.10 in VMware

    Quote Originally Posted by EricAnderson
    One word: ISOmorphic

    If I understand you correctly, it should do most (if not all) of what you're looking for. Check SK65205

    While I hate to have to kick people over to SK, since the tool can only be [legally] downloaded from Check Point anyway, there's really no need for me to re-hash everything here. I will summarize, though:

    Historically, ISOmorphic was the simple tool used to build a bootable USB stick from a Check Point ISO image. One of the cool features of older versions, was that you could update the "image" by simply copying a new ISO to the drive (without having to "extract" the whole thing). Essentially, the boot files simply mounted the ISO and ran the installer. Of course, not all drives worked, and appliances could be finicky about things like which USB port you were using.

    ISOmorphic has since been updated quite a bit, and current versions allow you to build the bootable USB stick, but also include hotfixes, set initial configurations, set comprehensive config_system options, and even run a clish script at the end. It gets really cool when you start populating the drive with multiple, unique system configurations that will auto-install based on MAC address.

    The Windows installer/GUI will help set everything up, and even guide the configuration of individual system setups. However, you can eventually make things easier (for large-scale deployment) by simply looking at the resulting file-structure and duplicating/modifying as desired (hint: individual folders are created per MAC address, with config files inside).

    There's way more than I can re-write here, but take a look at the SK. It's spelled out fairly well, and it has worked pretty well in our use cases.

    Of course, if you still have questions/problems, please bring them up.

    Have fun!

    -E
    The first step of using ISOmorphic is "Run this as Administrator", and my employer doesn't grant users admin access to our work machines. They also have janky "endpoint protection" software which disallows mounting external drives because cloud storage is obviously the future and why would anybody ever need a physical thumb drive. Fiber cuts? Who's ever heard of those?

    I know how to bypass the restrictions, but I don't want to be the security guy bypassing the security measures. There's a reason I want to be able to do this over the network.
    Zimmie

  14. #14
    Join Date
    2014-09-02
    Posts
    342
    Rep Power
    10

    Default Re: R80.10 in VMware

    I hear you, and understand the restrictions (and resulting frustrations). I like the idea of a network-based config as well, and it may even be possible in one way or another with hacks to ISOmorphic (think remote-mounting of the ISOmorphic data). I won't argue the point, but an interesting aspect strikes me...

    One could run the firewall configuration processes (ISOmorphic and all customization) on a completely isolated/offline machine. One could even argue that maintaining gateway configurations only on an "island" machine, the thumb drive(s) used for installation, and the gateways themselves would be more secure than maintaining the configs (possibly including hashed passwords) on an unprotected network store. That network store could even be susceptible to "unauthorized" manipulation, and even injection of admin accounts into the canned/scripted configurations.

    Again, not trying to argue anything with you, but it may help add fuel/perspective to your discussions/plans.

    -E
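
Added example, not part of the thread or of any Check Point tool: one way to detect the "unauthorized manipulation" of stored per-MAC configurations raised in the post above, by sealing a hash manifest of the config tree with a key that is kept off the store. The folder layout, file names, file contents and key are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def seal(manifest, key):
    """HMAC-SHA256 over canonical JSON; the key never lives on the config store."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify(root, manifest, tag, key):
    """Return a list of findings; an empty list means the tree matches."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: bad seal"]
    current = build_manifest(root)
    findings = []
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            findings.append(f"removed: {path}")
        elif path not in manifest:
            findings.append(f"added: {path}")
        elif manifest[path] != current[path]:
            findings.append(f"modified: {path}")
    return findings

def demo():
    """Constructed sample: two per-MAC folders, then a simulated edit on the store."""
    key = b"constructed-demo-key"        # assumption: the real key is kept offline
    with tempfile.TemporaryDirectory() as root:
        for mac in ("00-11-22-33-44-55", "00-11-22-33-44-66"):  # hypothetical layout
            os.makedirs(os.path.join(root, mac))
            with open(os.path.join(root, mac, "system.conf"), "w") as fh:
                fh.write(f"hostname=fw-{mac[-5:]}\n")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify(root, manifest, tag, key)
        # Simulate tampering: an extra account line in one file and a new file.
        with open(os.path.join(root, "00-11-22-33-44-55", "system.conf"), "a") as fh:
            fh.write("add_user=extra-admin\n")
        with open(os.path.join(root, "00-11-22-33-44-66", "post.sh"), "w") as fh:
            fh.write("# unexpected script\n")
        return clean, verify(root, manifest, tag, key)

if __name__ == "__main__":
    print(demo())
```

The manifest and its seal are produced on the machine that authors the configurations and checked again before a config is used for a rebuild.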

  15. #15
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,480
    Rep Power
    16

    Default Re: R80.10 in VMware

    There are a couple new developments in this area "coming soon":

    1. A new tool called "Blink" that will reimage a gateway in about 5-7 minutes with relevant hotfixes and a simple configuration screen. It can also be fully unattended by adding a configuration file to the image.
    2. An update to CDT (Central Deployment Tool) that will have "RMA" support in order to reproduce a previous gateway (complete with patches). Later, CDT will use Blink to do this in order to increase speed of deployment.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  16. #16
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,222
    Rep Power
    13

    Default Re: R80.10 in VMware

    Quote Originally Posted by PhoneBoy
    1. A new tool called "Blink" that will reimage a gateway in about 5-7 minutes with relevant hotfixes and a simple configuration screen. It can also be fully unattended by adding a configuration file to the image.
    Will the reimage process be quantum-locked and only able to move forward if it is not currently being observed by any living entity (or another reimage process)? Might make one weep...
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  17. #17
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    253
    Rep Power
    12

    Default Re: R80.10 in VMware

    Quote Originally Posted by cciesec2006
    Agreed. The browser initial install is completely STUPID. What happens if you have to rebuild the box remotely without remote hands-on? I miss both sysconfig and lynx.
    I had forgotten about this until running some VSX upgrades in a lab just now.

    You are required to use the web UI to set up a new GAiA box. (Yes, you can use config_system or customize your install image using ISOmorphic; I'm talking about stock, interactive setup).

    Once you enable VSX, you are forbidden from using the web UI on that box again.

    So dumb.
    Zimmie

  18. #18
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: R80.10 in VMware

    Quote Originally Posted by Bob_Zimmerman
    Once you enable VSX, you are forbidden from using the web UI on that box again.

    So dumb.
    Yet there is a very important reason to block WebUI after enabling VSX. I do agree initial WebUI setup seems to be unnecessary.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  19. #19
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,623
    Rep Power
    9

    Default Re: R80.10 in VMware

    Quote Originally Posted by Bob_Zimmerman
    I had forgotten about this until running some VSX upgrades in a lab just now.

    You are required to use the web UI to set up a new GAiA box. (Yes, you can use config_system or customize your install image using ISOmorphic; I'm talking about stock, interactive setup).

    Once you enable VSX, you are forbidden from using the web UI on that box again.

    So dumb.
    I'm not following the bit about being required to use the webui.

  20. #20
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,028
    Rep Power
    14

    Default Re: R80.10 in VMware

    Quote Originally Posted by jflemingeds
    I'm not following the bit about being required to use the webui.
    WebUI setup wizard must be run once a new Gaia installation is made.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
