Unable to generate CPINFO

Sometimes CPINFO generation does not complete. There can be several causes; a common one is that the newer CPINFO utility prompts for an SR number or tries to perform an update of itself.

To work around this, the right flags need to be given. Below is the command:

  • cpinfo -z -d -i -o <filename>
  • flag -z means zip / compress the output
  • flag -d means do not perform the CPINFO utility update
  • flag -i means skip interactive mode (usually the culprit when cpinfo cannot be generated)
  • flag -o means write to the specified output file

Cheers,

ASK


Configure NAT64 on Checkpoint Standalone

It has been a while. Today I am going to talk about how to configure NAT64 on Check Point. There are certain conditions to meet:

  1. Enable IPv6 support in the WebUI

(screenshot: ipv6-1)

  2. R77.30 or above is required
  3. Install the R77.30 add-on that supports the NAT64 feature

Refer to:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105412

After the prerequisites have been completed, configure the following in SmartDashboard (this assumes that the router or other device in front of the Check Point has IPv6 addresses configured, and that the Check Point's external-facing interface has IPv6 configured):

(screenshot: ipv6-2)

In the rule above, not all of the listed services need to be used; use only the services that apply to your configuration (ssh, smtp, etc.).

NAT rule:

(screenshot: ipv6-3)

For the translated source (embedded NAT64), use a range of IPv4 addresses. This range must be routable and not in use on the IPv4 side of the network. For example, if your sync network is 1.1.1.0/24, you can use any IPs in that range other than the ones configured on the sync interfaces.
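A small check for that constraint, added here as an example (it is not part of the original post and not a Check Point tool): given the subnets the IPv4 side routes and the addresses already assigned there, it reports whether a candidate translated-source range is usable. The sync network 1.1.1.0/24 is the post's own example; the sync interface addresses 1.1.1.1 and 1.1.1.2 are assumed sample values.

```python
"""Check a candidate NAT64 translated-source range against the IPv4 side.

Added example, not from the original post. The post requires the range to be
routable and not in use on the IPv4 side; this helper checks that the range
lies inside a subnet the IPv4 side routes, that none of its addresses is
already assigned, and that it does not swallow the subnet's network or
broadcast address. All sample subnets and addresses below are constructed.
"""
import ipaddress


def validate_nat64_pool(first, last, routed_subnets, in_use):
    """Return a list of problems with the pool first..last; [] means it looks usable.

    routed_subnets: IPv4 subnets the IPv4 side can route (e.g. the sync network).
    in_use:         IPv4 addresses already assigned (interfaces, hosts, other NAT).
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        return [f"range end {last} is before range start {first}"]
    subnets = [ipaddress.IPv4Network(s) for s in routed_subnets]
    problems = []

    # Routable: the whole range must sit inside one subnet the IPv4 side knows.
    containing = [n for n in subnets if lo in n and hi in n]
    if not containing:
        problems.append(f"{first}-{last} is not inside any routed subnet")

    # Not in use: no already-assigned address may fall inside the range.
    for addr in sorted(ipaddress.IPv4Address(a) for a in in_use):
        if lo <= addr <= hi:
            problems.append(f"{addr} is already in use inside the range")

    # Network and broadcast addresses of the containing subnet are not usable hosts.
    for n in containing:
        for special in (n.network_address, n.broadcast_address):
            if lo <= special <= hi:
                problems.append(f"{special} is the network/broadcast address of {n}")
    return problems


if __name__ == "__main__":
    # Constructed sample: sync network 1.1.1.0/24 (the post's example) with the
    # sync interfaces on .1 and .2 (assumed addresses).
    routed = ["1.1.1.0/24"]
    used = ["1.1.1.1", "1.1.1.2"]
    for pool in (("1.1.1.100", "1.1.1.110"), ("1.1.1.1", "1.1.1.10")):
        print(pool, validate_nat64_pool(*pool, routed, used) or "OK")
```

Feed it the real interface and host addresses from the IPv4 side before committing the range in the NAT rule; an empty result for the range you picked is the condition the post describes.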

Push the policy and test from the external side: the IPv6 traffic should be translated to IPv4, and the translation will be shown in SmartView Tracker.

(screenshot: ipv6-4)

Cheers,

ASK


Static NAT does not work

Recently faced an issue whereby NAT did not work on a Check Point gateway running R77.30 Gaia.

Troubleshooting done:

  • Checked the NAT configuration (OK)
  • Automatic static NAT does not work
  • Manual NAT with proxy ARP configured does not work
  • Global Properties already shows the merge proxy ARP configuration ticked
  • The router's ARP table shows <incomplete>
  • Output of fw ctl arp shows the ARP record is there
  • tcpdump on the firewall's external interface shows the ARP message "who has <static NAT IP> tell <router>"

If all of the above have been checked and are working, make sure that under cpconfig -> Cluster membership is disabled if the firewall is a standalone.

Cheers.


Checkpoint ports to be opened (minimum)

The bare-minimum ports to take note of for establishing communication between the SMS (Security Management Server) and the security gateway:

Gateway to management:

  • port 256 (to get topology information from the SMS, to fetch the rulebase from the SMS, to install the rulebase from the SMS)
  • port 257 (to send firewall logs to the SMS)

Management to firewall:

  • port 18191 (to push policy from the SMS to the gateway, certificate revocation)
  • port 18211 (pushing the certificate from the ICA to the gateway from the SMS)
  • port 18192 (Check Point AMON from the gateway to the SMS)
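Because the ports above are opened in different directions, a connectivity check has to run from the right side: the gateway needs to reach the SMS on 256 and 257, and the SMS needs to reach the gateway on 18191, 18211 and 18192. The script below is an added example (not from the original post and not a Check Point utility) that keeps the post's port table and probes the peer from whichever role you run it on. The offline demo at the bottom uses a constructed loopback listener so the script can be run without any Check Point host.

```python
"""Probe the minimum SMS <-> gateway ports from the post, in the right direction.

Added example, not from the original post. Run it on the gateway with
role "gateway" (it probes the SMS on 256/257) or on the SMS with role "sms"
(it probes the gateway on 18191/18211/18192). "open" means the TCP handshake
completed; "refused" means the host answered but nothing listens on that
port; "timeout" usually means something in between drops the SYN.
"""
import socket
import sys
import threading

# Port table exactly as the post gives it, keyed by which side opens the connection.
MIN_PORTS = {
    "gateway": {  # gateway -> management
        256: "topology, fetch rulebase, install rulebase",
        257: "firewall logs to SMS",
    },
    "sms": {  # management -> gateway
        18191: "policy push, certificate revocation",
        18211: "certificate push from ICA",
        18192: "Check Point AMON",
    },
}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def probe_peer(role, peer_host, timeout=3.0):
    """Probe every minimum port this role must be able to reach on its peer."""
    if role not in MIN_PORTS:
        raise ValueError("role must be 'gateway' or 'sms'")
    return {port: probe_tcp(peer_host, port, timeout) for port in MIN_PORTS[role]}


def local_demo():
    """Offline self-check: a listening loopback port reads 'open', the same port closed reads 'refused'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # constructed listener on an ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    # Accept in the background so the probe's connect completes cleanly.
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    open_result = probe_tcp("127.0.0.1", port, timeout=2.0)
    t.join(2.0)
    srv.close()
    closed_result = probe_tcp("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Usage: python3 this_script.py gateway <sms-ip>   or   python3 this_script.py sms <gateway-ip>
    if len(sys.argv) == 3:
        role, peer = sys.argv[1], sys.argv[2]
        for port, state in probe_peer(role, peer).items():
            print(f"{port:>6} {state:<12} {MIN_PORTS[role][port]}")
    else:
        print("local demo (open, closed):", local_demo())
```

A "refused" on a port here is not a firewall problem but a service not listening (for example FWM or FWD not running), while a "timeout" points at something filtering between the two hosts.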

Cheers..


Smart view monitor showing one of the gateways ‘disconnected’ message

If SmartView Monitor shows a ‘disconnected’ message for one of the gateways even though the gateway's communication with management is OK, this is most likely caused by the cache inside the management server (which can happen after a migration or a gateway downtime): the old status stays stuck in the management cache.

To resolve this, clean up the cache on the management server with the following procedure:

  1. Connect to the command line on the Security Management Server (over SSH or console).
  2. Log in to Expert mode.
  3. Stop Check Point services:

[Expert@HostName]# cpstop

  4. Back up and remove the current cache files:

[Expert@HostName]# mkdir -v /var/log/GUI_cache_bkp
[Expert@HostName]# mv $FWDIR/conf/applications.C* /var/log/GUI_cache_bkp/
[Expert@HostName]# mv $FWDIR/conf/CPMILinksMgr.db* /var/log/GUI_cache_bkp/

  5. Start Check Point services:

[Expert@HostName]# cpstart

  6. Wait 5-10 minutes for the cache to rebuild.
  7. Connect with SmartDashboard to the Security Management Server.

Cheers


Remote Access VPN unable to get IP address

If, during remote access VPN, a user trying to connect gets the following error message on the VPN client,

(screenshot: remoteaccessvpn)

and the settings are correct (community, domain, user group and DHCP pool have all been defined), then this could mean there is a licensing problem: the firewall does not have a VPN blade license.

Once the license has been added, it should work.

Cheers


cpwd_admin list showing “No processes in WD database”

If you encounter the following error message when running cpwd_admin list:

“No processes in WD database”

the resolution is to set the hostname together with the IP address of the related interface.

Before setting the hostname and its associated IP address, the output of the clish command show host names, or of cat /etc/hosts, looks like the following:

<hostname> <IP address>

localhost ::1

After setting the hostname and associated IP address it will be:

<hostname> <IP address>

localhost 127.0.0.1

localhost ::1

The command in clish is: set host name <hostname> ipv4-address <IP address>, then save config and reboot.

In expert mode: vi /etc/hosts and modify the list, then reboot the machine.
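To confirm the file ends up in the "after" state the post shows (hostname bound to the interface IP, and localhost mapped to both 127.0.0.1 and ::1), here is an added example (not from the original post and not a Check Point tool) that parses /etc/hosts content and lists what is missing. It reads the file's native layout, address first and then names. The hostname fw-standalone and the address 192.0.2.10 in the samples are assumed values, and both samples are constructed to mirror the post's before/after.

```python
"""Validate the /etc/hosts layout the post expects before cpwd is happy.

Added example, not from the original post. It parses /etc/hosts text (address
first, then one or more names) and reports what differs from the post's
"after" state: the hostname mapped to the interface IP, plus localhost on both
127.0.0.1 and ::1. BEFORE and AFTER are constructed samples.
"""
import sys


def parse_hosts(text):
    """Return a list of (address, [names]) entries, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def hosts_problems(text, hostname, interface_ip):
    """Return a list of problems; [] means the layout matches the post's 'after' state."""
    names_for = {}
    for addr, names in parse_hosts(text):
        names_for.setdefault(addr, set()).update(names)
    problems = []
    if hostname not in names_for.get(interface_ip, set()):
        problems.append(f"{hostname} is not mapped to {interface_ip}")
    for addr in ("127.0.0.1", "::1"):
        if "localhost" not in names_for.get(addr, set()):
            problems.append(f"localhost is not mapped to {addr}")
    # The hostname resolving to several addresses is ambiguous for the watchdog.
    owners = sorted(a for a, n in names_for.items() if hostname in n)
    if len(owners) > 1:
        problems.append(f"{hostname} maps to more than one address: {', '.join(owners)}")
    return problems


# Constructed: the state the post shows before 'set host name ... ipv4-address'
BEFORE = """\
192.0.2.10 fw-standalone
::1 localhost
"""

# Constructed: the state after the clish command and reboot
AFTER = """\
192.0.2.10 fw-standalone
127.0.0.1 localhost
::1 localhost
"""


if __name__ == "__main__":
    # Usage: python3 this_script.py <hostname> <interface-ip>   (reads /etc/hosts)
    if len(sys.argv) == 3:
        with open("/etc/hosts") as f:
            text = f.read()
        print(hosts_problems(text, sys.argv[1], sys.argv[2]) or "OK")
    else:
        print("before:", hosts_problems(BEFORE, "fw-standalone", "192.0.2.10"))
        print("after: ", hosts_problems(AFTER, "fw-standalone", "192.0.2.10"))
```

Run it after the reboot; an empty result means the file already matches what the post describes, and anything it lists is what still has to be fixed in clish or with vi before the watchdog database will populate.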

 

Cheers

 
