Backup your O/S Config in GAIA command line

Many people will open a command prompt in GAIA and will do a “show configuration” to see how they have their Check Point configured. They will then copy/paste that config into notepad to save for later.

However, there is an easier way: from the CLISH prompt, run

save configuration <filename>

The file will be placed in the home directory of the user you are logged in as.

Here is an example:

[screenshot: example output of the save configuration command]
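As an added example (not from the original post), here is how I would script the same backup from Expert mode so the file gets a predictable name, owner-only permissions and a recorded checksum. It assumes Gaia's "clish -c" wrapper accepts a CLISH command string and that the file is written to $HOME (/home/admin for the admin user); both are assumptions, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post): run "save configuration" from
# Expert mode through the clish wrapper, name the backup by host and time,
# restrict its permissions and record a SHA-256 next to it.
# Assumptions: "clish -c" accepts a CLISH command string, and the backup
# lands in $HOME (/home/admin for the admin user).

# Build the backup file name from a host name and a timestamp.
backup_name() {
    # $1 = host name, $2 = timestamp such as 20240101-1200
    printf '%s-%s.cfg\n' "$1" "$2"
}

# Save the configuration and harden the resulting file.
save_config_backup() {
    name=$(backup_name "$(hostname)" "$(date +%Y%m%d-%H%M)")
    dest="${HOME:-/home/admin}/$name"        # assumption: written to $HOME
    clish -c "save configuration $name" || return 1
    [ -f "$dest" ] || { echo "backup not found at $dest" >&2; return 1; }
    # The export carries password hashes and shared secrets (SNMP, RADIUS,
    # TACACS+), so make it owner-only before it goes anywhere.
    chmod 600 "$dest"
    sha256sum "$dest" > "$dest.sha256"
    printf '%s\n' "$dest"
}

# Check an earlier backup against its recorded hash before restoring or
# diffing it; returns non-zero on mismatch.
verify_config_backup() {
    sha256sum -c "$1.sha256"
}
```

The checksum file is what lets you tell a corrupted or edited copy from the one you actually took, which matters once these backups start living on a jump host or in a ticketing system.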

How to use command line for first time wizard in Check Point

Many people have asked me how to get a system configured from the command line. My earlier post (see: How to install Check Point without getting on a plane) covers getting the code you want onto the box with nothing more than a serial cable and Ethernet. Now, over that same serial connection, we can configure it using a template and the 'config_system' command.

Procedure:
1) Create the template file:
[Expert@HostName:0]# config_system --create-template /path_to/name_of_template_file
2) Edit the template file you created and assign the desired values in the relevant fields (see the example file below).
 Note: to enable or disable IPv4 and IPv6, set the following fields:
      ipstat_v4 (manually / off)
      ipstat_v6 (manually / off)
      Starting from R80.10 these parameters have default values, but in older versions you must set them (manually or off).
3) Save the file.
4) Test the file with a dry run:
[Expert@HostName:0]# config_system --dry-run --config-file /path_to/name_of_template_file
5) Apply the file:
[Expert@HostName:0]# config_system -f /path_to/name_of_template_file
6) Reboot the machine to complete the configuration.

Here are all the flags that you can use and what they do.

[screenshot: config_system flag reference]

Example of how you edit the file using “True or False” answers:

# Mandatory parameters - change the values specific to your setup
hostname=NEW_GW
ftw_sic_key=

# Mandatory parameters - do not change
install_security_managment=false
install_security_gw=true
gateway_daip=false
install_ppak=true
gateway_cluster_member=false

Here is an example of a gateway configuration template for a cluster member, ready to be connected to management. (For a single box ready for management, change the line gateway_cluster_member=true to false.)

After you use the config_system command to create a template, you will have a file that looks like the one below. Pay attention to the values I have filled in. If a cluster member is what you want, make yours look like mine and just change the fields appropriately (hostname, IPs, etc.). Remember to practice this first!

(To make the template see above)
#########################################################################
# #
# Products configuration #
# #
# For keys below set “true”/”false” after ‘=’ within the quotes #
#########################################################################

# Install Security Gateway.
install_security_gw=true

# Install Acceleration Blade (aka Performance Pack).
install_ppak=true

# Enable DAIP (dynamic ip) gateway.
# Should be "false" if CXL or Security Management enabled
gateway_daip=false

# Enable/Disable CXL.
gateway_cluster_member=true

# Install Security Management.
install_security_managment=false

# Optional parameters, only one of the parameters below can be “true”.
# If no primary of secondary specified, log server will be installed.
# Requires Security Management to be installed.
install_mgmt_primary=false
install_mgmt_secondary=false

# Provider-1 parameters
# e.g: install_mds_primary=true
# install_mds_secondary=false
# install_mlm=false
# install_mds_interface=eth0
install_mds_primary=
install_mds_secondary=
install_mlm=
install_mds_interface=

# In case of Smart1 SmartEvent appliance, choose
# Security Management only, log server will be installed automatically

#########################################################################
# #
# Products Parameters #
# #
# For keys below set value after ‘=’ #
#########################################################################

# Management administrator name
# Must be provided, if Security Management installed
mgmt_admin_name=

# Management administrator password
# Must be provided, if Security Management installed
mgmt_admin_passwd=

# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host is allowed to connect to management
# Set to "range" if a range of IPs is allowed to connect to management
# Set to "network" if IPs from a specific network are allowed to connect
# to management
# Set to "this" if it is a single IP
# Must be provided if Security Management installed
mgmt_gui_clients_radio=
#
# In case of “range”, provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of “network”, provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
#
# In case of a single IP
mgmt_gui_clients_hostname=
# Secure Internal Communication key, e.g. “aaaa”
# Must be provided, if primary Security Management not installed
ftw_sic_key=sweet

#########################################################################
# #
# Operating System configuration – optional section #
# #
# For keys below set value after ‘=’ #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
# dbget passwd:admin:passwd
# OR
# grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in the hash, enclose the hash string within single quotes.
# e.g admin_hash='put_here_your_hash_string'
#
# Optional parameter (leave empty to keep the default)
admin_hash=''

# Interface name, optional parameter
iface=eth0

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention: if you run first time configuration remotely
# and you change the IP, then in order to maintain the connection
# the old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after the first time configuration
# process.
# Optional parameter, requires "iface" to be specified
# IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
# ipstat_v4 manually/off
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=24
default_gw_v4=192.168.10.1

ipstat_v6=off
ipaddr_v6=
masklen_v6=
default_gw_v6=

# Host Name e.g host123, optional parameter
hostname=pocgw

# Domain Name e.g. checkpoint.com, optional parameter
domainname=

# Time Zone in format Area/Region (e.g America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west of Greenwich)
# Enclose the time zone string within single quotes.
# Optional parameter (Arizona, which has no DST, is America/Phoenix)
timezone='America/Phoenix'

# NTP servers
# NTP parameters are optional
ntp_primary=192.168.10.5
ntp_primary_version=
ntp_secondary=
ntp_secondary_version=

# DNS – IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=198.6.1.2
secondary=
tertiary=
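The dry run in step 4 of the procedure above catches a lot, but a few template mistakes are worth catching even earlier, especially when the file has been pasted from a web page (curly quotes) or edited on Windows (CRLF line endings). The following lint script is an added example written for this page, not a Check Point tool; the checks it applies are the rules written in the template comments above (SIC key required when no primary management is installed, DAIP not combinable with CXL or Security Management, only one of primary/secondary management, ipstat_v4 set to manually or off, Area/Region time zone), and the key names are the ones in the template.

```shell
#!/bin/sh
# Added example, not part of the original post or of Check Point's tooling:
# a pre-flight lint for a config_system template, to run before the
# "config_system --dry-run" step.
# Usage: lint_template /path_to/name_of_template_file

# Print the value of key $2 in template $1 (first match, comments ignored,
# surrounding straight quotes stripped so quoted and bare values compare equal).
tpl_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

fail() { printf 'ERROR: %s\n' "$1"; errors=$((errors + 1)); }

lint_template() {
    f=$1
    errors=0

    # Curly quotes (UTF-8 E2 80 98/99/9C/9D) are data to config_system, not quoting.
    if LC_ALL=C grep -q "$(printf '\342\200[\230\231\234\235]')" "$f"; then
        fail "curly quotes found; use straight ' or \" quotes"
    fi
    # A CR at the end of a line becomes part of the value.
    if grep -q "$(printf '\r')" "$f"; then
        fail "CRLF line endings found; convert with dos2unix"
    fi

    # A box that is not a primary Security Management must carry a SIC key.
    if [ "$(tpl_get "$f" install_mgmt_primary)" != "true" ] && \
       [ -z "$(tpl_get "$f" ftw_sic_key)" ]; then
        fail "ftw_sic_key is empty but no primary Security Management is installed"
    fi
    # DAIP cannot be combined with clustering or Security Management.
    if [ "$(tpl_get "$f" gateway_daip)" = "true" ] && {
         [ "$(tpl_get "$f" gateway_cluster_member)" = "true" ] || \
         [ "$(tpl_get "$f" install_security_managment)" = "true" ]; }; then
        fail "gateway_daip=true conflicts with cluster membership or Security Management"
    fi
    # Only one of primary/secondary management may be selected.
    if [ "$(tpl_get "$f" install_mgmt_primary)" = "true" ] && \
       [ "$(tpl_get "$f" install_mgmt_secondary)" = "true" ]; then
        fail "install_mgmt_primary and install_mgmt_secondary are both true"
    fi

    # IPv4 must be explicitly 'manually' or 'off' on releases before R80.10.
    case "$(tpl_get "$f" ipstat_v4)" in
        manually)
            [ -n "$(tpl_get "$f" iface)" ]     || fail "ipstat_v4=manually needs iface"
            [ -n "$(tpl_get "$f" ipaddr_v4)" ] || fail "ipstat_v4=manually needs ipaddr_v4"
            m=$(tpl_get "$f" masklen_v4)
            case "$m" in
                ''|*[!0-9]*) fail "masklen_v4 must be a number 0-32" ;;
                *) [ "$m" -le 32 ] || fail "masklen_v4 must be a number 0-32" ;;
            esac ;;
        off) ;;
        *) fail "ipstat_v4 must be 'manually' or 'off'" ;;
    esac

    # Time zone, when given, must be in Area/Region form.
    tz=$(tpl_get "$f" timezone)
    if [ -n "$tz" ]; then
        case "$tz" in */*) ;; *) fail "timezone '$tz' is not Area/Region" ;; esac
    fi

    if [ "$errors" -eq 0 ]; then
        printf 'OK: %s passed lint; proceed to config_system --dry-run\n' "$f"
    fi
    [ "$errors" -eq 0 ]
}
```

Run it as `lint_template /path_to/name_of_template_file`; a non-zero exit means at least one ERROR line was printed, so it drops straight into a build script ahead of the dry run.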

See sk69701 for more information.

How to update CPUSE from the command line.

My friend and fellow SE (William Garner) had a situation where he needed to do a CPUSE update from the command line, which he did, and he wrote up a procedure on how to do it. By luck of the draw I ran into a situation where CPUSE needed to be updated as well, so I thought I would post this simple and effective procedure.

Important to note: if you are updating from build 839 or above, continue with the steps below; if not, refer to sk106696.

Download the package from sk92449 (Section 3-A).

Transfer the package to the machine, into the /some_path_to_updated_DA/ directory.

Unpack the package:

[Expert@HostName]# cd /some_path_to_updated_DA/
[Expert@HostName]# tar -zxvf DeploymentAgent_<build>.tgz

Install the Deployment Agent RPM (the currently running Deployment Agent will be stopped automatically):

[Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

Start the Deployment Agent:

[Expert@HostName]# $DADIR/bin/dastart
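Because the RPM is force-installed as root from Expert mode, I like two checks in front of the install step: the .tgz should match the SHA-256 noted from the download page, and the archive listing should be inspected before extracting so that nothing unexpected (absolute or ".." paths, extra RPMs) is unpacked. The script below is an added example of the same procedure with those checks, not something from the post or from Check Point; the package and path names are the ones used above, and the expected checksum is a placeholder argument because the post gives no value.

```shell
#!/bin/sh
# Added example, not part of the original post: the CPUSE update procedure
# with a checksum comparison and an archive-listing check ahead of the
# force-install. Package names and paths follow the post.

# Read tar entry names from stdin; print the RPM file name and succeed only
# when the listing is safe and holds exactly one CPda*.rpm.
check_listing() {
    rpm_file=""; count=0
    while IFS= read -r entry; do
        case "$entry" in
            /*|..|../*|*/..|*/../*)
                printf 'REJECT: unsafe path %s\n' "$entry" >&2; return 1 ;;
            CPda-*.rpm|./CPda-*.rpm)
                rpm_file=${entry#./}; count=$((count + 1)) ;;
        esac
    done
    if [ "$count" -ne 1 ]; then
        printf 'REJECT: expected exactly one CPda RPM, found %s\n' "$count" >&2
        return 1
    fi
    printf '%s\n' "$rpm_file"
}

# Compare a file's SHA-256 with the expected hex value (case-insensitive).
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# The steps from the post, guarded. Usage:
#   update_deployment_agent /some_path_to_updated_DA DeploymentAgent_<build>.tgz <EXPECTED_SHA256>
# (<EXPECTED_SHA256> is a placeholder for the value taken from the download page.)
update_deployment_agent() {
    dir=$1; tgz=$2; sum=$3
    cd "$dir" || return 1
    verify_sha256 "$tgz" "$sum" || { echo "checksum mismatch for $tgz; not installing" >&2; return 1; }
    rpm_file=$(tar -tzf "$tgz" | check_listing) || return 1
    tar -zxvf "$tgz" || return 1
    # The currently running Deployment Agent is stopped automatically.
    rpm -Uhv --force "$rpm_file" || return 1
    "$DADIR/bin/dastart"
}
```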

 

How to know what Jumbo Hotfix is installed on your Check Point device

I have been asked "how do you see what Jumbo HF you are currently on?". There is a simple command you can run from your device to tell you. If you are running R77 with at least Take 38, do this:

Short answer:
As Expert type: installed_jumbo_take -n

This should return a simple number like 128. That means you are on Jumbo Hotfix Accumulator take 128.
If no argument is specified (the -n above), the command will print: "RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX".

Long Answer:
For Take 38 and above

The same command applies to Jumbo that was installed using Gaia CPUSE and using Legacy CLI.

[Expert@HostName:0]# installed_jumbo_take [-n | -h]

If no argument is specified, then the command will print: “RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX”.
If “-n” argument is specified, then the command will print only the number of the Take (value “0” means that a reference to the Jumbo Hotfix Accumulator was not found in Check Point registry).
If “-h” argument is specified, then the command will print the usage help.

On VSX Gateway, this command must be run from the context of VS0 (run “vsenv” command).

For Take 37 and lower

If Jumbo Hotfix Accumulator was installed using Gaia CPUSE:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "CPUpdates/6.0/BUNDLE_GULLI_HF_BASE_008" SU_Build_Take 0

If Jumbo Hotfix Accumulator was installed using Legacy CLI:

[Expert@HostName]# $CPDIR/bin/cpprod_util CPPROD_GetValue "Check Point Mini Suite/setup/GULLI_HF_BASE_008" Take 0
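Where this gets useful is patch-level reporting across a fleet: you want one number per box and a verdict against the take your change process requires. The wrapper below is an added example written for this page, not a Check Point tool. It uses installed_jumbo_take -n where it exists (Take 38 and above) and otherwise falls back to the two cpprod_util registry lookups shown above; the output format it parses is the one quoted in this post, and the minimum take is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original post: report the installed Jumbo
# take as a plain number and compare it with a required minimum, so the
# result can feed an inventory or compliance script.

# Extract N from "RXX.XX Jumbo Hotfix Accumulator take_N is installed, see skXXXXX".
parse_take() {
    printf '%s\n' "$1" | sed -n 's/.*take_\([0-9][0-9]*\) is installed.*/\1/p'
}

# Installed take: installed_jumbo_take -n where present (Take 38+), else the
# cpprod_util registry lookups from the post. Prints 0 when nothing is found.
installed_take() {
    if command -v installed_jumbo_take >/dev/null 2>&1; then
        installed_jumbo_take -n
    else
        t=$("$CPDIR/bin/cpprod_util" CPPROD_GetValue "CPUpdates/6.0/BUNDLE_GULLI_HF_BASE_008" SU_Build_Take 0 2>/dev/null)
        [ -n "$t" ] && [ "$t" != 0 ] || \
            t=$("$CPDIR/bin/cpprod_util" CPPROD_GetValue "Check Point Mini Suite/setup/GULLI_HF_BASE_008" Take 0 2>/dev/null)
        printf '%s\n' "${t:-0}"
    fi
}

# Compare an installed take ($1) with the required minimum ($2).
# Prints a one-word verdict; exit 0 only when compliant.
take_status() {
    installed=$1; required=$2
    case "$installed" in ''|*[!0-9]*) echo "unknown"; return 2 ;; esac
    if [ "$installed" -eq 0 ]; then
        echo "no-jumbo"; return 1
    elif [ "$installed" -lt "$required" ]; then
        echo "behind($installed<$required)"; return 1
    else
        echo "ok($installed)"; return 0
    fi
}

# Example run on a gateway, requiring at least take 128 (a constructed value):
#   take_status "$(installed_take)" 128
```

On a VSX gateway, run it from the VS0 context (vsenv) as noted above, otherwise the registry lookup will not see the take.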