How to use command line for first time wizard in Check Point

I have been asked by many people how to use the command line to get a Check Point system configured. My earlier post on installing the code with nothing but a serial cable and an Ethernet connection (see my post: How to install Check Point without getting on a plane) gets the version you want onto the box. From there, over that same serial connection, the First Time Configuration Wizard can be driven from a template file with the command 'config_system'.

Procedure:
1 ) Create the Template File:
[Expert@HostName:0]# config_system --create-template /path_to/name_of_template_file
2) Edit the template file you created and assign the desired values in the relevant fields (see the example file below).
 Note: to enable / disable IPv4 and IPv6, define the following fields:
      ipstat_v4 (manually / off)
      ipstat_v6 (manually / off)
      Starting from R80.10 these parameters have default values, but in older versions you must set each of them explicitly (manually or off).
3) Save the file.
4) Test to see if your file is good (a dry run validates the template without applying it):
[Expert@HostName:0]# config_system --dry-run --config-file /path_to/name_of_template_file
5) Run the file
[Expert@HostName:0]# config_system -f /path_to/name_of_template_file
6) Reboot the machine to complete the configuration

Here are all the flags that you can use and what they do. (The flag listing was an image that did not survive; run config_system -h on the box to print the same usage text.)

Example of how you edit the file using true/false answers (here a single gateway, not a cluster member, that will be managed by an external Security Management server):

# Mandatory parameters - change the values specific to your setup
hostname=NEW_GW
ftw_sic_key=

# Mandatory parameters - do not change for this single-gateway scenario
install_security_managment=false
install_security_gw=true
gateway_daip=false
install_ppak=true
gateway_cluster_member=false

Here is an example of a gateway configuration template for a cluster member ready to be connected to management. (For a single box ready for management, change the line "gateway_cluster_member=true" to false.)

After you use the config_system command to create a template, you will have a file that looks like the one below (the values I changed were highlighted in bold in the original post). If a cluster member is what you want, make yours look like mine and just change the fields appropriately (hostname, IPs, etc.). Treat the finished file as a secret: it carries the SIC one-time key and, if you set it, the admin password hash, so keep it off shared storage and remove it from the box once the wizard has run. Remember to practice this first!

(To make the template, see step 1 above.)
#########################################################################
#                                                                       #
# Products configuration                                                #
#                                                                       #
# For keys below set "true"/"false" after '=' within the quotes         #
#########################################################################

# Install Security Gateway.
install_security_gw=true

# Install Acceleration Blade (aka Performance Pack).
install_ppak=true

# Enable DAIP (dynamic ip) gateway.
# Should be "false" if CXL or Security Management enabled
gateway_daip=false

# Enable/Disable CXL.
gateway_cluster_member=true

# Install Security Management.
install_security_managment=false

# Optional parameters, only one of the parameters below can be "true".
# If neither primary nor secondary is specified, a log server will be installed.
# Requires Security Management to be installed.
install_mgmt_primary=false
install_mgmt_secondary=false

# Provider-1 parameters
# e.g: install_mds_primary=true
# install_mds_secondary=false
# install_mlm=false
# install_mds_interface=eth0
install_mds_primary=
install_mds_secondary=
install_mlm=
install_mds_interface=

# In case of Smart1 SmartEvent appliance, choose
# Security Management only, log server will be installed automatically

#########################################################################
#                                                                       #
# Products Parameters                                                   #
#                                                                       #
# For keys below set value after '='                                    #
#########################################################################

# Management administrator name
# Must be provided, if Security Management installed
mgmt_admin_name=

# Management administrator password
# Must be provided, if Security Management installed
mgmt_admin_passwd=

# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Set to "this" if it's a single IP
# Must be provided if Security Management installed
mgmt_gui_clients_radio=
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of "network", provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
#
# In case of a single IP
mgmt_gui_clients_hostname=

# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary Security Management not installed
ftw_sic_key=sweet

#########################################################################
#                                                                       #
# Operating System configuration - optional section                     #
#                                                                       #
# For keys below set value after '='                                    #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
# dbget passwd:admin:passwd
# OR
# grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in the hash, enclose the hash string within single quotes.
# e.g. admin_hash='put_here_your_hash_string'
#
# Optional parameter (a hash copied from another box is as sensitive
# as the password itself; protect this file accordingly)
admin_hash=''

# Interface name, optional parameter
iface=eth0

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention that if you run the first time configuration remotely
# and you change the IP, in order to maintain the connection
# the old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after the first time configuration
# process.
# Optional parameter, requires "iface" to be specified
# IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
# ipstat_v4 manually/off
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=24
default_gw_v4=192.168.10.1

ipstat_v6=off
ipaddr_v6=
masklen_v6=
default_gw_v6=

# Host Name e.g host123, optional parameter
hostname=pocgw

# Domain Name e.g. checkpoint.com, optional parameter
domainname=

# Time Zone in format Area/Region (e.g. America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west of Greenwich)
# Enclose the time zone string within the quotes.
# Optional parameter
# (Arizona is America/Phoenix in the Area/Region list; the value
# 'Americas/Arizona' that appeared here originally is not a valid zone name)
timezone='America/Phoenix'

# NTP servers
# NTP parameters are optional
ntp_primary=192.168.10.5
ntp_primary_version=
ntp_secondary=
ntp_secondary_version=

# DNS – IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=198.6.1.2
secondary=
tertiary=

See sk69701 for more information.
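A pre-flight check for the template, serving both the procedure at the top of the post and the sample template just shown. This is an added example written for this post, not code from the original post or from Check Point: a bash script (meant for expert mode, where config_system runs) that lints a template for the mistakes a copy from a web page typically introduces (curly quotes, an unclosed quote, inconsistent true/false answers such as DAIP enabled on a cluster member, an empty SIC key on a gateway), and an ftw_apply helper that chains into the post's own dry-run and -f commands only when the lint passes. Key names are taken from the template; each rule restates a comment the template already carries; tpl_get, ftw_lint and ftw_apply are names chosen here and the two sample templates in the notes below are constructed.

```shell
#!/bin/bash
# ftw_lint.sh - pre-flight lint for a config_system template.
# Added example for this post, not code from the original or from Check Point.
# Key names are the template's own; each rule restates a comment in the template.

# Print the value of key $2 in template $1: last uncommented assignment with
# ASCII quotes and whitespace stripped. Empty output means "not set".
tpl_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'[:space:]"
}

# Return 0 when the template passes every check, 1 otherwise; findings go to stdout.
ftw_lint() {
    local f=$1 rc=0 line t v sq dq k daip cxl mgmt
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }

    # 1. Bytes outside ASCII (curly quotes or NBSP pasted from a web page) become
    #    part of the value, so the wizard never sees the true/false you typed.
    if LC_ALL=C grep -n '[^[:print:][:space:]]' "$f"; then
        echo "FAIL: non-ASCII bytes on the lines above; retype them with plain ' or \""
        rc=1
    fi

    # 2. Unbalanced ASCII quotes on a value line (an opening quote with no close).
    while IFS= read -r line; do
        t=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
        case $t in ''|'#'*) continue ;; esac    # skip blanks and comments
        v=${t#*=}
        sq=$(printf '%s' "$v" | tr -cd "'" | wc -c | tr -d ' ')
        dq=$(printf '%s' "$v" | tr -cd '"' | wc -c | tr -d ' ')
        if [ $((sq % 2)) -ne 0 ] || [ $((dq % 2)) -ne 0 ]; then
            echo "FAIL: unbalanced quotes: $t"; rc=1
        fi
    done < "$f"

    # 3. Product switches must be exactly true or false.
    for k in install_security_gw install_security_managment gateway_daip \
             gateway_cluster_member install_ppak; do
        v=$(tpl_get "$f" "$k")
        case $v in true|false) ;; *) echo "FAIL: $k must be true/false, got '$v'"; rc=1 ;; esac
    done

    # 4. Cross-field rules the template comments spell out.
    daip=$(tpl_get "$f" gateway_daip)
    cxl=$(tpl_get "$f" gateway_cluster_member)
    mgmt=$(tpl_get "$f" install_security_managment)
    if [ "$daip" = true ] && { [ "$cxl" = true ] || [ "$mgmt" = true ]; }; then
        echo "FAIL: gateway_daip must be false when CXL or Security Management is enabled"; rc=1
    fi
    if [ "$(tpl_get "$f" install_mgmt_primary)" = true ] &&
       [ "$(tpl_get "$f" install_mgmt_secondary)" = true ]; then
        echo "FAIL: only one of install_mgmt_primary/install_mgmt_secondary may be true"; rc=1
    fi
    if [ "$(tpl_get "$f" install_mgmt_primary)" != true ] && [ -z "$(tpl_get "$f" ftw_sic_key)" ]; then
        echo "FAIL: ftw_sic_key is empty but no primary Security Management is installed"; rc=1
    fi
    if [ "$mgmt" = true ] &&
       { [ -z "$(tpl_get "$f" mgmt_admin_name)" ] || [ -z "$(tpl_get "$f" mgmt_admin_passwd)" ]; }; then
        echo "FAIL: mgmt_admin_name and mgmt_admin_passwd are required with Security Management"; rc=1
    fi

    # 5. IP stack switches must be explicit (pre-R80.10 has no defaults), and a
    #    manual IPv4 setup needs the interface, address, mask length and gateway.
    for k in ipstat_v4 ipstat_v6; do
        v=$(tpl_get "$f" "$k")
        case $v in manually|off) ;; *) echo "FAIL: $k must be manually/off, got '$v'"; rc=1 ;; esac
    done
    if [ "$(tpl_get "$f" ipstat_v4)" = manually ]; then
        for k in iface ipaddr_v4 masklen_v4 default_gw_v4; do
            [ -n "$(tpl_get "$f" "$k")" ] || { echo "FAIL: $k is required when ipstat_v4=manually"; rc=1; }
        done
    fi
    return "$rc"
}

# Only hand the file to the wizard once the lint and Check Point's own dry run both pass.
ftw_apply() {
    ftw_lint "$1" && config_system --dry-run --config-file "$1" && config_system -f "$1"
}
```

Source the script in expert mode and run ftw_lint against the template before step 4; the dry run stays authoritative, but catching a curly quote or a missing SIC key before it happens saves a round trip on a serial console.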

Author: Mark Bennett

I have traveled and consulted in 40 of the 50 states. Worked in industries from automotive, textiles, law enforcement, insurance, government, and health care. Forensics, Incident Response and Securing customer environments are my passions.