
11/13/13

Solution ID: sk69701

Support, Support Requests, Training, Documentation, and Knowledge base for CheckPoint products and services


How to run the First Time Configuration Wizard through CLI in Gaia

Product: Security Gateway, Security Management
Version: R75.40, R75.40VS, R76
Last Modified: 12-Aug-2013

Solution

Check Point Security Gateway and Check Point Security Management require running the First Time Configuration Wizard in order to be configured correctly. The First

To invoke the First Time Configuration Wizard through CLI, run the config_system command from the Expert shell.

1. Run:

[Expert@HostName]# config_system -t <file_name>

This will create an empty template file for system configuration.

2. Open the file you created with a text editor and fill the appropriate fields.

3. Run:

[Expert@HostName]# config_system -f <file_name>

This will run the First Time Configuration Wizard with the information provided in the filename.

The system is ready now.

Table of Contents:

Abstract

Purpose of 'config_system'

Usage

Run stages

How to create configuration file or configuration string

How to run first time configuration from command line

Example of configuration file for StandAlone machine

Abstract

In order to complete interactive First Time Wizard configuration process, customers use Web interface. There are many customers with large device install-base that

configured easily using "clish" shell) through serial/remote terminal connection.

To meet these customers' requirements, the 'config_system' utility was developed (a Bash shell script, /bin/config_system).

Important note: the 'config_system' utility is not intended for ongoing system configuration.

Purpose of 'config_system'

The main purpose of 'config_system' utility is to provide easy and convenient command line interface to complete system's First Time configuration during system de interactive configuration tools (like 'sysconfig' utility that is used in SecurePlatform OS).

Usage

[Expert@HostName]# config_system --help

Usage: config_system <options>

where config_system options include:

-f|--config-file <path>       Read first time wizard configuration from <path>.
-s|--config-string <string>   Read first time wizard configuration from string.
-t|--create-template <path>   Write first time wizard configuration template file in <path>.
--dry-run                     Verify that first time wizard configuration file is valid.
-l|--list-params              List configurable parameters.

If both, configuration file and string, were provided, configuration string will be ignored.
Configuration string should consist of parameters separated by '&'.
Each parameter should include key followed by value e.g. param1=value.
For the list of all configurable parameters and their descriptions,
create configuration template file with config_system -t <path>.

[Expert@HostName]#

Run stages

There are a few controllable stages in the 'config_system' run process:

1. Receive a string or a configuration file from the user as an input.

2. Parse the input.

3. Validate the input.

4. For each parameter, call the relevant I/S (Tcl scripts) that was developed for the Web version of the First Time Wizard.

Pay attention!

The 'config_system' utility does not install or configure system directly. This utility actually calls different infrastructures that were developed for Web version of Fir 'config_system' run - products should be configured identically by the same I/S.

For historical reasons, all logic was developed on the client side of FTW, thus had to be duplicated in 'config_system' as well. This can lead to inconsistency if logic

How to create configuration file or configuration string

The easiest way to create an input file or a configuration string is to create a template file and fill the relevant fields in this template according to the fields' descripti

In order to dump a template, run:

[Expert@HostName]# config_system --create-template template_file

Now the user can edit template_file. To check that the configuration file is valid and that all answers are proper, the user can run a validation pass.

The syntax below reads the configuration file and performs the validation, while skipping the system configuration stage:

[Expert@HostName]# config_system --config-file template_file --dry-run

From validated configuration file a configuration string can be created. Configuration string should consist of parameters separated by '&' character. Each parameter should include key followed by the value, e.g., param1=true&param2=true&param3=false&param4=deadbeef.

How to run first time configuration from command line

Now, the system can be configured:

According to the configuration file:

[Expert@HostName]# config_system --config-file template_file

or according to the configuration string:

[Expert@HostName]# config_system --config-string

"hostname=myhost&domainname=nnm.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=fa

Example of configuration file for StandAlone machine (Security Gateway same machine)

#########################################################################
#                                                                       #
#                       Products configuration                          #
#                                                                       #
#   For keys below set "$TRUE"/"$FALSE" after '=' within the quotes     #
#########################################################################

# Install $TAG_GW.
install_security_gw=true

# Install $TAG_PPAK (aka Performance Pack).
install_ppak=true

# Enable DAIP (dynamic ip) gateway.
# Should be "$FALSE" if CXL or $TAG_MGMT enabled
gateway_daip="false"

# Enable/Disable CXL.
gateway_cluster_member=false

# Install $TAG_MGMT.
install_security_managment=true

# Optional parameters, only one of the parameters below can be "true".
# If no primary or secondary specified, log server will be installed.
# Requires $TAG_MGMT to be installed.
install_mgmt_primary=true
install_mgmt_secondary=false

#########################################################################
#                                                                       #
#                       Products Parameters                             #
#                                                                       #
#               For keys below set value after '='                      #
#########################################################################

# Management administrator name
# Must be provided, if $TAG_MGMT installed
mgmt_admin_name=aa

# Management administrator password
# Must be provided, if $TAG_MGMT installed
mgmt_admin_passwd=aaaa

# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Must be provided if $TAG_MGMT installed
mgmt_gui_clients_radio=any
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of "network", provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=

# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary $TAG_MGMT not installed
ftw_sic_key=

#########################################################################
#                                                                       #
#           Operating System configuration - optional section           #
#                                                                       #
#               For keys below set value after '='                      #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
#   dbget passwd:admin:passwd
# OR
#   grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in hash, enclose hash string within the quotes.
#   e.g. admin_hash='put_here_your_hash_string'
#
# Optional parameter
admin_hash='$1$NhTH9uHl$2DA3nYpEVxxpJ2hHLKY6c/'

# Interface name, optional parameter
iface=eth0

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention, that if you run first time configuration remotely
# and you change IP, in order to maintain the connection,
# an old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after first time configuration
# process.
# Optional parameter, requires "iface" to be specified
ipaddr=192.168.100.
masklen=24
default_gw=192.168.100.254

# Host Name e.g. host123, optional parameter
hostname=bisli

# Domain Name e.g. checkpoint.com, optional parameter
domainname=checkpoint.com

# Time Zone in format Area/Region (e.g. America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west to Greenwich)
# Enclose time zone string within the quotes.
# Optional parameter
timezone='Asia/Jerusalem'

# NTP servers
# NTP parameters are optional
ntp_primary=1.1.1.1
ntp_secondary=2.2.2.2

# DNS - IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=192.168.1.1
secondary=192.168.2.2
tertiary=3.3.3.3

**** Note: After this script completes, a reboot should be done for this device to complete the configuration *****
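
An added example (not part of the Check Point article or of the config_system script): a Python pre-flight check that parses a filled-in template, flags violations of several dependencies stated in the template comments above, and builds the '&'-separated configuration string described in "How to create configuration file or configuration string". The function names, the constructed sample and the choice to leave empty parameters out of the string are assumptions; config_system --dry-run remains the authoritative validation.

```python
def parse_config(text):
    """Parse key=value lines ('#' lines are comments); values are kept raw."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def validate(cfg):
    """Return violations of dependencies stated in the template comments."""
    get = lambda k: cfg.get(k, "").strip("'\"")   # value without quotes
    on = lambda k: get(k).lower() == "true"
    mgmt = on("install_security_managment")       # key spelled as in the template
    errs = []
    if on("gateway_daip") and (on("gateway_cluster_member") or mgmt):
        errs.append("gateway_daip must be false with cluster or management")
    if on("install_mgmt_primary") and on("install_mgmt_secondary"):
        errs.append("only one of install_mgmt_primary/secondary may be true")
    if mgmt:
        errs += [f"{k} is required with management" for k in
                 ("mgmt_admin_name", "mgmt_admin_passwd") if not get(k)]
    if not on("install_mgmt_primary") and not get("ftw_sic_key"):
        errs.append("ftw_sic_key is required without primary management")
    if get("ipaddr") and not get("iface"):
        errs.append("ipaddr requires iface")
    if get("masklen") and not (get("masklen").isdigit() and int(get("masklen")) <= 32):
        errs.append("masklen must be in range 0-32")
    return errs

def to_config_string(cfg):
    """Join parameters with '&'; skipping empty values is an assumption."""
    pairs = {k: v for k, v in cfg.items() if v.strip("'\"")}
    if any("&" in v for v in pairs.values()):
        raise ValueError("'&' in a value cannot be carried in a config string")
    return "&".join(f"{k}={v}" for k, v in pairs.items())

# Constructed sample (not from a real device) with three deliberate mistakes.
SAMPLE = """# constructed input
install_security_gw=true
gateway_daip="true"
gateway_cluster_member=true
ftw_sic_key=
ipaddr=192.0.2.10
"""

if __name__ == "__main__":
    print(validate(parse_config(SAMPLE)))
    print(to_config_string(parse_config(SAMPLE)))
```

Inside a double-quoted --config-string the shell expands '$', which corrupts a value such as admin_hash, and a string passed on the command line is also recorded in shell history and visible in the process list. The file form is therefore the safer carrier for admin_hash, mgmt_admin_passwd and ftw_sic_key.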

©2013 Check Point Software Technologies Ltd. All rights reserved.

Check Point Software Technologies, Inc. is a wholly owned subsidiary of Check Point Software Technologies Ltd.