This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
Legend Legend
Legend
‎2018-02-08 01:24 AM
Jump to solution

Configuration transfer between different SMB models

When using SMB devices for remote company sites, ease of first time configuration is an important matter. When used with a central management by SMS / MDS, only some basic configuration is needed before first policy install. To be able to deploy locally managed SMB devices with (nearly) identical configuration would be much easier if a configured unit could be used to copy the needed settings to others.

 

But a R77.20.xx configuration file exported from WebGUI can only be restored to the same firmware version and the same model – 600/1100, 1200R and 700/1400 are three different models with its own firmware corresponding to the hardware changes. Backup / Restore between different models is supported from 6x0 to 7x0 and 11x0 to 14x0 appliances; only from 1200R a transfer is possible to all SMB HW types using firmware > R77.20.51 (see sk111334), as well as from 14xx to 15xx (see How to upgrade hardware from R77.20.87 to R80.20.15 or above ).

 

But it is always possible to dump a configuration by using a CLISH command :

[clish]# show config

will output a series of CLISH commands matching the current configuration, complete with comments explaining what is set using the next CLISH commands. Saving these lines from expert mode into a text file produces something very similar to an autoconf.clish (also see my article USB First Time Config using autoconf.clish files - How it works😞 

[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt

But be aware that this is not a supported nor intended method and you also have to cope with SK164018 - Missing configuration items in output of the 'show configuration' command on SMB appliances !

These saved CLISH commands usually are not able to replicate the configuration completely, as, for example, configuring an existing interface uses "set internet-connection", as used in "show configuration" output, but to define a new interface from scratch as needed in a new or reset box, you would have to issue "add internet-connection" instead. 

So you have to edit the text file and manually set the values needed for the next unit to deploy. It can then be read in in expert mode, see the next two lines:

[Expert]# clish -f /mnt/usb1/config.txt -v

[Expert]# clish -f /var/log/config.txt -v
 

First the config is read from USB1, the second example assumes it had been already transfered to directory /var/log/.

Details of the expert mode ‘clish’ command can be found in the CHECK POINT 600/700/1100/1200R/1400 APPLIANCE CLI Guide, Running CLISH Commands from Expert Mode, p.20. The produced text file does, of course, not contain a license, unlike the exported configuration file from WebGUI.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2018-02-09 05:48 AM
Jump to solution

Yes, that is true, but not so bad as the following: The only blade that can be enabled (set aside FW and IA here) is AntiSpam, no other Blades, WebServer or Rules configuration is available in CLISH. So locally managed SMB devices must be configured using the WebGUI (will be covered in part 3 soon) ! But it is very usable for centrally managed units and for the first setup of locally managed.

CORRECTION: This is no longer true in R81.10.10 CLI, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/Configuring-Threat-Preventio...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-01-31 07:10 AM
In response to mcguppy
Jump to solution

I found out why that happens - you must run bashUser on and connect again, or you will get this error ( i had this error after a first part of the export file inside of it!). When logging in to CLI, you should enter in expert mode, that is crucial for the command to work !

Did not realize this shortcoming/bug as i use WinSCP - bashUser on is the first command issued 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
14 Replies
Pedro_Espindola
Advisor
‎2018-02-09 05:38 AM
Jump to solution

Also, adding services will fail. Services will no source port configured will generate a command with 'source-port "nil"', which will not be recognized and will fail. The correct syntax should be 'source-port "false"'

It will be necessary to replace these parts with the correct syntax.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-02-09 05:48 AM
Jump to solution

Yes, that is true, but not so bad as the following: The only blade that can be enabled (set aside FW and IA here) is AntiSpam, no other Blades, WebServer or Rules configuration is available in CLISH. So locally managed SMB devices must be configured using the WebGUI (will be covered in part 3 soon) ! But it is very usable for centrally managed units and for the first setup of locally managed.

CORRECTION: This is no longer true in R81.10.10 CLI, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/Configuring-Threat-Preventio...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Pedro_Espindola
Advisor
‎2018-02-09 08:40 AM
Jump to solution

Absolutely! For OS configuration this procedure is extremely useful.

With the correct adaptations, it is also a big help with the rule base.

Thank you for sharing!

0 Kudos
mcguppy
Participant
‎2023-01-31 01:33 AM
Jump to solution

I have tried to export config on a SMB 1800 running R81.10 (996000575).

I put the mentioned command in the expert mode:

[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt

 

this results in this message:

You can't start interactive session from another interactive session.
Exit expert mode and return to clish.

 

Exit expert mode let me not write the output of "show configuration" into a file.

 

What do I wrong?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-01-31 07:10 AM
In response to mcguppy
Jump to solution

I found out why that happens - you must run bashUser on and connect again, or you will get this error ( i had this error after a first part of the export file inside of it!). When logging in to CLI, you should enter in expert mode, that is crucial for the command to work !

Did not realize this shortcoming/bug as i use WinSCP - bashUser on is the first command issued 8)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-01 11:25 PM
In response to mcguppy
Jump to solution

Did it work for you now ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mcguppy
Participant
‎2023-02-06 12:55 PM
In response to G_W_Albrecht
Jump to solution

Sorry for the late answer. I helped myself with the feature of putty to copy all output to clipboard to export the config.

But I have just tried it again with "bashUser on" and yes, this works very well now. 

Thank you very much for your help. I will use it like this in the future.

0 Kudos
Matlu
Advisor
‎2023-11-29 08:55 AM
Jump to solution

Hello,

In the SMB 1530/1550 appliances, how can I save the configuration from the CLI of the devices?

The "save config" does not work here.

The changes that are made, either from the WebUI or from the CLI, are saved automatically?

Greetings.

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-11-29 04:26 PM
In response to Matlu
Jump to solution

You are correct. Settings from WEBUI/CLI are automatically saved and reflected to the configuration immediately when working with CLISH commands in Gaia Embedded.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-11-29 04:29 PM
In response to Matlu
Jump to solution

Correct, this is one of the differences between Gaia and Embedded Gaia.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-11-30 02:16 AM
In response to Matlu
Jump to solution

That is the topic here 😉 Use

[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ju_Ka
Explorer
‎2024-11-15 04:45 AM
In response to Matlu
Jump to solution

Hello,

Checkpoint uses lua scripts for show configuration and other commands.

You have to find where the comman lua is

-> type lua = /pfrm2.0/bin/lua

if you then just type show followed by a tab for autocomplete you get all sorts of lua scripts which are the equivalent in CLISH

-> type showConfig.lua = /pfrm2.0/bin/cli/showConfig.lua

 

Now all we need is for your configuration

-> /pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua  > /var/log/config.txt

And your entire configuration will end in that File config.txt

 

I was hoping to find the default gateway for the WAN Interface but no luck in the configuration. That's kind of weird.

Edit Internet connection WAN - Well I dig deeper 🙂

0 Kudos
Ju_Ka
Explorer
‎2024-11-15 04:53 AM
In response to Matlu
Jump to solution

In expert mode you can execute the lua scripts which are the show configuration in admin mode

/pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua > /var/log/config.txt

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-11-19 01:13 AM
In response to Matlu
Jump to solution

Yes. Embedded GAiA has no save config...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events