Automating the First-Time Configuration Wizard

crescentwire — Tue, 02 May 2023 13:56:47 GMT

Written by Michael Ibarra, Security Engineer, Mid-Atlantic Region

November 10, 2022

Overview

Deploying a new Check Point appliance requires completing the First-Time Configuration Wizard (FTW). This GUI-driven set of steps prepares the appliance for further configuration using CLISH or the web-based UI and is a mandatory part of deploying any new appliance.

Ideally, the FTW would be run after the appliance has booted after installation from an ISO, connected to a network and ready for all subsequent configuration. But this is not always possible. For instance, there may be times when an appliance must be fully configured without an active network connection, web browser session, or other means of loading a responsive web GUI. For instance, in an untrusted or highly sensitive environment, deploying an NDR sensor with only serial console access is advantageous. But, without a web UI session available, completing the FTW is not possible.

The FTW-CLI tool solves this challenge by generating the necessary "answer file" the FTW needs to complete the configuration. This is done through a simple BASH script, prompting the user for input, and storing the values in a separate file. An embedded script, config-system, uses this file to complete the FTW steps, readying the system for remaining configuration and production-use.

Usage

Begin by downloading the latest version of the ftw-cli here. Other resources and references are available under the section at the end of this guide.

Follow these steps to use the tool:

Install GAIA using ISOmorphic or a bootable ISO on your physical or virtual hardware.
Connect via SSH or serial console to the system.
Download and extract the contents of the latest release of the ftw-cli tool.
Either (1) copy the ftw_cli_run.sh file to /home/admin via SFTP, or (2) use vi to create a new, empty file and paste the contents of ftw_cli_run.sh inside. Then, save using :wq!.
Navigate to the directory where you saved ftw_cli_run.sh.
Run chmod +x ftw_cli_run.sh to make the script executable.
Run the script using ./ftw_cli_run.sh.

The ftw-cli tool consists of two sections: general system and platform-specific configuration. These sections are separated by a prompt:

Are you installing Management, Security Gateway, Standalone (Combined), or MDS? (1) Management (2) Security Gateway (3) Standalone (4) MDS Enter 1-4:

Reaching this question denotes you've arrived at a series of if/then steps that ultimately determine whether you will end up with a management server, gateway, or MDS appliance.

After you've reached the end of the platform-specific configuration, an answer file with the syntax ftw_config_[date-created]-[time-created] will exist in the same directory as ftw_cli_run.sh. An example of this file's contents is below.

[Expert@gw-3bdcf5:0]# cat ftw_config_20221110-111246 ipstat_v4=manually ipstat_v6=off hostname=ih-gw01 domainname=ibarralabs.com primary=10.5.1.10 secondary=1.1.1.1 tertiary=1.0.0.1 ntp_primary_version=4 ntp_secondary_version=4 ntp_primary=ntp.checkpoint.com ntp_primary=ntp2.checkpoint.com timezone='America/New_York' install_security_gw=true gateway_daip=false ftw_sic_key=p@55w0rd download_info=true upload_info=true upload_crash_data=true reboot_if_required=true

Example Configuration - Security Gateway (SMS-Managed, Non-ClusterXL)

Proceed through the general system configuration steps (see below as an example).

[Expert@gw-3bdcf5:0]# ./ftw_cli_run.sh Welcome to the FTW CLI script! Change current management interface (eth0)? Enter y/n: n Configure IPv4 for management interface? Enter y/n: y Change current IP address (10.5.1.101/24) for eth0? Enter y/n: n Configure IPv6 for management interface? Enter y/n: n Enter hostname: ih-gw01 Enter domain name: ibarralabs.com Enter primary DNS server: 10.5.1.10 Enter secondary DNS server (Enter to skip): 1.1.1.1 Enter tertiary DNS server (Enter to skip): 1.0.0.1 Use a proxy server? Enter y/n: n Configure NTP? Enter y/n: y Change current NTP version (4)? Enter y/n: n Change Check Point default NTP servers? Enter y/n: n Enter timezone (in tz database format, e.g., America/Los_Angeles): America/New_York

Proceed through the platform-specific configuration steps (see below as an example).

Are you installing Management, Security Gateway, Standalone (Combined), or MDS? (1) Management (2) Security Gateway (3) Standalone (4) MDS Enter 1-4: 2 Proceeding with Security Gateway install... Is this a single gateway or cluster member? (1) Single Gateway (2) Cluster Member Enter 1-2: 1 Single Gateway selected Using a dynamically-assigned IP (DAIP) (default is no)? Enter y/n: n Change admin password entered during install? Enter y/n: n Enter SIC key: Enter SIC key again: Would you like to connect this device to Smart-1 Cloud (auth token required)? Enter y/n: n Change defaults for communicating with User Center? Enter y/n: y Download info from User Center? Enter y/n: y Upload info to User Center? Enter y/n: y Upload crash data (which may contain PII)? Enter y/n: y Should the device reboot (if required) when config is complete? Enter y/n: y That's it! Checking generated config values... dos2unix: converting file ftw_config_20221110-111246 to Unix format ... Config validated successfully! Proceed with applying config? Enter y/n:

Upon entering y, config-system will proceed to apply the configuration written to the answer file and, if necessary, reboot the system. Entering n will cancel the operation but will provide a command to manually apply the config, should you choose to proceed (see example below).

Proceed with applying config? Enter y/n: n Config apply canceled. To run manually, issue this command from Expert mode: config_system -f ftw_config_20221110-111246 [Expert@gw-3bdcf5:0]#

After the appliance has finished rebooting, the appliance will be ready for remaining configuration and production-use.

Example Configuration - Secure Management Server (Logging Only, Secondary)

Begin by proceeding through the general system configuration steps (reference example scenario above).
Proceed through the platform-specific configuration steps (see below as an example).

Are you installing Management, Security Gateway, Standalone (Combined), or MDS? (1) Management (2) Security Gateway (3) Standalone (4) MDS Enter 1-4: 1 Proceeding with Management install... Is this a Primary, Secondary, or Dedicated/Separate SmartEvent or Logging server? (1) Primary (2) Secondary (3) Dedicated SmartEvent/Logging Enter 1-3: 3 Dedicated SmartEvent/Logging selected Change GAIA default "admin" username? Enter y/n: n Change default web UI access (permits any source)? Enter y/n: n Enter SIC key: Enter SIC key again: Change defaults for communicating with User Center? Enter y/n: y Download info from User Center? Enter y/n: y Upload info to User Center? Enter y/n: y Upload crash data (which may contain PII)? Enter y/n: y Should the device reboot (if required) when config is complete? Enter y/n: y That's it! Checking generated config values... dos2unix: converting file ftw_config_20221110-112558 to Unix format ... Config validated successfully! Proceed with applying config? Enter y/n:

Example Configuration - Multi-Domain Server (Primary)

Begin by proceeding through the general system configuration steps (reference example scenario above).
Proceed through the platform-specific configuration steps (see below as an example).

Are you installing Management, Security Gateway, Standalone (Combined), or MDS? (1) Management (2) Security Gateway (3) Standalone (4) MDS Enter 1-4: 4 Proceeding with MDS install... Is this a Primary, Secondary, or Dedicated/Separate Logging server? (1) Primary (2) Secondary (3) Dedicated Logging Enter 1-3: 1 Primary selected Change GAIA default "admin" username? Enter y/n: n Please define the MDS Leading VIP interface. Options are below: (0) eth0 (1) eth1 (2) lo Enter desired interface (0-2): 0 Change default web UI access (permits any source)? Enter y/n: n Change defaults for communicating with User Center? Enter y/n: y Download info from User Center? Enter y/n: y Upload info to User Center? Enter y/n: y Upload crash data (which may contain PII)? Enter y/n: y Should the device reboot (if required) when config is complete? Enter y/n: y That's it! Checking generated config values... dos2unix: converting file ftw_config_20221110-122230 to Unix format ... Config validated successfully! Proceed with applying config? Enter y/n:

Summary

Through utilizing a simple BASH script--and not requiring any in-depth programming or scripting skills--we can sidestep the requirement of needing a web browser session to complete the setup of a newly deployed Check Point appliance--whether bare metal, virtualized, or in the cloud.

Further, because BASH is natively supported on nearly every Linux distribution, cross-platform compatibility and extensibility using other tools (Python, Ansible, etc.) make this a foundational approach to any new deployment.

Troubleshooting

My config fails validation! What should I do?

This shouldn't happen, but I wrote this script accounting for only the QA scenarios I could think of. It's possible something has slipped through.

Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table. Re-run validation using the command config_system --dry-run -f ftw_config_[date-created]-[time-created] and take note of the errors listed.

If all else fails, please create a new issue here. I (and other users) will thank you for it!

Some parts of my config applied, but others didn't. What's going on?

This can happen if the validation script either ignores or otherwise misses an entry you made. Other field types aren't explicitly checked for validity, like IP address syntax (four octets separated by decimals, or values >255) or tz database values. These are up to you to confirm, so check them twice before hitting Enter during the wizard (though you can always modify the answer file and manually run it with config_system).

Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table.

This script doesn't cover a platform config scenario I need. How do I submit a feature request?

Please create a new issue here. I'll do my best to add it to the script as I have time!

Reference

sk71000 - Overview of the First-Time Configuration Wizard
sk69701 - Overview of using config_system
GAIA R81 Administration Guide - Detailed use of config_system

Re: Automating the First-Time Configuration Wizard

_Val_ — Tue, 02 May 2023 14:17:42 GMT

Hi, great article, but why is it in the employees only space? Any reason NOT to share it with the customers?

Re: Automating the First-Time Configuration Wizard

crescentwire — Tue, 02 May 2023 14:34:55 GMT

Hey Val, I posted it here temporarily while Dameon approves and moves it to the whitepaper repository. But yes, the goal is to make it publicly available! 😁

Re: Automating the First-Time Configuration Wizard

PhoneBoy — Tue, 02 May 2023 14:38:47 GMT

"Four eyes" review 🙂

topic Re: Automating the First-Time Configuration Wizard in Firewall and Security Management

Automating the First-Time Configuration Wizard

Overview

Usage

Example Configuration - Security Gateway (SMS-Managed, Non-ClusterXL)

Example Configuration - Secure Management Server (Logging Only, Secondary)

Example Configuration - Multi-Domain Server (Primary)

Summary

Troubleshooting

Reference

Re: Automating the First-Time Configuration Wizard

Re: Automating the First-Time Configuration Wizard

Re: Automating the First-Time Configuration Wizard