JonSnow1
Explorer

Running First Time Wizard in CLI for Secondary SMS

Hi

Our secondary SMS [Smart-1 410 running R81.20 GAIA] died and Check Point sent a replacement to our data centre, and the staff there installed the new appliance in the rack for us. I have remote access to the console but I am not able to physically go to the data centre in the next week so I really need to run the first time config wizard through the CLI, as per page 47 of the R81.20 install and upgrade guide.

The replacement appliance had R80.10 installed by default, and I was able to configure this as a secondary SMS by running the first time config wizard through the CLI using the following command [I've replaced names, passwords, etc with x's]:

config_system -s "hostname=xxxxxxxx&domainname=xxxxxxxxxxxx.com&timezone='Europe/London'&ftw_sic_key=xxxxxxxx&install_security_gw=false&install_security_managment=true&install_mgmt_primary=false&install_mgmt_secondary=true&mgmt_gui_clients_radio=any&admin_hash=xxxxxxxx&default_gw_v4=192.168.1.1&download_info=true&download_from_checkpoint_non_security=true&ipaddr_v4=192.168.1.2&masklen_v4=24&ipstat_v4=manually&mgmt_admin_name=admin&mgmt_admin_passwd=xxxxxxxx&upload_info=true"

This command was successful and I was able to get access to the webgui and download the R80.40 clean install and upgrade image for CPUSE [my plan was to upgrade to R80.40, then upgrade to R81.20]. I upgraded to R80.40 successfully, but when I verified the R81.20 clean install and upgrade image it said a clean install was allowed, but an upgrade was not compatible as file /opt/CPShrd-R80.40/conf/sic_cert.p12 was missing.

I decided to just do a clean install of R81.20 and run the first time config wizard from the CLI again. But when I entered the same command as I used before it failed with reason "Missing parameter: maintenance_hash".

The parameter "maintenance_hash" is not mentioned in the R81.20 Install and Upgrade guide and I couldn't find anything online, so I decided to take a guess and enter maintenance_hash=password, so the new config string became: 

config_system -s "hostname=xxxxxxxx&domainname=xxxxxxxxxxxx.com&timezone='Europe/London'&ftw_sic_key=xxxxxxxx&install_security_gw=false&install_security_managment=true&install_mgmt_primary=false&install_mgmt_secondary=true&mgmt_gui_clients_radio=any&admin_hash=xxxxxxxx&default_gw_v4=192.168.1.1&download_info=true&download_from_checkpoint_non_security=true&ipaddr_v4=192.168.1.2&masklen_v4=24&ipstat_v4=manually&mgmt_admin_name=admin&mgmt_admin_passwd=xxxxxxxx&upload_info=true&maintenance_hash=password"

This config string was accepted and the config started, but it then displayed "Configuring OS Parameters: Error:Invalid Salted Hash".

It then displayed "Configuring Products" and after some time it went back to the login screen.

However, I now cannot log in through the console port as the old password no longer works. I've tried the old password followed by the maintenance hash password but that doesn't work either, nor does the maintenance hash password on its own.

So, I guess I have to get the data centre staff to reboot the appliance for me and I reset to factory defaults through the boot menu and start all over again. But can anyone confirm what a valid config string for "maintenance_hash" would be so I don't run into this problem again please?

Alternatively, does anyone know a solution to the missing "sic_cert.p12" file that prevented me from upgrading from R80.40 to R81.20? 

Thanks


0 Kudos
2 Replies
simonemantovani
MVP Silver

Hello

From my experience, at this moment you need to reset the management to factory default; if this is the secondary SMS (in an HA environment), you only need to complete the installation directly to R81.20 and the First Time Wizard, then set a new SIC and re-establish SIC between primary and secondary management (the secondary management is like an empty box, everything is synced from the primary once you establish SIC).

When I perform the FTW through CLI I usually use this command first:

config_system -t <config file>

It creates a configuration file with all the possible options defined; you need to remove the options you don't need, and for the maintenance password it reports the command you need to create the hash to configure it within the configuration file. When you've created the file, check it for errors with the command:

config_system --dry-run -f <config file>


0 Kudos
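A small pre-flight check, added here as an example and not code from the thread or from Check Point: it takes the same `key=value&key=value` string the original post passed to `config_system -s`, splits it into the one-key-per-line layout a `-f` file uses, and flags the two things that went wrong above before anything is applied to the appliance: a missing `maintenance_hash`, and a plain word such as `password` where a salted hash is expected (the cause of the "Invalid Salted Hash" message). The accepted hash shapes are assumptions, not taken from the page: a crypt(3)-style `$1$`/`$5$`/`$6$` hash for `admin_hash`, and a GRUB2 PBKDF2 string for `maintenance_hash`. Confirm both against the template that `config_system -t <config file>` writes on your own appliance, which, as the reply says, names the hash command to use. The sample strings and hash values are constructed placeholders.

```shell
#!/bin/bash
# Pre-flight check for a Gaia config_system parameter string.
# Added example, not Check Point code. Assumed hash formats (confirm against
# the template that "config_system -t <file>" writes on the appliance):
#   admin_hash        crypt(3)-style salted hash, prefix $1$, $5$ or $6$
#   maintenance_hash  GRUB2 PBKDF2 hash, prefix grub.pbkdf2.sha512.

# Convert an "-s" style "key=value&key=value" string into one key=value per
# line, the layout used by a "-f" configuration file.
ftw_string_to_file() {
    printf '%s\n' "$1" | tr '&' '\n'
}

# Print the value of <key> from the newline-separated form (empty if absent).
ftw_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# True if the value has the shape of a salted crypt(3) hash, not a plain word.
looks_like_crypt_hash() {
    case "$1" in
        '$1$'*'$'*|'$5$'*'$'*|'$6$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the value has the shape of a GRUB2 PBKDF2 hash (assumed format).
looks_like_grub2_pbkdf2() {
    case "$1" in
        grub.pbkdf2.sha512.[0-9]*.?*.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one parameter string. Prints every problem found; returns 0 only
# when nothing was flagged.
ftw_preflight() {
    local lines val rc=0
    lines=$(ftw_string_to_file "$1")

    val=$(ftw_get "$lines" admin_hash)
    if [ -z "$val" ]; then
        echo "admin_hash: missing"; rc=1
    elif ! looks_like_crypt_hash "$val"; then
        echo "admin_hash: '$val' is not a salted hash"; rc=1
    fi

    val=$(ftw_get "$lines" maintenance_hash)
    if [ -z "$val" ]; then
        echo "maintenance_hash: missing (R81.20 wizard rejects the string without it)"; rc=1
    elif ! looks_like_grub2_pbkdf2 "$val"; then
        echo "maintenance_hash: '$val' is not a salted hash (gives 'Invalid Salted Hash')"; rc=1
    fi

    # A secondary SMS must not also claim to be the primary.
    if [ "$(ftw_get "$lines" install_mgmt_primary)" = "true" ] &&
       [ "$(ftw_get "$lines" install_mgmt_secondary)" = "true" ]; then
        echo "install_mgmt_primary and install_mgmt_secondary are both true"; rc=1
    fi
    return $rc
}

# Constructed samples: placeholder hashes, not real credentials.
SAMPLE_BAD='hostname=sms2&install_security_managment=true&install_mgmt_primary=false&install_mgmt_secondary=true&admin_hash=$1$saltsalt$PLACEHOLDERHASHVALUE0000&maintenance_hash=password'
SAMPLE_OK='hostname=sms2&install_security_managment=true&install_mgmt_primary=false&install_mgmt_secondary=true&admin_hash=$1$saltsalt$PLACEHOLDERHASHVALUE0000&maintenance_hash=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH'

if ftw_preflight "$SAMPLE_BAD"; then echo "bad sample: passed (unexpected)"; else echo "bad sample: rejected as expected"; fi
if ftw_preflight "$SAMPLE_OK";  then echo "good sample: passed"; else echo "good sample: rejected (unexpected)"; fi
```

Run it on the real parameter string before `config_system`, then still run `config_system --dry-run -f <config file>` as the reply suggests; this check only catches the shape of the values, the dry run is what validates them against the wizard itself.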
emmap
MVP Gold CHKP

Could you not have set an IP address and default route via your console connection and connected to the WebUI to do the first time wizard as normal?

0 Kudos
