Security Policy Management without SmartConsole
Hello everyone, I am pretty new to Check Point and have a ton of questions, but one in particular I have not been able to gain any traction with.
So I understand that you have the Gaia GUI for device management and then have the SmartConsole for firewall policies. Is there a way to manage the firewall policies without having to download or use the SmartConsole? A browser-based SmartConsole perhaps? I have a project/environment where downloading and installing the SmartConsole is not an option. I am hoping someone might have a solution for this; if there is not one, then I would have to scratch Check Point as an option. I really want to avoid this if possible. Thank you in advance!
Currently running virtual R80.40
Accepted Solutions
You can take a look at this if you want to go the hard way and use API/CLI, some good examples are present here.
Your options are:
1. API/CLI, though there are a few things that still require SmartConsole to configure.
2. Manage the gateway with Smart-1 Cloud, where I believe we have SmartConsole available via a web browser (check the Infinity Portal).
R81 is expected to offer some sort of web-based interface for editing the policy, though it is not expected to be a full replacement for SmartConsole.
Thank you for your response; it was very helpful in getting me on my way to testing this. I did run into some issues, unfortunately. I was able to get the process started, but I am not able to get it connected to the Infinity Portal. I have tried resetting the token 3 times, and I have given it time to process each time. I checked the following link, which was informative:
Sharing the following in hopes it helps.
========
gw> ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (72.246.34.110) 56(84) bytes of data.
64 bytes from a72-246-34-110.deploy.static.akamaitechnologies.com (72.246.34.110): icmp_seq=1 ttl=56 time=30.5 ms
64 bytes from a72-246-34-110.deploy.static.akamaitechnologies.com (72.246.34.110): icmp_seq=2 ttl=56 time=27.0 ms
========
gw> show security-gateway maas
MaaS Status: Enabled
MaaS Tunnel State: Down
Unable to connect to MaaS at XXXXXXX-wtc4oie2.maas.checkpoint.com
=======
=========
gw> traceroute xxxxxxx-wtc4oie2.maas.checkpoint.com
traceroute to xxxxxxx-wtc4oie2.maas.checkpoint.com (3.225.12.239), 30 hops max, 40 byte packets
1 10.0.1.1 (10.0.1.1) 1.467 ms 1.018 ms 1.409 ms
2 xx.120.16.5 (xx.120.16.5) 16.668 ms 16.695 ms 16.172 ms
3 ae-xxxxxxx.comcast.net (xx.85.254.25) 16.789 ms 17.280 ms 17.197 ms
4 ae-xxxxxxx.comcast.net (xx.108.83.145) 18.273 ms 10.742 ms 19.492 ms
5 ae-xxxxxxx.comcast.net (xx.85.244.57) 26.940 ms 26.486 ms 26.552 ms
6 be-xxxxxxx.ibone.comcast.net (xx.86.92.61) 29.839 ms 29.664 ms 29.950 ms
7 be-xxxxxxx.ibone.comcast.net (xx.86.89.206) 29.120 ms 29.404 ms 29.260 ms
8 23.30.207.150 (23.30.207.150) 26.570 ms 26.674 ms 25.245 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
gw>
========
I checked my firewall policies as well; everything is permitted. I am out of ideas on what could be causing this. Any thoughts on what I may have missed? Thank you for helping me get this ball rolling, I really appreciate the help.
Hi
Smart-1 Cloud is an excellent idea. Adding @Dror_Aharony to try and help with the issue you encountered.
Another option, at least until the Smart-1 Cloud issue is resolved, is to download Portable SmartConsole, which does not require installation. You can also place it on a remote secure machine and connect to it using RDP.
Tal_Paz-Fridman, this may be the solution I need, I will need to research this a bit more. Thank you for the response!
Tal_Paz-Fridman, this may be what I need. It sounds like the most appropriate solution; I will investigate this further to confirm. Thank you for the response, and I will update everyone if this happens to meet my company's needs.
Hi,
Thank you for sharing the above, looks like you have followed the troubleshooting options in the admin guide, thank you.
I will contact you offline and see how I can assist and what might be the issue.
Anat.
In regards to the 1st statement made, you mentioned the following:
1. API/CLI, though there are a few things that still require SmartConsole to configure.
- Would you by chance happen to know what features I would be missing if I took this route?
Due to reasons of security and NDA, I am not able to explain the entire setup in detail. But I was looking at the possibility of using Wine for Ubuntu, for example, and dropping in the portable SmartConsole file, but due to the .exe required, that is not an option either. So I am back to square one and am looking to see what limitations might be in place with CLI only. If you can answer this question, that would be great, but coming back full circle, this is my only solution moving forward. Thank you sir!
Short version:
- Setting up the environment in the first place will probably need SmartConsole.
- Basic operational work is doable over the API. Building new hosts, networks, adding new rules, and so on.
- Troubleshooting needs SmartConsole or another log system.
Most of the features I have noticed missing from the API are related to creating certain types of objects. For example, R80.40 just added the ability to create simple clusters and VPN communities. To the best of my knowledge, there is no way to manage VSX or LSM/SmartProvisioning over the API at all.
The API also does not provide any access to logs. You need to either use SmartConsole, or set up your log server to export logs to something else (Elastic, Splunk, whatever). Log exporter (sk122323) is a great tool and lets you dump the logs as they come in. If you don't want to build a separate log server environment, though, you will need SmartConsole to see them.
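The "API/CLI" option from the reply above and the "basic operational work" Bob_Zimmerman describes (hosts, networks, rules) both come down to the same Management API exchange: log in, send commands with the session id, publish, log out. The following is an added example written for this thread; it is not code from the thread, from Check Point, or from any of the posters. It assumes the documented /web_api endpoints (login, add-host, add-access-rule, publish, discard, logout); MGMT_HOST, the credentials and the object names are placeholders, and the FakeMgmtServer with all of its replies is constructed here so the flow can be exercised offline.

```python
"""Minimal Check Point Management API (/web_api) client plus an offline stand-in server.
Added example, not code from this thread or from Check Point. MGMT_HOST, the credentials
and the object names are placeholders; FakeMgmtServer and all its replies are constructed."""
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

MGMT_HOST = "mgmt.example.internal"  # assumption: placeholder management server name
# A transport takes (command, headers, json body) and returns (http status, json reply).
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def https_transport(command: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
    """POST the JSON body to https://MGMT_HOST/web_api/<command>. Certificate verification
    stays on: trust the server's CA on this host instead of disabling checks."""
    req = urllib.request.Request(f"https://{MGMT_HOST}/web_api/{command}", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
            return resp.getcode(), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # the API reports failures as 4xx with a JSON body
        return err.code, json.loads(err.read() or b"{}")


class MgmtApiClient:
    """Keeps the session id from login and sends it as X-chkp-sid on every later call."""

    def __init__(self, transport: Transport = https_transport) -> None:
        self._send = transport
        self._sid: Optional[str] = None

    def call(self, command: str, payload: Optional[dict] = None) -> dict:
        headers = {"X-chkp-sid": self._sid} if self._sid else {}
        status, data = self._send(command, headers, payload or {})
        if status != 200:
            raise RuntimeError(f"{command} failed ({status}): {data.get('message', data)}")
        return data

    def login(self, user: str, password: str) -> str:
        self._sid = self.call("login", {"user": user, "password": password})["sid"]
        return self._sid

    def provision_baseline(self, hosts: Dict[str, str], rule_name: str) -> List[str]:
        """Create hosts, add one Accept rule at the top of the Network layer, publish, log out.
        On any failure the session is discarded instead, so half-made changes never reach the
        policy and the locks the session holds on objects are released."""
        created: List[str] = []
        try:
            for name, ip in hosts.items():
                self.call("add-host", {"name": name, "ip-address": ip})
                created.append(name)
            self.call("add-access-rule", {"layer": "Network", "position": "top", "name": rule_name,
                                          "source": list(hosts), "destination": "Any",
                                          "service": "https", "action": "Accept"})
            self.call("publish")
        except Exception:
            self.call("discard")
            raise
        finally:
            self.call("logout")
        return created


class FakeMgmtServer:
    """Constructed stand-in: checks credentials and the session header, stores objects by
    name and records every command received, so the client flow is testable offline."""
    SID = "constructed-session-id"

    def __init__(self) -> None:
        self.calls: List[str] = []
        self.objects: Dict[str, dict] = {}
        self.published = False

    def __call__(self, command: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        self.calls.append(command)
        if command == "login":
            if (body.get("user"), body.get("password")) != ("apiuser", "secret"):
                return 400, {"message": "authentication failed (constructed reply)"}
            return 200, {"sid": self.SID}
        if headers.get("X-chkp-sid") != self.SID:
            return 401, {"message": "missing or invalid session (constructed reply)"}
        if command in ("add-host", "add-access-rule"):
            if body["name"] in self.objects:
                return 400, {"message": f"object {body['name']} already exists"}
            self.objects[body["name"]] = body
            return 200, {"uid": f"uid-{body['name']}", **body}
        if command == "publish":
            self.published = True
            return 200, {"task-id": "constructed-task-id"}
        if command in ("discard", "logout"):
            return 200, {"message": "OK"}
        return 404, {"message": f"unknown command {command}"}
```

Against a real management server you would construct `MgmtApiClient()` with the default HTTPS transport, after enabling the API and permitting the client's address on the management server (`api status` shows the current state). Two caveats the stand-in glosses over: the real `publish` is asynchronous and returns a task id, so poll `show-task` before assuming the change is live, and a session that is neither published nor discarded keeps its object locks until it expires, which is why the error path above discards before logging out.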
Bob_Zimmerman
To your point, I think building it out first and then downloading the script file/configuration file would be the easiest way to do it. The one advantage I have is that when deploying these Check Point devices, the configurations can be identical except for the customer network address on prem and the peer IP address. Otherwise everything else can be the same. Can you or anyone on here let me know how to pull the script file from the Check Point once I have configured it using SmartConsole? Do I log into it via SSH and go into expert mode, or can I get it directly from the primary CLI? I will begin looking for it, but you guys have been truly helpful and I really appreciate the quick response and insight you have all shared. Thank you again guys! I have learned more today vs. the last 4 to 5 days running around like a monkey with a hammer.
In a nutshell: It will not work without the SmartDashboard apps ☹️. These make important things very easy (e.g. what is the current status of all my gateways), and what can be done without it may only multiply your workload. And not using SmartLog in a large production environment, no SmartEvent, no real time monitoring, Audit Log...
Honestly, trying this looks like much wasted time to me...
I think there may be a misunderstanding here. Check Point firewalls don't really have a configuration file or script. They have a policy which lives in a database on a management server. This database can be exported for backup purposes, but I would not use it as a template to build multiple devices. In particular, the database export contains cryptographic keys which could be used to impersonate another machine created from the export (the idea is to let you keep the same trust relationships after importing the dumped database).
If you're deploying a lot of mostly-identical gateways, the "right way" to do that with Check Point's tools is to have one central management server (or a set of them for HA) and to use SmartLSM (old name; LSM stands for Large Scale Management) or SmartProvisioning. This feature allows you to build a template gateway with variables like "Internal network" and "cash registers", which you can use in policies. There is then a separate tool to track all of the individual gateways which should get the template and to fill in the variables for each of them. I have personally seen this tool used to manage hundreds of firewalls for a retailer. I don't think any of this (besides changing rules) can be done over the API right now, though.
Edited to add: There are, of course, other ways to manage large environments. They're all generally much more effort than using LSM/SmartProvisioning.
Editing certain gateway object properties either requires the generic-object API or even the legacy dbedit.
VSX objects cannot be created via the API.
Some other legacy object types cannot be created via API as well.
Editing VPN users requires generic-object API, at least until we add official APIs in an upcoming R80.40 JHF.
If you use HTTPS Inspection, there are a handful of options that require SmartDashboard.
Same can be said for DLP, Mobile Access in legacy mode.
Basically if you cannot use SmartConsole at all, you should only use R80.40 as it has the most complete API support.
PhoneBoy
Thank you again for your response and for sharing what you know. You mentioned VSX objects cannot be created via the API; with the upcoming release you mentioned, "R80.40 JHF", would this also resolve the VSX objects possibly, or just the VPN generic objects? I want to make sure I do not misinterpret anything when I speak to the rest of my R&D team.
This means that maybe the VPN users API will be included in an R80.40 Jumbo. If you look here: sk121360: Check Point APIs Homepage, there is still a lot left to do - and VSX is a very special topic indeed...
VSX will be included in the APIs eventually, but it is not on the short-term roadmap, AFAIK. @PhoneBoy listed most of the limitations for R80.40, which is the latest generally available release.
As far as I understand, you are looking for a way to manage your Check Point security systems from a browser and to avoid installing SmartConsole clients in your environment. If this is the case, consider the Smart-1 Cloud service. It is a MaaS solution, and you will access it through a browser only. If you want to continue running local Security Management Servers in your environment, there is no way around having SmartConsole deployed for some years ahead.
