This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jamesdean-1
Participant
‎2025-01-09 03:58 PM

Initial config on Smart-1 600-S

Hi all,

I know this is probably impossible but just trying to save some leg work and money. 

 

We have a Smart-1 600-S located overseas, it has been factory reset and is connected to a switch using eth1 interface. I tried putting that switchport into an access vlan with 192.168.1.2 on the switch, but I could not access 192.168.1.1. I have then come to realise, that likely only mgmt port will be accessible on 192.168.1.1, is this correct? Can any genius come up with a way I can access this device remotely on eth1 after factory reset? It will take a month to get someone onsite even for a simple thing like plugging a cable in unfortunately.

 

TIA

0 Kudos
17 Replies
PhoneBoy
Admin
Admin
‎2025-01-09 04:13 PM

If you can't reach the device by IP, you should be able to reach it via Console and/or LOM.
Are either of those options?
If so, you can see what interface 192.168.1.1 is actually assigned to and change it via clish commands.

Otherwise, without some sort of console access to the appliance, you're going to have a hard time fixing it remotely.

0 Kudos
jamesdean-1
Participant
‎2025-01-09 04:37 PM
In response to PhoneBoy

Unfortunately not, this device just has two cables in it, one the power cord, and the other is the ethernet between eth1 on the smart1 and the cisco switch. All I know is it was factory reset, so I have to assume its now got 192.168.1.1, but from the documentation I believe that is only accessible via mgmt port, there is no-one near this device to plug into the console port for us 

0 Kudos
the_rock
Legend
Legend
‎2025-01-09 05:22 PM
In response to jamesdean-1

Im afraid you might be out of luck : - (. What @PhoneBoy is true about LOM card, but after its factory reset, that would also need to be configured. 

You are correct that mgmt IP by default would have that IP address, 192.168.1.1

So there is absolutely no one that could physically connect to the appliance and console into it?

Andy

0 Kudos
jamesdean-1
Participant
‎2025-01-09 06:18 PM
In response to the_rock

Ok thanks, we suspected as much, we do have a remote hands arrangement, just a language barrier and a several weeks of raising purchase orders to deal with to get them there 😛

0 Kudos
the_rock
Legend
Legend
‎2025-01-09 06:20 PM
In response to jamesdean-1

Fair enough. Hope it all works out.

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-01-11 07:16 AM
In response to the_rock

LOM config stays even you do factory reset of OS. You have to reset LOM IP/credentials to default values manually using CLI or WebUI.

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend
‎2025-01-11 09:49 AM
In response to JozkoMrkvicka

Are you 100% sure about that? Because I was on the phone once with customer and TAC as well and they had to do factory reset of 6200 appliance and all settings were wiped out, including LOM  as well. I will say though, I cant recall if it gave them an option to preserve the config for LOM, as I did see that before.

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2025-01-11 07:18 AM
In response to jamesdean-1

It is impossible just to move cable from eth1 to Mgmt ? Then you should be able to reach 192.168.1.1/24.

Kind regards,
Jozko Mrkvicka
0 Kudos
oa_munich
Contributor
‎2025-01-11 03:20 AM

Probably not helpful at this stage, but I keep a PiKVM https://github.com/pikvm/pikvm at all remote sites with a console, HDMI and a USB-C cable, as well as a 5G/LTE modem around, so that the local staff could connect the device to pretty much any box. I have it initiate a VPN connection and can ssh into the box once connected. Pays for itself with a single site fall out, saved us from a few last minute weekend flights.

0 Kudos
jamesdean-1
Participant
‎2025-01-21 07:50 PM

Well this was a disaster, we got someone on site, plugged into via console and all the network config was still in place (and credentials), I enabled mgmt port and put 192.168.1.1 on it, then got them to connect via browser and it asked to go through first time wizard which we did, it completed fine, went back to console and confirmed the IP address was still there on bond1, however I could not ping it from the gateway in the same subnet, I tried setting management interface to eth1 which it did not allow me to do (was now set as mgmt) and unfortunately the tech had to bolt and I did not get any further.

 

bond1 is up, both members, lacp is formed and the switch sees the lacp packets, however I am not learning any mac address from the interfaces. Since I know the mac of that interface, I added both a static mac and arp entry to the router but still no joy. 

 

The reason for not connecting mgmt to the switch was they aren't allowed to connect or move any cabling. Ill need to get them back onsite, however I am not really sure what I am going to do next time, why wont bond1 with a valid IP and mask on it respond to something in the same subnet? config is identical to our other device. 

 

0 Kudos
the_rock
Legend
Legend
‎2025-01-22 03:04 AM
In response to jamesdean-1

I would check routing, make sure arp is there, see why connection fails...verify interface is configured properly.

Andy

0 Kudos
jamesdean-1
Participant
‎2025-01-22 03:39 AM
In response to the_rock

Unfortunately ARP is not there, I am on the switch which is in the same subnet and I do not have an ARP, I took a screenshot of the interface config on the smart-1 so I know that is correct. Interfaces are up, vlan is forwarding but not learning a mac, it's very bizarre. Gave it a reboot as well. 

 

 

0 Kudos
the_rock
Legend
Legend
‎2025-01-22 04:14 AM
In response to jamesdean-1

No luck after reboot either??

0 Kudos
jamesdean-1
Participant
‎2025-01-22 12:48 PM
In response to the_rock

No the reboot didn't achieve anything, I was hoping that the device just didn't respond on any interface other than Mgmt until the first time wizard was completed, so that was completed, no difference, then rebooted, no difference.  

0 Kudos
the_rock
Legend
Legend
‎2025-01-22 04:37 PM
In response to jamesdean-1

Then Im really not sure unless I saw it for myself. If someone was on site, say they tried connecting directly to mgmt interface with IP from same subnet on their laptop, would be easy to tell based on whether that works.

Andy

0 Kudos
jamesdean-1
Participant
‎2025-01-22 05:04 PM
In response to the_rock

Yep that does work, mgmt port was connected to his laptop and we could browse to 192.168.1.1 and it prompted to run through the first time wizard, I then verified via console connection the IP address for bond interface was still there. I'm going to arrange a cable to be installed from mgmt to the switch so I should be able to ssh to the device and work on it remotely 

0 Kudos
the_rock
Legend
Legend
‎2025-01-22 05:07 PM
In response to jamesdean-1

Sounds totally reasonable and logical to me @jamesdean-1 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events