Participant

1400 series limitations

Hello checkmates,

While migrating a Cisco ASA to a locally managed Checkpoint 1450 appliance running R77.20.86, I came across a few issues which I can only explain as limitations of this appliance/cut-down version of Gaia. These are listed below.

- Unable to create admin account with Bin/Bash shell - either via webui or clish - "set user username shell" command is not accepted
- Unable to selectively specify a local encryption domain on a per site-to-site VPN basis; you can select specific remote encryption domains but not local ones
- Unable to turn off NAT-T on a per site-to-site VPN site
- After deleting a newly formed SA and IPsec tunnel through "vpn tu", the VPN never came back up; performed an upgrade to .87 to no avail. For some reason the unit was attempting to use UDP/4500 (NAT-T) when it was connected directly to the internet

I followed various debug guides such as

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

but the output from the firewall was not helpful. Could this be an issue of running local management on the box?

I read a thread on Checkmates where G_W_Albrecht suggests that "1430 remote gateways locally weakens them" and that there is "limitations on the number of S2S tunnels"

https://community.checkpoint.com/t5/General-Topics/IPSec-VPN-between-CP1430-e-CP3200-Drops-randomly/...

Has anyone come across these or similar issues?


Accepted Solutions
Champion
1. you need to login to the account and use: bashUser on / bashUser off
2. not possible with Check Point. (new R80.40 will support it but not on 1450)
3. possible
4. depends on the external IP; when this is an RFC1918 address it is NATted, therefore it will try NAT-T
Regards, Maarten

5 Replies

Participant

Thanks for the quick reply, Maarten.

1 - Is this only possible through the CLI, or is there an option in the WebUI?

3 - I believe you can disable it globally on the 1450, but can you do it per S2S? If so, can you please point me in the right direction?

4 - In this case the external IP was a public IP, so I would not have expected it to use NAT-T.

Champion
1. only CLI
3. Looking at all I know about embedded, I would not expect anything to be enabled per VPN
4. weird indeed.
Regards, Maarten
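Maarten's point 4 gives a simple rule for when NAT-T is expected; the following is an added Python example (not from this thread or from Check Point) that applies it to a constructed list of tunnels, so an operator can spot the case the original post describes: a public external IP that is nonetheless negotiating over UDP/4500. The tunnel records and addresses are hypothetical.

```python
import ipaddress

# RFC1918 private ranges; an external interface in one of these sits behind NAT,
# so IKE/ESP encapsulated in UDP/4500 (NAT-T) is the expected behaviour.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address falls inside one of the three RFC1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def natt_expected(local_external_ip: str) -> bool:
    """Maarten's rule: RFC1918 external IP -> NATted -> NAT-T expected."""
    return is_rfc1918(local_external_ip)


def assess_tunnel(local_external_ip: str, observed_udp_port: int) -> str:
    """Compare the transport seen on the wire (UDP/500 or UDP/4500) with what
    the addressing predicts, and name the mismatch if there is one."""
    expected = natt_expected(local_external_ip)
    using_natt = observed_udp_port == 4500
    if using_natt and not expected:
        return "unexpected NAT-T"          # the original poster's situation
    if expected and not using_natt:
        return "NAT-T expected but absent"
    return "consistent"


def find_anomalies(tunnels: list[dict]) -> list[tuple[str, str]]:
    """Return (peer, finding) for every tunnel whose transport contradicts the rule."""
    return [
        (t["peer"], verdict)
        for t in tunnels
        if (verdict := assess_tunnel(t["local_ip"], t["udp_port"])) != "consistent"
    ]


# Constructed sample data (hypothetical addresses, TEST-NET-3 and RFC1918 space).
SAMPLE_TUNNELS = [
    {"peer": "branch-a", "local_ip": "10.20.30.40", "udp_port": 4500},   # behind NAT: fine
    {"peer": "branch-b", "local_ip": "203.0.113.5", "udp_port": 4500},   # public IP yet NAT-T
    {"peer": "branch-c", "local_ip": "203.0.113.5", "udp_port": 500},    # public IP, plain IKE
]

if __name__ == "__main__":
    for peer, finding in find_anomalies(SAMPLE_TUNNELS):
        print(f"{peer}: {finding}")
```

When the check flags "unexpected NAT-T" on a public address, the next thing to confirm is whether something upstream is still translating the gateway's traffic, since the appliance itself offers no per-site NAT-T switch.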
Champion

A locally managed 1430 GW will have the same performance as a cheaper, locally managed 730 GW. The full 1430 hardware resources are only used when managed centrally.

1 - only possible through the CLI!

3:

sk162472: How to force NAT-T on Gaia Embedded devices

sk105380: Check Point R77.20.xx for 600 / 700 / 1100 / 1200R / 1400 / 910 Appliance Features and Kno...

Participant

Very interesting, thanks guys.
