CheckMates community thread (Quantum SMB Gateways / Spark)
Configuration transfer between different SMB models
When using SMB devices for remote company sites, ease of first time configuration is an important matter. When used with a central management by SMS / MDS, only some basic configuration is needed before first policy install. To be able to deploy locally managed SMB devices with (nearly) identical configuration would be much easier if a configured unit could be used to copy the needed settings to others.
But an R77.20.xx configuration file exported from WebGUI can only be restored to the same firmware version and the same model – 600/1100, 1200R and 700/1400 are three different models with their own firmware corresponding to the hardware changes. Backup / Restore between different models is supported from 6x0 to 7x0 and 11x0 to 14x0 appliances; only from 1200R a transfer is possible to all SMB HW types using firmware > R77.20.51 (see sk111334), as well as from 14xx to 15xx (see How to upgrade hardware from R77.20.87 to R80.20.15 or above).
But it is always possible to dump a configuration by using a CLISH command :
[clish]# show config
will output a series of CLISH commands matching the current configuration, complete with comments explaining what is set using the next CLISH commands. Saving these lines from expert mode into a text file produces something very similar to an autoconf.clish (also see my article USB First Time Config using autoconf.clish files - How it works):
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
But be aware that this is not a supported nor intended method and you also have to cope with SK164018 - Missing configuration items in output of the 'show configuration' command on SMB appliances !
These saved CLISH commands usually are not able to replicate the configuration completely, as, for example, configuring an existing interface uses "set internet-connection", as used in "show configuration" output, but to define a new interface from scratch as needed in a new or reset box, you would have to issue "add internet-connection" instead.
So you have to edit the text file and manually set the values needed for the next unit to deploy. It can then be read in in expert mode, see the next two lines:
[Expert]# clish -f /mnt/usb1/config.txt -v
[Expert]# clish -f /var/log/config.txt -v
First the config is read from USB1; the second example assumes it had already been transferred to the directory /var/log/.
Details of the expert mode ‘clish’ command can be found in the CHECK POINT 600/700/1100/1200R/1400 APPLIANCE CLI Guide, Running CLISH Commands from Expert Mode, p.20. The produced text file does, of course, not contain a license, unlike the exported configuration file from WebGUI.
Accepted Solutions
Yes, that is true, but not so bad as the following: The only blade that can be enabled (set aside FW and IA here) is AntiSpam, no other Blades, WebServer or Rules configuration is available in CLISH. So locally managed SMB devices must be configured using the WebGUI (will be covered in part 3 soon) ! But it is very usable for centrally managed units and for the first setup of locally managed.
CORRECTION: This is no longer true in R81.10.10 CLI, see https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/Configuring-Threat-Preventio...
I found out why that happens - you must run bashUser on and connect again, or you will get this error (I had this error after a first part of the export file inside of it!). When logging in to CLI, you should enter expert mode; that is crucial for the command to work!
Did not realize this shortcoming/bug as I use WinSCP - bashUser on is the first command issued 😎
Also, adding services will fail. Services with no source port configured will generate a command with 'source-port "nil"', which will not be recognized and will fail. The correct syntax should be 'source-port "false"'.
It will be necessary to replace these parts with the correct syntax.
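As an added example (not code from any post in this thread, and not a Check Point tool), the following POSIX shell script applies the two rewrites the thread reports as necessary before a saved "show configuration" dump can be replayed with clish -f on a new or reset unit: "set internet-connection" becomes "add internet-connection", and source-port "nil" becomes source-port "false". The sample dump lines inside it are constructed, and the CLISH argument names used in them (name, ipv4-address, port, ...) are assumptions rather than output of a real appliance; a real dump may also be missing items (see sk164018), so the leftover count is only a hint, not a guarantee that clish -f will accept the file.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare a saved "show configuration"
# dump for replay with "clish -f" on a new or reset SMB appliance.
# Two rewrites the thread reports as necessary are applied:
#   1. "set internet-connection ..." becomes "add internet-connection ..."
#      (a fresh box has no interface object to "set" yet)
#   2. source-port "nil" becomes source-port "false" for dumped services
# The sample dump below is constructed; the exact CLISH argument names
# (name, ipv4-address, port, ...) are assumptions, not taken from a real unit.

prepare_clish_config() {
    in_file=$1
    out_file=$2
    sed -e 's/^set internet-connection /add internet-connection /' \
        -e 's/source-port "nil"/source-port "false"/g' \
        "$in_file" > "$out_file"
}

# Number of lines that would still need manual attention before "clish -f".
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_unfixed() {
    grep -c -e '^set internet-connection ' -e 'source-port "nil"' "$1" || true
}

# Stand-alone demonstration on a constructed dump (no appliance involved).
demo() {
    work=$(mktemp -d)
    cat > "$work/config.txt" <<'EOF'
# constructed sample, roughly in the shape of a "show configuration" dump
set hostname "branch-fw-01"
set internet-connection name "Internet1" ipv4-address 192.0.2.10 subnet-mask 255.255.255.0 default-gw 192.0.2.1
add service-tcp name "app-tls" port 8443 source-port "nil"
add service-udp name "app-udp" port 5000 source-port "1024-65535"
EOF
    prepare_clish_config "$work/config.txt" "$work/config-new.txt"
    echo "lines still needing manual edit: $(count_unfixed "$work/config-new.txt")"
    cat "$work/config-new.txt"
    rm -rf "$work"
}

demo
```

Run it on the appliance (or anywhere with sh and sed) against the file produced by clish -A -i -c "show configuration"; review the rewritten file by hand before handing it to clish -f, since anything the dump omitted still has to be added manually.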
Absolutely! For OS configuration this procedure is extremely useful.
With the correct adaptations, it is also a big help with the rule base.
Thank you for sharing!
I have tried to export the config on an SMB 1800 running R81.10 (996000575).
I put the mentioned command in the expert mode:
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
this results in this message:
You can't start interactive session from another interactive session.
Exit expert mode and return to clish.
Exiting expert mode does not let me write the output of "show configuration" into a file.
What am I doing wrong?
Did it work for you now ?
Sorry for the late answer. I helped myself with the feature of PuTTY to copy all output to the clipboard to export the config.
But I have just tried it again with "bashUser on" and yes, this works very well now.
Thank you very much for your help. I will use it like this in the future.
Hello,
In the SMB 1530/1550 appliances, how can I save the configuration from the CLI of the devices?
The "save config" does not work here.
The changes that are made, either from the WebUI or from the CLI, are saved automatically?
Greetings.
You are correct. Settings from WEBUI/CLI are automatically saved and reflected to the configuration immediately when working with CLISH commands in Gaia Embedded.
Correct, this is one of the differences between Gaia and Embedded Gaia.
That is the topic here 😉 Use
[Expert]# clish -A -i -c "show configuration" -v >> /var/log/config.txt
Hello,
Check Point uses Lua scripts for show configuration and other commands.
You have to find where the command lua is
-> type lua = /pfrm2.0/bin/lua
if you then just type show followed by a tab for autocomplete you get all sorts of lua scripts which are the equivalent in CLISH
-> type showConfig.lua = /pfrm2.0/bin/cli/showConfig.lua
Now all we need is for your configuration
-> /pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua > /var/log/config.txt
And your entire configuration will end up in that file config.txt
I was hoping to find the default gateway for the WAN Interface but no luck in the configuration. That's kind of weird.
Edit Internet connection WAN - Well I dig deeper 🙂
In expert mode you can execute the lua scripts which are the show configuration in admin mode
/pfrm2.0/bin/lua /pfrm2.0/bin/cli/showConfig.lua > /var/log/config.txt
Yes. Embedded GAiA has no save config...