Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
danieledebernar
Explorer

Firewall Checkpoint L50 won't start

I reset the firewall to factory settings but it won't boot up properly and it doesn't show up in network resources or even its IP address. How can I solve this?

33 Replies
Chris_Atkinson
Employee Employee
Employee

Why was the device reset, was it not functioning correctly prior?

Have you attempted to access the device serial console?

Alternatively imaging the appliance via USB could be an option if you have the necessary files / entitlements.

Note 600 / 1100 series devices are no longer supported.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend

Do you have console to it? If so, you can try hard reset it.

Andy

0 Kudos
danieledebernar
Explorer

I don't have the usb console cable and adapter to see it how can I get around it?

0 Kudos
the_rock
Legend
Legend

Do you have usb to RJ45 cable? Thats console cable...I always use one they gave me at Fortinet conference ages ago and works 100% of the time.

Andy

Like one below:

https://www.amazon.ca/Compatible-Console-FTDI-RJ45-Windows/dp/B07BK6P67K/ref=sr_1_5?crid=1BNLKXEOBVW...

0 Kudos
danieledebernar
Explorer

what software should I use? or do I go SSH with Putty?

0 Kudos
Alex-
Leader Leader
Leader

@Lesley is correct, if you factory reset, you can connect to LAN1 and get a DHCP IP.

From there, connect to https://192.168.1.1:4434

0 Kudos
the_rock
Legend
Legend

You open putty, select serial and then go to control panel, check device manager and verify what COM its using.

Andy

Or, as @Alex- suggested, configure your laptop to use any IP from 192.168.1.0/24 subnet, leave D as blank and it should connect to https://192.168.1.1:4434

But again, if NOT, then console is your only option, sorry mate.

 

0 Kudos
Lesley
Leader Leader
Leader

Able to connect with default IP?

Identity the network interface marked as LAN1. This
interface is preconfigured with the IP address 192.168.1.1.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
danieledebernar
Explorer

 

This is situation with led Firewall. 

Immagine WhatsApp 2024-08-12 ore 18.11.05_22f68ad4.jpg

0 Kudos
G_W_Albrecht
Legend Legend
Legend

And this box still has support and services ? Looks like an old 600, long gone 😎

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

There is a bug in older firmware that prevents the device from starting after a factory reset.
The only way to recover from this is upgrading to the latest firmware vua USB.

Please download the latest firmware from here (I believe the L50 is a 700 series): https://support.checkpoint.com/results/sk/sk137212#Downloads 
Install via a FAT32 USB drive per: https://support.checkpoint.com/results/sk/sk107592 

0 Kudos
danieledebernar
Explorer

 

 

 

This is situation I cannot check via console yet whether the firmware update was successful.

Immagine WhatsApp 2024-08-13 ore 10.57.08_398322e1.jpg

0 Kudos
PhoneBoy
Admin
Admin

When the lights stop flashing on the unit, it should be updated. 
You can then power cycle and reboot.
If the update was successful, you should get assigned a DHCP address after reboot.

You can manage the unit with a web browser (https://192.168.1.1:4434) and/or ssh.
Most likely, you can use Firewall/VPN functionality without an additional license as that typically is a perpetual license.
However, note it is an End of Support device.

 

 

0 Kudos
the_rock
Legend
Legend

Wait...is the console plug in the back? I dont know where you live, but Im sure any electronics computer store would have console cable like the one I sent you the link via Amazon.

Best,

Andy

0 Kudos
emmap
Employee
Employee

It's a 600, so this is the latest.

https://support.checkpoint.com/results/sk/sk123294

0 Kudos
danieledebernar
Explorer

I'm waiting for the console cable to arrive and then I want to figure out with what software can I check it for errors?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

First check the license - you only have Firewall, IPSec VPN, QoS and Identity Awareness as unlimited blades, you will need a contract for TP, IPS & co.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
danieledebernar
Explorer

I have no license as the firewall was used by another colleague so it is free I think it is limited

0 Kudos
G_W_Albrecht
Legend Legend
Legend

So how do you plan to use it ? IPS / TP mostly is the important part, without you have only features from e.g.  iptables.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
danieledebernar
Explorer

I just want to administer it and manage it as iptables and filtering mode nothing more but if I can't get into it, I'm asking what software do I get into management with?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

WinSCP + Putty

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
danieledebernar
Explorer

this is the situation how can I solve it now?

Immagine WhatsApp 2024-08-13 ore 15.12.08_db51d776.jpg

0 Kudos
the_rock
Legend
Legend

Can you see what IP is there? It should have 192.168.1.1 Im pretty sure...

0 Kudos
danieledebernar
Explorer

127.0.0.1 this is. in boot logs not present ip 192.168.1.1

0 Kudos
the_rock
Legend
Legend

I hate to say this, but I think its "toast", sorry. If you only see loopback IP address, not much you can do, plus if ICA is destroyed (as per screenshot you posted before), I have a gut feeling the only way to try fix this is to get console cable and try do hard reset, ie as you are powercycling the box, hold the metal pin for few seconds, release it, hope it comes back okay, so you can log into https://192.168.1.1:4434

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Will not help - it is the ICA issue from sk123499 after 1.1.2018...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

This is not true - the SMB licence depends on the device MAC, not IP, so the license has the MAC at the end as CK-00-1C-7F-xx-yy-zz and it looks like 127.0.0.1       never      CPAP-AP1570 CPWIFI-EU CPSB-FW CPSG-C-4-U CPSB-VPN ... CK-00-1C-7F-xx-yy-zz

So this is the source of using loopback IP, but i do not think this would work for eval as you need to use the head IP...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

That may be the case, but not sure it matters if the box does not even start properly...

Andy

0 Kudos
PhoneBoy
Admin
Admin

The license is the least of our worries here.

The only way to get the box to start properly is to load the box with fixed firmware (done via USB drive) or to backdate the appliance as described by @G_W_Albrecht 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events