This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Greg_Harbers
Collaborator
‎2020-05-21 10:31 PM

Zero touch and 1500 appliances

Hi All,

Has anyone done anything with the zerotouch deployment service and 1500 series appliances, specifically around defined addresses on vlan sub interfaces.

the clish script I am deploying sets ntp servers, dns settings, adminstrators etc all successfully, and creates some vlan sub interfaces. These  parts all work perfectly, however thus far any attempt to set an ip address on the vlan interfaces fails, and the interfaces are always assigned a 192.168.x.x address

eg, zero touch script has this...

add interface LAN1 vlan 100
set interface LAN1.100 state on
set dhcp server interface "LAN1.100" disable
set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
set interface "LAN1.100" description "Trusted_VLAN100"

I end up with this...

set interface "LAN1.100" ipv4-address "192.168.200.1" subnet-mask "255.255.255.0"
add interface "ASSIGNMENT.SEPARATE_NETWORK" vlan "100" ipv4-address "192.168.200.1" mask-length "24"
set interface "LAN1.100" mtu "1500" 802dot1x-authentication "off" 802dot1x-re-authentication-frequency "0" lan-mac-filtering "on"
set dhcp server interface "LAN1.100" dns "auto"
set interface "LAN1.100" exclude-from-dns-proxy "off"
set interface "LAN1.100" lan-access "accept" lan-access-track "log"
set dhcp server interface "LAN1.100" assign-addresses-for-known-hosts-only "off"
set dhcp server interface "LAN1.100" lease-time "4"
set dhcp server interface "LAN1.100" include-ip-pool "192.168.200.1-192.168.200.254"
set interface "LAN1.100" hotspot "off"

 

Once the gateway is built and I run this command from clish

set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"

I will get this....

set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
add interface "ASSIGNMENT.SEPARATE_NETWORK" vlan "100" ipv4-address "10.100.100.1" mask-length "24"
set interface "LAN1.100" mtu "1500" 802dot1x-authentication "off" 802dot1x-re-authentication-frequency "0" lan-mac-filtering "on"
set dhcp server interface "LAN1.100" dns "auto"
set interface "LAN1.100" exclude-from-dns-proxy "off"
set interface "LAN1.100" lan-access "accept" lan-access-track "log"
set dhcp server interface "LAN1.100" assign-addresses-for-known-hosts-only "off"
set dhcp server interface "LAN1.100" lease-time "4"
set dhcp server interface "LAN1.100" include-ip-pool "192.168.200.1-192.168.200.254"
set interface "LAN1.100" hotspot "off"

One thing I need to determine is if this problem is just limited to vlan interfaces, or all interfaces, will test that and update when I have know the results

Any assistance would be appreciated

Regards

Greg

 

0 Kudos
3 Replies
alexeyn
Employee
Employee
‎2020-05-24 04:35 AM

Hi Greg,

Have you tried to delete LAN1 switch before assigning vlan? (delete switch LAN1_Switch)

Are those commands work for different LAN interface?

 

Thanks,

Alexey

0 Kudos
Greg_Harbers
Collaborator
‎2020-05-24 01:45 PM
In response to alexeyn

Hi Alexei,

This is what I have in the script....

delete interface LAN1_Switch
set interface LAN1 unassigned
set interface LAN1 state on
set dhcp server interface LAN1 disable

add interface LAN1 vlan 100
set interface LAN1.100 state on
add interface LAN1 vlan 101
set interface LAN1.101 state on

set dhcp server interface "LAN1.100" disable
set interface "LAN1.100" ipv4-address "10.100.100.1" subnet-mask "255.255.255.0"
set interface "LAN1.100" description "VLAN100"

set dhcp server interface "LAN1.612" disable
set interface "LAN1.101" ipv4-address "10.100.110.1" subnet-mask "255.255.255.0"
set interface "LAN1.101" description "VLAN101"

Note that the vlan interfaces are being created correctly, it is simply the addressing and descriptions that are not being applied. Once the device has completed the build and I logon via the console, I am able to paste the commands in as above and the addresses and descriptions are applied.

Thanks

Greg

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-05-24 11:47 PM
In response to Greg_Harbers

A typo in the second VLAN?

set dhcp server interface "LAN1.612" disable
set interface "LAN1.101" ipv4-address "10.100.110.1" subnet-mask "255.255.255.0"
set interface "LAN1.101" description "VLAN101"

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events