Perry_McGrew
Collaborator

9200 1st Time Wizard WebUI - hangs

Wanted to see what experiences others may have had with these 9000 series GWs. The 9200 came installed on R81.20. I set up the USB-C console connection using https://welcome.checkpoint.com. I went through the 1st time setup and when it got to the "Preparing your device" screen, all the lines just had spinning circles and stayed at 0% (see attached screenshot). I let it run for hours before finally giving up. Refreshed the browser and it returned me to the 1st time setup start. Went through it again (different browser) with the same outcome.

Since I am "old school" I also tried connecting to the Mgmt port to use 192.168.1.1 and do the setup that way. I found the Mgmt Interface had no IP.

Since I wanted to get the device updated to R82 + current JHF, I created a bootable flash drive using ISOMORPHIC and the R82 T777 ISO. I wanted the base install to be as current as possible to prep for the ClusterXL to ElasticXL conversion tool that apparently will be out around the R82.10 release.

After I updated the 9200 to R82, I tried the Mgmt 192.168.1.1 connection and the standard 1st Time Wizard I am used to seeing came up. Finished that and the 9200 seems to be fine. I updated the Deployment Agent and then imported / installed JHF 41, which matches my current CP Mgt server and legacy 5800s. I copied / pasted the applicable 5800 show configuration into the 9200 CLI. It seems ready to go. I did enter a TAC case over the spinning WebUI -- I got a reply to use the CLI.

So not quite sure of the benefit of the newer 1st time setup WebUI process which requires an internet connection on the Laptop connected to new 9200.      

 

0 Kudos
14 Replies
PhoneBoy
Admin

Did they open an R&D task on this to investigate?

0 Kudos
the_rock
MVP Gold

Just my logical thinking...is it possible that this is expected behavior, say if your laptop had Internet connectivity, but firewall does NOT? I can only assume that would be needed for this sort of wizard...just my educated guess.

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP

It seems to want to do it all through the serial port, the gateway shouldn't need to have any config put on it beforehand to get internet access. It's new to me though, I've never tried this setup method.

0 Kudos
the_rock
MVP Gold

Right, but if Internet access was not needed, it's odd why it did not work, unless something is fundamentally wrong with the appliance...

Andy

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP

It's a new system, it might be the console drivers, the OS or something else on the laptop used to do it, or a backend issue. Needs some figuring out.

(1)
the_rock
MVP Gold

Yep, agree with all that.

Best,
Andy
0 Kudos
Vincent_Bacher
Advisor

Wow.  https://welcome.checkpoint.com .
In our organization, we never have direct access via the console, only via console switches somewhere in a data center, so I didn't even know that this was possible.

I would doubt that the device needs Internet access to use the FTW in this way.
In my youthful naivety, I'll just take the liberty of describing my impressions:

To me, it looks as if the web app simply establishes a connection to the appliance in order to check, for example, whether it is really the device selected in the pop-up (in this case, the 9000 series).
It queries the usual parameters and then “feeds” the cli version of the FTW (config_system) via the USB interface.
If I were to develop such an app, I would collect all parameters, including the expert password, and then create a config.txt file via the USB-cli connection, run config_system -t config.txt, and then present the cli output in a nice, colorful graphic format.
In short: Maybe this is just a case of a device that got stuck when starting the setup process?
On the other hand, my theory above could also be completely wrong. In that case, I take it all back.



and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
the_rock
MVP Gold

That all sounds logical to me, Vincent.

Best,
Andy
0 Kudos
Perry_McGrew
Collaborator

I would agree. Maybe I interpreted the instructions wrong. But if you launch the "welcome" URL w/o the USB Console you will get the URL, "welcome.checkpoint.com/#/v1/appliances/first-time-wizard", and it states:

You must perform the required configuration steps from a desktop/laptop computer (running Windows OS and Chrome browser) that you connect to the appliance.
 
When the Laptop / 9200 USB-C console connection is active (I needed to first install the platform specific USB_serial_driver_QuantumII from a SK), the CP website connection will pop up an option to choose the appliance type and lead you through a 1st time install process. I tried it 2x and it hung at the same screen I uploaded.
 
I was not getting any timely feedback from TAC, so I decided to proceed and update the base image to R82 T777 using ISOMORPHIC tool while waiting for TAC response.  I need to get these 9200's deployed next week.  
 
When it was finished with the R82 install, I just connected the laptop to the RJ45 Console port and tried the traditional 192.168.1.1.  The familiar WebUI opened up and I was able to do and complete the usual 1st Time Wizard setup.   I did NOT try that new method that is launched from that URL (or scanning the QR code) that requires Internet connection from the laptop.  
 
I appreciate the feedback from everyone.   I'll update this post if I get a definitive answer from TAC.  Just happy the traditional method worked!
 
-Perry
(1)
the_rock
MVP Gold

Definitely, happy as well that worked for you, Perry,

Andy

Best,
Andy
0 Kudos
Lesley
MVP Gold

Maybe it was shipped with a different image? Or someone tested some new wizard and forgot to wipe it?

I have seen a couple of cases where new hardware is already configured, with a different password or IP.

https://community.checkpoint.com/t5/Security-Gateways/Brand-new-appliance-with-non-default-IP-on-Mgm...

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Gold

Hey Perry,

Just curious, did you ever figure out original issue?

Best,
Andy
0 Kudos
Perry_McGrew
Collaborator

Good morning Andy,

No.   I had opened a TAC case that did not go very far.  I really did not have the time to wait either.   It seemed odd that the Mgt interface had no IP address so the WebUI using  192.168.1.1 was not available.  I had Console access and rebooted the 9200 -- saw that it was R81.20.  After logging in w/ admin/admin and changing the PW, I did the "show interfaces" and there were no IPs on any of the interfaces.   While the TAC case was open, I went ahead and updated both 9200s to R82 T777 using Isomorphic.   When it came back up, I first tried using the Mgt Interface and 192.168.1.1 connection and 1st time Wizard launched.  I just went ahead and finished the setup on this 9200.  On the 2nd 9200, I just went ahead and did the Isomorphic update to R82 T777 and connected the Mgt interface and successfully launched the standard WebUI 1st time setup wizard process.   

I have attached the only document that shipped with the 9200. You definitely need a connection to the CP device and the Internet to perform its process. I tried at least 2 times and it hung in the same place each time - where it is configuring the device. I let it run for hours.

So in the end, I never got the root cause.  Maybe CP does not have all the bugs worked out on this process -- it gave no indication of a failure or "timed out".  Of course, TAC closes the case when there's no timely progress.  Our production 5800's are EoL.  The 9200s are now setup in ClusterXL and planning on swap at the end of the month.

-Perry  

the_rock
MVP Gold

Those look like pretty straightforward instructions...oh well, let's hope we have info on how this is done soon.

Best,
Andy
0 Kudos
