Written by Michael Ibarra, Security Engineer, Mid-Atlantic Region
November 10, 2022
Overview
Deploying a new Check Point appliance requires completing the First-Time Configuration Wizard (FTW). This GUI-driven set of steps prepares the appliance for further configuration using CLISH or the web-based UI and is a mandatory part of deploying any new appliance.
Ideally, the FTW is run once the appliance has booted after installation from an ISO, is connected to a network, and is reachable from a browser. That is not always possible. An appliance may have to be fully configured without an active network connection, a web browser session, or any other means of loading the web GUI; in an untrusted or highly sensitive environment, for example, deploying an NDR sensor with only serial console access is advantageous. Without a web UI session, though, the FTW cannot be completed.
The FTW-CLI tool solves this by generating the "answer file" the FTW needs to complete the configuration. A simple Bash script prompts the user for each value and stores the answers in a separate file; the config_system utility that ships with GAIA then reads that file and completes the FTW steps, readying the system for the remaining configuration and production use.
Usage
Begin by downloading the latest version of ftw-cli here. Other resources and references are listed in the Reference section at the end of this guide.
Follow these steps to use the tool:
- Install GAIA using ISOmorphic or a bootable ISO on your physical or virtual hardware.
- Connect via SSH or serial console to the system.
- Download and extract the contents of the latest release of the ftw-cli tool.
- Either (1) copy the ftw_cli_run.sh file to /home/admin via SFTP, or (2) use vi to create a new, empty file and paste the contents of ftw_cli_run.sh inside. Then, save using :wq!.
- Navigate to the directory where you saved ftw_cli_run.sh.
- Run chmod +x ftw_cli_run.sh to make the script executable.
- Run the script using ./ftw_cli_run.sh.
The ftw-cli tool consists of two sections: general system and platform-specific configuration. These sections are separated by a prompt:
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4:
Reaching this question means you have arrived at the series of if/then steps that determine whether you end up with a management server, security gateway, standalone (combined) appliance, or MDS.
After you have completed the platform-specific configuration, an answer file named ftw_config_[date-created]-[time-created] (for example, ftw_config_20221110-111246) will exist in the same directory as ftw_cli_run.sh. Note that this file holds the SIC key, and the admin password if you chose to change it, in cleartext: use a strong one-time SIC key rather than the placeholder shown below, restrict the file to the owner (chmod 600), and remove it once config_system has applied it. An example of the file's contents is below.
[Expert@gw-3bdcf5:0]# cat ftw_config_20221110-111246
ipstat_v4=manually
ipstat_v6=off
hostname=ih-gw01
domainname=ibarralabs.com
primary=10.5.1.10
secondary=1.1.1.1
tertiary=1.0.0.1
ntp_primary_version=4
ntp_secondary_version=4
ntp_primary=ntp.checkpoint.com
ntp_secondary=ntp2.checkpoint.com
timezone='America/New_York'
install_security_gw=true
gateway_daip=false
ftw_sic_key=p@55w0rd
download_info=true
upload_info=true
upload_crash_data=true
reboot_if_required=true
Example Configuration - Security Gateway (SMS-Managed, Non-ClusterXL)
- Proceed through the general system configuration steps (see below as an example).
[Expert@gw-3bdcf5:0]# ./ftw_cli_run.sh
Welcome to the FTW CLI script!
Change current management interface (eth0)? Enter y/n: n
Configure IPv4 for management interface? Enter y/n: y
Change current IP address (10.5.1.101/24) for eth0? Enter y/n: n
Configure IPv6 for management interface? Enter y/n: n
Enter hostname: ih-gw01
Enter domain name: ibarralabs.com
Enter primary DNS server: 10.5.1.10
Enter secondary DNS server (Enter to skip): 1.1.1.1
Enter tertiary DNS server (Enter to skip): 1.0.0.1
Use a proxy server? Enter y/n: n
Configure NTP? Enter y/n: y
Change current NTP version (4)? Enter y/n: n
Change Check Point default NTP servers? Enter y/n: n
Enter timezone (in tz database format, e.g., America/Los_Angeles): America/New_York
- Proceed through the platform-specific configuration steps (see below as an example).
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 2
Proceeding with Security Gateway install...
Is this a single gateway or cluster member?
(1) Single Gateway
(2) Cluster Member
Enter 1-2: 1
Single Gateway selected
Using a dynamically-assigned IP (DAIP) (default is no)? Enter y/n: n
Change admin password entered during install? Enter y/n: n
Enter SIC key:
Enter SIC key again:
Would you like to connect this device to Smart-1 Cloud (auth token required)? Enter y/n: n
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-111246 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
- Upon entering y, config_system applies the configuration written to the answer file and, if necessary, reboots the system. Entering n cancels the operation but prints the command to apply the config manually from Expert mode, should you choose to proceed later (see example below).
Proceed with applying config? Enter y/n: n
Config apply canceled.
To run manually, issue this command from Expert mode:
config_system -f ftw_config_20221110-111246
[Expert@gw-3bdcf5:0]#
- Once the appliance has finished rebooting, it is ready for the remaining configuration and production use.
Example Configuration - Security Management Server (Dedicated SmartEvent/Logging Server)
- Begin by proceeding through the general system configuration steps (reference example scenario above).
- Proceed through the platform-specific configuration steps (see below as an example).
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 1
Proceeding with Management install...
Is this a Primary, Secondary, or Dedicated/Separate SmartEvent or Logging server?
(1) Primary
(2) Secondary
(3) Dedicated SmartEvent/Logging
Enter 1-3: 3
Dedicated SmartEvent/Logging selected
Change GAIA default "admin" username? Enter y/n: n
Change default web UI access (permits any source)? Enter y/n: n
Enter SIC key:
Enter SIC key again:
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-112558 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
Example Configuration - Multi-Domain Server (Primary)
- Begin by proceeding through the general system configuration steps (reference example scenario above).
- Proceed through the platform-specific configuration steps (see below as an example).
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 4
Proceeding with MDS install...
Is this a Primary, Secondary, or Dedicated/Separate Logging server?
(1) Primary
(2) Secondary
(3) Dedicated Logging
Enter 1-3: 1
Primary selected
Change GAIA default "admin" username? Enter y/n: n
Please define the MDS Leading VIP interface. Options are below:
(0) eth0
(1) eth1
(2) lo
Enter desired interface (0-2): 0
Change default web UI access (permits any source)? Enter y/n: n
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-122230 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
Summary
With a simple Bash script, and without any in-depth programming or scripting skills, we can remove the need for a web browser session to complete the setup of a newly deployed Check Point appliance, whether bare metal, virtualized, or in the cloud.
Further, because the script is plain Bash (available in GAIA Expert mode and on nearly every Linux distribution) and its output is a plain key=value answer file, the same approach extends naturally to other tools: Python or Ansible can generate the answer file and invoke config_system -f on it, making this a foundational building block for any new deployment.
Troubleshooting
My config fails validation! What should I do?
This shouldn't happen, but I wrote this script accounting for only the QA scenarios I could think of. It's possible something has slipped through.
Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table. Re-run validation using the command config_system --dry-run -f ftw_config_[date-created]-[time-created] and take note of the errors listed.
If all else fails, please create a new issue here. I (and other users) will thank you for it!
Some parts of my config applied, but others didn't. What's going on?
This can happen if the validation script either ignores or otherwise misses an entry you made. Some field types aren't explicitly checked for validity, such as IP address syntax (four octets separated by dots, each no greater than 255) or tz database names. These are up to you to confirm, so check them twice before hitting Enter during the wizard (though you can always edit the answer file and apply it manually with config_system -f).
Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table.
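The answer file format described in the Overview (the key=value file that config_system consumes) and the validation gaps this answer calls out can both be checked before anything is applied. The pre-flight checker below is an added example written for this page; it is not part of ftw-cli or of Check Point's config_system. It assumes only a POSIX shell with grep, cut, sort, uniq and stat, as found in GAIA Expert mode. The sample answer file it writes under /tmp is constructed from the page's example with three defects planted on purpose (an out-of-range DNS octet, a duplicated ntp_primary key, and world-readable permissions on a file holding the SIC key), and the password-key pattern it greps for is a heuristic, not a list of config_system's real key names.

```shell
#!/bin/sh
# Added example: pre-flight check for an FTW answer file. Not part of ftw-cli or
# Check Point's config_system. Run it before "config_system -f <file>".

# Constructed sample modelled on the page's answer file, with three planted defects:
# an out-of-range DNS octet, a duplicated ntp_primary key, and world-readable mode.
SAMPLE_FILE="${TMPDIR:-/tmp}/ftw_config_sample.$$"
cat > "$SAMPLE_FILE" <<'EOF'
ipstat_v4=manually
ipstat_v6=off
hostname=ih-gw01
domainname=ibarralabs.com
primary=10.5.1.10
secondary=1.1.1.300
tertiary=1.0.0.1
ntp_primary=ntp.checkpoint.com
ntp_primary=ntp2.checkpoint.com
timezone='America/New_York'
install_security_gw=true
ftw_sic_key=p@55w0rd
EOF
chmod 644 "$SAMPLE_FILE"

# valid_ipv4 ADDR: exit 0 for four dotted octets each in 0-255, else 1.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
  for o in $(printf '%s' "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# valid_tz NAME: exit 0 if NAME (quotes stripped) looks like a tz database name
# such as Area/Location and, when the host has a zoneinfo tree, names a real zone file.
valid_tz() {
  tz=$(printf '%s' "$1" | tr -d "'")
  printf '%s\n' "$tz" | grep -Eq '^[A-Za-z_]+(/[A-Za-z0-9_+-]+)*$' || return 1
  if [ -d /usr/share/zoneinfo ]; then
    [ -f "/usr/share/zoneinfo/$tz" ] || return 1
  fi
  return 0
}

# check_answer_file FILE: print one line per problem; the exit status is the number found.
check_answer_file() {
  file=$1
  findings=0
  while IFS='=' read -r key val; do
    case $key in
      primary|secondary|tertiary)
        valid_ipv4 "$val" || { echo "$key: bad IPv4 address '$val'"; findings=$((findings + 1)); } ;;
      timezone)
        valid_tz "$val" || { echo "timezone: not a tz database name: $val"; findings=$((findings + 1)); } ;;
    esac
  done < "$file"
  # A repeated key means at most one of its values can take effect; the other answer is lost.
  for key in $(grep -E '^[A-Za-z_]' "$file" | cut -d= -f1 | sort | uniq -d); do
    echo "$key: defined more than once"
    findings=$((findings + 1))
  done
  # The SIC key (and any password-like key; the name pattern is a heuristic) is stored
  # in cleartext, so insist on owner-only access.
  if grep -Eiq '^(ftw_sic_key|[a-z_]*(passw|pwd)[a-z_]*)=' "$file"; then
    perms=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$perms" = 600 ] || { echo "$file holds secrets but mode is $perms (expected 600)"; findings=$((findings + 1)); }
  fi
  return $findings
}

check_answer_file "$SAMPLE_FILE" || echo "$? problem(s) found; fix them before running config_system -f $SAMPLE_FILE"
```

Against the planted sample the checker reports three problems (the bad octet in secondary, the duplicated ntp_primary, and the 644 mode) and exits with status 3; on a corrected file with mode 600 it stays silent and exits 0, which makes it easy to chain ahead of config_system --dry-run -f in a script. The timezone check only consults /usr/share/zoneinfo when that tree exists, so on a host without it only the name format is verified.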
This script doesn't cover a platform config scenario I need. How do I submit a feature request?
Please create a new issue here. I'll do my best to add it to the script as I have time!
Reference