Written by Michael Ibarra, Security Engineer, Mid-Atlantic Region
November 10, 2022
Deploying a new Check Point appliance requires completing the First-Time Configuration Wizard (FTW). This GUI-driven set of steps prepares the appliance for further configuration using CLISH or the web-based UI and is a mandatory part of deploying any new appliance.
Ideally, the FTW is run once the appliance has booted after installation from an ISO, is connected to a network, and is ready for all subsequent configuration. That is not always possible: an appliance may have to be fully configured without an active network connection, a web browser session, or any other means of loading a responsive web GUI. In an untrusted or highly sensitive environment, for example, deploying an NDR sensor with only serial console access is advantageous, but without a web UI session the FTW cannot be completed.
The FTW-CLI tool solves this challenge by generating the "answer file" that the FTW needs to complete the configuration. A simple BASH script prompts the user for input and stores the values in a separate file; the built-in config_system script then reads this file to complete the FTW steps, readying the system for the remaining configuration and production use.
Begin by downloading the latest version of the ftw-cli here. Other resources and references are available under the section at the end of this guide.
Follow these steps to use the tool:
The ftw-cli tool consists of two sections: general system configuration and platform-specific configuration. These sections are separated by the following prompt:
```text
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4:
```
Reaching this question means you have arrived at the series of if/then steps that ultimately determine whether you end up with a management server, gateway, or MDS appliance.
After you've reached the end of the platform-specific configuration, an answer file with the syntax ftw_config_[date-created]-[time-created] will exist in the same directory as ftw_cli_run.sh. An example of this file's contents is below.
```text
[Expert@gw-3bdcf5:0]# cat ftw_config_20221110-111246
ipstat_v4=manually
ipstat_v6=off
hostname=ih-gw01
domainname=ibarralabs.com
primary=10.5.1.10
secondary=1.1.1.1
tertiary=1.0.0.1
ntp_primary_version=4
ntp_secondary_version=4
ntp_primary=ntp.checkpoint.com
ntp_primary=ntp2.checkpoint.com
timezone='America/New_York'
install_security_gw=true
gateway_daip=false
ftw_sic_key=p@55w0rd
download_info=true
upload_info=true
upload_crash_data=true
reboot_if_required=true
```
```text
[Expert@gw-3bdcf5:0]# ./ftw_cli_run.sh
Welcome to the FTW CLI script!
Change current management interface (eth0)? Enter y/n: n
Configure IPv4 for management interface? Enter y/n: y
Change current IP address (10.5.1.101/24) for eth0? Enter y/n: n
Configure IPv6 for management interface? Enter y/n: n
Enter hostname: ih-gw01
Enter domain name: ibarralabs.com
Enter primary DNS server: 10.5.1.10
Enter secondary DNS server (Enter to skip): 1.1.1.1
Enter tertiary DNS server (Enter to skip): 1.0.0.1
Use a proxy server? Enter y/n: n
Configure NTP? Enter y/n: y
Change current NTP version (4)? Enter y/n: n
Change Check Point default NTP servers? Enter y/n: n
Enter timezone (in tz database format, e.g., America/Los_Angeles): America/New_York
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 2
Proceeding with Security Gateway install...
Is this a single gateway or cluster member?
(1) Single Gateway
(2) Cluster Member
Enter 1-2: 1
Single Gateway selected
Using a dynamically-assigned IP (DAIP) (default is no)? Enter y/n: n
Change admin password entered during install? Enter y/n: n
Enter SIC key:
Enter SIC key again:
Would you like to connect this device to Smart-1 Cloud (auth token required)? Enter y/n: n
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-111246 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
Proceed with applying config? Enter y/n: n
Config apply canceled.
To run manually, issue this command from Expert mode:
config_system -f ftw_config_20221110-111246
[Expert@gw-3bdcf5:0]#
```
```text
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 1
Proceeding with Management install...
Is this a Primary, Secondary, or Dedicated/Separate SmartEvent or Logging server?
(1) Primary
(2) Secondary
(3) Dedicated SmartEvent/Logging
Enter 1-3: 3
Dedicated SmartEvent/Logging selected
Change GAIA default "admin" username? Enter y/n: n
Change default web UI access (permits any source)? Enter y/n: n
Enter SIC key:
Enter SIC key again:
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-112558 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
```
```text
Are you installing Management, Security Gateway, Standalone (Combined), or MDS?
(1) Management
(2) Security Gateway
(3) Standalone
(4) MDS
Enter 1-4: 4
Proceeding with MDS install...
Is this a Primary, Secondary, or Dedicated/Separate Logging server?
(1) Primary
(2) Secondary
(3) Dedicated Logging
Enter 1-3: 1
Primary selected
Change GAIA default "admin" username? Enter y/n: n
Please define the MDS Leading VIP interface. Options are below:
(0) eth0
(1) eth1
(2) lo
Enter desired interface (0-2): 0
Change default web UI access (permits any source)? Enter y/n: n
Change defaults for communicating with User Center? Enter y/n: y
Download info from User Center? Enter y/n: y
Upload info to User Center? Enter y/n: y
Upload crash data (which may contain PII)? Enter y/n: y
Should the device reboot (if required) when config is complete? Enter y/n: y
That's it! Checking generated config values...
dos2unix: converting file ftw_config_20221110-122230 to Unix format ...
Config validated successfully!
Proceed with applying config? Enter y/n:
```
By using a simple BASH script, with no in-depth programming or scripting skills required, we can sidestep the need for a web browser session to complete the setup of a newly deployed Check Point appliance, whether bare metal, virtualized, or in the cloud.
Further, because BASH is natively supported on nearly every Linux distribution, cross-platform compatibility and extensibility with other tools (Python, Ansible, etc.) make this a foundational approach for any new deployment.
My config fails validation! What should I do?
This shouldn't happen, but I wrote this script accounting for only the QA scenarios I could think of. It's possible something has slipped through.
Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table. Re-run validation using the command config_system --dry-run -f ftw_config_[date-created]-[time-created] and take note of the errors listed.
If all else fails, please create a new issue here. I (and other users) will thank you for it!
Some parts of my config applied, but others didn't. What's going on?
This can happen if the validation script either ignores or otherwise misses an entry you made. Other field types aren't explicitly checked for validity, such as IP address syntax (four octets separated by periods, with no octet above 255) or tz database values. Confirming these is up to you, so check them twice before hitting Enter during the wizard (though you can always modify the answer file and run it manually with config_system).
Check your answer file's contents using cat from Expert mode and compare the values present with those listed in this table.
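As an added example (not part of the ftw-cli project), here is a small pre-check you can run over the answer file from Expert mode before handing it to config_system: it validates the IPv4 and timezone fields this answer says are not checked, flags any key that appears twice (the sample answer file above carries ntp_primary twice), and warns when the file holding the plaintext ftw_sic_key is readable by other users. Function and file names are my own; the timezone check assumes a tzdata directory at /usr/share/zoneinfo and is skipped where none exists.

```shell
#!/bin/bash
# Added example, not part of the ftw-cli project: pre-checks an ftw_config_*
# answer file for what the FAQ says config_system does not validate (IPv4
# syntax, tz names) plus two hazards in the article's sample: a key written
# twice and a plaintext ftw_sic_key.  Usage: ./check_ftw_answers.sh <file>

valid_ipv4() {                       # four dotted octets, each 0-255
  case $1 in *[!0-9.]*|'') return 1 ;; esac
  local IFS=. o
  set -- $1
  [ $# -eq 4 ] || return 1
  for o; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
}

valid_tz() {                         # look the name up in tzdata if present
  [ -d /usr/share/zoneinfo ] || return 0    # cannot verify on this host
  [ -f "/usr/share/zoneinfo/$1" ]
}

check_answer_file() {                # prints findings; returns their count
  local f="$1" n=0 key val
  # a key written twice is silent: the article's sample has ntp_primary twice
  for key in $(cut -d= -f1 "$f" | sort | uniq -d); do
    echo "duplicate key: $key"; n=$((n+1))
  done
  while IFS='=' read -r key val; do
    val=${val#\'}; val=${val%\'}       # timezone is written with quotes
    [ -n "$val" ] || continue          # fields skipped with Enter stay empty
    case $key in
      primary|secondary|tertiary)
        valid_ipv4 "$val" || { echo "bad IPv4 in $key: $val"; n=$((n+1)); } ;;
      timezone)
        valid_tz "$val" || { echo "unknown timezone: $val"; n=$((n+1)); } ;;
      ftw_sic_key)                     # the SIC key is stored in clear text
        case $(ls -ld "$f") in         # owner-only mode looks like -rw-------
          -???------*) ;;
          *) echo "ftw_sic_key in a group/world-readable file"; n=$((n+1)) ;;
        esac ;;
    esac
  done < "$f"
  return "$n"
}

write_sample() {                     # constructed sample; two faults on purpose
  printf '%s\n' hostname=ih-gw01 primary=10.5.1.10 secondary=1.1.1.1 \
    tertiary=1.0.0.256 ntp_primary=ntp.checkpoint.com \
    ntp_primary=ntp2.checkpoint.com "timezone='America/New_York'" \
    ftw_sic_key=p@55w0rd > "$1"
}
[ -n "$1" ] && check_answer_file "$1"
```

The exit status is the number of findings, so a clean file returns 0 and the script can gate an automated config_system run.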
This script doesn't cover a platform config scenario I need. How do I submit a feature request?
Please create a new issue here. I'll do my best to add it to the script as I have time!
Hi, great article, but why is it in the employees only space? Any reason NOT to share it with the customers?
Hey Val, I posted it here temporarily while Dameon approves and moves it to the whitepaper repository. But yes, the goal is to make it publicly available! 😁
"Four eyes" review 🙂