Hi,
I have just installed a gateway on EVE-NG. Everything looks fine but I cannot login to do the first time wizard.
I got the IP address on eth0:192.168.40.185.
I can ping it, and I can ssh to the gateway with no problem.
But when I try to open https://192.168.40.185, I get this:
Can you send output of ifconfig -a and route?
ifconfig is deprecated!
show interface eth0:
Interface eth0
state on
mac-addr 50:00:00:05:00:00
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 1000M
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex full
link-speed 1000M/full
comments
ipv4-address 192.168.40.185/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured
show route all:
A-GW-2> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
IS - IS-IS (L1 - Level 1, L2 - Level 2, IA - InterArea, E - External),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive
C 127.0.0.0/8 is directly connected, lo
C 192.168.40.0/24 is directly connected, eth0
I got 3 other interfaces and all are "state off"
It's from expert mode, ifconfig works fine, as well as the route command. Anyway, what you sent is sort of the same... so if that interface is up, can you check if the same happens if you try another browser? Keep in mind that if the fw is not connected to mgmt, it's most likely running initial policy, which WILL block web UI access, though since it's port 443, technically it should work, but as a test, you can run fw unloadlocal from expert mode and try again.
Andy
Tried all browsers: Firefox, chrome, and Edge. Same problem!
[Expert@A-GW-2:0]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 50:00:00:05:00:00
inet addr:192.168.40.185 Bcast:192.168.40.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:537 errors:0 dropped:0 overruns:0 frame:0
TX packets:331 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47046 (45.9 KiB) TX bytes:35435 (34.6 KiB)
eth1 Link encap:Ethernet HWaddr 50:00:00:05:00:01
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth2 Link encap:Ethernet HWaddr 50:00:00:05:00:02
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
eth3 Link encap:Ethernet HWaddr 50:00:00:05:00:03
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
gretap0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1462 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
gre0 Link encap:UNSPEC HWaddr 00-00-00-00-56-F7-38-90-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING PROMISC DYNAMIC MTU:65536 Metric:1
RX packets:16931 errors:0 dropped:0 overruns:0 frame:0
TX packets:16931 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2581031 (2.4 MiB) TX bytes:2581031 (2.4 MiB)
[Expert@A-GW-2:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.40.0 * 255.255.255.0 U 0 0 0 eth0
And I did add a default gateway route like this:
[Expert@A-GW-2:0]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.40.2 0.0.0.0 UG 0 0 0 eth0
192.168.40.0 * 255.255.255.0 U 0 0 0 eth0
still not working. I can ping the internet as well!
and there is no firewall:
[Expert@A-GW-2:0]# fw unloadlocal
Local host is not a FireWall-1 module
OK, so it's just a mgmt server, got it now. Maybe as a quick test, disable web access, save, re-enable, save, test again.
Andy
if you mean:
set web daemon-enable off/on
that did not make it better!
This server is neither a gateway nor an SMS, because I could not enter the first configuration wizard.
I think now I get the whole "picture". So you installed Gaia, then rebooted, tried the web UI to initiate the first time wizard to install it as either mgmt or gateway, and that's where you are "stuck", got it. Hm, I can't say I personally ever experienced that myself, really odd. Are you allowed to do remote? I would like to check and see if I can help you fix it.
If you are, just message me directly.
You got it! it is just a lab
How do you prefer to remote? TeamViewer
or Teams, is best
I don't like TeamViewer, not so secure in my opinion. I will send you Zoom offline.
Andy
my eve-ng fw settings
Since you’re installing this in EVE-NG which is not technically supported, what specific ram/hdd did you allocate to the VM?
What version was installed?
If you did not allocate the minimum values specified in the release notes for the version you’re running, you could experience behavior like this.
Realistically for a standalone gateway in a lab (no external management), you need to allocate at least 8GB of RAM and about ~200GB for hard drive.
That is assuming lab usage only.
My machine got 4 vCPU and 8GB ram and about 40GB disk.
The same specification (maybe less) is working when running the server directly on VMware workstation!
I run 81.20
I use eve-ng all the time and I never give it more than 100GB, works just fine.
Andy
Let's do remote if you are allowed to, just message me offline.
Just a quick update. @Moudar and I did a remote session and, though we verified the DG is correct and config is saved, and ssh works fine, the web UI does not. We even attempted a different port, same issue. Spun up another instance in EVE-NG, no joy.
The unfortunate thing is that NO cp commands will work, as we can't even run the first time wizard to configure the lab. I told him I would get access later to our lab EVE-NG and report back. We also tested the different NIC types available, but exact same problem after restart.
Andy
If you have command line access, just use config_system.
For that matter, EVE-NG does cloud-init, right? That would be the ideal option, since you wouldn't need to log in to the command line or web UI at all to get a fully-configured box.
That may work, but it still begs the question of why the web UI fails, considering it's not configured as either mgmt or fw, since the first time wizard was not even started.
Andy
I have now configured one server as SMS using (config_system). When trying to connect via SmartConsole I get this:
SOLR service is restarting all the time:
Disk space on this SMS:
Any ideas!
Hey bro,
I don't think space would be an issue for this specific problem, as I was able to log in fine to my old mgmt in EVE-NG with less than 6 GB free in the root dir. Now, here is what I would do. First off, run the api status command and see what it shows. I'm fairly sure it will show failing at the bottom; if it does, please do this.
Go to the $FWDIR/scripts dir and run ./cpm_status.sh. If it shows anything but up and ready, initiate ./run_cpmdoc.sh and upload the results.
Best,
Andy
[Expert@SMS:0]# $FWDIR/scripts/cpm_status.sh
Check Point Security Management Server is running and ready
[Expert@SMS:0]#
[Expert@SMS:0]#
[Expert@SMS:0]#
[Expert@SMS:0]#
[Expert@SMS:0]# api status
API Settings:
---------------------
Accessibility: Require local
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 5251
CPM Started 5251 Check Point Security Management Server is running and ready
FWM Started 4883
APACHE Stopped 0
Port Details:
-------------------
JETTY Internal Port: 54855
JETTY Documentation Internal Port: 62023
APACHE Gaia Port: 443
Profile:
-------------------
Machine profile: Large env resources profile with SME or Dedicated Log Server
CPM heap size: 1280m
Apache port retrieved from: default value
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test FAILED. The server is down and unable to receive connections!
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
maybe the problem is with the SOLR service which does not start !
cannot find personalizedCpmServerSettings.props.
checking the $FWDIR/log/api.elg
2024-04-16 15:55:07,753 ERROR com.checkpoint.management.web_api.web_services.JaxRsServerPublisher.createWebAPIServer:164 [main] - Failed to configure Apache proxy server. Management API is not accessible!
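The `api status` output posted above reports "Overall API Status: Started" while APACHE is Stopped and the readiness test has FAILED. As an added example (not part of the thread and not Check Point tooling), the shell function below reads saved `api status` text and flags that mismatch; the function name `triage_api_status` and the trimmed sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage saved `api status` text. The sample below is
# constructed by trimming the output posted in this thread.

# Reads `api status` text on stdin and prints one finding per line.
# Exit status: 0 = no findings, 1 = at least one finding.
triage_api_status() {
    awk '
        BEGIN { bad = 0 }
        # Rows of the Processes table look like: NAME State PID [info...]
        in_procs && $2 == "Stopped"  { print "STOPPED " $1; bad = 1 }
        /^Processes:/                { in_procs = 1 }
        /^Port Details:/             { in_procs = 0 }
        /^Overall API Status:/       { overall = $NF }
        /API readiness test FAILED/  { print "READINESS FAILED"; bad = 1 }
        END {
            # The overall line can say Started while the API is unreachable,
            # so a health check must not rely on that line alone.
            if (bad && overall == "Started")
                print "MISLEADING overall status is Started"
            exit bad
        }
    '
}

# Constructed sample (trimmed from the output in the post above).
SAMPLE='Processes:
Name      State     PID       More Information
-------------------------------------------------
API       Started   5251
CPM       Started   5251      Check Point Security Management Server is running and ready
FWM       Started   4883
APACHE    Stopped   0
Port Details:
-------------------
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test FAILED. The server is down and unable to receive connections!'

printf '%s\n' "$SAMPLE" | triage_api_status || echo "=> management API is not healthy"
```

On a live server the same function can be fed directly, for example `api status | triage_api_status`.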
Can you try api restart? Reboot?
That's your issue, the API has failed, SmartConsole will never work in such a scenario. Can you run cpm doc and send it please?
Andy
what is cpm doc?