IWishIKnewMore
Contributor

R81.10 - How to Setup WAN with Modem on eth1 and NAT/DHCP to eth2-5


I have a 3100 updated to R81.10.

Right now I'm upgrading from an older 600, but noticing Gaia is less friendly to the novice - so bear with the stupid questions.
On my 600 there was literally a WAN/DHCP mode you could turn on for an interface - the 3100 doesn't seem to have this.

What settings/configurations do I need to get going so I can achieve the same functionality?
I can't seem to find any guides to this end - I'm guessing this is so basic as to be laughable to have a guide.

Any help appreciated.

Thanks!

20 Replies
Chris_Atkinson
Employee

Please refer to sk92768 for instructions for the WebUI / CLISH.

But in case you meant using the Gateway itself as a DHCP server this is also possible refer:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/DHCP-Se...

Note the interfaces on a 3100 are not switch ports like that on a 600 however.

NAT is configured within SmartConsole along with your access policy & interface topology. For NAT the simple option is to enable the check box on the gateway object, though this is not as flexible as defining manual hide-NAT rules.

IWishIKnewMore
Contributor

If I specify my internet source as another router - it all works fine.
But if I try to use the modem per sk92768:
Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS, Proxy)

Joseph_Audet
Ambassador

Try this: In the gaia web interface, go down to 'Advanced Routing -> Routing Options' and enable the checkbox for 'Kernel Routes' - this will allow the gateway to import the dynamically learned default route that it received from DHCP.

IWishIKnewMore
Contributor

No change in the error - still:
Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS, Proxy)

With or without the Modem IP hardcoded.

the_rock
Champion

That error literally always means that the gateway can't reach the CP update server. So try the curl_cli updates.checkpoint.com and curl_cli cws.checkpoint.com commands and see what you get.

Chris_Atkinson
Employee

Once the routing has been verified further to Joseph's suggestion some other diagnostic measures may include:

External Interface topology: If the address you receive isn't static try specifying a dummy address of 0.0.0.0/32

Global properties: Menu > Global Properties > FireWall > Accept outgoing packets originating from Gateway: First.

Whilst on this screen it's probably also beneficial to you to enable "Log Implied Rules".

Click OK and install policy.

IWishIKnewMore
Contributor

I felt like I was making progress - I finally got cert errors figured out and cpconfig enabled correctly.
I was into smart console:
- Enabled the Hide Nat Setting
- Enabled Autonomous IPS
- Enabled Base Firewall

Now I can't connect to SmartConsole anymore (Certificate Revoked).
GAIA via browser is "Secure Connection Failed"

It seems like if I do a cpstop/cpstart - there is a short window when I get the UI back, but then back to cert errors.

Two steps forward - one step.

Thanks for all the assistance - look forward to trying more things once I can get off just a putty connection 😉

Chris_Atkinson
Employee

Does "fw unloadlocal" from the CLI allow you back in to correct your policy/config?

IWishIKnewMore
Contributor

fw unloadlocal - Fixed "Secure Connection Failed" and I can get back into GAIA.
SmartConsole is still (Certificate Revoked).

the_rock
Champion

Can you attach a screenshot of the SmartConsole error? Try this... SSH into the mgmt server and once you type cpconfig from expert mode, just click the option for administrators and add a new admin (this is for dashboard). Once you do this, it may ask you to do cprestart, and then try to log in with that newly created user.

IWishIKnewMore
Contributor

fw unloadlocal -> GAIA -> Certificate Authority Reset -> cprestart - Got rid of the "revoked" message.

Back to "Unable to Connect" or "The Operation Timed Out".

cpconfig -> re-add admin -> restart == didn't get any improvement.
^ (originally that's how I got into past those errors and into SmartConsole to begin with).

At least I can get into GAIA again, but a little unsure how to proceed from here.

[Attachment: Untitled.png]
the_rock
Champion

Ok, that's what I figured. So try to do what I suggested and see if you can log in. Also, on the mgmt server, run cpwd_admin list, as well as cd $FWDIR/scripts and then ./cpm_status.sh

Those commands would tell us if there is an issue with any process on your management server.

IWishIKnewMore
Contributor

Miraculously SmartConsole just kicked over...didn't change anything from 5 minutes ago...but not going to argue it.
I guess my next question is what do I check for or set so that I don't have to run telnet to "fw unloadlocal" and play firewall reset every time the CP services restart... then maybe back to getting the modem connecting.. sigh.. nothing is ever easy 🙂

the_rock
Champion

I hear ya brother : - ). Well, technically, every time the firewall reboots, it should fetch the latest known policy, so if you apply the correct policy from the mgmt server, then that's what would be on it after reboot. That way, you would never have to run the fw unloadlocal command.

IWishIKnewMore
Contributor

I figured out what happened. There is a "clean-up" rule that applies when you enable the firewall blade, but it neglects to set an allow route for MGMT. The SmartConsole logs were showing the dropped packets. With 192.168.X.0 to host address Accept defined - the problem seems to have corrected itself.

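The lockout described in the post above is a first-match ordering problem: the Cleanup rule matches everything, so any management flow to the gateway that no earlier rule accepts is dropped. The following is an added example (not code from the thread or from Check Point) that models the explicit access rulebase as an ordered first-match list and checks whether the management flows would survive before you install policy. The gateway address 192.168.1.1, the 192.168.1.0/24 management network (the "192.168.X.0" in the post), the client address and the rule objects are all constructed assumptions; 18190 (CPMI) and 443 (Gaia Portal) are the standard ports those clients use.

```python
"""
Added example: first-match evaluation of a Check Point-style access rulebase,
used to verify that an explicit "management to gateway" Accept rule sits above
the Cleanup rule. All objects below are constructed for the example; nothing
here is taken from the thread's actual policy.
"""
import ipaddress

GATEWAY = "192.168.1.1"       # assumed management address of the standalone 3100
MGMT_NET = "192.168.1.0/24"   # assumed LAN the SmartConsole workstation lives on


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, flow):
    """A rule matches when source, destination and service all match."""
    svc_ok = rule["svc"] == "Any" or (flow["proto"], flow["dport"]) in rule["svc"]
    return (ipaddress.ip_address(flow["src"]) in _net(rule["src"])
            and ipaddress.ip_address(flow["dst"]) in _net(rule["dst"])
            and svc_ok)


def evaluate(rulebase, flow):
    """Return (rule number, rule name, action) of the first matching rule.

    Rules are numbered from 1, as SmartConsole displays them. A flow that
    reaches the end of the list is dropped (the implicit drop), although a
    rulebase created by the wizard normally ends with an explicit Cleanup rule.
    """
    for number, rule in enumerate(rulebase, start=1):
        if matches(rule, flow):
            return number, rule["name"], rule["action"]
    return None, "implicit drop", "Drop"


# Constructed rule objects. The Cleanup rule is what the firewall blade wizard
# leaves at the bottom of the policy; the Accept rule is the fix from the post.
CLEANUP = {"name": "Cleanup rule", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
           "svc": "Any", "action": "Drop"}
MGMT_TO_GW = {"name": "Mgmt to gateway", "src": MGMT_NET, "dst": GATEWAY + "/32",
              "svc": {("tcp", 18190), ("tcp", 443), ("tcp", 22)}, "action": "Accept"}

RULEBASE_BEFORE = [CLEANUP]              # policy as installed after enabling the blade
RULEBASE_AFTER = [MGMT_TO_GW, CLEANUP]   # policy with the Accept rule above Cleanup

# Constructed flows: SmartConsole (CPMI), the Gaia Portal, and an outside probe.
SMARTCONSOLE = {"src": "192.168.1.50", "dst": GATEWAY, "proto": "tcp", "dport": 18190}
GAIA_PORTAL = {"src": "192.168.1.50", "dst": GATEWAY, "proto": "tcp", "dport": 443}
INTERNET_PROBE = {"src": "203.0.113.9", "dst": GATEWAY, "proto": "tcp", "dport": 443}


def verify_mgmt_access(rulebase, flows=(SMARTCONSOLE, GAIA_PORTAL)):
    """Return the management flows the rulebase would NOT accept.

    An empty list means installing this policy will not lock you out of
    SmartConsole or the Gaia Portal from the management network.
    """
    return [flow for flow in flows if evaluate(rulebase, flow)[2] != "Accept"]


if __name__ == "__main__":
    for label, rb in (("before", RULEBASE_BEFORE), ("after", RULEBASE_AFTER)):
        blocked = verify_mgmt_access(rb)
        print(f"{label}: {len(blocked)} management flow(s) would be dropped")
    print("outside probe:", evaluate(RULEBASE_AFTER, INTERNET_PROBE))
```

The simulation covers only the explicit rulebase, which is where the Cleanup rule lives; a real gateway also applies the implied rules from Global Properties around it, which is why the "Log Implied Rules" setting mentioned earlier in the thread is useful when the SmartConsole logs do not show the drop you expect.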
RS_Daniel
Advisor

Hello,

Unfortunately Certificate Revoked has become a classic issue on the Management server. The good news is that Check Point knows how to fix this:  https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

That link just explains the problem, but it will take you to a second sk with the solution procedure:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Hope it helps you.

Regards

the_rock
Champion

I honestly never had that problem in 15 years dealing with CP. But, good links for the reference. Don't want to jinx it now : - )

IWishIKnewMore
Contributor

I think I have some kind of lead on the modem - or at least an oddity:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

dhcp.leases is blank for me. (with automatic ipv4 set or static set)

Chris_Atkinson
Employee

Your Firewall is a DHCP client?

The SK is referring to it being set as a server for allocating IPs to LAN hosts.

Do you see a default route when you get the dynamic address or have you tried configuring one manually?

Can you ping the next-hop? 

ifconfig -a ethX

netstat -nr

ping a.b.c.d

What IP range should you receive from the modem's DHCP, does it conflict with the existing firewall LAN addressing?

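The checks Chris_Atkinson lists above (default route present, next-hop on-link, modem DHCP range versus LAN addressing), together with Joseph_Audet's earlier point that the DHCP-learned default route only appears once Kernel Routes are enabled, can be scripted against the `netstat -nr` output. The block below is an added example, not code from the thread or from Check Point: it parses constructed routing-table samples (192.168.100.0/24 as the modem's hand-out range and 192.168.1.0/24 as the LAN are assumptions, not the poster's real addressing) and reports the same three findings a person would look for by eye.

```python
"""
Added example: offline sanity checks on a Gaia/Linux routing table for a
DHCP-client WAN interface. The netstat samples below are constructed for the
example and shaped like `netstat -nr` output; they are not captures from a 3100.
"""
import ipaddress
import re

# Constructed: healthy case. eth1 got a lease from the modem, Kernel Routes are
# on, so the DHCP default route was imported; eth2 is the LAN.
HEALTHY_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG        0 0          0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
"""

# Constructed: lease received but no default route imported (Kernel Routes off).
NO_DEFAULT_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
"""

# Constructed: a static default gateway typed in by hand that is not on eth1's subnet.
BAD_GATEWAY_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
"""

_IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+$")


def parse_routes(text):
    """Parse `netstat -nr` lines into dicts; header and banner lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not _IPV4.match(parts[0]):
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[-1]
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def default_route(routes):
    """The 0.0.0.0/0 entry with the G flag, or None if nothing was learned/configured."""
    for r in routes:
        if r["network"].prefixlen == 0 and "G" in r["flags"]:
            return r
    return None


def next_hop_on_link(routes, dr):
    """The default gateway must fall inside a connected route on the same interface,
    otherwise ARP for it will never resolve and `ping <next-hop>` fails."""
    return any(r["gateway"] is None and r["iface"] == dr["iface"]
               and dr["gateway"] in r["network"] for r in routes)


def overlapping_subnets(wan_cidr, lan_cidrs):
    """LAN subnets that overlap the WAN address the modem handed out."""
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    return [lan for lan in lan_cidrs if ipaddress.ip_network(lan, strict=False).overlaps(wan)]


def check(netstat_text, wan_cidr, lan_cidrs):
    """Return a list of human-readable findings; an empty list means all three checks passed."""
    routes = parse_routes(netstat_text)
    findings = []
    dr = default_route(routes)
    if dr is None:
        findings.append("no default route: enable Kernel Routes or add a static 0.0.0.0/0")
    elif not next_hop_on_link(routes, dr):
        findings.append(f"default gateway {dr['gateway']} is not on-link via {dr['iface']}")
    conflicts = overlapping_subnets(wan_cidr, lan_cidrs)
    if conflicts:
        findings.append(f"WAN {wan_cidr} overlaps LAN {', '.join(conflicts)}")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_NETSTAT), ("no-default", NO_DEFAULT_NETSTAT),
                         ("bad-gateway", BAD_GATEWAY_NETSTAT)):
        print(name, check(sample, "192.168.100.23/24", ["192.168.1.0/24"]) or "OK")
```

On the gateway itself the input would come from `netstat -nr` (or `ip route`), the WAN CIDR from `ifconfig -a eth1`, and the LAN list from the other interfaces; the overlap check is the one most often missed, because a modem that hands out 192.168.1.0/24 to a firewall whose LAN is also 192.168.1.0/24 produces exactly the "can't reach the cloud" symptom with a perfectly valid-looking lease.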
IWishIKnewMore
Contributor (accepted solution)

Thanks for all the help.

I didn't want to leave you hanging - I ended up throwing a fresh hard drive in and flashing with pfsense.
So far that's been much simpler for my use case - pre-configured with WAN/LAN as needed and starter firewall settings.

Some of this is my fault for thinking that the 3100 software would have been a similar experience to my Check Point 600 or 100g software - but it's been extremely time intensive to do basic setup and I haven't even gotten to fine tuning everything.
