Perry_McGrew
Collaborator

Zero Touch Clarification Help - 3920

We are replacing several 3200s at our Remote Sites with just-received 3920s. These sites are Healthcare and basically cannot sustain any lengthy outage. Sorry in advance for the long post!

All the GWs are Centrally Managed and have Static Public IPs.   All CP devices are currently R82 JHF41  

I have done a Save Configuration on each of the 3200s and stored them in text files on my Windows PC.  

I have read the Zero Touch docs / SKs. I've logged into the Zero Touch Portal, "claimed" one of the 3920s and set up a template. I created an API key on our Management Server and saved it.

Ideally, I want to set them up in my office before I bring them out to the site to swap out the 3200.  Since I don't have direct connection to Internet from my office, I am not sure how this can work.

Currently Template is Under Construction until I am sure I have it correct.

- Version Settings: Keep Current (since I read 3900s are R82.10, which is NOT an option in the pull-down menu)

- Zero Touch Identification Key - Generated (and saved)

- Administrator Password - NOT SURE what to use since I have not done 1st time Setup.  Is it default admin/admin or leave it blank?

- Management Interface - DO I USE the default 192.168.1.1 (which is NOT a valid subnet in our corp network)

- DNS Servers - Internal (which would need VPN Tunnel from a remote site) or Public (i.e. Cloudflare)?

- Connect to the Management Server - Use Mgt Internal LAN or Public IP?  

- API Auth Key - Copied it from the Mgt server.  

- CLISH Script - Pasted the entire "save configuration" output from the 3200 I want to replace.  Will any of the statements error out?

Provided I get this Template correct, it brings me to what needs to be done on the Mgt Server. The site / VPN community settings are defined for the current 3200. It's difficult to envision that I just travel to the site, swap all the cable connections from the 3200 into the 3920, and power up the 3920, which will "magically" pull down this template, execute all the CLISH stmts, and on the Mgt Server change the Hardware Appliance to 3900 Appliances, Version R82.10 and pull the Policy. I also will need to reset the SIC on the Mgt Server for the site.

TIA.


the_rock
Legend

Unlike Fortinet, where the default password is empty and you are then forced to change it, here it's admin / admin. Default mgmt IP is indeed 192.168.1.1, but that's only really needed for the first time wizard; most people may not even use that interface later.

I always tell people to use Google/Cloudflare DNS servers to start with, unless you are 100% sure the ones you are using will work.

SIC would sadly need to be reset, there is no way around it.

Andy

Perry_McGrew
Collaborator

Thanks. I am hoping someone who has actually done this Zero Touch process to replace an existing GW will post here. The Docs leave a lot of questions unanswered. I read (or interpret) that it replaces the 1st time Setup Wizard. So the initial default ID/PW typically gets changed. The Zero Touch template just wants you to fill it in. You would think (presume) it would be set, or tell you to use the 1st time default if the device is fresh out of the box. We never use the device Management Interface after the initial setup is done.

The Mgt Server IP - Got to think it needs to be its Public IP since I don't see any indication that the VPN tunnel will be established.

The CLISH statements - A while ago, I had to replace one of the 3200s. I had the SAVE CONFIG. I did the traditional 1st time setup in my office. I SSH'd and did a Copy & Paste -- I know some of them failed. I can't recall if it was the order of the statements (I pasted the entire config). It just makes me suspicious that it will not work in the Zero Touch.

Zero Touch seems to be a nice tool to speed up deployment. But I don't have a lab to trial and error it. I can't have a site down for hours trying to fix the issues and re-establish connectivity.

the_rock
Legend

That's fair! Can you please send those docs/SKs you were referring to? I believe one of my customers did it, I will definitely ask her later.

Andy

the_rock
Legend

Hey Perry,

I'm also super curious about this topic, let us know if you find anything new. Did you ever open a TAC case btw? I asked my customer and they never did this, sorry.

Andy

Perry_McGrew
Collaborator

I have not opened a case yet but will soon. Our new 9200s just arrived and I still have not heard anything about that ClusterXL -> ElasticXL conversion tool.

Perry

the_rock
Legend

I hope the tool becomes GA soon... let's see.

Andy

Chris_Atkinson
Employee

It's not officially been released as yet. I'm sure it will be made available in due course.

CCSM R77/R80/ELITE
Wolfgang
Authority

@Perry_McGrew Zerotouch should be the right way. You can store the configuration there for all your gateways. But you can't copy and paste from "config save". All configuration steps done via zerotouch have to be done without questions and without errors. If anything is problematic, the whole process fails. Some test installation is really needed to get a clean install script. But with the right script you only need an internet connection from your new appliances and the configuration will be done automatically at boot up.

Another way is to use Isomorphic and a USB device. You can also have your appliance configuration in a script there. You can place different scripts for your appliances; they are identified via the MAC address.

Main question for me is related to the new release R82.10. Ask TAC for support for this release via zerotouch portal and isomorphic.

Zero Touch Cloud Service for Check Point Appliances 

Zero Touch Administration Guide

How to install Gaia OS from a USB device on Check Point appliance and Open Servers using ISOmorphic ... 

the_rock
Legend

Thanks for those @Wolfgang, super useful!

Perry_McGrew
Collaborator

@Wolfgang thanks for the reply. I have been following the docs listed. I don't have a way to test Zero Touch. I have used ISOMORPHIC before -- but it would not work here as the 3920s are R82.10 and, last I looked, I have not seen ISOMORPHIC updated. I was surprised to see the 3920s are R82.10 since it's not mainstream released -- I figure it's because the 3920s are ARM devices.

Anyway, what brought me to look at Zero Touch was that I had used the Save Config statements when I set up a new device. I'd do the first time wizard setup, then open an SSH connection and copy-paste the statements in the same order as they appeared -- which is much quicker than using the WebUI. Some do fail -- because I recall some statements need to be applied in a specific order that is different than in the Save Configuration. I fix those and then do a compare of the new device config vs the Save Configuration. If all looks good, I take the device out to the remote site, reset SIC on our Mgt server, and the site comes up.

So this Zero Touch process seemed to be a neat, time-saving method to address this. The docs just don't answer the questions I have. I would be concerned that the Save Config statements, put into the Zero Touch CLISH script as-is, would fail. I have several sites where I need to swap out these 3200s with 3920s, and any process to make it easier seemed to be what Zero Touch was designed to do.

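
The "compare the new device config vs the Save Configuration" step in the post above can be scripted. The following is an added example, not code from the thread or from Check Point: it reads two Gaia-style `show configuration` exports (the two excerpts, hostnames and addresses are constructed samples; `parse_clish` and `compare_configs` are names chosen here) and reports, independent of statement order, which saved statements never made it onto the replacement appliance.

```python
"""Compare a saved Gaia 'save configuration' export against the configuration
captured from a replacement appliance, ignoring statement ordering."""
import re

# Constructed sample: excerpt in the style of an export from the old appliance.
SAVED_CONFIG = """\
# Configuration of old-site-gw
# Exported by admin on Mon Jan  1 10:00:00 2024
set hostname old-site-gw
set interface eth1 state on
set interface eth1 ipv4-address 10.20.30.1 mask-length 24
set dns primary 10.20.30.53
set static-route default nexthop gateway address 203.0.113.1 on
set expert-password-hash PLACEHOLDER_HASH
"""

# Constructed sample: what the new appliance reports after the paste; the
# default route line failed during the paste and was never applied.
NEW_CONFIG = """\
# Configuration of old-site-gw
set hostname old-site-gw
set interface eth1 ipv4-address 10.20.30.1 mask-length 24
set interface eth1 state on
set dns primary 10.20.30.53
set expert-password-hash PLACEHOLDER_HASH
"""


def parse_clish(text):
    """Return the set of normalised configuration statements.

    Comment ('#') and blank lines are dropped and whitespace runs collapsed,
    so the comparison ignores cosmetic differences and the order in which
    the statements were applied."""
    stmts = set()
    for line in text.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if line and not line.startswith("#"):
            stmts.add(line)
    return stmts


def compare_configs(saved, new):
    """Return (missing, extra): saved statements absent from the new device,
    and statements on the new device that the saved export did not contain."""
    saved_set, new_set = parse_clish(saved), parse_clish(new)
    return sorted(saved_set - new_set), sorted(new_set - saved_set)


if __name__ == "__main__":
    missing, extra = compare_configs(SAVED_CONFIG, NEW_CONFIG)
    for stmt in missing:
        print("MISSING on new device:", stmt)
    for stmt in extra:
        print("EXTRA on new device:  ", stmt)
```

Run it against the real export and a fresh `show configuration` capture from the replacement; anything listed as MISSING is a statement to re-apply before the appliance leaves the office.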
Perry_McGrew
Collaborator

Raised these questions with our Check Point team. I got a response that Zero Touch is really not a good option in our case.

- was created for deploying a large number of GWs and maybe not worth fighting with config issues for a small number of deployments where downtime needs to be minimized.  

- No Lab environment to test / no separate Internet available to test

Recommendation is to deploy using the traditional method.  Build/configure the GW, swap it, reset SIC, change HW model in Smart Console object, push policy.

Maybe Zero Touch will be improved to help ease the replacement of GWs for situations like we face.  

Thanks everyone who responded to this post.

the_rock
Legend

All makes sense Perry. Hope it goes well with the cutover.

Andy
