israelfds95

Base Script for SMB Configuration via CLI


I would like to share a base script that you can use and edit when performing SMB configurations via clish.

This makes our lives much easier when working with large-scale SMB deployments. In my last implementation, I pre-configured 48 Spark 1575 appliances, and if I had used Zero Touch for this, these scripts could also have been applied.

This base script was used on versions R81.10.X, so I also suggest reading the following to complement it if you need more configuration:

R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances CLI Reference Guide

Right now there is a new version, but I don't use it yet, so I'll just reference the guide here as information:

R82.00.X Quantum Spark Appliances CLI Reference Guide

At the beginning, these are the first lines to execute — I will explain why:

set property first-time-wizard off
  #This command skips the web First Time Wizard, allowing us to proceed directly with configuration via clish

delete switch LAN1_Switch
  #By default, every SMB appliance starts with a LAN1_Switch configuration and all ports are in this LAN1_Switch; this command deletes LAN1_Switch and frees all the LAN interfaces so you can use them as you wish.

After that, I disable some unnecessary features and continue with hostname, DNS, NTP, admin access, session settings, disabling DHCP on interfaces, LAN interface configuration, VLAN configuration (including a VLAN with DHCP active), and WAN interface configuration already prepared for Check Point SD-WAN.

We know that SMB is quite different from Enterprise environments, and sometimes configuration on SMB appliances can be a bit tricky.

Script via USB autoconf.clish: 

You can use this type of script to be started from a USB pendrive; you just need to rename the file to the format autoconf.XX-XX-XX-XX-XX-XX.clish, where XX-XX-XX-XX-XX-XX is the Spark's MAC address.

After renaming the file, just put the script on a USB pendrive, connect it to the USB port of the Quantum Spark, and turn on the gateway. If the pendrive is recognized correctly, the script will start and the Spark will apply all the configuration.

But if the pendrive or the autoconf.clish format doesn't work well, you can apply the script manually on your first access to the Spark via the console port.

A trick I normally use when I don't use autoconf is to take one interface that won't be used and give it a generic IPv4 address as a sort of management interface; SSH access to run the clish script is sometimes better than the console.

Enjoy:

# ---------First configurations and Advanced Settings--------
set property first-time-wizard off
delete switch LAN1_Switch
set dns proxy disable

set hotspot advanced-settings activation off
set pmtud pmtud-mode oneshot
set misp-refresh-route mode on
set iot-stats mode off

# ------------------ DNS, HOSTNAME, NTP --------------------
set device-details hostname "HOSTNAME"

set dns primary ipv4-address "1.1.1.1"
set dns secondary ipv4-address "8.8.8.8"
set dns tertiary ipv4-address 9.9.9.9
set domainname local.domain


set ntp active on
set ntp server primary a.st1.ntp.br
set ntp server secondary b.st1.ntp.br
set ntp local-time-zone GMT-03:00(Brasilia) auto-adjust-daylight-saving off
set ntp interval 60

# Management is reachable on the WAN links from any source IPv4; narrow allowed-ipv4-addresses if those links are not trusted
set admin-access interfaces WAN access allow
set admin-access interfaces Wireless access block
set admin-access allowed-ipv4-addresses any
set admin-access web-access-port 4434
set admin-access ssh-access-port 22

set administrator session-settings inactivity-timeout 10
set administrator session-settings password-history-mechanism true
set administrator session-settings lockout-enable on
set administrator session-settings max-lockout-attempts 5
set administrator session-settings lock-period 5


# ------------------LAN------------------------------------

set dhcp server interface DMZ disable
set dhcp server interface LAN1 disable
set dhcp server interface LAN2 disable
set dhcp server interface LAN3 disable
set dhcp server interface LAN4 disable
set dhcp server interface LAN5 disable


set interface LAN1 state on
set interface LAN1 unassigned

add interface LAN1 vlan 1 ipv4-address 10.90.90.1 mask-length 21
set interface LAN1.1 description USERS


add interface LAN1 vlan 80 ipv4-address 10.80.80.1 mask-length 24
set interface LAN1.80 description MGMT


add interface LAN1 vlan 200 ipv4-address 10.251.12.1 mask-length 22
set interface LAN1.200 description GUEST
set dhcp server interface LAN1.200 include-ip-pool 10.251.12.100-10.251.15.254
set dhcp server interface LAN1.200 enable
set dhcp server interface LAN1.200 dns manual primary 8.8.8.8 secondary 8.8.4.4
set dhcp server interface LAN1.200 lease-time 168

# -----------------WAN-------------------------------

add internet-connection name MPLS01 interface LAN7 type static ipv4-address 10.251.10.3 mask-length 24 default-gw 10.251.10.1
set internet-connection MPLS01 ha-priority 1 load-balancing-weight 10
set internet-connection MPLS01 probe-next-hop true probing-method icmp
set internet-connection MPLS01 probing-advanced probing-frequency 3 probing-window-size 15 failover-after-ping-failure-percent 66 max-latency-allowed 300 high-availability-recovery-time 60
# SD-WAN tag identifies this link in the SD-WAN policy; each link gets its own tag
set internet-connection MPLS01 sdwan-tag "MPLS01" sdwan "enabled" download-speed "100" upload-speed "100"


add internet-connection name MPLS02 interface LAN8 type static ipv4-address 10.52.25.3 mask-length 29 default-gw 10.52.25.1
set internet-connection MPLS02 ha-priority 1 load-balancing-weight 10
set internet-connection MPLS02 probe-next-hop true probing-method icmp
set internet-connection MPLS02 probing-advanced probing-frequency 3 probing-window-size 15 failover-after-ping-failure-percent 66 max-latency-allowed 300 high-availability-recovery-time 60
set internet-connection MPLS02 sdwan-tag "MPLS02" sdwan "enabled" download-speed "100" upload-speed "100"

# -----------------SIC-------------------------------

set security-management mode centrally-managed
connect security-management mgmt-addr myHost.com use-one-time-password true local-override-mgmt-addr true send-logs-to local-override-log-server-addr addr myHost.com

# SIC one-time password: use a fresh value per appliance and enter the same value on the gateway object in SmartConsole
set sic_init password tP595EfFcRot

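The post describes renaming one autoconf.<MAC>.clish per USB stick and pre-configuring dozens of appliances by hand-editing the same script. As an added example (not part of the original post and not Check Point tooling), here is a Python generator that renders a trimmed version of the script above from an inventory, normalises each MAC into the file name format the post gives, draws a fresh SIC one-time password per appliance instead of reusing one, checks that each static WAN default gateway actually sits inside the link's subnet, and warns when management is left reachable from any address on WAN. The inventory values, hostnames, regexes and output directory are constructed placeholders; the clish commands themselves are the ones from the post.

```python
import ipaddress
import re
import secrets
import string
from pathlib import Path

# Constructed inventory: hostname, MAC and addresses are made up for the example.
INVENTORY = [
    {"hostname": "SPARK-SITE01", "mac": "00:1c:7f:aa:bb:01", "mgmt_ip": "10.80.80.1",
     "mpls01_ip": "10.251.10.3", "mpls01_gw": "10.251.10.1",
     "mpls02_ip": "10.52.25.3", "mpls02_gw": "10.52.25.1"},
]

# Trimmed version of the post's script; {placeholders} are filled per device.
TEMPLATE = """\
# generated for {hostname} ({mac})
set property first-time-wizard off
delete switch LAN1_Switch
set device-details hostname "{hostname}"
set admin-access interfaces WAN access allow
set admin-access allowed-ipv4-addresses any
set interface LAN1 state on
set interface LAN1 unassigned
add interface LAN1 vlan 80 ipv4-address {mgmt_ip} mask-length 24
set interface LAN1.80 description MGMT
add internet-connection name MPLS01 interface LAN7 type static ipv4-address {mpls01_ip} mask-length 24 default-gw {mpls01_gw}
set internet-connection MPLS01 sdwan-tag "MPLS01" sdwan "enabled" download-speed "100" upload-speed "100"
add internet-connection name MPLS02 interface LAN8 type static ipv4-address {mpls02_ip} mask-length 29 default-gw {mpls02_gw}
set internet-connection MPLS02 sdwan-tag "MPLS02" sdwan "enabled" download-speed "100" upload-speed "100"
set security-management mode centrally-managed
set sic_init password {sic_otp}
"""

HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")  # assumed safe hostname shape

def normalize_mac(mac):
    """Accept 00:1c:7f:..., 00-1C-7F-... or 001c7f...; return XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[:\-. ]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def autoconf_filename(mac):
    """File name the post describes for USB auto-configuration."""
    return f"autoconf.{normalize_mac(mac)}.clish"

def new_sic_otp(length=16):
    """Fresh SIC one-time password per appliance; alphanumeric so it needs no quoting."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def check_link(ip, gw, prefix):
    """Reject a default gateway that is not a different host inside the link's subnet."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    gateway = ipaddress.ip_address(gw)
    if gateway not in iface.network or gateway == iface.ip:
        raise ValueError(f"gateway {gw} is not a valid next hop for {iface}")

def render(device, sic_otp):
    """Validate the inventory row, then fill the template; raises ValueError on bad data."""
    if not HOSTNAME_RE.fullmatch(device["hostname"]):
        raise ValueError(f"bad hostname {device['hostname']!r}")  # keeps quotes out of the clish line
    ipaddress.ip_address(device["mgmt_ip"])
    check_link(device["mpls01_ip"], device["mpls01_gw"], 24)
    check_link(device["mpls02_ip"], device["mpls02_gw"], 29)
    fields = dict(device, mac=normalize_mac(device["mac"]), sic_otp=sic_otp)
    return TEMPLATE.format(**fields)

def audit(script):
    """Settings a reviewer should consciously accept before the USB sticks leave the bench."""
    lines = {ln.strip() for ln in script.splitlines()}
    findings = []
    if ("set admin-access interfaces WAN access allow" in lines
            and "set admin-access allowed-ipv4-addresses any" in lines):
        findings.append("admin access reachable from any source address on WAN")
    return findings

def build_all(inventory, outdir):
    """Write one file per appliance; return {hostname: otp} for the SmartConsole operator."""
    outdir.mkdir(parents=True, exist_ok=True)
    otps = {}
    for device in inventory:
        otp = new_sic_otp()
        script = render(device, otp)
        for finding in audit(script):
            print(f"{device['hostname']}: WARNING {finding}")
        (outdir / autoconf_filename(device["mac"])).write_text(script)
        otps[device["hostname"]] = otp
    return otps

if __name__ == "__main__":
    for host, otp in build_all(INVENTORY, Path("autoconf_out")).items():
        print(f"{host}: SIC one-time password {otp}")
```

Run it once per batch, copy each generated file to its own pendrive, and hand the printed hostname/OTP list to whoever creates the gateway objects in SmartConsole; the OTP is only ever written to the file for that one appliance, so a lost stick does not expose the SIC secret of the other 47.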
2 Replies
WiliRGasparetto

Good Job Israel

the_rock
MVP Diamond

Amazing!

Best,
Andy