Attiq786
Participant

User.def location on Smart-1 Cloud

Hi All,
I have migrated our Management server to Smart-1 Cloud and am looking to import the user.def file. Not sure if it's possible, as I have not found any reference in the Smart-1 Cloud management guide. Does it have to be uploaded via API?

I can browse to the home directory on Smart-1 Cloud but am not sure if the file needs to be uploaded there.

0 Kudos
13 Replies
G_W_Albrecht
Legend

The location depends on GW version, see sk98239 (Location of 'user.def' file on Management Server)

But with Smart-1 Cloud you will have to contact TAC, afaik it is not possible/supported to change special files after migration yourself.

0 Kudos
Attiq786
Participant

@G_W_Albrecht Thanks a lot for the info.
Regards

0 Kudos
PhoneBoy
Admin

Anything that requires dbedit or editing .def files on Smart-1 Cloud will require a TAC case to perform.

0 Kudos
Tomer_Noy
Employee

Procedures that require file editing on the Management machine are not directly supported in Smart-1 Cloud. Such cases should indeed go through TAC and they will make the change & document it so that we can take it into account when maintaining the environment.

It's worth mentioning two things in this context:

  1. GuiDBEdit is available to Smart-1 Cloud customers. Although it is an advanced tool and should be used carefully, it works within the same DB as SmartConsole and does not modify files on the disk. You can launch it from within SmartConsole via the main menu.
  2. A very common use-case for user.def is to modify the subnet_for_range_and_peer parameter. Since R80.40 it's possible to configure custom VPN encryption domains directly in the Community configuration in SmartConsole UI. That is a much better way and can save you the need to modify user.def.
Ted_Serreyn
Contributor

Interesting, the custom VPN domains. Could you give a reference or explain how this could be used to exclude IP addresses from a VPN? We are now hitting this as we move customers over to Smart-1 Cloud.

0 Kudos
PhoneBoy
Admin

You can see a screenshot of it here: https://community.checkpoint.com/t5/Security-Gateways/multiple-domain-per-vpn-community/m-p/115382/h...
There are still going to be situations where .def files will need to be edited, which will have to be done by the TAC.

0 Kudos
Ted_Serreyn
Contributor

Yeah, that definitely doesn't match my case: 1500 remote gateways with route-all VPN, but now we need to exclude the cloud MaaS service IP addresses for things to work correctly with Smart-1 Cloud.

Someday we will be able to modify and exclude encryption domains on all devices.

0 Kudos
Tomer_Noy
Employee

Hi @Ted_Serreyn,

Can you share some details on what didn't work for you and whether excluding the Management service IPs really solved the issue?

Did you exclude the Management instance internal IP, or the IPs of other service entry points?

Theoretically, there should be implied rules that exclude Management services from the VPN community. I'd like to understand why this didn't work out of the box.

If you prefer to take the discussion offline, we can do that as well.

Thanks,
Tomer

0 Kudos
Tomer_Noy
Employee

After our short conversation, it seems that the outgoing traffic from the gateway to the Management in the cloud is encrypted by the "route all traffic through VPN" setting. It might be possible to handle this via .def changes on the Management, but there is a simpler solution.

On the latest Gaia Embedded firmware (R80.20.30) there is a new parameter for this scenario, in which you can exclude encryption on outgoing traffic that originates from the satellite gateway. 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
(SMB-15429 - accept_outgoing_without_vpn)

We will follow up to see that the issue is indeed resolved. Also, we will check how to improve this scenario and make it work seamlessly out-of-the-box, without manual tweaks.

0 Kudos
the_rock
Authority

Hi Tomer,

Just for my own information, though it might be slightly unrelated: if there is ever a need to modify any files on the cloud management server, what is the official process? Open a TAC case or something else? I ask because I know there is no SSH access to the cloud management, and what can be opened from the web portal I believe only gives basic API access, not even regular clish commands.

Thanks in advance.

0 Kudos
PhoneBoy
Admin

The official process is opening a TAC case and we make the required changes on the backend.

0 Kudos
Tomer_Noy
Employee

Indeed, a TAC case is needed when a customer / partner needs to change a file or use some expert setting on the Management environment.

We understand that this is not always convenient, so we are working to minimize the need for such cases.

  • Many file-related changes are actually not necessary when we manage the environment. The customer doesn't need to tweak performance, storage or other details.
  • Some changes can already be done in the UI instead of in files. A good example is customizing the VPN encryption domains, which has existed in the SmartConsole UI since R80.40, but we still see customers configure it in user.def.
  • CG IaaS auto-scaling configuration was also done in files, but in R81.10 we added the option to configure it via Management REST API or Management CLI. Soon Smart-1 Cloud will upgrade to R81.10, so that will be available as well.
  • Last, we are working to take the most common cases and expose them in a better way. For example, we are looking at giving users the option to upload customized .def files. It's not full access via SSH, but will cover a relatively common need.

I hope the extra info helps.

the_rock
Authority

Yes, thank you, very good explanation!

0 Kudos