Exploring CheckPoint

My first impressions, experiences and notes on the Check Point appliances and tools - the little issues I had and some recommendations going forward.


A few weeks ago, I started a new job, where I got the chance to familiarize myself with Check Point network security appliances (the 3000 series) and tools (SmartConsole R81 and the Gaia console).

I started by installing and configuring Gaia on a 3000 appliance with the configuration wizard, which was simple enough. It guides you through everything required to set it up and takes only around 10 to 15 minutes. Upgrading it from R81 to R81.10 took way longer, and the jumbo package took very long to install as well. I soon realized that the appliance is useless by itself, and requires a management server to function.

What even is SmartConsole?

SmartConsole is an application installed on a client computer used for managing security policies, which are then published to different gateways based on their configuration.

So I set up ESXi 6.5 (which was a bit of a hassle, as I was doing it on an old lab machine) and installed GaiaOS in a VM on the server. Thinking it was just like any other Linux distribution, I was quite conservative with the resources and only assigned it around 40 GB for the boot drive and 4 GB of RAM.

That also worked without a hitch, but for some reason the management server and the appliance did not want to sync their policies. I decided to update the management server to the latest version as well, when I faced my first major issue.

As it turns out, these CheckPoint appliances are really needy about their log partitions. 3GB wasn't enough to even update it. I had to add storage... My first instinct was to just expand the disk, as that had worked every other time I worked with Linux VMs. Turns out, that's the wrong way to go about it. You have to create and add a new drive, and then expand the LVM partitions in Gaia.

As CLISH - the CLI used to configure the appliances - is intended to be used by network administrators to configure things like network interfaces, it's tightly locked down and does not allow much access to the actual Linux system underneath.

To edit anything further, entering expert mode is required. You must first set the expert mode password with set expert-password, and then the mode can be entered with the simple command expert.

This video helped me a buttload when resizing the /var/log partition it was angry about.

When I got to the point of the lvm_manager, it refused to work as I wasn't in the maintenance mode. To put it into maintenance mode, I followed this little guide:

R77.10 maintenance mode

I changed the GRUB settings, waited for it to boot, changed to maintenance mode and it put me into the sh-4.4$ shell. From there, I continued the process as if I were in a normal expert mode shell. I entered lvm_manager and successfully resized the log partition.
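The lesson from the whole log-partition saga is to check the free space before starting an upgrade or jumbo hotfix install rather than after it fails. The following is an added example (my own expert-mode shell script, not anything shipped by Check Point): it parses `df -Pk` output and tells you whether a mount point has at least a given number of GB free. The embedded df output, the volume names in it and the 3 GB threshold are constructed assumptions; the post only says that 3 GB on /var/log was not enough.

```shell
#!/bin/sh
# Added example (not from the original post): check free space on a mount point
# before upgrading a Gaia box. Intended to be run from expert mode, where the
# normal df binary is available.

# Constructed sample of `df -Pk` output with a Gaia-like LVM layout (assumption).
SAMPLE_DF='Filesystem                      1024-blocks     Used Available Capacity Mounted on
/dev/mapper/vg_splat-lv_current    10190136  5236120   4429776      55% /
/dev/mapper/vg_splat-lv_log         3030800  2700000    175300      94% /var/log
tmpfs                               2031244        0   2031244       0% /dev/shm'

# free_kb MOUNT [DF_OUTPUT]: print the available KB for MOUNT.
# Uses live `df -Pk` when no DF_OUTPUT is given; fails if MOUNT is not listed.
free_kb() {
    mount="$1"
    df_out="${2:-$(df -Pk)}"
    printf '%s\n' "$df_out" | awk -v m="$mount" \
        '$6 == m { print $4; found = 1 } END { exit (found ? 0 : 1) }'
}

# check_space MOUNT MIN_GB [DF_OUTPUT]: return 0 if MOUNT has at least MIN_GB free,
# 1 if it is too small, 2 if the mount point is not present.
check_space() {
    avail=$(free_kb "$1" "${3:-}") || { echo "mount $1 not found" >&2; return 2; }
    need=$(( $2 * 1024 * 1024 ))
    if [ "$avail" -ge "$need" ]; then
        echo "$1: $((avail / 1024)) MB free, OK for a ${2} GB minimum"
        return 0
    fi
    echo "$1: only $((avail / 1024)) MB free, need ${2} GB; grow the LV with lvm_manager first" >&2
    return 1
}
```

On a real appliance, `check_space /var/log 3` without the third argument reads the live df output.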


A note on standalone/centrally managed appliances

With the 3000 appliances, if you set it to standalone management (gateway + management), the only way to reverse that decision is to reinstall Gaia from the factory version, which can be very tedious, so make sure to set the option correctly the first time.

It's also worth noting that, while standalone management is supported on 3000 appliances, it probably won't work well, as the management server is very resource heavy and the performance may be underwhelming. Considering how easy it is to set up a separate management server VM, it should be a no-brainer for anyone who has already spent several thousand Euros on the appliances themselves.

Other small notes

I had a little trouble configuring the gateway interfaces to use DHCP addresses instead of static addresses - it's not even an option in the Gaia configuration interface. I found that the following commands can be used in the CLISH to configure DHCP manually:

add dhcp client interface eth1
set interface eth1 state on

Another thing I noted is that in the case you need to change the SIP pre-shared password, there's no obvious way to do it through the Gaia configuration interface, so I found this useful command to configure everything possible in the configuration wizard through the CLISH:

cpconfig

And that's about it!

I only had around a week to play with these appliances, and I must say I really enjoyed taking a look at the top-of-the-line firewalls in use today, and getting a sneak peek into the future of cybersecurity. There are many features I found very cool and that I would have never even thought of - like the option to filter allowed file types and even credit card information to secure the users on the network.

I did say the next (this) post will be about my adventures with Moodle, oh well... I'll get around to that soon... See ya!