Checkpoint: Change the Default WebUI Port in SecurePlatform and Gaia

The WebUI default access port is HTTPS 443. This can conflict when installing some Check Point products, e.g. Endpoint Security Server. In order to mitigate this, change the default webUI port as follows:

SecurePlatform

Log in to the SecurePlatform CLI in Standard mode, and run this command:

webui enable <port_number>

You should see the following:

Shutting down cp_http_server_wd [OK]
Shutting down cpwmd_wd [OK]
Running cp_http_server_wd [OK]
Running cpwmd_wd [OK]

To disable access to the WebUI, run the command:

webui disable

Gaia

To set the Webui port on Gaia enter clish and run:

CLISH> set web ssl-port <port number>

CLISH> save config

** Please read below – this must also be mirrored through SmartDashboard otherwise every policy installation will revert to the default 443 **

To change it through SmartDashboard:

Open ‘SmartDashboard > gateway/cluster object > platform portal’, and in the “Main URL” add the relevant port, for example:

https://143.100.80.100:xxx

This will force the machine to use port xxx. In the case of a cluster, this will also work for both members.

If this is not changed, every policy installation will change the port back to the default 443.

Checkpoint: Migrate R76 Standalone Firewall to a Distributed Smartcenter and Gateways (R7x.xx)

“Database migration between Standalone and Management only machines is not supported”

The error above is observed when trying to migrate the management from a standalone firewall to a new Smartcenter for distributed architecture and appears to be more of a bug than anything else.

Luckily it is easily sorted:

1. Take an export of existing standalone management & firewall:

Download newest migration tools from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91140 and run an export:
# $FWDIR/bin/upgrade_tools/migrate export MY_EXPORT

2. Extract the files from the MYEXPORT.tgz using e.g. 7zip. Using Notepad++ or similar, change the “configuration” and “configuration2” files to take the Firewall element out as shown in the pictures below:
Remove the “Firewall” string in “configuration” ..

configuration_1

 

 

 

.. to look like this:

configuration_2
And change the following strings in the “configuration2” file ..

configuration2_1
.. to look like this:

configuration2_2

 

 

 

 

 

 

 

 

 

 

 

 

3. Repackage the files into MY_NEW_EXPORT.tgz, copy them on to the new management center and run the import:

# $FWDIR/bin/upgrade_tools/migrate import MY_NEW_EXPORT

Job done!

Checkpoint: Getting Serial Network Extender VPN (SNX) to work with Mobile Access Blade (MAB)

Explanation:

Before MAB came along, SNX terminated on the IPSEC VPN blade and life was good. You browsed to the external IP, were presented with a popup window, entered your credentials and had good old network connectivity tunnelled over SSL.

Then executives jumped on the iPad / tablet bandwagon and the Mobile Access Blade was born. The MAB now intercepted all traffic and everything terminated on it. SNX appeared to no longer exist but at least the executives were happy as they could access OWA on their mobile devices. And god frowned. Now on to the good stuff:

Symptoms and Status:

  • No SNX window opens when you https to your gateway’s IP – you get the Mobile Portal only
  • Once you log into the portal, there is no “Connect” button to allow you proper network access

Notes / Caveats:

  • Checkpoint Mobile VPN on tablets works, IP network connectivity is present.
  • Not to be confused with Checkpoint Mobile- this only allows published applications. See references below for details)
  • The MAB portal cannot be bypassed to provide direct access to SNX, it is necessary to sign in to MAB and then connect from there.

Fix:

In order to bring back SNX, we need to:

  • Specify access to each subnet we want the SNX user to be able to access
  • Publish these as “Native Applications” – if there are no native applications then the “Connect” button will not be shown

1. Make sure Mobile Access Blade is selected

Mobile Access Blade

 

 

 

 

 

 

 

2. Define address ranges for each subnet you want VPN users to access:

addr_range

 

 

 

 

 

 

 

 

 

3. Create a rule in the MAB policy to allow either a group of users or just All_Users to access the resource: policy

 

 

 

 

4. PUSH THE POLICY!!

5. Log in to the portal:

portal sign in

 

 

 

 

 

 

6. Hit the connect button

connect1 connect1

 

7. Connected, job done!

connect2

 

 

 

 

 

 

 

 

References:

Below are the references for android but there are also apps for iPhone and iPad in the iTunes store.

Android Mobile:

  • https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65314
  • https://play.google.com/store/apps/details?id=com.CheckPointVpn&hl=en

Android Mobile VPN:

  • https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84141
  • https://play.google.com/store/apps/details?id=com.checkpoint.VPN&hl=en