Checkpoint: Getting Serial Network Extender VPN (SNX) to work with Mobile Access Blade (MAB)

Explanation:

Before MAB came along, SNX terminated on the IPSEC VPN blade and life was good. You browsed to the external IP, were presented with a popup window, entered your credentials and had good old network connectivity tunnelled over SSL.

Then executives jumped on the iPad / tablet bandwagon and the Mobile Access Blade was born. The MAB now intercepted all traffic and everything terminated on it. SNX appeared to no longer exist but at least the executives were happy as they could access OWA on their mobile devices. And god frowned. Now on to the good stuff:

Symptoms and Status:

  • No SNX window opens when you https to your gateway’s IP – you get the Mobile Portal only
  • Once you log into the portal, there is no “Connect” button to allow you proper network access

Notes / Caveats:

  • Checkpoint Mobile VPN on tablets works, IP network connectivity is present.
  • Not to be confused with Checkpoint Mobile, which only allows published applications (see references below for details).
  • The MAB portal cannot be bypassed to provide direct access to SNX, it is necessary to sign in to MAB and then connect from there.

Fix:

In order to bring back SNX, we need to:

  • Specify access to each subnet we want the SNX user to be able to access
  • Publish these as “Native Applications” – if there are no native applications then the “Connect” button will not be shown

1. Make sure Mobile Access Blade is selected

2. Define address ranges for each subnet you want VPN users to access:

3. Create a rule in the MAB policy to allow either a group of users or just All_Users to access the resource.

4. PUSH THE POLICY!!

5. Log in to the portal:

6. Hit the connect button

7. Connected, job done!

References:

Below are the references for android but there are also apps for iPhone and iPad in the iTunes store.

Android Mobile:

  • https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65314
  • https://play.google.com/store/apps/details?id=com.CheckPointVpn&hl=en

Android Mobile VPN:

  • https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84141
  • https://play.google.com/store/apps/details?id=com.checkpoint.VPN&hl=en

Checkpoint: Recover / Recreate a Dead Checkpoint Smartcenter from Files in $FWDIR

Smartcenter dead, only the disk survives. All credit to RStewart from cpshared for sharing the knowledge found in sk article sk32508, which unfortunately is internal only. I have only re-worded and re-formatted in places. If anything is wrong or missing, please let me know; I went through this process a couple of weeks ago and am now writing from memory.

  • Take the following 3 files from the SC’s conf directory ($FWDIR/conf) :
    • objects_5_0.C
    • rulebases_5_0.fws
    • fwauth.NDB
  • Build a new SmartCenter of the same version
  • Install the Check Point software from the CD and reboot.
  • Go through sysconfig and configure the OS and the Check Point software. Set the hostname to match the CMA name as closely as you can.
  • Do not reboot and don’t start the products!
  • Put the 3 files above into $FWDIR/conf.
  • Reboot and once the server is up, check you can log in through the dashboard. If you can’t then either something very bad has happened or the instructions above weren’t followed to the T.

Once you have successfully logged in with dashboard, you can progress to the next phase:

  • Follow the process to rename a SmartCenter, which is found in the sk article: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42071

Once the above is complete you will need to do a brutal fwm sic_reset – this involves manually removing any certificates from the objects file.

  • Follow the sk article below to remove the certificates: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk10451
  • Give it a reboot and you should be good to go

If you’re doing an upgrade from an unsupported version to R7x.x one, the following docs may be useful:

  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R70.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R71.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R75.gif

Original reference: https://www.cpshared.com/forums/archive/index.php/t-1163.html

Android: Setting The SMSC (SMS Message Centre) in Android ICS

A combination of being in a rush and fat fingers whilst in the “Testing” menu (*#*#4636#*#*) led to me deleting the SMS Message Centre Number from my Google Nexus S phone.

It runs a custom ICS – either Apex or AndroidME – and there is no “Message Centre” setting under the Messaging App.

So, scrolling to the bottom in the Testing menu -> Phone Information you can see the “SMSC: ” field.

Tip: DON’T PRESS UPDATE, PRESS “REFRESH” TO SEE THE CURRENT SETTING!!!

The actual SMSC number is: +447785016005, however inputting this into the field and hitting update just produces “update error”. The issue is that this needs to be translated into PDU format (Protocol Description Unit) and you can do that here: http://www.twit88.com/home/utility/sms-pdu-encode-decode.

For the number above, this turns out to be 0791447758100650 which is what you would hope to see on your working UK Vodafone droid.
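
The same conversion written out in Python, as an added example that is not part of the original post: the SMSC field is a length octet, a type-of-address octet (0x91 for an international number) and then the digits with each pair swapped, padded with F when the digit count is odd. The function names are my own.

```python
# Added example: encode/decode the SMSC address field of an SMS PDU.
TOA_INTERNATIONAL = 0x91  # type of number: international, plan: ISDN/telephone
TOA_UNKNOWN = 0x81        # type of number: unknown (no leading "+")


def _swap_semi_octets(digits: str) -> str:
    """Pad to an even length with 'F', then swap the two digits of each pair."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def encode_smsc(number: str) -> str:
    """Return the SMSC field (length, type-of-address, swapped digits) as hex."""
    number = number.strip().replace(" ", "")
    toa = TOA_INTERNATIONAL if number.startswith("+") else TOA_UNKNOWN
    digits = number.lstrip("+")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a dialable number: {number!r}")
    body = _swap_semi_octets(digits)
    length = 1 + len(body) // 2  # octets that follow the length octet
    return f"{length:02X}{toa:02X}{body}"


def decode_smsc(field: str) -> str:
    """Reverse encode_smsc(); rejects a length octet that does not match."""
    field = field.strip().upper()
    length = int(field[0:2], 16)
    toa = int(field[2:4], 16)
    body = field[4:]
    if len(body) != (length - 1) * 2:
        raise ValueError("length octet does not match the address data")
    digits = _swap_semi_octets(body).rstrip("F")
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # TON bits == international
    return prefix + digits


if __name__ == "__main__":
    print(encode_smsc("+447785016005"))
    print(decode_smsc("0791447758100650"))
```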

For some people, entering the PDU number above into your SMSC field in the testing menu and pressing “update” will have the desired effect but for me, the “update” button won’t work unless you have a “+” in front of the number which is no use at all.

The solution? Take the SIM card out and stick it in a non-android phone (I used a Blackberry), go to the messaging app, settings, message centre number and enter the real number, i.e. +447785016005.

Save, exit, power off, replace SIM into Android phone, job done.

Hope this helps someone ..

References:

http://forum.xda-developers.com/showthread.php?t=926771