First Time Wizard – run it from Expert

When performing a clean install of your gateways, consider running the First Time Wizard from Expert mode instead of clicking through it.

[Expert@gw2:0]# config_system -h
Usage: config_system <options>
where config_system options include:
-f|--config-file <path>       Read first time wizard configuration
                              from <path>.
-s|--config-string <string>   Read first time wizard configuration
                              from string.
-t|--create-template <path>   Write first time wizard configuration
                              template file in <path>.
--dry-run                     Verify that first time wizard
                              configuration file is valid.
-l|--list-params              List configurable parameters.

If both, configuration file and string, were provided, configuration
string will be ignored.
Configuration string should consist of parameters separated by '&'.
Each parameter should include key followed by value e.g. param1=value.
For the list of all configurable parameters and their descriptions,
create configuration template file with config_system -t <path> .
[Expert@gw2:0]#

[Expert@gw2:0]# config_system -t ftw.txt        (-t creates the template)
[Expert@gw2:0]#
(Edit the config file with vi)
[Expert@gw2:0]# vi ftw.txt
--------------------------------------------------

#########################################################################
#                                                                       #
#                        Products configuration                         #
#                                                                       #
#     For keys below set "true"/"false" after '=' within the quotes     #
#########################################################################

# Install Security Gateway.
install_security_gw=true

# Enable DAIP (dynamic IP) gateway.
# Should be "false" if CXL or Security Management enabled
gateway_daip="false"

# Enable/Disable CXL.
gateway_cluster_member=

# Install Security Management.
install_security_managment=false

# Optional parameters, only one of the parameters below can be "true".
# If no primary or secondary specified, log server will be installed.
# Requires Security Management to be installed.
install_mgmt_primary=false
install_mgmt_secondary=false

# Provider-1 parameters
# e.g: install_mds_primary=true
# install_mds_secondary=false
# install_mlm=false
# install_mds_interface=eth0
install_mds_primary=false
install_mds_secondary=false
install_mlm=false
install_mds_interface=false

# Automatically download Blade Contracts and other important data (highly recommended)
# It is highly recommended to keep this setting enabled, to ensure smooth operation of Check Point products.
# for more info see sk94508
#
# possible values: "true" / "false"
download_info="true"

# Improve product experience by sending data to Check Point
# If you enable this setting, the Security Management Server and Security Gateways may upload data that will
# help Check Point provide you with optimal services.
# for more info see sk94509
#
# possible values: "true" / "false"
upload_info="false"

# In case of Smart1 SmartEvent appliance, choose
# Security Management only, log server will be installed automatically

#########################################################################
#                                                                       #
#                          Products Parameters                          #
#                                                                       #
#                  For keys below set value after '='                   #
#########################################################################

# Management administrator configuration
# Set to "gaia_admin" if you wish to use the Gaia 'admin' account.
# Set to "new_admin" if you wish to configure a new admin account.
# Must be provided, if Security Management installed
mgmt_admin_radio=

# In case you chose to configure a new Management admin account,
# you must fill in the credentials.
# Management administrator name
mgmt_admin_name=

# Management administrator password
mgmt_admin_passwd=

# Management GUI clients
# choose which GUI clients can log into the Security Management
# (e.g. any, 1.2.3.4, 192.168.0.0/24)
#
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Set to "this" if it's a single IP
# Must be provided if Security Management installed
mgmt_gui_clients_radio=
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of “network”, provide IP in dotted format and netmask length
# in range 1-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
#
# In case of a single IP
mgmt_gui_clients_hostname=

# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary Security Management not installed
ftw_sic_key=MySecretSicKeyGoesHere

#########################################################################
#                                                                       #
#           Operating System configuration - optional section           #
#                                                                       #
#                  For keys below set value after '='                   #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
# dbget passwd:admin:passwd
# OR
# grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in the hash, enclose the hash string within quotes.
# e.g. admin_hash='put_here_your_hash_string'
#
# Optional parameter
admin_hash=

# Interface name, optional parameter
iface=

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention, that if you run first time configuration remotely
# and you change IP, in order to maintain the connection,
# an old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after first time configuration
# process.
# Optional parameter, requires "iface" to be specified
# IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
# ipstat_v4 manually/off
# ipstat_v6 manually/off
ipstat_v4=manually
ipaddr_v4=
masklen_v4=
default_gw_v4=

ipstat_v6=off
ipaddr_v6=
masklen_v6=
default_gw_v6=

# Host Name e.g host123, optional parameter
hostname=

# Domain Name e.g. checkpoint.com, optional parameter
domainname=

# Time Zone in format Area/Region (e.g. America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west of Greenwich)
# Enclose time zone string within the quotes.
# Optional parameter
timezone=''

# NTP servers
# NTP parameters are optional
ntp_primary=
ntp_primary_version=
ntp_secondary=
ntp_secondary_version=

# DNS - IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=
secondary=
tertiary=

# Proxy Settings - Address and port of Proxy server
# Proxy Settings are optional
proxy_address=
proxy_port=

#########################################################################
#                                                                       #
#                     Post installation parameters                      #
#                                                                       #
#     For keys below set "true"/"false" after '=' within the quotes     #
#########################################################################
# Optional parameter, if not specified the default is false
reboot_if_required=

--------------------------------------------------

When you have customized the config file, validate it with config_system --dry-run and then run it from Expert mode:

[Expert@gw2:0]# config_system -f ftw.txt
dos2unix: converting file ftw.txt to UNIX format …

Validating configuration file: Done
Configuring OS parameters: Done
Configuring products: Done
Verifying installation…

First time configuration was completed!

Reboot is required in order to complete the installation, please perform it manually

Going to load initial security policy.
Your remote session will be disconnected now.
Login again to continue working on the gateway.

For more info see SecureKnowledge article sk69701.
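Because config_system drops your remote session and reboots once it accepts the file, it pays to catch a broken ftw.txt before that point. The script below is an added example written for this post, not code from the original page or from Check Point: it re-checks, in plain shell with only grep/sed/cut, the rules that the template's own comments state (DAIP versus cluster member or management, at most one of primary/secondary management, the required admin and GUI-client fields, the SIC key, iface together with ipaddr_v4, a quoted admin_hash) and also refuses a file that is group- or world-readable, since ftw.txt carries the SIC key and the admin password in clear text. The function names (ftw_get, ftw_check, ftw_write_sample) and every value in the sample file are assumptions made for the example.

```shell
#!/bin/bash
# Pre-flight checker for a config_system first-time-wizard file (ftw.txt).
# Added example for this post, not code from the original page or from Check Point.
# It re-checks, with only grep/sed/cut, the rules stated in the template's own
# comments, so a bad file is caught before "config_system -f" acts on it.

# Print the value of key $2 from file $1 with surrounding quotes stripped.
ftw_get() { sed -n "s/^$2=//p" "$1" | head -n 1 | sed "s/^['\"]//; s/['\"]\$//"; }
_fail() { echo "ERROR: $*" >&2; FTW_ERRORS=$((FTW_ERRORS + 1)); }

# Validate file $1; returns 0 when clean, otherwise the number of problems found.
ftw_check() {
    local file="$1" gw mgmt daip cxl prim sec sic mask hash_raw
    FTW_ERRORS=0
    [ -r "$file" ] || { _fail "cannot read $file"; return 1; }
    # The file holds the SIC key and admin password in clear text.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] \
        || _fail "$file is readable by group/other; chmod 600 it"
    gw=$(ftw_get "$file" install_security_gw)
    mgmt=$(ftw_get "$file" install_security_managment)  # key is spelled this way in the template
    daip=$(ftw_get "$file" gateway_daip)
    cxl=$(ftw_get "$file" gateway_cluster_member)
    prim=$(ftw_get "$file" install_mgmt_primary)
    sec=$(ftw_get "$file" install_mgmt_secondary)
    sic=$(ftw_get "$file" ftw_sic_key)

    [ "$gw" = true ] || [ "$mgmt" = true ] || _fail "neither gateway nor management selected"
    # DAIP is incompatible with a cluster member and with a management server.
    if [ "$daip" = true ]; then
        [ "$cxl" = true ] && _fail "gateway_daip and gateway_cluster_member cannot both be true"
        [ "$mgmt" = true ] && _fail "gateway_daip must be false when management is installed"
    fi
    # At most one of primary/secondary, and only together with management.
    [ "$prim" = true ] && [ "$sec" = true ] && _fail "only one of install_mgmt_primary/secondary may be true"
    { [ "$prim" = true ] || [ "$sec" = true ]; } && [ "$mgmt" != true ] \
        && _fail "install_mgmt_* requires install_security_managment=true"
    # Everything except a primary management needs a SIC key.
    if ! { [ "$mgmt" = true ] && [ "$prim" = true ]; }; then
        [ -n "$sic" ] || _fail "ftw_sic_key is required unless a primary management is installed"
    fi

    if [ "$mgmt" = true ]; then
        case "$(ftw_get "$file" mgmt_admin_radio)" in
            gaia_admin) ;;
            new_admin) [ -n "$(ftw_get "$file" mgmt_admin_name)" ] && [ -n "$(ftw_get "$file" mgmt_admin_passwd)" ] \
                           || _fail "new_admin requires mgmt_admin_name and mgmt_admin_passwd" ;;
            *) _fail "mgmt_admin_radio must be gaia_admin or new_admin" ;;
        esac
        case "$(ftw_get "$file" mgmt_gui_clients_radio)" in
            any) ;;
            range)   [ -n "$(ftw_get "$file" mgmt_gui_clients_first_ip_field)" ] && [ -n "$(ftw_get "$file" mgmt_gui_clients_last_ip_field)" ] \
                         || _fail "range requires mgmt_gui_clients_first/last_ip_field" ;;
            network) [ -n "$(ftw_get "$file" mgmt_gui_clients_ip_field)" ] && [ -n "$(ftw_get "$file" mgmt_gui_clients_subnet_field)" ] \
                         || _fail "network requires mgmt_gui_clients_ip_field and _subnet_field" ;;
            this)    [ -n "$(ftw_get "$file" mgmt_gui_clients_hostname)" ] || _fail "this requires mgmt_gui_clients_hostname" ;;
            *) _fail "mgmt_gui_clients_radio must be any, range, network or this" ;;
        esac
    fi

    # Changing the management IP needs the interface name and a mask length of 0-32.
    if [ -n "$(ftw_get "$file" ipaddr_v4)" ]; then
        [ -n "$(ftw_get "$file" iface)" ] || _fail "ipaddr_v4 is set but iface is empty"
        mask=$(ftw_get "$file" masklen_v4)
        case "$mask" in
            [0-9]|[12][0-9]|3[0-2]) ;;
            *) _fail "masklen_v4 must be 0-32, got '$mask'" ;;
        esac
    fi
    # The template insists the hash be quoted so characters like '$' survive verbatim.
    hash_raw=$(grep -m1 '^admin_hash=' "$file" | cut -d= -f2- || true)
    case "$hash_raw" in
        ''|\'*\'|\"*\") ;;
        *) _fail "admin_hash must be enclosed in quotes" ;;
    esac
    return "$FTW_ERRORS"
}

# Write a constructed sample file (every value invented for this example) to $1.
ftw_write_sample() {
    cat > "$1" <<'EOF'
install_security_gw=true
gateway_daip="false"
install_security_managment=false
install_mgmt_primary=false
ftw_sic_key=ExampleSicKey123
admin_hash='$6$examplesalt$exampleHashNotReal'
iface=eth0
ipaddr_v4=192.0.2.10
masklen_v4=24
reboot_if_required=false
EOF
    chmod 600 "$1"
}

# Stand-alone: "bash ftw_check.sh ftw.txt"; with no argument it checks the constructed sample.
[ "$#" -gt 0 ] && target=$1 || { target=$(mktemp); ftw_write_sample "$target"; }
ftw_check "$target" && echo "$target: no problems found"
```

Run it as `bash ftw_check.sh ftw.txt` before `config_system --dry-run` and `config_system -f`; the exit status is the number of problems found, each one printed on stderr. The permission check is deliberately an error rather than a warning, and for the same reason delete ftw.txt once the wizard has completed.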


Checkpoint R80 CPM – new ports for SmartConsole (old CPMI)

If you have installed R80.10 recently, you might have noticed that the management ports have changed from earlier versions.

Earlier, the ports were TCP/18190 and TCP/18264.

From R80 onwards, the "CPM" port is TCP/19009.

CPM (Check Point Management Server): listened on by the CPM server for remote connections, for example from SmartConsole (added in R80).

An updated list of the ports used by Check Point software is maintained in SecureKnowledge article sk52421.

First Time Wizard – run it again or skip it.

If you have been deploying Check Point firewalls, at some point you have most likely wanted to skip the First Time Wizard.

When migrating gateways to new hardware, I often save the Gaia configuration and import it just after installing the new appliance. This saves me the trouble of configuring everything from scratch.

(Note that this is not possible in all scenarios.)

Gaia "save configuration" command:
---------------------
mgmt1> save
clienv        - Save CLI environment variables.
config        - save current configuration
configuration - Save configuration to file
mgmt1> save configuration mysavedconfigurationfile
---------------------

In most cases I skip the FTW and import the saved Gaia config.

To skip the Gaia FTW in R80 and above, create the "accepted" marker files manually.

Log in to Expert mode and create these files:

  • [Expert@HostName:0]# touch /etc/.wizard_accepted
  • [Expert@HostName:0]# touch /etc/.wizard_started

For the full description see sk71000.

If you want to rerun the FTW, simply delete the files above:

  • rm -i /etc/.wizard_accepted
  • rm -i /etc/.wizard_started

See also…

http://svendsen.me/first-time-wizard-run-it-from-expert/

https://www.checkpoint.com/

Checkpoint Anti-Ransomware – now in consumer version at Zonealarm.com

Check Point has a dedicated goal: to fight ransomware globally.
This means that Check Point's consumer solution, Zonealarm, benefits from the research done at Check Point.
Antivirus is dying (if not already dead), but threat emulation is one path towards the future.
Zonealarm has released an affordable Anti-Ransomware solution, based on Check Point's Anti-Ransomware product.

The price is the best part... at the time of writing, Anti-Ransomware is priced at $1.99/month (about 13 DKR).
The low price makes it very affordable in my opinion.

I bought a license for 3 PCs and installed the Anti-Ransomware agent last Thursday (12/10-2017), and boy am I glad I did.
Today I was working with password cracking software, and at some point I downloaded some software containing ransomware. (I know, it's my own fault...)
Moments later, the Check Point/Zonealarm Anti-Ransomware agent informed me that something was very wrong...

The Anti-Ransomware agent looks like this when everything is fine, and when everything is not so fine...

I of course chose "Repair file", which triggered the agent to delete and restore...

Be aware that the computer will reboot several times, so you need to be patient. At some point I noticed that my mails from April until now were gone... this of course got me worried, so I contacted Zonealarm support. The most disturbing part of the experience was that the Zonealarm agent was also missing, and nowhere to be found.
It was even missing in Control Panel > Programs.

Apparently this is what it is supposed to do... after rebooting again, and waiting 10-15 minutes for the computer to "Prepare Windows for use", everything was back to the way it was supposed to be.

The mails that were missing were back, Zonealarm was visible in "Programs" and my desktop looked like it did this morning.

Even if it was a bit scary, and I could wish for some visual "steps for recovery" on the Zonealarm agent, it turned out fine.
I would definitely recommend that you give the product a try... it could save the day at some point!

Worried about Check Point's use of Kaspersky products? Here's how to disable and remove them.

According to this article at the Guardian, Kaspersky Lab has been compromised by Russian intelligence.
My guess is that they are not the only company in the world.

Wired.com also covers the story.

In response, Check Point has released sk118539 on how to disable and remove Kaspersky Lab components from the Check Point Security Gateway.

If you are responsible for security, you may need to consider disabling the Kaspersky Lab components.
This covers Anti-Virus Deep Scan, Anti-Virus Archive Scanning and Traditional Anti-Virus.

The suggestion is to enable the Threat Emulation blade as a replacement.
My opinion is that the TE blade is far superior to the traditional AV components, so this might be a good chance to test it.

New Jumbo Hotfix – GA available, Take 205

Check Point released a new GA Jumbo Hotfix for R77.30 on 15 Dec 2016:
Check_Point_R77_30_JUMBO_HF_1_Bundle_T205_FULL.tgz

Note: Effective December 15th 2016, the General Availability Take_205 is available for CPUSE online installation in Gaia Portal and Gaia Clish (it replaces Take_185).

Latest ongoing: Take_213, released 05 Feb 2015.

See sk106162 for further details.

Checkpoint Data Center Security Appliances 41000

This week I was lucky enough to get a closer look at Check Point's 41000 Data Center Security Appliance.

It truly is a beauty, and I was lucky enough to get some "hands on" time on my own.
More to come within the next few days, but until then here is a picture of the beautiful creature, and a link for more info.

https://www.checkpoint.com/products/41000-61000-security-systems/