Checkpoint IP Appliance install only with CLI

Posted on November 13, 2010


I always look for the fastest way – CLI – if I have to configure something. That’s why I decided to try an Nokia Firewall install without any Browser and Java, those things makes the day really slooow.
On IPSO it is possible to configure fast everything on CLI, on SecurePlatform it was earlier not possible. What the actual state, I will try it soon.

On IPSO the command line interface is reachable via the CLISH. Lets try the whole bunch of install only with console access:

In this test I used the following settings:

The Firewall Cluster:
1. FIREWALL HOSTNAME: myfirewall01
1. FIREWALL myfirewall01 inside (Management) IP:
1. FIREWALL myfirewall01 outside IP:
2. FIREWALL HOSTNAME: myfirewall02
2. FIREWALL myfirewall02 inside (Management) IP:
2. FIREWALL myfirewall02 outside IP: 

Primary DNS Server IP:
Secondary DNS Server IP:

NTP Server IP:
NTP Server Version: 3
Timezone: Germany/Berlin

1. Set the hostname

Nokia[admin]# clish
NokiaIP290:1> set hostname myfirewall02

2. Set the domainname and DNS servers.

NokiaIP290:3> set dns domainname
NokiaIP290:4> set dns primary
NokiaIP290:5> set dns secondary

3. Set the NTP Client (For logging and VPN it is a must).

NokiaIP290:6> add ntp server version 3 prefer yes

4. Set yout timezone (For logging and VPN it is a must). In this example I used Germany for my timezone (GMT+1)

NokiaIP290:7> set date timezone-city Germany/Berlin

5. Setup the local resolution of the hostname. This step is required for installing Checkpoint Firewall if the firewall hostname is not in the DNS (I guess).

NokiaIP290:8> add host name YourFirewallHostname ipv4 ManagementIPOfTheFirewall
NokiaIP290:9> add host name ipv4 YourSecondFirewallHostname ipv4 ManagementIPOfTheSecondFirewall

NokiaIP290:10> add host name myfirewall01 ipv4
NokiaIP290:11> add host name myfirewall02 ipv4

6. Setup the Logging. I like log everything and later check how much log I got. If I do not have enough space, then I decrease the logging or move to external syslog server.

NokiaIP290:12> set syslog auditlog permanent
NokiaIP290:13> set syslog auditlog-presentation text enable
NokiaIP290:14> set syslog voyager-auditlog on

7. In case your colleague need web based access to the Firewall you need to setup SSL for Voyager
(+If the ‘support visitor mode’ on the Firewall for the remote access vpn is enabled, you need to change the listening port for Voyager. Here I use tcp port 444.)

NokiaIP290:15> set voyager ssl-level 128
NokiaIP290:16> set voyager ssl-port 444

8. I am ready, I have to save the configuration.

NokiaIP290:17> save config

9. Install the checkpoint product on the top of IPSO Operating System.
On a new Nokia Firewall, the IPSO image and the Checkpoint Firewall is already uploaded. Those steps can I – in my case – ignore :-)

myfirewall02[admin]# cpconfig 

Welcome to Check Point Configuration Program
Please read the following license agreement.
Hit ‘ENTER’ to continue…

Do you accept all the terms of this license agreement (y/n) ? y

Please select one of the following options:
Check Point Power – for headquarters and branch offices.
Check Point UTM – for medium-sized businesses.

(1) Check Point Power.
(2) Check Point UTM.

Enter your selection (1-2/a-abort) [1]: 1

Select installation type:

(1) Stand Alone – install VPN-1 Power Gateway and SmartCenter Power.
(2) Distributed – install VPN-1 Power Gateway, SmartCenter and/or Log Server.

Enter your selection (1-2/a-abort) [1]: 2

Select installation type:

(1) VPN-1 Power Gateway.
(2) SmartCenter Power.
(3) SmartCenter Power and VPN-1 Power Gateway.
(4) Enterprise Log Server.
(5) VPN-1 Power Gateway and Enterprise Log Server.

Enter your selection (1-5/a-abort) [1]: 1
Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ? n
Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ? y
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.

Configuring Licenses…
Host Expiration Signature Features

Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.

Do you want to add licenses (y/n) [y] ? n

Configuring Group Permissions…

Please specify group name [ for super-user group]:

No group permissions will be granted. Is this ok (y/n) [y] ? y

Configuring Random Pool…
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in
various cryptographic operations.

Please enter random text containing at least six different
characters. You will see the ‘*’ symbol after keystrokes that
are too fast or too similar to preceding keystrokes. These
keystrokes will be ignored.

Please keep typing until you hear the beep and the bar is full.


Thank you.

Configuring Secure Internal Communication…
The Secure Internal Communication is used for authentication between
Check Point components

Trust State: Uninitialized
Enter Activation Key: YourActivationKey
Retype Activation Key: YourActivationKeyAgain

The Secure Internal Communication was successfully initialized

Compiled OK.

Hardening OS Security: Initial policy will be applied
until the first policy is installed

In order to complete the installation
you must reboot the machine.
Do you want to reboot? (y/n) [y] ? y

After booting up the Firewall first I deaktivated the default Policy.

# fw unloadlocal 

Uninstalling Security Policy from all.all@inlanfwsani04n10

10. Install the required HFAs. After uploading the HFA to the firewall, it is useful to check the integrity with the MD5 command. The MD5 hash can be found on the Checkpoint website.

# cd /opt
# mkdir hfa60
# cd hfa60  

# ftp FTPServerAddress
ftp> get Check_Point_NGX_R65_HFA_60.ipso.tgz
local: Check_Point_NGX_R65_HFA_60.ipso.tgz remote: Check_Point_NGX_R65_HFA_60.ipso.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 116 MB 00:00 ETA
226 Closing data connection; File transfer successful.
122607837 bytes received in 18.04 seconds (6.48 MB/s)
ftp> exit

# md5 Check_Point_NGX_R65_HFA_60.ipso.tgz
MD5 (Check_Point_NGX_R65_HFA_60.ipso.tgz) = 1169f3d4ebd024562326968c8d75273b

# tar -xzvf Check_Point_NGX_R65_HFA_60.ipso.tgz
# ./UnixInstallScript

Package Name Status
———— ——
VPN-1 Power/UTM NGX R65 HFA Succeeded


Just one more reboot and i am ready.

After cpstop if I need the router functionality of the firewall I should use this:
FW-1: disabling IP forwarding. To enable run: “ipsofwd on username