Solved

Checkpoint problem

Posted on 2001-08-30
8
629 Views
Last Modified: 2013-11-16
I inherited a Checkpoint firewall that had an incorrect configuration.  If I go into Checkpoint configuration (where it pulls the ip from the hosts file) and view that ip address section, nothing appears.  I changed the external interface to the correct address, edited the hosts file, and tried to go into policy manager, but the firewall tells me the license is not registered to that address, and will not let me in!  I see that the license is registered to the public address and cannot be changed without being removed, re-registered, etc.  Is this the way it is suppossed to be?  Also, the authorized GUI client, is that suppossed to be an internal client, or the internal address of the firewall?  Help!
0
Comment
Question by:Silas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6441014
Yes.  Checkpoint licenses are bound to the IP address or host name.  If you change the external address, yo uhave to get Checkpoint to re-issue the license.  The GUI client can be either on the trusted or untrusted side of the FW.  If you put it on the untrusted side, then you may need to create an allow rule for firewall control connections.  
0
 

Author Comment

by:Silas
ID: 6441065
Can the GUI client be on the same box as the firewall daemon/service?  If I cant't get into policy manager, how do I set the rule to access the firewall via a control connection?
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441184
Yes the GUI client can be on the firewall.  When you access the GUI client you are not accessing the firewall, but the Management station running on the firewall.  So as long as you can access the internal port of the firewall you should be able to open the gui using the internal interface IP address on the firewall
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441212
The authorized GUI client is the IP address of the remote computer that will access the Management station on the FIrewall using the GUI app.  In checkpoint the firewall creates a rule that allows all defined gui clients to pass traffic through to the Management station.  Which usually is the external address of the firewall.  You need to change everything back to the original external IP address and access it that way.  ignore what I said about using the internal address, I thought you were talking about something else.
0
 

Author Comment

by:Silas
ID: 6441251
After changing the external interface address I get a "no license for user interface... cannot connect to server" error.  Does this mean I have to re-register before I can even get back in (basically meaning that nothing can be changed in the firewall after the fact without having to deal with Checkpoint)?
0
 
LVL 4

Accepted Solution

by:
jwalsh88 earned 25 total points
ID: 6441324
Here is how it works, when you create a license you need the hostname, the external IP address.  If you change either of those the license will no longer work.  Changing either of those means: changing them at an OS level.  Not in Policy editor.  So if you changed the interfaces IP address and hostname and/or hosts file in the OS then you need to simply change them back to what they were and you will be able to access policy manager.  If you are asking can you reconfigure those things without checkpoint?  The answer is absolutely not.  What you can do is get a new, evaluation license which doesn't tie itself to anything, while you wait for you new license, and you can reconfigure the firewall however you want with the eval license then when you know it works order the real license based off the info you send.
0
 

Author Comment

by:Silas
ID: 6449256
It is truly a stupid policy for Checkpoint to activate the license based on a public ip address -what if the ISP changes and the address range is altered?  I thin I will stick with Cisco products.
0
 

Author Comment

by:Silas
ID: 6453401
Jwalsh88: please see my other checkpoint question -I had another issue with licensing I need to solve.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OnPage: Incident management and secure messaging on your smartphone
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question