Solved

Checkpoint problem

Posted on 2001-08-30
8
634 Views
Last Modified: 2013-11-16
I inherited a Checkpoint firewall that had an incorrect configuration.  If I go into Checkpoint configuration (where it pulls the ip from the hosts file) and view that ip address section, nothing appears.  I changed the external interface to the correct address, edited the hosts file, and tried to go into policy manager, but the firewall tells me the license is not registered to that address, and will not let me in!  I see that the license is registered to the public address and cannot be changed without being removed, re-registered, etc.  Is this the way it is suppossed to be?  Also, the authorized GUI client, is that suppossed to be an internal client, or the internal address of the firewall?  Help!
0
Comment
Question by:Silas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6441014
Yes.  Checkpoint licenses are bound to the IP address or host name.  If you change the external address, yo uhave to get Checkpoint to re-issue the license.  The GUI client can be either on the trusted or untrusted side of the FW.  If you put it on the untrusted side, then you may need to create an allow rule for firewall control connections.  
0
 

Author Comment

by:Silas
ID: 6441065
Can the GUI client be on the same box as the firewall daemon/service?  If I cant't get into policy manager, how do I set the rule to access the firewall via a control connection?
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441184
Yes the GUI client can be on the firewall.  When you access the GUI client you are not accessing the firewall, but the Management station running on the firewall.  So as long as you can access the internal port of the firewall you should be able to open the gui using the internal interface IP address on the firewall
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441212
The authorized GUI client is the IP address of the remote computer that will access the Management station on the FIrewall using the GUI app.  In checkpoint the firewall creates a rule that allows all defined gui clients to pass traffic through to the Management station.  Which usually is the external address of the firewall.  You need to change everything back to the original external IP address and access it that way.  ignore what I said about using the internal address, I thought you were talking about something else.
0
 

Author Comment

by:Silas
ID: 6441251
After changing the external interface address I get a "no license for user interface... cannot connect to server" error.  Does this mean I have to re-register before I can even get back in (basically meaning that nothing can be changed in the firewall after the fact without having to deal with Checkpoint)?
0
 
LVL 4

Accepted Solution

by:
jwalsh88 earned 25 total points
ID: 6441324
Here is how it works, when you create a license you need the hostname, the external IP address.  If you change either of those the license will no longer work.  Changing either of those means: changing them at an OS level.  Not in Policy editor.  So if you changed the interfaces IP address and hostname and/or hosts file in the OS then you need to simply change them back to what they were and you will be able to access policy manager.  If you are asking can you reconfigure those things without checkpoint?  The answer is absolutely not.  What you can do is get a new, evaluation license which doesn't tie itself to anything, while you wait for you new license, and you can reconfigure the firewall however you want with the eval license then when you know it works order the real license based off the info you send.
0
 

Author Comment

by:Silas
ID: 6449256
It is truly a stupid policy for Checkpoint to activate the license based on a public ip address -what if the ISP changes and the address range is altered?  I thin I will stick with Cisco products.
0
 

Author Comment

by:Silas
ID: 6453401
Jwalsh88: please see my other checkpoint question -I had another issue with licensing I need to solve.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question