Solved

Checkpoint problem

Posted on 2001-08-30
8
619 Views
Last Modified: 2013-11-16
I inherited a Checkpoint firewall that had an incorrect configuration.  If I go into Checkpoint configuration (where it pulls the ip from the hosts file) and view that ip address section, nothing appears.  I changed the external interface to the correct address, edited the hosts file, and tried to go into policy manager, but the firewall tells me the license is not registered to that address, and will not let me in!  I see that the license is registered to the public address and cannot be changed without being removed, re-registered, etc.  Is this the way it is suppossed to be?  Also, the authorized GUI client, is that suppossed to be an internal client, or the internal address of the firewall?  Help!
0
Comment
Question by:Silas
  • 4
  • 3
8 Comments
 
LVL 11

Expert Comment

by:geoffryn
Comment Utility
Yes.  Checkpoint licenses are bound to the IP address or host name.  If you change the external address, yo uhave to get Checkpoint to re-issue the license.  The GUI client can be either on the trusted or untrusted side of the FW.  If you put it on the untrusted side, then you may need to create an allow rule for firewall control connections.  
0
 

Author Comment

by:Silas
Comment Utility
Can the GUI client be on the same box as the firewall daemon/service?  If I cant't get into policy manager, how do I set the rule to access the firewall via a control connection?
0
 
LVL 4

Expert Comment

by:jwalsh88
Comment Utility
Yes the GUI client can be on the firewall.  When you access the GUI client you are not accessing the firewall, but the Management station running on the firewall.  So as long as you can access the internal port of the firewall you should be able to open the gui using the internal interface IP address on the firewall
0
 
LVL 4

Expert Comment

by:jwalsh88
Comment Utility
The authorized GUI client is the IP address of the remote computer that will access the Management station on the FIrewall using the GUI app.  In checkpoint the firewall creates a rule that allows all defined gui clients to pass traffic through to the Management station.  Which usually is the external address of the firewall.  You need to change everything back to the original external IP address and access it that way.  ignore what I said about using the internal address, I thought you were talking about something else.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:Silas
Comment Utility
After changing the external interface address I get a "no license for user interface... cannot connect to server" error.  Does this mean I have to re-register before I can even get back in (basically meaning that nothing can be changed in the firewall after the fact without having to deal with Checkpoint)?
0
 
LVL 4

Accepted Solution

by:
jwalsh88 earned 25 total points
Comment Utility
Here is how it works, when you create a license you need the hostname, the external IP address.  If you change either of those the license will no longer work.  Changing either of those means: changing them at an OS level.  Not in Policy editor.  So if you changed the interfaces IP address and hostname and/or hosts file in the OS then you need to simply change them back to what they were and you will be able to access policy manager.  If you are asking can you reconfigure those things without checkpoint?  The answer is absolutely not.  What you can do is get a new, evaluation license which doesn't tie itself to anything, while you wait for you new license, and you can reconfigure the firewall however you want with the eval license then when you know it works order the real license based off the info you send.
0
 

Author Comment

by:Silas
Comment Utility
It is truly a stupid policy for Checkpoint to activate the license based on a public ip address -what if the ISP changes and the address range is altered?  I thin I will stick with Cisco products.
0
 

Author Comment

by:Silas
Comment Utility
Jwalsh88: please see my other checkpoint question -I had another issue with licensing I need to solve.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now