?
Solved

Checkpoint problem

Posted on 2001-08-30
8
Medium Priority
?
638 Views
Last Modified: 2013-11-16
I inherited a Checkpoint firewall that had an incorrect configuration.  If I go into Checkpoint configuration (where it pulls the ip from the hosts file) and view that ip address section, nothing appears.  I changed the external interface to the correct address, edited the hosts file, and tried to go into policy manager, but the firewall tells me the license is not registered to that address, and will not let me in!  I see that the license is registered to the public address and cannot be changed without being removed, re-registered, etc.  Is this the way it is suppossed to be?  Also, the authorized GUI client, is that suppossed to be an internal client, or the internal address of the firewall?  Help!
0
Comment
Question by:Silas
  • 4
  • 3
8 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6441014
Yes.  Checkpoint licenses are bound to the IP address or host name.  If you change the external address, yo uhave to get Checkpoint to re-issue the license.  The GUI client can be either on the trusted or untrusted side of the FW.  If you put it on the untrusted side, then you may need to create an allow rule for firewall control connections.  
0
 

Author Comment

by:Silas
ID: 6441065
Can the GUI client be on the same box as the firewall daemon/service?  If I cant't get into policy manager, how do I set the rule to access the firewall via a control connection?
0
 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441184
Yes the GUI client can be on the firewall.  When you access the GUI client you are not accessing the firewall, but the Management station running on the firewall.  So as long as you can access the internal port of the firewall you should be able to open the gui using the internal interface IP address on the firewall
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
LVL 4

Expert Comment

by:jwalsh88
ID: 6441212
The authorized GUI client is the IP address of the remote computer that will access the Management station on the FIrewall using the GUI app.  In checkpoint the firewall creates a rule that allows all defined gui clients to pass traffic through to the Management station.  Which usually is the external address of the firewall.  You need to change everything back to the original external IP address and access it that way.  ignore what I said about using the internal address, I thought you were talking about something else.
0
 

Author Comment

by:Silas
ID: 6441251
After changing the external interface address I get a "no license for user interface... cannot connect to server" error.  Does this mean I have to re-register before I can even get back in (basically meaning that nothing can be changed in the firewall after the fact without having to deal with Checkpoint)?
0
 
LVL 4

Accepted Solution

by:
jwalsh88 earned 75 total points
ID: 6441324
Here is how it works, when you create a license you need the hostname, the external IP address.  If you change either of those the license will no longer work.  Changing either of those means: changing them at an OS level.  Not in Policy editor.  So if you changed the interfaces IP address and hostname and/or hosts file in the OS then you need to simply change them back to what they were and you will be able to access policy manager.  If you are asking can you reconfigure those things without checkpoint?  The answer is absolutely not.  What you can do is get a new, evaluation license which doesn't tie itself to anything, while you wait for you new license, and you can reconfigure the firewall however you want with the eval license then when you know it works order the real license based off the info you send.
0
 

Author Comment

by:Silas
ID: 6449256
It is truly a stupid policy for Checkpoint to activate the license based on a public ip address -what if the ISP changes and the address range is altered?  I thin I will stick with Cisco products.
0
 

Author Comment

by:Silas
ID: 6453401
Jwalsh88: please see my other checkpoint question -I had another issue with licensing I need to solve.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question