Solved

Cannot connect to Checkpoint locally, I can connect through the Dashboard.

Posted on 2008-11-07
Last Modified: 2013-11-16
Hi, I have an old Checkpoint setup (NG with application intelligence R55) that is both our firewall and our VPN. Now I can access it through the smart dashboard, but I can't connect to it through the terminal locally, nor can I connect to it through the browser (i.e. https://<IP Address, no explicit port>).

Also, the VPN is not working. If I could connect through the terminal and go into expert mode, I could at least look at the logs, but this is not the case.

The thing is that whenever I try to set up the Secure Client on a machine, it is not exchanging keys. It always hangs at "Gathering information" or something like that.

Thank You
Question by:jmoreno8238
14 Comments
 
LVL 14

Expert Comment

by:grimkin
ID: 22905090
Hi,

When you say locally, do you mean you are connected with a console cable into the console port? If this is not working, try another cable and use Putty as a terminal program. If you mean that it won't let you in via SSH, then you need to check that there are no rules in Dashboard preventing you from connecting; let us know how you get on.
0
 

Author Comment

by:jmoreno8238
ID: 22910563
When I say locally it's that the software is installed on an IBM workstation so I'm trying to connect directly with the keyboard, mouse and monitor. So no console port in my case.
0
 
LVL 4

Expert Comment

by:yurisk
ID: 22911210
And what do you mean you can't access locally?
- You don't get a CLI prompt, or it doesn't accept the password?
What do you see on the monitor of the server when you restart or press some key on the keyboard?
0

 
LVL 14

Expert Comment

by:grimkin
ID: 22912700
Checkpoint is made up of the management server and the enforcement module - this can be all installed on one machine (standalone) or the server and enforcement module can be different machines (distributed) - can you confirm which of these you have?

If this is distributed and your management server is running on windows then there is no web interface to access.

Can you also confirm which platform(s) they are running on and which operating systems?
0
 

Author Comment

by:jmoreno8238
ID: 22914591
I can't login. The Checkpoint doesn't accept my user and password.

The Screen I see says:

Checkpoint NG with Application Intelligence R55
... you can also access the administration module at through your browser at
https:

Login: _

(Sorry I'm not at the office right now so I can't really see the specific text, but you get the idea)

For example, let's say that I use the following credentials to access the checkpoint through the Smart Dashboard

U: admin
P: something1
(This can be done through one specific IP address)

But whenever I go to the server I use the same user and I get invalid credentials or something similar.

Also if I try the same user with the password for expert mode I get invalid credentials as well
and I know that I've accessed this server before.

Maybe something expired...

I don't know about the "management server and the enforcement module" but there is a web interface.
However for VPN connection we always use either the Secure Remote or the Secure Client.

It's running on Linux. Whenever I used to access the expert mode what I got was a bash shell. I don't remember which distro though.

I hope that I was able to answer all of your questions.
0
 
LVL 14

Accepted Solution

by:
grimkin earned 1000 total points
ID: 22916839
Ok,

Firstly the username and password for dashboard are not the same as for when you are accessing the server directly - for this you need the operating system username / pass which was set when the system was first set up.

By the sounds of it you are using SecurePlatform (SPlat) and the expert mode password can only be used once you have logged in to the default shell (cpshell) unless you specifically changed this previously.

However, if you know the expert password you may be able to log in if you remember your expert password: Reboot and press a key to see the boot menu - choose "Start in maintenance mode" and you will be asked for your expert password. This should log you in to single user mode with a # prompt where you can type "passwd" and enter a new password - this should reset both normal and expert user.
0
 

Author Comment

by:jmoreno8238
ID: 22917961
Oh ok.

Does checkpoint run under root or should it be another user?
0
 
LVL 14

Expert Comment

by:grimkin
ID: 22918014
The admin user has the same privileges as root.
0
 

Author Comment

by:jmoreno8238
ID: 22918034
So could the user for accessing checkpoint be admin also, and just a different password?
0
 
LVL 14

Assisted Solution

by:grimkin
grimkin earned 1000 total points
ID: 22920457
The user for accessing the console is always "admin", the user for accessing dashboard is flexible and usually defined when the SmartCenter is first set up although it can be changed via cpconfig. Yes, this could also be admin but with a different password.

Note: Other fw administrators can be defined and edited through the dashboard users tab but not the one which is defined through cpconfig.

The thing to bear in mind is that the admin user for the console and the admin user for dashboard are 2 different and separate accounts.
0
 
LVL 14

Expert Comment

by:grimkin
ID: 22920465
Also meant to say that if you cannot access the web interface then there is most likely a firewall rule restricting this. Typically access to the gateway is restricted to specific admin workstation IP addresses.
0
 

Author Comment

by:jmoreno8238
ID: 22923526
Perfect! Thanks for the great explanation, I'm a little new to checkpoint.
I think that I have an idea of what the other password would be.

Do you have any idea as to what could cause the checkpoint's VPN to suddenly stop working?

One thing I know is that nobody has modified the configuration, unless somebody hacked it!...

This firewall was reinstalled earlier this year and the guy didn't even leave any license information,
but I wasn't in charge of supervising him or anything. I'm fearing that it might be a licensing issue, and
maybe checkpoint has some sort of tool to verify that.

Thank you
0
 
LVL 14

Expert Comment

by:grimkin
ID: 22923698
No worries!

It's probably not a licensing issue as the maximum eval license time is 30 days after which everything would stop working - the fact that you can log into dashboard means that your license is ok - the details of it can be viewed in SmartUpdate under the licensing tab.

As regards the VPNs, I would make sure that you can get logged in and all of that is working, then open another question as it is a different problem than the one you opened this question with. Once you're sorted here then we can debug the VPN issue.

HTH
0
 

Author Comment

by:jmoreno8238
ID: 22923726
Ok thank you
0

Question has a verified solution.