Cannot connect to Checkpoint locally, I can connect through the Dashboard.

Hi, I have an old Checkpoint setup (NG with application intelligence R55) that is both our firewall and our VPN. Now I can access it through the smart dashboard, but I can't connect to it through the terminal locally, nor can I connect to it through the browser (i.e. https://<IP Address, no explicit port>).

Also, the VPN is not working. If I could connect through the terminal and go into expert mode, I could at least look at the logs, but this is not the case.

The thing is that whenever I try to set up the Secure Client on a machine, it is not exchanging keys. It always hangs at "Gathering information" or something like that.

Thank You
jmoreno8238 Asked:

grimkin Commented:
Hi,

When you say locally, do you mean you are connected with a console cable into the console port? If this is not working, try another cable and use PuTTY as a terminal program. If you mean that it won't let you in via SSH, then you need to check that there are no rules in Dashboard preventing you from connecting; let us know how you get on.
jmoreno8238 Author Commented:
When I say locally it's that the software is installed on an IBM workstation so I'm trying to connect directly with the keyboard, mouse and monitor. So no console port in my case.
yurisk Commented:
And what do you mean you can't access locally?
- You don't get a CLI prompt, or it doesn't accept the password?
What do you see on the monitor of the server when you restart or press some key on the keyboard?
grimkin Commented:
Checkpoint is made up of the management server and the enforcement module - this can be all installed on one machine (standalone) or the server and enforcement module can be different machines (distributed) - can you confirm which of these you have?

If this is distributed and your management server is running on Windows then there is no web interface to access.

Can you also confirm which platform(s) they are running on and which operating systems?
jmoreno8238 Author Commented:
I can't login. The Checkpoint doesn't accept my user and password.

The screen I see says:

Checkpoint NG with Application Intelligence R55
... you can also access the administration module at through your browser at
https:

Login: _

(Sorry I'm not at the office right now so I can't really see the specific text, but you get the idea)

For example, let's say that I use the following credentials to access the Checkpoint through the Smart Dashboard

U: admin
P: something1
(This can be done through one specific IP address)

But whenever I go to the server I use the same user and I get invalid credentials or something similar.

Also if I try the same user with the password for expert mode I get invalid credentials as well
and I know that I've accessed this server before.

Maybe something expired...

I don't know about the "management server and the enforcement module" but there is a web interface.
However for VPN connection we always use either the Secure Remote or the Secure Client.

It's running on Linux. Whenever I used to access the expert mode what I got was a bash shell. I don't remember which distro though.

I hope that I was able to answer all of your questions.
grimkin Commented:
Ok,

Firstly the username and password for dashboard are not the same as for when you are accessing the server directly - for this you need the operating system username / pass which was set when the system was first set up.

By the sounds of it you are using SecurePlatform (SPlat) and the expert mode password can only be used once you have logged in to the default shell (cpshell) unless you specifically changed this previously.

However, if you know the expert password you may be able to log in if you remember your expert password: Reboot and press a key to see the boot menu - choose "Start in maintenance mode" and you will be asked for your expert password. This should log you in to single user mode with a # prompt where you can type "passwd" and enter a new password - this should reset both normal and expert user.
jmoreno8238 Author Commented:
Oh, OK.

Does checkpoint run under root or should it be another user?
grimkin Commented:
The admin user has the same privileges as root.
jmoreno8238 Author Commented:
So could the user for accessing checkpoint be admin also, and just a different password?
grimkin Commented:
The user for accessing the console is always "admin", the user for accessing dashboard is flexible and usually defined when the SmartCenter is first set up although it can be changed via cpconfig. Yes, this could also be admin but with a different password.

Note: Other fw administrators can be defined and edited through the dashboard users tab but not the one which is defined through cpconfig.

The thing to bear in mind is that the admin user for the console and the admin user for dashboard are 2 different and separate accounts.
grimkin Commented:
Also meant to say that if you cannot access the web interface then there is most likely a firewall rule restricting this. Typically access to the gateway is restricted to specific admin workstation IP addresses.
jmoreno8238 Author Commented:
Perfect! Thanks for the great explanation. I'm a little new to Checkpoint.
I think that I have an idea of what the other password would be.

Do you have any idea as to what could cause the Checkpoint's VPN to suddenly stop working?

One thing I know is that nobody has modified the configuration, unless somebody hacked it!...

This firewall was reinstalled earlier this year and the guy didn't even leave any license information,
but I wasn't in charge of supervising him or anything. I'm fearing that it might be a licensing issue, and
maybe checkpoint has some sort of tool to verify that.

Thank you
grimkin Commented:
No worries!

It's probably not a licensing issue as the maximum eval license time is 30 days after which everything would stop working - the fact that you can log into dashboard means that your license is ok - the details of it can be viewed in SmartUpdate under the licensing tab.

As regards the VPNs, I would make sure that you can get logged in and all of that is working, then open another question as it is a different problem than the one you opened this question with. Once you're sorted here then we can debug the VPN issue.

HTH
jmoreno8238 Author Commented:
Ok thank you