Day: November 2, 2019

1. Connect to the command line on the Security Gateway / Cluster member (over SSH, or console).Note: For cluster, perform this procedure on Standby member first and then on the Active.
2. Go to the Check Point menu: [Expert@HostName]# cpconfig
3. Choose option 5 “Secure Internal Communication” from the menu by typing number 5 and clicking “Enter”:
4. You will be asked if you wish to re-initialize the communication. Press on “y” and then click “Enter”:
5. You will be asked again if you want to reinitialize the communication, Press on “y” and then click “Enter”:
6. You will be prompted to enter the new “SIC” key. Make sure to enter the same key in both fields. Once done typing, click “Enter”:
7. The key will be reinitialized, wait until you see the key was “successfully initialized”. Once done choose the option “Exit” and click “Enter”:
8. The Check Point processes will be restarted. This will take a few minutes. Once completed, you will be returned to the command line. This ends the process on the Security Gateway side:

Note: The Security Gateway will run the default policy until a policy is installed. It is recommended to install policy as soon as the SIC has been reset on your Management Server.

 

Perform the following procedure on the Security Management Server:

1. Connect with SmartDashboard to Security Management Server / Domain Management Server (CMA).
2. Open the Security Gateway object, for which you reset the SIC:
3. Click on the “Communication” button:Note: For cluster, perform this procedure on each cluster member. On the Standby member first and then on the Active.
4. Click the “Reset” button:
5. You will be asked if you are sure you want to reset, click “Yes”:
6. You will receive a notification the reset is done. Click “OK”:
7. Type in the new SIC key you have created on the Security Gateway, and click “Initialize”:
8. Once the SIC has been initialized, you will see the certificate state icon turn green and the note “Trust established”:
9. Click “OK” to close the Properties windows.
10. Save the database: ‘File‘ menu – ‘Save‘.
11. Install policy on the Security Gateway.

Note: The Security Gateway will run the default policy until a policy is installed. It is recommended to install policy as soon as the SIC has been reset.

---

Source: Checkpoint Website

Basic Operation Commands:

• get hostame – Displays the hostname of the device.
• set hostname device10firewall – Sets the hostname to device10firewall.
• get domain – Displays the domain name of the device.
• set domain box.net – Sets the domain name to box.net.
• get chassis – Displays chassis information such as temperature, fan status, and slot information.
• get system – Displays hardware and software information.
• get config – Displays the complete running configuration.
• get zone – Displays all zones present in device.
• set zone name warehouse – Create new zone named warehouse.
• unset zone warehouse – Removes zone warehouse.
• get interface – Displays all physical and sub-interfaces.
• get interface | include tun – Displayes all intefaces starting with tun (tunnel intefaces).
• get interface ethernet0/2 mip – Displays MIP information on specified interface.
• get arp – Displays all number of sessions, MAC addresses,and IP addresses learned by the device.
• get ssh – display active management SSH sessions.
• get counter statistics – Displays statistics for all interfaces.
• get counter statistics interface ethernet0/2 – Displays statistics for ONLY specific interface.
• get performance cpu – Displays CPU utilization over the last 1,5, and 15 minutes.
• get performance session – Displays session utilization over the last 1,5, and 15 minutes.
• get dns host settings – Displays DNS servers and assigned interfaces.
• get dhcp – Displays DHCP information and assigned interfaces.
• get admin – Displays management information such as access ports and filtered IP addresses.
• get address untrust – Displays addresses in the untrust zone.
• get ike gateway – Displays all gateways configured for VPN.
• get vrouter trust-vr – Displays all vrouter information and routes associated with trust-vr.
• get sa – Displays information about IKE (VPN) Gateways.
• get ntp – Displays network time protocol information.
• get service – Displays protocols both native and custom.
• set service “RDP” protocol tcp src-port 0-65535 dst-port 3389-3389 Creates a service named RDP with source ports from 0-65535 and a destination port of 3389. 

1. Login to the AWS console.
2. Go to EC2 service.
3. Go to reserved instance > click on purchase reserved instances.
4. Now purchase reserved instance according to your requirement. You can purchase instances as mentioned below.

•   Platform : Linux/Windows
•  Offering class: Standard/Convertible (If you choose convertible type, you can upgrade or downgrade your instances during the reservation time).
•  Instance type: Select according to your organization requirement.
•  Term: 1 year or 3 years (3 years will give more discount value)
•  Payment Option:

1.  No upfront (No need to pay money in initial stage)
2.  Partial Upfront ( Can pay partial amount eg: 30%, 40% etc..)
3.   All upfront  (You can pay total 100% amount during the reservation time).
4. Once you selected your options click on search button and AWS will show available reservation values. You can click on Add to cart once you decided to go for reservation.
5. You can modify the quantity according to your requirement and then click order button.

Bingo!!!! Now you reserved the instances and saved  money for your organization.

 

 

 

Pre-Activity-Analysis:

1. Verify a support Contract with the vendor and open proactive vendor ticket for the activity. Run the following commands and collect the details:

• tmsh show /sys version
• tmsh show /sys hardware
• tmsh show /sys license
• tmsh show /sys software
•  Interface/VLAN status,
•   Routes
•    netstat -nr
•   tmsh show /net route
•   tmsh list /sys management-route
•   tmsh show net interface
• Take a UCS file backup :# cd /var/local/ucs

  #tmsh save /sys ucs <Device-name_date>.ucs

• Go to Local Traffic››  Network Map >> Show Map and take the output of virtual servers, pool etc.. status.

 

Implementation Plan:

1. Move Guests to Configured Mode

Go to vCMP ›› Guest List ›› Device-v02›› Requested State ›› Configured ›› Update

2. Allocate Cores

Go to vCMP ›› Guest List ›› Device-v02›› Cores Per Slot ›› 4 ›› Update

Ensure to be connected on the device console and monitor for any logs.

3. Ensure Guest is in Deployed Mode

Bring guest device to deploy state using below.

Go to vCMP ›› Guest List ›› < Guest > ›› Device-v02›› Deployed ›› Update.

4. Make sure that all VSs are up

5. Failover the traffic from Device-v01 to Device-v02 by running below command on Device-v01

 tmsh run /sys failover standby

6. Move Guests to Configured Mode

Go to vCMP ›› Guest List ›› Device-v01 ›› Requested State ›› Configured ›› Update

3. Allocate Cores

Go to vCMP ›› Guest List ›› Device-v01 ›› Cores Per Slot ›› 4 ›› Update

Ensure to be connected on the device console and monitor for any logs.

7. Ensure Guest is in Deployed Mode

Go to vCMP ›› Guest List ›› Device-v01 ›› Requested State ›› Deployed ›› Update.

8. Make sure that all virtual servers are up and then Fail over back to Device-v01

Fail over the traffic from Device-v02 to Device-v01 by running the below command on Device-v02

 tmsh run /sys failover standby

Post Activity Test Plan:

1. Run the following commands and ensure the resource health is normal

• tmsh show /sys version
• tmsh show /sys hardware
• tmsh show /sys license
• tmsh show /sys software

2. Verify the management connectivity like ping, snmp, SSH towards active and standby devices
3. Login to each device CLI and ensure the interface are marked up (Validate with pre-change stat) and routes/VLAN configs are present
4. Verify the status of virtual server and pool member. Ensure the up/down/not-monitored counts are as per the pre-change stat
5. Verify the ltm file in /var/log and ensure no abnormal errors are logged
6. Check the CPU & Memory usage and ensure they are normal
7. Go to Local Traffic››  Network Map >> Show Map and compare the output with the “Pre_change_Status” image