Automating tasks with cron on CheckPoint Gaia

To use cron on a CheckPoint Gaia firewall you need to create a separate user, because the “admin” user's crontab file is overwritten on every reboot by /bin/cron_xlate.

If you run the default command:
> crontab -e
it will warn you as follows:
[code]
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/cron_xlate on Wed Jan 14 13:33:33 2015
#
# DO NOT EDIT
#
SHELL=/bin/bash
MAILTO=""
#
# mins hrs daysinm months daysinw command
#
[/code]

You will also need to specify the user:

> crontab -u cron_user -e

To create a new user for cron, use the following commands:

[code]
add user cron_user uid 0 homedir /home/cron_user
set user cron_user gid 100 shell /bin/bash
add rba user cron_user roles adminRole
set user cron_user password
[/code]

Make sure your scripts write their output to the new user's home folder, to avoid permission issues.

CheckPoint SPLAT to Gaia migration script

CheckPoint Gaia firewalls have a new text-based configuration format.
Here you can download a script that converts most of the configuration on a SPLAT system to Gaia CLI commands, which can then be pasted onto the new system.

The script converts the following data:

Interfaces (including bonding and vlans)
Routing
DNS
NTP

Bonding parameters and timezone data have to be preconfigured.

The script does not modify anything on the system, so it can be run safely on production systems.

Download:
splat2gaia.sh

CheckPoint Gaia SNMP configuration

Here is an example of an SNMPv3 configuration on a CheckPoint Gaia appliance:

[code]
set snmp agent on
set snmp contact "zzzz@domain.com"
set snmp location "Middle of nowhere"
add snmp address 123.34.56.78
set snmp agent-version v3-Only
add snmp usm user snmpv3user security-level authPriv auth-pass-phrase 111222333 privacy-pass-phrase 555666777
[/code]

To use the less secure SNMP v1/v2, use the following commands:

[code]
set snmp agent on
set snmp contact "zzzz@domain.com"
set snmp location "Middle of nowhere"
add snmp address 123.34.56.78
set snmp agent-version any
set snmp community snmpv2community read-only
[/code]

Replace 123.34.56.78 with the IP address of the firewall interface that is going to answer SNMP requests. This command may be omitted, in which case SNMP will listen on all interfaces.

If you want to enable SNMPv3 only, you will probably also want to remove the default “public” community from the configuration, but after changing the agent-version to v3-Only the firewall will reject the command:

[code]
delete snmp community public read-only
NMSSNM0075 SNMP v3-Only does not accept community strings.
[/code]

To work around this issue, just execute:

[code]
set snmp agent-version any
delete snmp community public read-only
set snmp agent-version v3-Only
[/code]

CheckPoint NTP time sync configuration

To set NTP on a CheckPoint SecurePlatform (SPLAT) system, run the following command:

[code]
ntp -n 1800 time.nist.gov ntp.eenet.ee ntp.estpak.ee
[/code]

You may also use IP addresses:

[code]
ntp -n 1800 64.236.96.53 193.40.133.142 192.98.49.10
[/code]

This command will create the config file /etc/sysconfig/ntp and enable ntpd on boot.

The following file was produced by the example command:
[code]
SERVER1=64.236.96.53
SERVER2=193.40.133.142
SERVER3=192.98.49.10
INTERVAL=1800
MD5_SECRET=
USE_NTP=true
[/code]

You may want to confirm that ntpd will be started at boot by running:
[code]
chkconfig --list ntp
[/code]

The command should display:
[code]
ntp 0:off 1:off 2:off 3:on 4:off 5:on 6:off
[/code]
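As an added example (not part of this page or of the splat2gaia.sh script), here is a shell function that does the NTP part of the SPLAT to Gaia migration described above: it reads a SPLAT /etc/sysconfig/ntp file like the one produced by the ntp command and prints the equivalent Gaia clish commands. It assumes Gaia clish accepts "set ntp server primary|secondary <ip> version <n>" and "set ntp active on", accepts only a primary and a secondary server, and has no clish equivalent for INTERVAL; the NTP version number is a placeholder.

```shell
#!/bin/sh
# Added example: translate a SPLAT /etc/sysconfig/ntp file into Gaia clish
# commands. Command syntax and the primary/secondary limit are assumptions
# about Gaia clish; NTP_VERSION is a placeholder to adjust for your release.
NTP_VERSION=3

# Usage: splat_ntp_to_gaia /path/to/sysconfig/ntp
splat_ntp_to_gaia() {
    file="$1"
    # Emit nothing but a note when SPLAT had NTP disabled.
    grep -q '^USE_NTP=true' "$file" || { echo "# NTP not enabled in $file"; return 1; }
    i=0
    for key in SERVER1 SERVER2 SERVER3; do
        # Value after "=", skipping empty entries.
        server=$(sed -n "s/^$key=//p" "$file")
        [ -n "$server" ] || continue
        i=$((i + 1))
        case $i in
            1) echo "set ntp server primary $server version $NTP_VERSION" ;;
            2) echo "set ntp server secondary $server version $NTP_VERSION" ;;
            *) echo "# $key=$server skipped: only primary and secondary assumed in clish" ;;
        esac
    done
    interval=$(sed -n 's/^INTERVAL=//p' "$file")
    [ -z "$interval" ] || echo "# INTERVAL=$interval has no clish equivalent; Gaia default kept"
    echo "set ntp active on"
}

# Constructed sample, identical to the file shown above.
SAMPLE_NTP_CONF=$(mktemp)
cat > "$SAMPLE_NTP_CONF" <<'EOF'
SERVER1=64.236.96.53
SERVER2=193.40.133.142
SERVER3=192.98.49.10
INTERVAL=1800
MD5_SECRET=
USE_NTP=true
EOF

splat_ntp_to_gaia "$SAMPLE_NTP_CONF"
```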

CheckPoint VPN – Wrong value for: Group Description

While debugging a VPN you may see an error in the log that says:

IKE Main Mode Failed to match proposal: Transform 3DES / AES, SHA1 / MD5, Pre-shared secret, Group 1 (1024 bit)

This error means that your Phase 1 settings do not match those on the other side of the VPN.
Do not let “Group Description” confuse you: the mismatch is not necessarily in the Diffie–Hellman group value.

If you have access to the remote device, check the settings yourself, or contact its maintainer.