Adding a new admin user to Check Point Gaia with expert permissions

To add a new administrator account that lands directly in the “expert” prompt, add the following lines to the configuration from the CLI shell (clish):

[code]
add user NEWUSER uid 0 homedir /home/NEWUSER
set user NEWUSER gid 100 shell /bin/bash
set user NEWUSER password-hash $1$************
add rba user NEWUSER roles adminRole
[/code]

Replace NEWUSER with the new administrator’s login name. Instead of supplying an existing password hash with “password-hash”, you can set the password interactively with “set user NEWUSER password”.

Because the account has uid 0 and /bin/bash as its login shell, it logs straight into the “expert” shell and does not need to type the additional expert password.
To get to Gaia’s CLI shell (clish) from there, the user runs /bin/clish.
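A defender’s counterpart to the recipe above, as an added example that is not part of the original post: a small audit script that lists uid-0 accounts outside an allowlist and accounts whose login shell bypasses clish. The passwd lines it reads are a constructed sample, and the function names and allowlist are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd file for the
# kind of account the recipe above creates, i.e. uid 0 with an unrestricted
# shell that bypasses clish and its RBA roles. On a Gaia box run the two
# functions against /etc/passwd; here a constructed sample is embedded so
# the script runs offline.

# Constructed sample passwd lines (assumed layout, not from a real gateway).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
monitor:x:101:100:Monitor:/home/monitor:/etc/cli.sh
NEWUSER:x:0:100:NEWUSER:/home/NEWUSER:/bin/bash
nobody:x:99:99:nobody:/:/sbin/nologin'

# Write the sample to a temp file and print its path.
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    printf '%s\n' "$f"
}

# Print every uid-0 account that is not in the space-separated allowlist.
# Arg 1: passwd-format file. Arg 2: expected uid-0 accounts, e.g. "root admin".
unexpected_uid0() {
    awk -F: -v allow=" $2 " '
        $3 == 0 && index(allow, " " $1 " ") == 0 { print $1 }
    ' "$1"
}

# Print every account whose login shell is bash or sh, i.e. one that lands
# in expert mode directly instead of going through clish (/bin/clish or
# /etc/cli.sh) or a nologin shell.
unrestricted_shell() {
    awk -F: '$7 ~ /\/(ba)?sh$/ { print $1 }' "$1"
}

# Stand-alone run over the constructed sample.
f=$(sample_file)
echo "uid 0 accounts outside the allowlist:"
unexpected_uid0 "$f" "root admin"
echo "accounts with an unrestricted login shell:"
unrestricted_shell "$f"
rm -f "$f"
```

On a real gateway, replace the sample file with /etc/passwd and put your known administrator accounts in the allowlist.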

Enable SNMP monitoring in Check Point

Step 1. Turning on the SNMP extension (this enables the extended Check Point MIBs: http://www.oidview.com/mibs/2620/CHECKPOINT-MIB.html)
[code]
cpconfig

Configuration Options:
----------------------

(2) SNMP Extension
[/code]
Press the number shown next to “SNMP Extension” to open its configuration. In this case it is “2”.
[code]
Configuring SNMP Extension...
=============================
The SNMP daemon enables Check Point products module
to export its status to external network management tools.
Would you like to enable Check Point products SNMP daemon ? (y/n) [y] ?
[/code]
Press “y” or [Enter] to enable the SNMP extension.
[code]
Thank You...
You have changed Check Point products Configuration.
You need to restart ALL Check Point modules (performing cpstop & cpstart)
in order to activate the changes you have made.
Would you like to do it now? (y/n) [y] ?
[/code]
Press “y” or [Enter] again to restart the Check Point modules (cpstop and cpstart) and apply the change.

Step 2. Configuring SNMP users

[code]
snmp user add authuser USER pass PASSWORD1 priv PASSWORD2
service snmpd restart
[/code]

Replace USER with the SNMPv3 user name, PASSWORD1 with its authentication pass phrase and PASSWORD2 with its privacy (encryption) pass phrase, then restart snmpd so the new user takes effect.

Step 3. Adding snmpd to the automatic startup sequence
[code]
chkconfig snmpd on
[/code]

Source: http://www.checkpoint.com/techsupport/downloads/docs/firewall1/r54/SNMP_Add-on_Manual.pdf

Check Point advanced VPN debugging

Check Point shows basic VPN information in the VPN section of SmartDashboard, but for some problems (for example an ID mismatch) that is not enough detail.
There is a way to obtain much more detailed logs, similar to Cisco’s “debug crypto ipsec” command.

To turn on VPN debug logging, enter the following commands:

[code]
vpn debug trunc
vpn debug ikeon
[/code]

This writes the IKE debug output to $FWDIR/log/ike.elg.
To read the file more conveniently, download Check Point’s IKEView.exe utility (Windows only):

http://pingtool.org/downloads/IKEView.exe

Don’t forget to stop the debug when you are done, with the commands:

[code]
vpn debug off
vpn debug ikeoff
[/code]

Source: sk33327