Checkpoint: Change the Default WebUI Port in SecurePlatform and Gaia

The default WebUI access port is HTTPS 443. This can cause a conflict when installing some Check Point products, e.g. Endpoint Security Server. To avoid this, change the default WebUI port as follows:

SecurePlatform

Log in to the SecurePlatform CLI in Standard mode, and run this command:

webui enable <port_number>

You should see the following:

Shutting down cp_http_server_wd [OK]
Shutting down cpwmd_wd [OK]
Running cp_http_server_wd [OK]
Running cpwmd_wd [OK]

To disable access to the WebUI, run the command:

webui disable

Gaia

To set the WebUI port on Gaia, enter clish and run:

CLISH> set web ssl-port <port number>

CLISH> save config

** Please read below – this must also be mirrored through SmartDashboard otherwise every policy installation will revert to the default 443 **

To change it through SmartDashboard:

Open ‘SmartDashboard > gateway/cluster object > platform portal’, and in the “Main URL” add the relevant port, for example:

https://143.100.80.100:xxx

This will force the machine to use port xxx. In the case of a cluster, this will also work for both members.

If this is not changed, every policy installation will change the port back to the default 443.

Checkpoint: Migrate R76 Standalone Firewall to a Distributed Smartcenter and Gateways (R7x.xx)

“Database migration between Standalone and Management only machines is not supported”

The error above is observed when trying to migrate the management from a standalone firewall to a new Smartcenter for distributed architecture and appears to be more of a bug than anything else.

Luckily it is easily sorted:

1. Take an export of existing standalone management & firewall:

Download the newest migration tools from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk91140 and run an export:
# $FWDIR/bin/upgrade_tools/migrate export MY_EXPORT

2. Extract the files from MY_EXPORT.tgz using e.g. 7zip. Using Notepad++ or similar, change the “configuration” and “configuration2” files to take the Firewall element out as shown in the pictures below:
Remove the “Firewall” string in “configuration” ..

[image: configuration_1]

.. to look like this:

[image: configuration_2]

And change the following strings in the “configuration2” file ..

[image: configuration2_1]

.. to look like this:

[image: configuration2_2]

3. Repackage the files into MY_NEW_EXPORT.tgz, copy it onto the new management center and run the import:

# $FWDIR/bin/upgrade_tools/migrate import MY_NEW_EXPORT

Job done!

Checkpoint: Recover / Recreate a Dead Checkpoint Smartcenter from Files in $FWDIR

Smartcenter dead, only the disk survives. All credit to RStewart from cpshared for sharing the knowledge found in sk article sk32508, which unfortunately is internal only. I have only re-worded and re-formatted in places. If anything is wrong or missing, please let me know; I went through this process a couple of weeks ago and am now writing from memory ..

  • Take the following 3 files from the SC’s conf directory ($FWDIR/conf) :
    • objects_5_0.C
    • rulebases_5_0.fws
    • fwauth.NDB
  • Build a new SmartCenter of the same version
  • Install the Check Point software from the CD and reboot.
  • Go through sysconfig and configure the OS and the Check Point software. Set the hostname to match the CMA name as closely as you can.
  • Do not reboot and don’t start the products!
  • Put the 3 files above into $FWDIR/conf.
  • Reboot and once the server is up, check you can log in through the dashboard. If you can’t then either something very bad has happened or the instructions above weren’t followed to the T.
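
The file-staging step above, as an added example that is not part of the original post or of Check Point's tooling: a shell function that refuses to install a partial set of the three files, keeps the fresh install's copies under a hypothetical .fresh_install suffix, and confirms each copy byte for byte. The source path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not Check Point tooling). Run it before the reboot step.
# Usage, with an assumed mount point for the surviving disk:
#   stage_conf_files /mnt/olddisk/conf "$FWDIR/conf"

REQUIRED_FILES="objects_5_0.C rulebases_5_0.fws fwauth.NDB"

stage_conf_files() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "source dir missing: $src" >&2; return 2; }
    [ -d "$dst" ] || { echo "target dir missing: $dst" >&2; return 2; }

    # Pass 1: touch nothing unless all three files are present and non-empty,
    # so a partial set from a damaged disk is never installed.
    for f in $REQUIRED_FILES; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done

    # Pass 2: keep the fresh install's copy (hypothetical suffix), copy the
    # recovered file in, then verify the copy byte for byte.
    for f in $REQUIRED_FILES; do
        if [ -e "$dst/$f" ]; then
            cp -p "$dst/$f" "$dst/$f.fresh_install" || return 3
        fi
        cp -p "$src/$f" "$dst/$f" || return 3
        if ! cmp -s "$src/$f" "$dst/$f"; then
            echo "copy differs from source: $f" >&2
            return 4
        fi
        echo "staged $f"
    done
    return 0
}
```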

Once you have successfully logged in with dashboard, you can progress to the next phase:

  • Follow the process to rename a SmartCenter, which is found in the sk article: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk42071

Once the above is complete you will need to do a brutal fwm sic_reset – this involves manually removing any certificates from the objects file.

  • Follow the sk article below to remove the certificates: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk10451
  • Give it a reboot and you should be good to go

If you’re doing an upgrade from an unsupported version to an R7x.x one, the following docs may be useful:

  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R70.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R71.pdf
  • http://fireverse.org/wp-content/uploads/2011/03/Upgrade-to-R75.gif

Original reference: https://www.cpshared.com/forums/archive/index.php/t-1163.html