!! Assign an existing user a specific role
set user <username> roles <role name>        !!  Default roles are adminRole & monitorRole

!! Create custom roles
add rba role <role-name> domain-type System readonly-features <comma-separated-list-of-RO-commands> readwrite-features <comma-separated-list-of-RW-commands>

Example of creating a role:

add rba role SomeRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag,revert,fcd

Notes:

  • All performed via clish. DON'T FORGET TO SAVE (save config)



clish
add dhcp server subnet <network-ip> netmask <cidr>
add dhcp server subnet <network-ip> include-ip-pool start <pool-start-ip> end <pool-end-ip>
set dhcp server subnet <network-ip> include-ip-pool <pool-start-ip>-<pool-end-ip> enable
set dhcp server subnet <network-ip> default-lease <default-lease-time>
set dhcp server subnet <network-ip> max-lease <max-lease-time>
set dhcp server subnet <network-ip> default-gateway <default-gw-ip>
set dhcp server subnet <network-ip> dns '<server1>, <server2>'
set dhcp server subnet <network-ip> domain <domain>
set dhcp server subnet <network-ip> enable
set dhcp server enable
save config



config_system -t <file>     # Create a blank template file for editing
config_system -f <file>     # Load settings for first time configuration from file
config_system -s "install_security_gw=true&<etc>"  # Load settings via string instead of file (the whole string, including any passwords it carries, is visible in the process list and shell history)

-- CONFIGURATION FILE --
# INSTALLATION OF THE SOFTWARE
install_security_gw=<true|false>     # $TAG_GW - Install security gateway?
install_ppak=<true|false>        # $TAG_PPAK - Install Performance Pack?
gateway_daip=<true|false>        # DAIP - Dynamic IP? This should be false if ClusterXL is used or if this is a management server ($TAG_MGMT)
gateway_cluster_member=<true|false>    # ClusterXL - Enable ClusterXL?

# MANAGEMENT SERVER CONFIGURATIONS
install_security_managment=<true|false>        # $TAG_MGMT - Install management server?
install_mgmt_primary=<true|false>            # Optional Parameter - Primary Management Server? - Only this or the following can be true. Both cannot be true
install_mgmt_secondary=<true|false>            # Optional Parameter - Secondary Management Server? - Only this or the above can be true. Both cannot be true

# MDS PARAMETERS
install_mds_primary=<true|false>    # Primary MDS? - Only this or the following can be true. Both cannot be true
install_mds_secondary=<true|false>    # Secondary MDS? - Only this or the above can be true. Both cannot be true
install_mlm=<true|false>            # Install Multi-Customer Log Manager?
install_mds_interface=<interface>    # Define the MDS interface to use

# MANAGEMENT SERVER CONFIGURATIONS
mgmt_admin_name=<name>                # GUI Client Admin Name
mgmt_admin_passwd=<password>        # GUI Client Admin Password
mgmt_gui_clients_radio=<any|range|network|this>         # Choose "this" for a single IP address; "any" permits GUI client connections from any address, so prefer one of the restricted values
mgmt_gui_clients_first_ip_field=<ip>                # If "range" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_last_ip_field=<ip>                    # If "range" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_ip_field=<ip>                        # If "network" chosen for mgmt_gui_clients_radio
mgmt_gui_clients_subnet_field=<0-32>                # If "network" chosen for mgmt_gui_clients_radio (this is the CIDR)
mgmt_gui_clients_hostname=<ip>                        # If "this" chosen for mgmt_gui_clients_radio
ftw_sic_key=<key>                                     # SIC activation key (one-time password)

# OS LEVEL CONFIGURATION
admin_hash=<hash>                    # Optional Parameter - Set the admin password hash (can be grabbed from the firewall by running 'grep admin /etc/shadow | cut -d: -f2')
iface=<interface>                    # Optional Parameter - Management interface name
ipaddr_v4=<ipv4>                    # Management interface IP address (if this overrides the current IP, the current IP is kept as a secondary address so that we don't lose access. This IP will need to be deleted after configuration)
masklen_v4=<0-32>                    # Management interface netmask (CIDR)
default_gw_v4=<ipv4>
ipaddr_v6=<ipv6>                    # Management interface IPv6 address
masklen_v6=<ipv6>                    # Management interface IPv6 subnet
default_gw_v6=<ipv6>
hostname=<name>                        # Optional Parameter - Device Hostname
timezone='<ETC/GMT-5/etc>'            # Optional Parameter - Set the timezone
domainname=<example.com>            # Optional Parameter
ntp_primary=<ip>                    # Optional Parameter
ntp_primary_version=<version>        # Optional Parameter
ntp_secondary=<ip>                    # Optional Parameter
ntp_secondary_version=<version>        # Optional Parameter
primary=<ip>                        # Optional Parameter - DNS Server IP
secondary=<ip>                        # Optional Parameter - DNS Server IP
tertiary=<ip>                        # Optional Parameter - DNS Server IP

Notes:

  • Add --dry-run to test configuration settings before implementation
  • A reboot will be required to complete the configuration
  • The configuration file holds cleartext credentials (mgmt_admin_passwd, admin_hash, ftw_sic_key); restrict its permissions and remove it once the configuration has been applied



clish -s -c "set selfpasswd oldpass <oldpass> newpass <newpass>"

Or, to keep the passwords out of the shell history and process list, use the interactive menu

clish
set selfpasswd


clish -c 'show version all'            !! View the current OS and Product version
clish -s -c 'set edition default <32|64>-bit'           !! Modify the version - 64-bit will only show if the device has enough memory to support it



!! CONFIGURE PHYSICAL INTERFACE
set interface <interface> ipv4-address <ip> mask-length <cidr>
set interface <interface> state <on|off> auto-negotiation <on|off> link-speed <10M/half|10M/full|100M/half|100M/full|1000M/full>

!! CONFIGURE VLAN
add interface <physical-interface> vlan <vlan-id>
set interface <physical-interface.vlan> ipv4-address <ip> mask-length <cidr>

!! DELETE INTERFACES
delete interface <interface> ipv4-address            !! Delete IP from interface
delete interface <interface> vlan <vlan-id>            !! Delete VLAN interface

Notes:

  • All performed via clish. DON'T FORGET TO SAVE (save config)


cd /var/tmp; /bin/./asset; cat /var/tmp/outfile; rm /var/tmp/outfile

Notes:

  • This command displays CPU, hard disk, memory, serial numbers, and chassis serial numbers (for some models), then deletes the temporary output file
  • This likely will be replaced with 'show asset hardware' or a similar command within clish or iclid in the future



clish -s -c 'add host name <hostname|domain> ipv4-address <ip>'

Notes:

  • Do NOT directly edit the /etc/hosts file


There are two primary methods for resetting the admin password. Both require a reboot of the device, and downtime if the device is not part of a cluster. Both also require physical access to the appliance (boot media and console), which is why that access should be controlled and a reset recorded as a change.

Method 1: Use emergendisk. This method requires a second device of the same chassis model, running Gaia, that you still have access to, plus a USB disk.

  1. Insert a USB drive into the device that we do have access to
  2. Run the command 'emergendisk' to create the USB recovery disk
  3. After completion, plug the USB disk into the device that requires a password reset and reboot the device
  4. During reboot, a "Press any key" option will appear on screen. Press any key to enter the emergendisk menu
  5. Select the option that states 'Reset Admin Password'. This is usually the second option
  6. You should receive the following once the reset is complete. On some devices this message (or an error message) may not appear; wait 1-2 minutes after boot to ensure the script has finished.

    Admin password successfully reset
    Please remove disk or any other media and press enter to restart

  7. Remove the USB drive and reboot. The username/password should now be admin/admin. If not, you may need to follow Method 2.

Method 2: Use a live CD or live USB disk. This method requires a live CD, such as Ubuntu, to boot from.

  1. Boot from the live CD or USB disk
  2. On some distros (Ubuntu, for example), the system will automatically mount the Check Point partitions; in Ubuntu they appear under /media/ubuntu/. Run the following against each mount point to identify the correct one. Note it down, as it is required in the next steps.

    ls -lh /media/ubuntu/<UUID>/config/db/initial_db

    If the partitions are not mounted, you will need to locate the correct partition and mount it someplace. Below is an example:

    sudo mount /dev/sda1 /mnt/checkpoint

  3. Once you have located the correct partition, run the following to chroot into the Check Point root filesystem

    sudo chroot <mount-point>        Example: sudo chroot /media/Ubuntu/2cbbf000-blah

  4. Modify the sqlite database

    sqlite3 /config/db/initial_db

  5. Locate the current admin password hash by running the following. The last line is the current password hash.

    SELECT * from revisions WHERE binding="passwd:admin:passwd";

  6. Run the following to change the password to 'admin'. Replace '<old-pw-hash>' with the last hash from step 5.

    UPDATE revisions SET value="$1$zIVyrIdj$1LBW7Pg6XOcXYIgFPTppY." WHERE binding="passwd:admin:passwd" AND VALUE='<old-pw-hash>';

  7. Exit sqlite3

    .exit

  8. Reboot the device and log in with admin/admin. Make sure to change the password via clish immediately after logging in, as admin/admin is a well-known default



dbget :appliance_configuration:value:/model/name        !! Appliance model name from the Gaia configuration database
