Wednesday, March 13, 2019

Implementing BGP in Check Point R80, from the Command Line



There may be situations where you elect to run BGP on your Check Point enterprise edge firewall. This can be configured via Check Point’s WebUI. However, there may come a time when you don’t have access to a readily available browser but still have console or SSH access to the firewall. This article will explain how to implement BGP from the Check Point command line (using CLISH commands) to peer with an ISP router (a Cisco router, in this instance).
Our Check Point edge firewall will peer with the ISP1 router, which will in turn peer with the ISP2 router. The Check Point firewall will be configured with Autonomous System (AS) 40152, the ISP1 router with AS 10007, and the ISP2 router with AS 20008, as outlined in the diagram below. It is assumed that all interfaces have been preconfigured.



The Interfaces on each network node are configured as follows:
Check_Point_Edge_Firewall eth0: 80.102.37.49/24
ISP1_Router G0/0: 80.102.37.50/24
ISP1_Router G0/1: 54.3.9.17/29
ISP2_Router G0/0: 54.3.9.18/29
ISP2_Lo1: 3.3.3.3/32


The first thing we will want to do on the Check Point firewall is verify what routes have been learned. We do this by typing the command `show route`.



As you can see from the command’s output, below, there is a static default route sending all traffic to the Check Point’s neighbor at 80.102.37.50. We will want to remove this route eventually, but not right away.

Let’s configure BGP on the ISP1 Router, first.

Next, let’s configure BGP on the ISP2 Router.

As you can see from the output above, a BGP neighborship has formed between the ISP1 router and the ISP2 router.
Now, let’s check the routes learned via BGP on the ISP1 router by typing `sh ip route bgp`.


As you can see, the ISP1 router has learned about the 3.3.3.3/32 network from its ISP2 neighbor at 54.3.9.18. Let’s see if we can ping 3.3.3.3.


As you can see, the ISP1 router has learned about the 3.3.3.3/32 network from ISP2 and can ping it, as well.

Now, let’s configure the Check Point edge firewall. First, let’s remove the static default route. (In a production environment, you would want to save this step until after you have confirmed that BGP is working.) Removing the static default route is accomplished with the following command: `set static-route default nexthop gateway address 80.102.37.50 off`
Let’s perform this on the edge firewall.


Now, let’s check the routes on the Check Point firewall again by typing `show route`.


As you can see, the static default route is now gone. Now, let’s add the following Check Point CLISH commands to configure BGP:

```text
set as 40152
set bgp external remote-as 10007 on
set bgp external remote-as 10007 description IS
set bgp external remote-as 10007 local-address 80.102.37.49 on
set bgp external remote-as 10007 peer 80.102.37.50 on
set bgp external remote-as 10007 peer 80.102.37.50 log-state-transitions on
set bgp external remote-as 10007 peer 80.102.37.50 log-warnings on
```


Now, let’s verify that the BGP neighborship is up by typing `show bgp peers`, as below:


As you can see, the BGP session is established. Now, let’s verify if we’re seeing the BGP learned routes, by typing `show route`.


It seems as though we’re not seeing them here, since the route table only shows two connected routes. However, if we type `show route all` we’ll see the additional routes.


As you can see, the routes to 3.3.3.3/32 and 54.3.9.16/29 are there, but they are hidden. If we try to ping 3.3.3.3, as below, we are unable to. We’ll rectify this shortly.



To unhide the routes in the routing table, we must allow them to be imported using a route map, with the following commands:

```text
set bgp external remote-as 10007 import-routemap "ISP-bgp" preference 1 on
set routemap ISP-bgp id 1 on
set routemap ISP-bgp id 1 allow
set routemap ISP-bgp id 1 match as 10007 on
set routemap ISP-bgp id 1 match neighbor 80.102.37.50 on
```

Let’s add these commands:





Now, let’s verify that the BGP learned routes are no longer hidden from the routing table by typing `show route`.



Now, let’s confirm that we can ping the loopback interface of the ISP2 router by typing `ping 3.3.3.3` on the Check Point firewall.



As you can see, the 3.3.3.3/32 network is reachable from the Check Point edge firewall via BGP.
As always, you’ll want to save your configuration with the `save config` command.


If you need help setting up Check Point firewalls at your organization, contact sales@spikefishsolutions.com

Tuesday, January 8, 2019

Using the Script feature in Check Point R80

Scripting in Check Point R80 by John Ejaife


In our last blog, we showed you how to configure Check Point firewalls and Cisco ISE so that Windows users in Active Directory could access the firewalls with different sets of permissions assigned to them via RADIUS. If you plan on adding more than one firewall to ISE, it can become tedious to manually configure each individual firewall with the required changes. In this blog, we will show you how to use the Script feature in Check Point R80’s Smart Console to apply changes to sets of firewalls that share common blocks of configuration.
In the diagram below, firewall R80-10-GW1 (at 192.168.133.11) for the Miami office has already been configured and added as a RADIUS client of the Cisco ISE server (at 192.168.133.220). We will show you how you can take the Radius and roles configuration from the command line of the Miami firewall and apply them to the second firewall, R80-10-GW2 (at 192.168.133.12) for the Fort Lauderdale office, using the Check Point Smart Console GUI. *This article assumes that you have already added both firewalls to your Check Point management server; therefore this topic will not be covered. Please consult official vendor documentation for information regarding how to do this.*




Let’s start by connecting to the command line of the firewall in the Miami office, R80-10-GW1 (192.168.133.11) via SSH.
Enter your username and password.

This firewall has been configured to use BASH as its shell. We’ll want to switch over to the CLISH shell to view the configuration. Type `clish` at the shell prompt.

Type `show configuration` to view the configuration.


This screenshot shows the end of the configuration.

Next, copy the contents of the PuTTY session to the clipboard and paste them into Notepad. Here we will be concerned with the RADIUS sections and the roles section.
First, let’s look at the Radius commands.



Take these commands below and copy them to another notepad file.



(You’ll want to replace the asterisks following the word secret with a shared key of your choosing, e.g. abc123, which will be used between the Check Point gateway and the ISE server.)

```text
set aaa tacacs-servers state off
add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret ***** timeout 3
set aaa radius-servers super-user-uid 96
```

Next, you’ll want to look at the “role” commands and copy them to a text file.


```text
add rba role checkpointAdmins domain-type System all-features
add rba role checkpointNoc domain-type System readwrite-features ext_netstat,ext_ping,ext_ping6,ext_top,ext_traceroute
add rba role checkpointNoc domain-type System readonly-features CloningGroup,CloningGroupManagement,aaa-servers,adv-vrrp,aggregate,arp,asset,backup,bgp,blades,bootp,certificate_authority,clock-date,cluster_ha,command,configuration,core-dump,cron,dhcp,dns,domainname,edition,expert,expert-password,expert-password-hash,export,fcd,firewall_management,format,ftw,group,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,iphelper,ipv6-state,lcd,license
add rba role checkpointNoc domain-type System readonly-features license_activation,logicalvolume,lom,management_interface,message,mgmt-gui-clients,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routemap,sam,sceduled_backup,scratchpad,selfpasswd,show-route-all,smart-console,snapshot,snmp,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,tacacs_enable,upgrade,user,version
add rba role checkpointNoc domain-type System readonly-features virtual-system,vpnt,vrrp,vsx,web
```


Next, we’ll want to open up SmartConsole and connect to the management server at 192.168.133.10


Navigate to Gateways and Servers on the top left hand corner of the window.
You will see the server gw-28e800, which is the management server, and the two firewalls: R80-10-GW1, the original firewall from which we will copy parts of the configuration, and R80-10-GW2, the firewall to which we will copy them.
At this point, we’ll want to click the Scripts menu option at the top of the page.

Next, navigate to the scripts repository.

Notice the pre-existing scripts that come with the management server by default.


We’ll want to click on the button to create a new script. Let’s start with a script for the RADIUS portion of the configuration. Let’s call it R80-RADIUS-Script.



If the default login shell for the Check Point firewall is clish, we can paste the contents of the RADIUS portion of the config, as is, into the Content text box.



In the event that someone else is logged in, or a previous login session has not expired, you’ll want to add the line `lock database override` to the top of the script. At the end of the script, you’ll want to add the line `save config`. In the box, the script will look like this:



Now, if the admin shell on the firewall is BASH instead of CLISH, you’ll need to wrap each individual line of the config in `clish -c '…'`, so the first line will look like
`clish -c 'lock database override'`
The second line will look like
`clish -c 'add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret abc123 timeout 3'`
The third line will look like
`clish -c 'set aaa radius-servers default-shell /bin/bash'`
The fourth line will look like
`clish -c 'set aaa radius-servers super-user-uid 96'`
…and so forth, until the end of the script. The script box in Smart Console will look like this:
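As an added example (not code from the original posts), the POSIX shell script below generates the BASH-shell form of a SmartConsole script described above, using the BGP peering commands from the March post as its sample input. It goes slightly beyond the post: it also drops carriage returns left by a Notepad paste and escapes single quotes inside a command so `clish -c '…'` stays intact. The function names `wrap_clish` and `bgp_script` and the apostrophe sample in the test are my own constructions.

```shell
#!/bin/sh
# Added example: convert a block of Gaia CLISH commands into a SmartConsole
# script that also runs when the gateway's admin shell is BASH.
# Every line is wrapped in clish -c '...', "lock database override" is
# prepended and "save config" appended, as the post describes.

wrap_clish() {
    printf "clish -c 'lock database override'\n"
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip a carriage return left over from a Windows/Notepad paste
        line=$(printf '%s' "$line" | tr -d '\r')
        # Skip blank lines so no empty clish -c '' is emitted
        [ -n "$line" ] || continue
        # Escape single quotes: ' becomes '\'' so the shell keeps them
        escaped=$(printf '%s' "$line" | sed "s/'/'\\\\''/g")
        printf "clish -c '%s'\n" "$escaped"
    done
    printf "clish -c 'save config'\n"
}

# Sample input: the BGP peering and route-map commands from the March post
# (AS 40152 peering with the ISP1 router at 80.102.37.50).
bgp_script() {
    printf '%s\n' \
        'set as 40152' \
        'set bgp external remote-as 10007 on' \
        'set bgp external remote-as 10007 local-address 80.102.37.49 on' \
        'set bgp external remote-as 10007 peer 80.102.37.50 on' \
        'set bgp external remote-as 10007 import-routemap "ISP-bgp" preference 1 on' \
        'set routemap ISP-bgp id 1 on' \
        'set routemap ISP-bgp id 1 allow' \
        'set routemap ISP-bgp id 1 match as 10007 on' \
        'set routemap ISP-bgp id 1 match neighbor 80.102.37.50 on' | wrap_clish
}

# Print the generated script; paste the output into the Script Content box.
bgp_script
```

Pipe any other CLISH excerpt into `wrap_clish` (for example the RADIUS or role commands above) to produce the same form for those blocks.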



Click the OK button.
Now you’ll see your script, “R80-RADIUS-Script,” in the Script Repository.


Click the Close button.
Now, right-click the R80-10-GW2 firewall, and navigate to Scripts > Scripts Repository.


Click on the R80-RADIUS-Script.
Then click the button that looks like a scroll:
In the pop-up window, click the “Run” button.



Look on the bottom left to verify that the script ran properly.




To verify that the commands were added to the config, let’s connect to the firewall via SSH and look at the configuration by first typing `clish` and pressing Enter, and then typing `show configuration`. As you can see, the lines have been added.



Now, in Smart Console, we will want to create a second script for the roles we created in the first blog, to add to the second firewall and allow multiple Windows users to log onto it with different permission levels.
Navigate to the Scripts Repository again.






Click the button to create a new script. Let’s call it R80-Add-Roles.




Now, copy the lines of configuration pertaining to adding Check Point Roles from R80-10-GW1, and paste them into the Script Content box. Remember to add the “lock database override” at the beginning of the script and “save config” at the end of the script, so the output looks like this.



Now, again, if the admin shell on the Check Point firewall is bash, your script will want to look like this:



Then click “OK” and click “Close.”
Now, right-click the R80-10-GW2 gateway and navigate to Scripts > Scripts Repository again.


Click on the R80-Add-Roles script.



Then click the scroll button above again and click “Run” in the window that pops up.



Then, look to see that the script was applied successfully to the firewall.




If you connect to the firewall, you can see that the commands were added to the config, by typing “clish”, and then “show configuration.”



Now, all that is left to allow Windows users to log on is to add it as a device in ISE.
Open up IE and browse to your ISE server (in our instance, it is https://192.168.133.220/admin/login.jsp)


Navigate to Administration > Network Resources > Network Devices



Click the “Add” button.

In our case, we’ll call our Ft. Lauderdale firewall R80-10-GW2, give it an IP address of 192.168.133.12, set the Device Profile to CheckPoint-Firewalls, and set the Device Type to CheckPoint-DeviceType.



Then we’ll check the Radius authentication settings check box and enter the shared secret.



Then click the Submit button.




Now, you should be able to connect to the firewall via the GUI or SSH with your Windows login, as in the previous blog entry.