Tuesday, January 8, 2019

Using the Script feature in Check Point R80

Scripting in Check Point R80 by John Ejaife


In our last blog, we showed you how to configure Check Point firewalls and Cisco ISE so that Windows users in Active Directory could access the firewalls with different sets of permissions assigned to them via RADIUS. If you plan on adding more than one firewall to ISE, manually configuring each firewall with the required changes becomes tedious. In this blog, we will show you how to use the Script feature in Check Point R80's SmartConsole to apply changes to sets of firewalls that share common blocks of configuration.
In the diagram below, firewall R80-10-GW1 (at 192.168.133.11) for the Miami office has already been configured and added as a RADIUS client of the Cisco ISE server (at 192.168.133.220). We will show you how to take the RADIUS and roles configuration from the command line of the Miami firewall and apply it to the second firewall, R80-10-GW2 (at 192.168.133.12) for the Fort Lauderdale office, using the Check Point SmartConsole GUI. *This article assumes that you have already added both firewalls to your Check Point management server; that topic will not be covered here. Please consult official vendor documentation for information on how to do this.*




Let’s start by connecting to the command line of the firewall in the Miami office, R80-10-GW1 (192.168.133.11) via SSH.
Enter your username and password.

This firewall has been configured to use BASH as its shell. We’ll want to switch over to the CLISH shell to view the configuration. Type `clish` at the shell prompt.

Type `show configuration` to view the configuration.


This screenshot shows the end of the configuration.

Next, copy the contents of the PuTTY session to the clipboard and paste them into Notepad. We are only concerned with the RADIUS sections and the roles section.
First, let’s look at the Radius commands.



Take these commands below and copy them to another notepad file.



(`show configuration` prints the RADIUS shared secret masked as asterisks. Replace the asterisks following the word secret with the shared key of your choosing (e.g. abc123) that will be used between the Check Point gateway and the ISE server; it must match the secret you enter in ISE for this device later.)
set aaa tacacs-servers state off
add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret ***** timeout 3
set aaa radius-servers super-user-uid 96

Next, you’ll want to look at the “role” commands and copy them to a text file.


add rba role checkpointAdmins domain-type System all-features
add rba role checkpointNoc domain-type System readwrite-features ext_netstat,ext_ping,ext_ping6,ext_top,ext_traceroute
add rba role checkpointNoc domain-type System readonly-features CloningGroup,CloningGroupManagement,aaa-servers,adv-vrrp,aggregate,arp,asset,backup,bgp,blades,bootp,certificate_authority,clock-date,cluster_ha,command,configuration,core-dump,cron,dhcp,dns,domainname,edition,expert,expert-password,expert-password-hash,export,fcd,firewall_management,format,ftw,group,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,iphelper,ipv6-state,lcd,license
add rba role checkpointNoc domain-type System readonly-features license_activation,logicalvolume,lom,management_interface,message,mgmt-gui-clients,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routemap,sam,sceduled_backup,scratchpad,selfpasswd,show-route-all,smart-console,snapshot,snmp,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,tacacs_enable,upgrade,user,version
add rba role checkpointNoc domain-type System readonly-features virtual-system,vpnt,vrrp,vsx,web


Next, we’ll want to open up SmartConsole and connect to the management server at 192.168.133.10


Navigate to Gateways and Servers on the top left hand corner of the window.
You will see the server gw-28e800, which is the management server, and the two firewalls: R80-10-GW1, the original firewall from which we will copy parts of the configuration, and R80-10-GW2, the firewall to which we will copy them.
At this point, we’ll want to click the Scripts menu option in the top of the page. 

Next, navigate to the scripts repository.

Notice the pre-existing scripts that come with the management server by default.


We'll want to click the button to create a new script. Let's start with a script for the RADIUS portion of the configuration and call it R80-RADIUS-Script.



If the default login shell for the Check Point firewall is CLISH, we can paste the RADIUS portion of the config, as is, into the Content text box.



In the event that someone else is logged in, or a previous login session has not expired, the configuration database will be locked and every `add` and `set` command in the script will fail, so you'll want to add the line `lock database override` to the top of the script. At the end of the script, add the line `save config`; without it the changes live only in the running configuration and are lost on the next reboot. In the box, the script will look like this:



Now, if the admin shell on the firewall is bash instead of CLISH, the script runs under bash, which does not understand CLISH commands, so you'll need to wrap each individual line of the config in `clish -c '...'`. The first line will look like
clish -c 'lock database override'
The second line will look like
clish -c 'add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret abc123 timeout 3'
The third line will look like this
clish -c 'set aaa radius-servers default-shell /bin/bash'
The fourth line will look like
clish -c 'set aaa radius-servers super-user-uid 96'
…and so forth, until the end of the script, finishing with `clish -c 'save config'`. The script box in SmartConsole will look like this:
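The wrapping described above is mechanical, so here is a small POSIX shell helper that does it. This is an added example, not part of the original post and not a Check Point tool: it reads the CLISH block copied from `show configuration`, prepends `lock database override`, appends `save config`, and emits one `clish -c '...'` line per command, escaping any single quote inside a command so bash does not cut the line short. The sample RADIUS block and the secret abc123 are the article's own values; the assumption that `clish -c` exits non-zero on a rejected command (which is what `set -e` in the generated script relies on) is mine.

```shell
#!/bin/sh
# Added example, not from the original post or a Check Point tool: convert a
# block of Gaia CLISH commands into a script that works when the admin's
# shell on the gateway is bash, by running each command through clish -c.

# Constructed sample: the RADIUS block copied from R80-10-GW1's
# "show configuration", with the masked secret replaced by the article's
# placeholder key abc123.
RADIUS_CONFIG='add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret abc123 timeout 3
set aaa radius-servers default-shell /bin/bash
set aaa radius-servers super-user-uid 96'

# wrap_clish: CLISH commands on stdin -> bash script on stdout.
#  - prepends "lock database override" and appends "save config", as the
#    CLISH version of the script does;
#  - drops blank lines and comment lines;
#  - escapes any single quote in a command as '\'' so the clish -c '...'
#    argument stays one shell word;
#  - starts the output with "set -e" so the first rejected command stops the
#    script (assumption: clish -c exits non-zero on a CLINFR error).
wrap_clish() {
    printf '%s\n' '#!/bin/bash' 'set -e'
    {
        printf '%s\n' 'lock database override'
        cat
        printf '%s\n' 'save config'
    } | sed -e '/^[[:space:]]*$/d' \
            -e '/^[[:space:]]*#/d' \
            -e "s/'/'\\\\''/g" \
            -e "s/.*/clish -c '&'/"
}

# Demo: ./wrap_clish.sh --demo prints the bash form of R80-RADIUS-Script.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$RADIUS_CONFIG" | wrap_clish
fi
```

Pipe any saved CLISH block into `wrap_clish` and paste the output into the Script Content box; the same helper produces the bash form of the roles script later on.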



Click the OK button.
Now you’ll see your script, “R80-RADIUS-Script,” in the Script Repository.


Click the Close button.
Now, right-click the R80-10-GW2 firewall, and navigate to Scripts > Scripts Repository.


Click on the R80-RADIUS-Script.
Then click the button that looks like a scroll:
In the pop-up window, click the “Run” button.



Look on the bottom left to verify that the script ran properly.




To verify that the commands were added to the config, let's connect to the firewall via SSH, type `clish` and press Enter, and then type `show configuration`. As you can see, the lines have been added.



Now, in SmartConsole, we will create a second script for the roles we created in the first blog, to add to the second firewall so that multiple Windows users can log onto it with different permission levels.
Navigate to the Scripts Repository again






Click the button to create a new script. Let's call it R80-Add-Roles.




Now, copy the lines of configuration pertaining to adding Check Point Roles from R80-10-GW1, and paste them into the Script Content box. Remember to add the “lock database override” at the beginning of the script and “save config” at the end of the script, so the output looks like this.



Now, again, if the admin shell on the Check Point firewall is bash, your script will want to look like this:



Then click “OK” and click “Close.”
Now, right click the R80-10-GW2 gateway and navigate to the Scripts > Scripts Repository again


Click on the R80-Add-Roles script.



Then click the scroll button above again and click "Run" in the window that pops up.



Then, look to see that the script was applied successfully to the firewall.




If you connect to the firewall, type `clish` and then `show configuration`, you can see that the role commands were added to the config.
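Reading through `show configuration` by eye works for a handful of lines; with many gateways it is easier to diff. The following POSIX shell check is an added example (not from the original post) covering the verification step for both the RADIUS script and the roles script: it compares a captured `show configuration` against the lines each script was supposed to add and prints whatever is missing. The configuration sample is constructed for the example and shortened. One caveat it handles: Gaia prints the RADIUS shared secret as asterisks, so the expected line has to be masked the same way before comparing, otherwise the RADIUS server line always looks missing.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the commands pushed
# by a SmartConsole script are present in a gateway's "show configuration".
# Feed the captured show configuration output on stdin and the expected
# commands as the first argument; every expected line that is missing is
# printed, so empty output means the script landed completely.

# Constructed sample of "show configuration" on R80-10-GW2 after the scripts
# ran, shortened, with the default-shell line deliberately left out to show a
# miss. Gaia prints the RADIUS secret as asterisks.
SAMPLE_SHOW_CONFIG='set hostname R80-10-GW2
add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret ***** timeout 3
set aaa radius-servers super-user-uid 96
add rba role checkpointAdmins domain-type System all-features
add rba role checkpointNoc domain-type System readwrite-features ext_netstat,ext_ping,ext_ping6,ext_top,ext_traceroute'

# The lines R80-RADIUS-Script and R80-Add-Roles were meant to add (the roles
# list is cut down to two lines for the example).
EXPECTED='add aaa radius-servers priority 1 host 192.168.133.220 port 1812 secret abc123 timeout 3
set aaa radius-servers default-shell /bin/bash
set aaa radius-servers super-user-uid 96
add rba role checkpointAdmins domain-type System all-features
add rba role checkpointNoc domain-type System readwrite-features ext_netstat,ext_ping,ext_ping6,ext_top,ext_traceroute'

# mask_secret: rewrite "secret <anything>" as "secret *****" so a line that
# carries the real key compares equal to the masked line Gaia prints.
mask_secret() {
    sed 's/\(secret \)[^ ]*/\1*****/'
}

# missing_lines EXPECTED < show-configuration-output
missing_lines() {
    actual=$(mask_secret)          # whole show configuration, secrets masked
    printf '%s\n' "$1" | mask_secret | while IFS= read -r want; do
        [ -n "$want" ] || continue
        # -F fixed string, -x whole line, -q quiet: exact match or nothing
        printf '%s\n' "$actual" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Demo: ./check_config.sh --demo reports what the sample gateway still lacks.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SHOW_CONFIG" | missing_lines "$EXPECTED"
fi
```

On the gateway itself, `clish -c 'show configuration' | missing_lines "$EXPECTED"` does the check live; anything printed is a line the script did not apply (or that Gaia reordered or merged, which is worth a look either way).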



Now, all that is left to allow Windows users to log on is to add the new firewall as a network device in ISE.
Open up IE and browse to your ISE server (in our instance, it is https://192.168.133.220/admin/login.jsp)


Navigate to Administration > Network Resources > Network Devices



Click the “Add” Button 

In our case, we'll call our Ft. Lauderdale firewall R80-10-GW2, give it an IP address of 192.168.133.12, set the Device Profile to CheckPoint-Firewalls, and set the Device Type to CheckPoint-DeviceType.



Then we'll check the RADIUS Authentication Settings check box and enter the shared secret (the same key we put after the word secret in the script).



Then click the Submit button.




Now, you should be able to connect to the firewall via the GUI or SSH with your Windows login, as in the previous blog entry.