Tuesday, January 8, 2019

Using the Script feature in Check Point R80

Scripting in Check Point R80 by John Ejaife

In our last blog, we showed you how to configure Check Pointfirewalls and Cisco ISE, so that Windows users in Active Directory could accessthe firewalls with different sets of permissions assigned to them via RADIUS. If you plan on adding more than one firewall to ISE, it can become tedious to manually configure each individual firewall with the required changes. In this blog, we will show you how to use the Script feature in Check Point R80’s Smart Console to apply changes to sets of firewalls that share common blocks of configuration.
In the diagram below, firewall R80-10-GW1 (at for the Miami office has already been configured and added as a RADIUS client of the Cisco ISE server (at We will show you how you can take the Radius and roles configuration from the command line of the Miami firewall and apply them to the second firewall, R80-10-GW2 (at for the Fort Lauderdale office, using the Check Point Smart Console GUI. *This article assumes that you have already added both firewalls to your Check Point management server; therefore this topic will not be covered. Please consult official vendor documentation for information regarding how to do this.*

Let’s start by connecting to the command line of the firewall in the Miami office, R80-10-GW1 ( via SSH.
Enter your username and password.

This firewall has been configured to use BASH as its shell. We’ll want to switch over to the CLISH shell to view the configuration. Type `clish` at the shell prompt.

Type `show configuration` to view the configuration.

This screenshot shows the end of the configuration.

Next, copy the contents of the putty session to the clipboard and paste them in a Notepad. Here we will be concerned with the RADIUS sections and the roles section.
First, let’s look at the Radius commands.

Take these commands below and copy them to another notepad file.

(You’ll want to replace the asterisks following the word secret, with a shared key (eg abc123) of your choosing that will be used between the Check Point gateway and the ISE Server)
set aaa tacacs-servers state off
add aaa radius-servers priority 1 host port 1812 secret ***** timeout 3
set aaa radius-servers super-user-uid 96

Next, you’ll want to look at the “role” commands and copy them to a text file.

add rba role checkpointAdmins domain-type System all-features
add rba role checkpointNoc domain-type System readwrite-features ext_netstat,ext_ping,ext_ping6,ext_top,ext_traceroute
add rba role checkpointNoc domain-type System readonly-features CloningGroup,CloningGroupManagement,aaa-servers,adv-vrrp,aggregate,arp,asset,backup,bgp,blades,bootp,certificate_authority,clock-date,cluster_ha,command,configuration,core-dump,cron,dhcp,dns,domainname,edition,expert,expert-password,expert-password-hash,export,fcd,firewall_management,format,ftw,group,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,iphelper,ipv6-state,lcd,license
add rba role checkpointNoc domain-type System readonly-features license_activation,logicalvolume,lom,management_interface,message,mgmt-gui-clients,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routemap,sam,sceduled_backup,scratchpad,selfpasswd,show-route-all,smart-console,snapshot,snmp,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,tacacs_enable,upgrade,user,version
add rba role checkpointNoc domain-type System readonly-features virtual-system,vpnt,vrrp,vsx,web

Next, we’ll want to open up SmartConsole and connect to the management server at

Navigate to Gateways and Servers on the top left hand corner of the window.
You will see the server, gw-28e800, which is the management server, and the two firewalls, R80-10-GW1, which is the original firewall from which we will copy parts of the configuration from, as well as the other firewall R80-10-GW2, which we will copy parts of the configuration to.
At this point, we’ll want to click the Scripts menu option in the top of the page. 

Next, navigate to the scripts repository.

Notice the pre-existing scripts that come with the management server by default.

We’ll want to click on thebutton to create a new script. Let’s start with a script for the RADIUS portion of the configuration. Let’s call it R80-RADIUS-Script.

If the default login shell for the Check Point firewall is clish, we can paste the contents of the RADIUS portion of the config, as is, into the Content text box.

In the event that someone else is logged in, or a previous login session has not expired, you’ll want to add the line `lock database override` to the top of the script. At the end of the script, you’ll want to add the line `save config`. In the box, the script will look like this:

Now, if the admin shell in the firewall is BASH, instead of CLISH, you’ll need to encapsulate each individual line in the config with clish -c ' ' , so the first line will look like
clish -c 'lock database override'
The second line will look like
clish -c 'add aaa radius-servers priority 1 host port 1812 secret abc123 timeout 3'
The the third line will look like this
clish -c 'set aaa radius-servers default-shell /bin/bash'
The fourth line will look like
clish -c 'set aaa radius-servers super-user-uid 96'
…and so forth, until the end of the script. The script box in Smart Console will look like this:

Click the OK button.
Now you’ll see your script, “R80-RADIUS-Script,” in the Script Repository.

Click the Close button.
Now, right-click the R80-10-GW2 firewall, and navigate to Scripts > Scripts Repository.

Click on the R80-RADIUS-Script.
Then click the button that looks like a scroll:
In the pop-up window, click the “Run” button.

Look on the bottom left to verify that the script ran properly.

To verify that the commands were added to the config, lets connect to the firewall via SSH and look at the  configuration, by first typing ‘clish’ and then enter, and then typing ‘show configuration.’ As you can see, the lines have been added.

Now, in Smart Console, we will want to create a second script for for the roles we created in the first blog, to add to the second firewall to allow multiple Windows users to log onto it with different permission levels.
Navigate to the Scripts Repository again

Click thebutton create a new script. Lets call it R80-Add-Roles

Now, copy the lines of configuration pertaining to adding Check Point Roles from R80-10-GW1, and paste them into the Script Content box. Remember to add the “lock database override” at the beginning of the script and “save config” at the end of the script, so the output looks like this.

Now, again, if the admin shell on the Check Point firewall is bash, your script will want to look like this:

Then click “OK” and click “Close.”
Now, right click the R80-10-GW2 gateway and navigate to the Scripts > Scripts Repository again

Click on the R80-Add-Role Script

Then click the scroll button above, again  and click “Run” in the window that pops up.

Then, look to see that the script was applied successfully to the firewall.

If you connect to the firewall, you can see that the commands were added to the config, by typing “clish”, and then “show configuration.”

Now, all that is left to allow Windows users to log on is to add it as a device in ISE.
Open up IE and browse to your ISE server (in our instance, it is

Navigate to Administration > Network Resources > Network Devices

Click the “Add” Button 

In our case, we’ll call our Ft. Lauderdale firewall R80-10-GW2, give it an IP address of, set the Device Profile to CheckPoint-Firewalls, and Set the Device Type to CheckPoint-DeviceType.

Then we’ll check the Radius authentication settings check box and enter the shared secret.

Then click the Submit Button

Now, you should be able to connect to the firewall via the GUI or SSH with your Windows login, as in the previous blog entry.