Great! Thanks, I am gradually understanding why we need the Deployment Agent and what the CPUSE feature is. Also I would request you to please make a video for the same from CLI and how to upgrade the running Check Point box from an older to a newer version, and what all steps we should take in a production environment before upgrading the older version to a newer one, step by step via CLI, because I am a new driver and have already sat on the bus seat to drive it. Hope you understand the situation. Thanks again!
Thank you Girjesh, sure, my plan was to upgrade the gateways we installed to R80.40 so we get a more production-like upgrade where you need to check and verify a bit more. Then my plan is to do one member from the WebGUI and one from CLI. :)
To find NAT default gateway:
- click "Edit" in VMware Workstation
- then click "Virtual Network Editor"
- click on the VMnet that is NAT
- click "NAT settings"
- There you will see your Default Gateway
Thank you for the tip :)
Thanks Magnus, a very educational video!
Thanks :) and thanks for the instructions on how to find your way around in VMware, it is a black hole for me :D
Brilliant. Clear and coherent.
Thank you Rizwan.
Good luck with your own lab :)
Thanks Magnus, I have a lot to learn from your presentation :)
Thanks for sharing knowledge. It will be great if you give a CLI demonstration.
You're welcome, thank you for watching and commenting :)
Any specific things you are wondering about within CLI, or just a general overview?
Thanks for the free shared knowledge!!
You're welcome :)
You're the man, Magnus! Thanks for all the effort and time you've shared to make this content! I would suggest you create a Udemy course ;)
Thanks man :)
I actually find it relaxing and fun to go back to the basics, hopefully it's helpful for some people that are just starting out.
You are not the first one suggesting Udemy, but then I would need to think a lot more and actually structure it :D
I'm not sure how big of a market there is for Udemy, only seen 2 courses for Check Point there so far, and not aware of the quality of them.
As of now YouTube is fine and fun. Maybe in a few months we are at 1000 subs and then the channel can actually start to earn some small cash :)
@@MagnusHolmberg-NetSec I also searched but didn't find anything as comprehensive as yours. I can say that your contents are deserving to be on Udemy. :) Anyway, I think these RUclips videos can be uploaded on Udemy later.
By the way, I'll be doing a HotFix tomorrow on production and I used this video as a guide on doing it in my lab. It is really helpful! :) Thanks again!
Good luck!
Just a few tips, as this video is not really a production upgrade (I think I have a video for production upgrade).
But make sure that everything is good from the start, meaning: try to push the policy so you see that all works.
Do your prep work, meaning:
- check how you access the boxes,
- check that you have a local account if you are using something like TACACS.
- Save the current configuration.
- If it's an appliance you can always do a snapshot.
- Always upgrade the CPUSE agent to the latest.
- cpinfo -y all (verify that you don't have any specific hotfixes that are not official.)
- have some sort of a baseline, you can use cpview (history), top and free -m to get some sort of baseline.
- Start with upgrading the standby node. (verify with cphaprob state)
- run a ping or similar test together with watch cphaprob state on the other member to check all is OK :)
- to fail over the cluster you can use clusterXL_admin down/up or cpstop depending on your preference.
- verify that everything looks good.
- Start with the other member.
- Push policy and verify it with fw stat that it has been installed :)
Not sure if I forgot something, but if you are going from any R80.X with a new CPUSE agent for hotfixes I think you should be OK :)
Regards,
Magnus
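The checklist above, turned into a small pre-flight script. This is an added example, not code from the video or from Magnus's comment. It assumes the column layout of `cphaprob state` and `fw stat` shown in the constructed SAMPLE_* strings (that layout is an assumption, as is "InitialPolicy" meaning no real policy); on a Gaia member you would run it in expert mode and pipe the live command output into the functions instead of the samples.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for a ClusterXL member.
# On a real gateway: cphaprob state | local_state   (expert mode)
# Here constructed sample output is embedded so the script runs offline.

# Constructed `cphaprob state` output where the local member is STANDBY,
# i.e. the member that should be upgraded first.
SAMPLE_STATE_STANDBY='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1          192.168.1.1     100%            ACTIVE         CP-GW1
2 (local)  192.168.1.2     0%              STANDBY        CP-GW2

Active PNOTEs: None'

# Constructed output of the same command run on the ACTIVE member.
SAMPLE_STATE_ACTIVE='Cluster Mode:   High Availability (Active Up) with IGMP Membership

ID         Unique Address  Assigned Load   State          Name

1 (local)  192.168.1.1     100%            ACTIVE         CP-GW1
2          192.168.1.2     0%              STANDBY        CP-GW2

Active PNOTEs: None'

# Constructed `fw stat` output with policy "Standard" installed, and the
# same command after `fw unloadlocal` (no policy, shown as "-").
SAMPLE_FWSTAT_OK='HOST      POLICY   DATE
localhost Standard 12Feb2021 10:00:00 :  [>eth0] [<eth0] [>eth1] [<eth1]'
SAMPLE_FWSTAT_NONE='HOST      POLICY   DATE
localhost -        -          :'

# State of the member the command ran on (the row tagged "(local)").
local_state() {
    awk '/\(local\)/ { print $(NF-1) }'
}

# State of the other member (a numbered row without "(local)").
peer_state() {
    awk '/^[0-9]+ / && !/\(local\)/ { print $(NF-1) }'
}

# Problem notifications; "None" means the member reports no issue.
active_pnotes() {
    awk -F': *' '/^Active PNOTEs:/ { print $2 }'
}

# Returns 0 only if this member is STANDBY, the peer is ACTIVE and no pnote
# is active: upgrading here then causes no failover (the checklist's order).
safe_to_upgrade_local() {
    state_out="$1"
    [ "$(printf '%s\n' "$state_out" | local_state)" = "STANDBY" ] &&
    [ "$(printf '%s\n' "$state_out" | peer_state)" = "ACTIVE" ] &&
    [ "$(printf '%s\n' "$state_out" | active_pnotes)" = "None" ]
}

# Name of the installed policy from `fw stat`; empty if none is loaded
# ("-" after fw unloadlocal, or the initial policy before a first push).
installed_policy() {
    awk '$1 == "localhost" && $2 != "-" && $2 != "InitialPolicy" { print $2 }'
}

policy_installed() {
    [ -n "$(printf '%s\n' "$1" | installed_policy)" ]
}

# Stand-alone run against the constructed samples.
if safe_to_upgrade_local "$SAMPLE_STATE_STANDBY"; then
    echo "CP-GW2: standby and healthy, upgrade this member first"
fi
if ! safe_to_upgrade_local "$SAMPLE_STATE_ACTIVE"; then
    echo "CP-GW1: active, fail over (clusterXL_admin down) before upgrading"
fi
if policy_installed "$SAMPLE_FWSTAT_OK"; then
    echo "policy $(printf '%s\n' "$SAMPLE_FWSTAT_OK" | installed_policy) is installed"
fi
```

The same functions serve the last step of the checklist: after the push, feed `fw stat` to `policy_installed` on each member and only then move on to the second one.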
@@MagnusHolmberg-NetSec thanks for these reminders! Indeed helpful! 🙏😊
How did your upgrade go :) ?
Hello, I love your videos, they have helped me a lot. Please keep uploading more videos; if you could upload videos about Check Point Infinity and Harmony and how to install them, that would be great.
When you have a cluster do you need to apply updates in a specific order? Do you apply to secondary/backup node first?
You want to do the backup node first to limit the amount of failovers. Other than that it makes no difference.
Hi Mr Magnus. This is miles away and best so far. I cannot find your part 2 video of this whereby to install the second gateway. If there is really none, did you just actually clone the gateway1 VM?
Arnold Salvador thank you!
I did the second gateway the exact same way as the first one, but didn't feel like wasting 20 min of you guys' time. (This is part 3 of the lab.)
So in part 4 you see that there are two gateways, and it's first then that we attach them to the mgmt server.
@@MagnusHolmberg-NetSec Thank you so much for the prompt reply. Once again you are really helping me a lot. Your videos are the best and most comprehensive. More power to you!
Hi Magnus. I tell you that I am trying to replicate your laboratory, but I have a doubt. On your Windows 10, inside your VMware, how many "Network adapters" cards do you have? I understand that you have the VMnet6, to which you have assigned the segment 192.168.1.0/24, giving the W10 PC the IP .50, statically, correct? But I am seeing that in this video, when you install the GAIA .30, and create a route in the GAIA, you assign an IP to go to the internet which is 192.168.159.2; I would like to know if your W10 has only one network card, which is "VMnet6" or do you also have a network card like NAT, with that segment 159.0 / 24? I'm trying to imitate the videos as they are terrific, but some silly doubts keep me from moving forward. Basically I want to know if in the W10 PC I should only work with the VMnet6 and a static IP that would be .50 according to your topology. If you could share me an image of how you have configured the "Network" of your W10 in your VMware, that would be great. Thanks for your contributions. Hopefully you keep producing more content. :)
Check 4:30 in this video and you see all the NICs used for the lab :)
VMnet8 has the NAT (to the host) to give the gateways internet.
The Win10 host has 1 NIC, so all the traffic needs to pass the gateway to do anything. :)
@@MagnusHolmberg-NetSec Oh, gosh. I did not notice that part. Now everything makes sense. HAHA. You are brave. 😎🤓 Do you know if Check Point can be implemented in platforms like GNS3 or EVE-NG, to perform topologies?
@@ranghelsoto6516 should work in EVE-NG.
But I have never tried myself; in official training from Check Point, VMware Workstation is used.
Hello, I've set up the gateway with eth0 getting DHCP from my router and it got a lease, but I still can't ping my router's IP. I've set the default static route too, what am I missing?
Firewall is bypassed.
Checked the log for antispoofing?
If you check in CLI, do you get an ARP entry?
expert
arp -an
@@MagnusHolmberg-NetSec I do get an ARP entry; is it better to disable antispoofing for a first test?
@@dr.franxx if it's the external interface it's normally enough to set it to External :)
If you think it may be antispoofing, put it to detect and not prevent the traffic.
@@MagnusHolmberg-NetSec well, since there are so many misconfigs, I think I'm gonna wipe it and start from scratch. Thank you for the response.
@@dr.franxx hehe, sometimes that's what is needed, or at least a second pair of eyes on the config to see what is missed.
How can I fix the issue if I set the IP address of the Security Management at installation to 192.168.1.1 instead of 192.168.1.2?
My recommendation is just to reinstall it.
But you could change it in Gaia (cli)
Hi Magnus, do you have an idea why my GW-1 is not responding to ping from Win 10? All requirements fulfilled, both are on the same VMnet6 with the same IP range. I can reach the CP-MGT from Win 10 BUT I can't reach GW-1. Please advise on what I am missing. Thanks
If you check from the console on GW1, is that one able to ping the mgmt or anything else on the network? Does it get any ARP etc.?
This can be checked within expert mode with
arp -an
If you want to unload all sorts of policies from the firewall, if you think that's what's blocking it, you can do
fw unloadlocal
@@MagnusHolmberg-NetSec Thank you for replying to my message, I will revert shortly. All I have done is to replicate what you have in your lab, so I am surprised that it is not working.
@@MagnusHolmberg-NetSec I have tried the command "fw unloadlocal"; this is the error message: "Local host is not a Firewall-1 module". What do I do to correct this?
Please Magnus, I have been stuck with this lab for weeks, please, your urgent response is needed. I can't ping CP-MGT from CP-GW1, neither can I ping CP-GW1 from CP-MGT. I have tried fw unloadlocal, same thing. Also note I have not been able to connect to the web UI of the GW from the Win 10. Please advise on what I have been missing.
@@akintundeoloyede9735 then you need to troubleshoot your L2/L3 within VMware and your lab.
Meaning: check that you have actually configured the correct NIC and attached it to the right VMnet.
Either you do this by disconnecting interfaces in vmware and check status with ifconfig or /var/log/messages in CLI together with arp -an to see that you see the neighbours.
Or you reinstall the GW with one NIC only connecting to your mgmt network and then add additional nic after.
Good luck :)
Magnus, how do I upgrade a hotfix and a major version on an open server?
There is no difference if it's an appliance or open server or within VMware. Same process.
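The `arp -an` check suggested in this reply and in the earlier one about the gateway that gets no ping: as an added example (not from the video or the comments), a small helper that reads the ARP table and says whether the neighbour answered at L2 at all. It assumes the Linux `arp -an` line format shown in the constructed SAMPLE_ARP below, where `<incomplete>` means the gateway sent an ARP request and got no reply, which points at the VMware NIC/VMnet mapping rather than at the firewall policy. On the gateway you would run it in expert mode with `arp_status <ip> "$(arp -an)"`.

```shell
#!/bin/sh
# Added example: classify an ARP entry from `arp -an` output.
# Constructed sample as seen from CP-GW1: the mgmt server answered ARP,
# the Win10 host (.50) did not, and the NAT gateway on eth1 answered.
SAMPLE_ARP='? (192.168.1.2) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
? (192.168.159.2) at 00:50:56:dd:ee:ff [ether] on eth1'

# arp_status IP ARP_OUTPUT -> prints resolved | incomplete | absent
arp_status() {
    printf '%s\n' "$2" | awk -v ip="($1)" '
        $2 == ip && $4 == "<incomplete>" { print "incomplete"; found = 1; exit }
        $2 == ip                         { print "resolved";   found = 1; exit }
        END { if (!found) print "absent" }'
}

# Turn the status into the next troubleshooting step.
arp_diagnosis() {
    case "$(arp_status "$1" "$2")" in
        resolved)   echo "$1: L2 OK, look at policy / antispoofing logs next" ;;
        incomplete) echo "$1: no ARP reply, check NIC-to-VMnet mapping in VMware" ;;
        absent)     echo "$1: no ARP attempt yet, ping it first and re-check" ;;
    esac
}

# Stand-alone run against the constructed sample.
for ip in 192.168.1.2 192.168.1.50 192.168.1.99; do
    arp_diagnosis "$ip" "$SAMPLE_ARP"
done
```

An `incomplete` entry is the signal that the two VMs are not on the same VMnet (or the wrong interface is attached), which is the L2/L3 check described above; a `resolved` entry means the wire is fine and the problem is one layer up.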