Checkpoint Firewall Lab

We got a new Nokia Firewall and I tried to log in with the default username ‘admin’ and the default password ‘Password’; however, that did not work.
What comes next in this case is password recovery. Checkpoint has already imported the solution from Nokia Support; this is:

sk41239 – How do I change the admin password when it is lost or unknown?
As always, it is not as easy as documented; I ran into some problems and was not able to follow the official documentation.
Here is what I did.

1. I rebooted the device and followed the instructions:
100% of the system memory tested OK
Press ESC key twice to skip memory test
2,146,041,856 bytes of system memory tested OK
Starting bootmgr
Loading boot manager..
Boot manager loaded.
Entering autoboot mode. Type any character to enter command mode.
BOOTMGR[1]>
BOOTMGR[2]> **boot -s**
…
Nov 11 08:36:48 init: /etc/spwd.db: No such file or directory
Enter pathname of shell or RETURN for sh:
.: Can't open /opt/uf/SurfControl/scripts/envset
# **/etc/overpw**
This program is used to set a temporary admin password when you have lost the configured password.
You must have booted the machine into single user mode to run it.
The configured password will be changed.
Please change the temporary password as soon as you log on to your system through voyager.
Please enter password for user admin: **– Password complexity is not checked!**
Please re-enter password for confirmation: **– Password complexity is not checked!**
Continue? [n] **y**
…
Admin password changed. You may enter ^D to continue booting.
THIS IS A TEMPORARY PASSWORD CHANGE. PLEASE USE VOYAGER TO CREATE A PERMENANT PASSWORD FOR THE USER ADMIN.
# **^D**
swapon: adding /dev/wd0b as swap device
…

IPSO (Nokia.com) (ttyd0)

This system is for authorized use only.

login: admin

2. I tried to change the password (I did not manage it as described in the SK):
Password:
Nokia[admin]# **dbpasswd admin newpassword ""**
Error: Password is not complex enough; try mixing more different kinds of characters (upper case, lower case, digits, and punctuation).
I tried to change and save the password from CLISH instead:
Nokia[admin]# **clish**
NokiaIP290:2> **set user admin newpass**
NokiaIP290:3> **save config**
NokiaIP290:4>
3. Quick test that the new password works:
Nokia[admin]# **reboot**
Nov 11 09:41:57 Nokia [LOG_CRIT] reboot: rebooted by admin
IPSO (Nokia.com) (ttyd0)
This system is for authorized use only.
login: **admin**
Password:
After the reboot I can log in :-)

Note that nothing in this procedure asked for a password: single-user mode from the boot manager drops straight into a root shell, so anyone with access to the serial console can do the same. Treat console access to the firewall as equivalent to admin access and protect it accordingly.

——————–

Factory Reset

Below is how to factory reset a Nokia IPSO. On IPSO, /config/active is a symbolic link to the active configuration file under /config/db, so removing it only unlinks that configuration and the initial configuration wizard runs at the next boot; the saved files in /config/db remain on disk, but copy the active file somewhere safe first if you may need it again.

Nokia[admin]# **ls**
bin     cdrom   dev     image   proc    tmp     var
bootmgr config  etc     opt     sbin    usr     web
Nokia[admin]# cd config
Nokia[admin]# **ls**
active  db
Nokia[admin]# rm active
Nokia[admin]# ls
db
Nokia[admin]# reboot

On reboot, select Bootmgr to start the wizard:

Verifying DMI Pool Data ……..

1   Bootmgr
2   IPSO
Default: 1

Starting bootmgr
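The same reset with a backup taken first, as an added example that is not part of the original page. It is an sh function, not an IPSO or Check Point tool: it copies the file /config/active points to, verifies the copy, keeps a copy of /config/db, and only then unlinks active. The config root is a parameter (an assumption made so the function can be rehearsed on a scratch directory; on a real box pass /config).

```shell
#!/bin/sh
# Added example, not from the original page: stage the IPSO factory reset
# shown above with a backup first. On IPSO, /config/active is a symbolic
# link to the current configuration file under /config/db, so "rm active"
# only unlinks it; the initial configuration wizard then runs on the next
# boot while the saved files in /config/db stay on disk.
# Assumption: the config root is passed as a parameter (/config on a real
# box) so the function can be rehearsed on a scratch directory.

ipso_stage_factory_reset() {
    cfg_root=$1      # e.g. /config
    backup_dir=$2    # off-box mount or scratch area for the backup copy
    active="$cfg_root/active"

    if [ ! -L "$active" ] && [ ! -f "$active" ]; then
        echo "no active configuration at $active (already reset?)" >&2
        return 1
    fi

    mkdir -p "$backup_dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)

    # Keep the name of the link target so the copy can be matched to its
    # entry in /config/db later; cp follows the link and copies the file.
    if [ -L "$active" ]; then
        target=$(basename "$(readlink "$active")")
    else
        target=active
    fi
    copy="$backup_dir/$stamp-$target"
    cp "$active" "$copy" || return 1

    # Refuse to delete anything the backup does not match byte for byte.
    cmp -s "$active" "$copy" || { echo "backup verify failed" >&2; return 1; }

    # rm does not touch the other saved configurations, but take a copy of
    # /config/db as well in case the box is re-imaged afterwards.
    cp -R "$cfg_root/db" "$backup_dir/$stamp-db" || return 1

    rm "$active" || return 1
    echo "$copy"    # print the backup path for the caller
}

# Usage on the gateway (hypothetical paths):
#   ipso_stage_factory_reset /config /var/tmp/cfgbackup && reboot
if [ $# -eq 2 ]; then
    ipso_stage_factory_reset "$1" "$2"
fi
```

Copy the backup directory off the box before rebooting; after the wizard runs, the new configuration is written under /config/db and the old one is only what you saved.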
——————–

https://www.cpug.org/forums/miscellaneous/1061-fw-unloadlocal.html

———————-

**How do I reset SIC?**

  • Go into the CLI of the firewall, type cpconfig and choose Secure Internal Communication. You will be prompted for an activation key. This is a one-time shared secret that you must enter again in SmartDashboard, so any value works as long as you type the same one on both sides; it is still worth using a random, non-trivial value, because it is what authenticates the gateway to the management server while the certificate is issued. Then exit cpconfig using option 10.

cpfw[admin]# cpconfig
This program will let you re-configure
your Check Point products configuration.
Configuration Options:
———————-
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  Group Permissions
(4)  PKCS#11 Token
(5)  Random Pool
(6)  Secure Internal Communication
(7)  Disable cluster membership for this gateway
(8)  Disable Check Point SecureXL
(9)  Automatic start of Check Point Products
(10) Exit

Enter your choice (1-10) : 6

  • In SmartDashboard, open the Check Point gateway object > General Properties > Communication.
  • Select "Reset".
  • Enter the activation key you previously entered in cpconfig.
  • Select "Initialize".
  • The Trust State should now say "Trust established".
  • Re-push the policy.

———————

Re-establishing SIC:
The following transcript shows the steps to re-establish SIC on a Checkpoint firewall from cpconfig (the option numbering differs between versions; here Secure Internal Communication is option 5). The activation key typed here must be entered again in SmartDashboard.

FirewallA[admin]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
———————-
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products

(8) Exit

Enter your choice (1-8) :5

Configuring Secure Internal Communication…

The Secure Internal Communication is used for authentication between
Check Point components

Trust State: Trust established

Would you like re-initialize communication? (y/n) [n] ? y

Note: The Secure Internal Communication will be reset now.
No communication will be possible until you reset and re-initialize the
communication properly!
Are you sure? (y/n) [n] ? y

Enter Activation Key: abc123

Again Activation Key: abc123

initial_module:
Compiled OK.

Hardening OS Security: Initial policy will be applied until the first
policy is installed

The Secure Internal Communication was successfully initialized

Configuration Options:
———————-
(1) Licenses
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Check Point High Availability/State Synchronization
(7) Automatic start of Check Point Products

(8) Exit

Enter your choice (1-8) :8

Thank You…

You have changed Check Point products Configuration.
You need to restart ALL Check Point modules (performing cpstop &
cpstart)
in order to activate the changes you have made.
Would you like to do now? (y/n) [y] ? y
VPN-1/FW-1 stopped

SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation stopped
initial_module:
Compiled OK.

Hardening OS Security: Initial policy will be applied
until the first policy is installed

cpstart: Start product – SVN Foundation

SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation started

cpstart: Start product – FireWall-1

FireWall-1: starting external VPN module — OK
FireWall-1: Starting VPN-1 Accelerator Card
VPN-1: The VPN Accelerator driver is not responding
VPN-1 Accelerator Card is not enabled
FireWall-1: Failed to start VPN-1 Accelerator Card
FireWall-1: Starting fwd

Installing Security Policy InitialPolicy on all.all@FirewallA
Fetching Security Policy from localhost succeeded

Fetching Security Policy From: 10.1.1.1

Fetch failed: Connection failed – SIC failure
Policy Fetch Failed
Failed to fetch policy from masters in masters file
FireWall-1 started

cpstart error: UserAuthority was not started, marked as not active.

cpstart error: FloodGate-1 was not started, marked as not active.

cpstart error: SmartView Monitor was not started, marked as not active.

cpridstop: cprid stopped

cpridstart: Starting cprid
[1] 21300
FirewallA[admin]#
FirewallA[admin]#

Also reset SIC on the firewall object in the Security Policy (SmartDashboard):

1. Double-click the firewall object in the policy.
2. Click Communication.
3. Click the Reset button.
4. Enter the activation key.
5. Enter the same activation key in Confirm Activation Key.
6. Click the Initialize button.
7. Click Test SIC Status.
8. Push the policy.

Verify the policy push on the firewall, for example with fw stat, which shows the name of the installed policy (it should no longer be InitialPolicy).
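Shell helpers for the gateway side of the SIC reset described in both SIC sections above, as an added example that is not part of the original page. They are not Check Point's own scripts. Assumptions: Check Point's cp_conf tool is on the PATH on the gateway (its "cp_conf sic init <key> [norestart]" and "cp_conf sic state" forms are used here in place of the interactive cpconfig menu the page shows), the script file is called sic_helper.sh (a hypothetical name), and the key it generates is the one you then type into the object's Communication dialog. The log classifier is run over lines constructed from the cpstart transcript above.

```shell
#!/bin/sh
# Added example, not from the original page: shell helpers for the SIC reset
# described in the SIC sections above. Assumptions: Check Point's cp_conf
# tool is on the PATH on the gateway ("cp_conf sic init <key> [norestart]"
# and "cp_conf sic state" are its non-interactive forms of cpconfig's Secure
# Internal Communication option); the same key is then typed into the
# gateway object's Communication dialog in SmartDashboard. The file name
# sic_helper.sh used in the comments is hypothetical.

# The activation key is the only secret authenticating the gateway to the
# management server while the ICA issues its certificate, so it should be
# random and used once rather than "anything": 10 bytes from /dev/urandom
# printed as 20 hex characters.
gen_activation_key() {
    od -An -tx1 -N 10 /dev/urandom | tr -d ' \n'
}

# Reset SIC on this gateway. "norestart" skips the cpstop/cpstart that the
# interactive cpconfig forces at exit; run cpstop and cpstart yourself once
# trust has been re-initialized from SmartDashboard.
sic_reset_gateway() {
    key=$1
    [ -n "$key" ] || { echo "usage: sic_reset_gateway <activation key>" >&2; return 2; }
    cp_conf sic init "$key" norestart
}

# Classify cpstart / policy fetch output read from stdin. The patterns are
# the lines from the cpstart transcript above: after SIC is reset on the
# gateway, only InitialPolicy loads and the fetch from the management server
# fails with "SIC failure" until the object is re-initialized and policy is
# pushed again.
classify_policy_fetch() {
    awk '
        /Fetch failed/ && /SIC failure/ { sicfail = 1 }
        /Policy Fetch Failed/           { fetchfail = 1 }
        END {
            if (sicfail)        print "sic-pending"
            else if (fetchfail) print "fetch-failed"
            else                print "no-fetch-error"
        }'
}

# Command-line entry points (hypothetical file name sic_helper.sh):
#   sh sic_helper.sh newkey            print a fresh activation key
#   sh sic_helper.sh reset             generate a key, print it, reset SIC
#   sh sic_helper.sh state             show the gateway's SIC state
#   cpstart 2>&1 | sh sic_helper.sh check
case "${1:-}" in
    newkey) gen_activation_key; echo ;;
    reset)  key=$(gen_activation_key)
            echo "activation key (enter this in SmartDashboard): $key"
            sic_reset_gateway "$key" ;;
    state)  cp_conf sic state ;;
    check)  classify_policy_fetch ;;
    *)      ;;
esac
```

When "check" prints sic-pending, the gateway is running only InitialPolicy (management traffic allowed, everything else dropped); finish the reset on the management side and push policy, then run the check again.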
