Isomorphic Evolves: Unattended Install & Config of Check Point Firewalls

Deploying firewalls takes a lot of patience, communication, and coordination from all parties, especially when it's being done remotely. This blog post discusses an option to help this process.

Deploying Check Point firewalls is a common task for the Operations team at Hurricane Labs. Whether it is a customer with a fresh installation, a new acquisition at a remote location, or a replacement for an existing solution, it all begins with installing and configuring the operating system. You can imagine this takes a lot of patience from all parties involved, as communication, coordination, and the overall conditions have to be practically immaculate for a deployment to succeed. Fortunately, we have discovered an option that eases this process.

Remote Configuration Support Can Be A Challenge

Every situation is unique, but in providing support for globally operating organizations we are often approaching this remotely. This results in two general methods:

  1. Configuring the firewall in person and shipping it to the location
  2. Working with an individual at the remote location to configure it

While running through our gamut of configuration commands, which is second nature for most of us here, it can certainly be confusing for our remote contact of varying technical ability. Understanding this, we prefer to create a remote session so we can do the configuration. However, doing so relies on several conditions:

  • A stable Internet connection (which may not even exist yet)
  • A console cable and the appropriate adapters
  • Knowledge of PuTTY, or similar software

Time to Take Advantage of the Latest Version of Isomorphic

We were thus excited to see a new unattended install option when launching the latest version of Check Point’s Isomorphic tool. This software is used to create a bootable USB drive for your desired version of Check Point.

Until now, you would still need to choose an output method (VGA, serial, etc.) and then configure the OS manually once the install completed. With the Unattended Installation option, not only will the installation begin and complete automatically, it will also configure an interface of your choice in the process. The only “hands-on” needed is to plug in the USB drive and power the firewall on.

The first thing to do, if you haven't already, will be to download the latest version of Isomorphic from Check Point.

As mentioned, you will now see a new “Installation type” drop-down menu where you can select “Unattended installation.” You will select the desired Check Point ISO file and destination drive as usual, and then click the Configure button. In this window, you will have the opportunity to provide the details for the interface you want to configure. You’ll also notice an option to import or export a configuration file. Beneath the user-friendly GUI, the values you enter will ultimately create an XML file that the installation will use to configure the interface. Once created, you can export it and send it to another administrator to import and build the drive.

To build a configuration, you’ll start with the “Add…” option, which will present you with a configuration window asking for the interface name, IP address, subnet mask, and default gateway; all the vital information needed to bring up an interface.

Note that the interface name will need to match what the OS will read it as, such as eth1. You’ll also notice radio buttons for “default,” or the option to define a Management MAC address. You can only configure one interface per appliance, but you can put multiple appliance configurations on the same USB drive. The appropriate configuration in this situation is determined using the Mgmt interface MAC address.

Let's Look at a Case Where This Option Could Benefit You

Imagine a scenario in which you’ve acquired a company in China and want to deploy a Check Point firewall cluster. Local administrators at this location used a local vendor for the Check Point appliances and already have them at the facility. Previously, you would have had to work with the local administrators to gain access to the appliances in some fashion, install the desired version of Check Point, and then configure the operating system.

Instead, you can utilize the unattended installation option in Isomorphic to create a bootable USB drive that will install the right software version and configure the external interface so you can reach the appliances remotely. Rather than building two USB drives (one for each member of the cluster), you add an interface configuration for each member to the same drive and designate the Mgmt interface MAC address for each (for appliances this should also be the certificate key of the license).

When the USB drive is attached to the appliance with a MAC address ending in :00, for instance, it will apply the interface configuration defined for that address. When it is attached to the appliance with a MAC address ending in :01, it will apply the interface configuration defined for that address.

Note: if you only have one appliance to configure, you can use the “default” option which is the configuration that will be used if no MAC is defined, or no MAC matches.
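The MAC-matching and default-fallback behaviour described above is the part of the workflow most worth sanity-checking before a drive is shipped, since a typo in a MAC or a gateway outside the interface's subnet only shows up once the appliance has booted in another country. The following Python script is an added example, not Hurricane Labs' or Check Point's code: it parses a constructed configuration file in an assumed XML layout (the element and attribute names are an assumption; Isomorphic's real export schema is not reproduced here), validates each interface block, and selects the block an appliance with a given Mgmt MAC would receive, falling back to the default entry when no MAC matches.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration. The element and attribute names are an
# assumption for this example; they are not Isomorphic's actual export schema.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<unattended>
  <appliance mac="default">
    <interface name="eth1" ip="192.0.2.10" mask="255.255.255.0" gateway="192.0.2.1"/>
  </appliance>
  <appliance mac="00:1C:7F:AA:BB:00">
    <interface name="eth1" ip="198.51.100.11" mask="255.255.255.0" gateway="198.51.100.1"/>
  </appliance>
  <appliance mac="00:1C:7F:AA:BB:01">
    <interface name="eth1" ip="198.51.100.12" mask="255.255.255.0" gateway="198.51.100.1"/>
  </appliance>
</unattended>
"""


def normalize_mac(mac):
    """Canonicalise a MAC as lower-case colon-separated octets, so that
    00-1C-7F-AA-BB-00, 001c7faabb00 and 00:1c:7f:aa:bb:00 all compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_interface(iface):
    """Return a list of problems with one interface block (empty list means OK)."""
    problems = []
    if not iface["name"] or any(ch.isspace() for ch in iface["name"]):
        problems.append("interface name is missing or contains whitespace")
    try:
        net = ipaddress.IPv4Network(f"{iface['ip']}/{iface['mask']}", strict=False)
        ip = ipaddress.IPv4Address(iface["ip"])
        gw = ipaddress.IPv4Address(iface["gateway"])
    except ValueError as exc:
        return problems + [f"bad address or mask: {exc}"]
    if ip in (net.network_address, net.broadcast_address):
        problems.append("interface address is the network or broadcast address")
    if gw not in net:
        problems.append("default gateway is not inside the interface's subnet")
    elif gw == ip:
        problems.append("default gateway equals the interface address")
    return problems


def parse_config(xml_text):
    """Parse the file into {normalised-mac-or-'default': interface dict},
    rejecting duplicate entries and blocks that fail validation."""
    root = ET.fromstring(xml_text)
    configs = {}
    for app in root.findall("appliance"):
        key = app.get("mac", "default")
        key = "default" if key.lower() == "default" else normalize_mac(key)
        if key in configs:
            raise ValueError(f"duplicate appliance entry for {key}")
        el = app.find("interface")
        if el is None:
            raise ValueError(f"appliance {key} has no interface block")
        iface = {attr: el.get(attr, "") for attr in ("name", "ip", "mask", "gateway")}
        problems = validate_interface(iface)
        if problems:
            raise ValueError(f"appliance {key}: " + "; ".join(problems))
        configs[key] = iface
    return configs


def select_config(configs, appliance_mac):
    """Pick the block whose MAC matches the appliance's Mgmt MAC, otherwise the
    default block. Returns None when neither exists (no match and no default)."""
    key = normalize_mac(appliance_mac)
    return configs.get(key) or configs.get("default")


if __name__ == "__main__":
    cfgs = parse_config(SAMPLE_CONFIG_XML)
    # Two cluster members plus an unknown MAC that should land on the default.
    for mac in ("00-1c-7f-aa-bb-00", "001C7FAABB01", "aa:aa:aa:aa:aa:aa"):
        chosen = select_config(cfgs, mac)
        print(mac, "->", chosen["name"], chosen["ip"])
```

Run it against an exported configuration (after adapting the element names to the real file) before the drive leaves the building; a validation failure here is far cheaper than a second shipment.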

You then ship this USB drive (or if you’re in a time crunch, send the software and exported configuration to the local administrators to build the USB drive locally). Once the USB drive is attached and the firewall is turned on, it will install the software and configure the interface.

In our example, let’s say eth1 will be the external interface and therefore the interface we configured in Isomorphic. Local administrators connect eth1 to the Internet service device and once the configuration is complete you are able to reach the firewall remotely via the address you configured, and finish the configuration.

Looking Forward to Utilizing this Check Point Feature Now and in the Future

You may have noticed that we specify Check Point appliances in our example. Unfortunately, unattended installation will not work with open servers or virtual machines. Additionally, Gaia is the only operating system supported; SecurePlatform or IPSO will not work. Finally, the last deal breaker may be that only Gaia R77.20 and above are supported.

Fortunately, these are scenarios that we encounter regularly, and this is something we will be using extensively in the future. We hope that you will also be able to take advantage of the unattended install feature.