How to run the First Time Configuration Wizard through CLI in Gaia R75.40 / R75.40VS / R75.45 / R75.46 / R75.47
Solution

Check Point Security Gateway and Check Point Security Management require running the First Time Configuration Wizard in order to be configured correctly. The First Time Configuration Wizard is available in Gaia Portal and also through CLI.

To invoke the First Time Configuration Wizard through CLI, run the config_system command from the Expert shell.

  1. Run:
    [Expert@HostName]# config_system -t <file_name>

    This creates a template file that lists every configurable parameter with a description and an empty (or default) value.

  2. Open the file you created with a text editor and fill the appropriate fields.

  3. Run:
    [Expert@HostName]# config_system -f <file_name>

    This runs the First Time Configuration Wizard with the values provided in the file.

After config_system completes, reboot the machine to finish the configuration. The system is then ready.


Table of Contents:

  • Abstract
  • Purpose of 'config_system'
  • Usage
  • Run stages
  • How to create a configuration file or a configuration string
  • How to run first time configuration from the command line
  • Example of a configuration file for a StandAlone machine
  • Related solutions

 

Abstract

The interactive First Time Configuration Wizard is completed through a Web interface. Many customers with a large installed base of devices use automation tools for "first time" device configuration over a serial or remote terminal connection, mostly for the products themselves, since the OS can easily be configured through the Gaia "CLISH" shell.

To meet these customers' requirements, the 'config_system' utility was developed. It is a Bash shell script, /bin/config_system.

Important Note: The 'config_system' utility is not intended for ongoing system configuration.

 

Purpose of 'config_system'

The main purpose of the 'config_system' utility is to provide an easy and convenient command line interface to complete the system's First Time configuration during system deployment. The 'config_system' utility is not interactive and is not intended to replace the interactive configuration tools (like the 'sysconfig' utility that is used in SecurePlatform OS).

 

Usage

[Expert@HostName]# config_system --help

Usage: config_system <options> 
where config_system options include:
   -f|--config-file <path>      Read First Time Wizard configuration from <path>.
   -s|--config-string <string>  Read First Time Wizard configuration from string.
   -t|--create-template <path>  Write First Time Wizard configuration template file in <path>.
   --dry-run                    Verify that First Time Wizard configuration file is valid.
   -l|--list-params             List configurable parameters.

If both configuration file and string were provided, the configuration
string will be ignored.
The configuration string should consist of parameters separated by '&'.
Each parameter should include a key followed by a value, e.g., param1=value.
For the list of all configurable parameters and their descriptions,
create a configuration template file with config_system -t <path> .
[Expert@HostName]#

Important Notes:

  • After this script completes, the machine must be rebooted to complete the configuration.
  • This process does not work properly if config_system is started from an SSH session. Run it from a console session.

 

Run stages

The 'config_system' run consists of a few stages:

  1. Receive a configuration string or a configuration file from the user as input.
  2. Parse the input.
  3. Validate the input.
  4. For each parameter, call the relevant infrastructure (TCL scripts) that was developed for the Web version of the First Time Configuration Wizard.

 

Pay attention!

The 'config_system' utility does not install or configure the system directly. It calls the same infrastructure that was developed for the Web version of the First Time Configuration Wizard (FTW). Comparing the product configuration after a Web FTW run with the configuration after a 'config_system' run should show no difference, because both go through the same infrastructure.

For historical reasons, all logic was developed on the client side of the FTW and therefore had to be duplicated in 'config_system' as well. This can lead to inconsistencies if the logic is updated on the Web client side but not in 'config_system'.

 

How to create a configuration file or a configuration string

The easiest way to create an input file or a configuration string is to create a template file and fill in the relevant fields in this template according to the fields' description in the template.

In order to dump a template, run:

[Expert@HostName]# config_system --create-template template_file

Now, the user can edit the template_file. In order to check that the configuration file is valid, and all answers are correct, the user can perform a validation process.

The syntax below will allow you to read the configuration file and to perform the validation, while skipping the system configuration stage:

[Expert@HostName]# config_system --config-file template_file --dry-run

From a validated configuration file a configuration string can be created. The configuration string should consist of parameters separated by '&' character.
Each parameter should include a key followed by the value, e.g., param1=true&param2=true&param3=false&param4=deadbeef.

 

How to run first time configuration from the command line

Now, the system can be configured:

  • According to the configuration file:

    [Expert@HostName]# config_system --config-file template_file

  • or according to the configuration string:

    [Expert@HostName]# config_system --config-string "hostname=myhost&domainname=nnm.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=true&install_security_management=false"


Important Notes:

  • After this script completes, the machine must be rebooted to complete the configuration.
  • The configuration file and the configuration string carry the SIC one-time key and the management administrator password in cleartext. A string passed on the command line is also recorded in the Expert shell history and is visible in the process list while config_system runs. Prefer the file form, restrict the file's permissions, and delete it once the configuration has been applied.

 

Example of a configuration file for a StandAlone machine (Security Gateway and Security Management Server on the same machine)

#########################################################################
#                                                                       #
#                       Products configuration                          #
#                                                                       #
#    For keys below set "$TRUE"/"$FALSE" after '='  within the quotes   #
#########################################################################
 
# Install $TAG_GW.
install_security_gw=true
 
# Install $TAG_PPAK (aka Performance Pack).
install_ppak=true
 
# Enable DAIP (dynamic ip) gateway.
# Should be "$FALSE" if CXL or $TAG_MGMT enabled
gateway_daip="false"
 
# Enable/Disable CXL.
gateway_cluster_member=false
 
# Install $TAG_MGMT.
install_security_management=true
 
# Optional parameters, only one of the parameters below can be "true".
# If neither primary nor secondary is specified, a log server will be installed.
# Requires $TAG_MGMT to be installed.
install_mgmt_primary=true
install_mgmt_secondary=false
 
#########################################################################
#                                                                       #
#                       Products Parameters                             #
#                                                                       #
#               For keys below set value after '='                      #
#########################################################################
 
# Management administrator name
# Must be provided, if $TAG_MGMT installed
mgmt_admin_name=aa
 
# Management administrator password
# Must be provided, if $TAG_MGMT installed
mgmt_admin_passwd=aaaa
 
# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Must be provided if $TAG_MGMT installed
mgmt_gui_clients_radio=any
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of "network", provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
 
# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary $TAG_MGMT not installed
ftw_sic_key=
 
#########################################################################
#                                                                       #
#       Operating System configuration - optional section               #
#                                                                       #
#               For keys below set value after '='                      #
#########################################################################
 
# Password (hash) of user admin.
# To get hash of admin password from configured system:
#       dbget passwd:admin:passwd
# OR
#       grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in hash, enclose the hash string within the quotes.
#       e.g admin_hash='put_here_your_hash_string'
#
# Optional parameter
admin_hash='$1$NhTH9uHl$2DA3nYpEVxxpJ2hHLKY6c/'
 
# Interface name, optional parameter
iface=eth0
 
# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention: If you run the first time configuration remotely
# and change your IP in order to maintain the connection,
# the old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after the first time configuration
# process.
# Optional parameter, requires "iface" to be specified
ipaddr=192.168.100.
masklen=24
default_gw=192.168.100.254
 
# Host Name e.g host123, optional parameter
hostname=bisli
 
# Domain Name e.g. checkpoint.com, optional parameter
domainname=checkpoint.com
 
# Time Zone in format Area/Region (e.g America/New_York or Etc/GMT-5)
# Pay attention: the GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west to Greenwich)
# Enclose the time zone string within quotes.
# Optional parameter
timezone='Asia/Jerusalem'
 
# NTP servers
# NTP parameters are optional
ntp_primary=1.1.1.1
ntp_secondary=2.2.2.2
 
# DNS - IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=192.168.1.1
secondary=192.168.2.2
tertiary=3.3.3.3

Important Note: After this script completes, reboot the device to complete the configuration.
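The template comments above state several dependencies between parameters (DAIP versus ClusterXL or a local management, primary versus secondary management, credentials and GUI clients required when management is installed, the SIC key required when the machine is not the primary management, ipaddr requiring iface). The following script is an added example, not part of this article, of Gaia, or of config_system itself: it applies those rules to an answer file before you spend a reboot on `config_system --dry-run`, and converts the same file into the '&'-separated form accepted by `--config-string`. It assumes only the key names shown in the template; the sample answer file at the bottom is constructed for this example and mirrors the StandAlone file above. It does not replace `--dry-run`, which validates against the actual FTW infrastructure.

```shell
#!/bin/bash
# Added example (not from the SK article, not part of config_system).
# Pre-flight checker for a config_system answer file, applying the
# dependency rules written in the template comments, plus conversion of
# the file into the '&'-separated --config-string form.
# Key names are those of the template; the sample file below is constructed.

# Active "key=value" lines: comments, blank lines and keys left empty in
# the template are dropped.
ftw_params() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[^=]+=[[:space:]]*$'
}

# Value of one key with surrounding quotes removed; empty if unset.
ftw_get() {
    ftw_params "$1" | sed -n "s/^$2=//p" | head -n 1 | tr -d "'\""
}

# Check the rules. Every violation goes to stderr; returns 1 if any is found.
ftw_check() {
    local f="$1" errors=0 k v gw mgmt daip cxl prim sec
    fail() { echo "ERROR: $*" >&2; errors=$((errors + 1)); }
    gw=$(ftw_get "$f" install_security_gw)
    mgmt=$(ftw_get "$f" install_security_management)
    daip=$(ftw_get "$f" gateway_daip)
    cxl=$(ftw_get "$f" gateway_cluster_member)
    prim=$(ftw_get "$f" install_mgmt_primary)
    sec=$(ftw_get "$f" install_mgmt_secondary)

    # Product flags must be literally true or false (quotes already stripped)
    for k in install_security_gw install_ppak gateway_daip \
             gateway_cluster_member install_security_management \
             install_mgmt_primary install_mgmt_secondary; do
        v=$(ftw_get "$f" "$k")
        case $v in ''|true|false) ;; *) fail "$k must be true or false, got '$v'" ;; esac
    done
    if [ "$gw" != true ] && [ "$mgmt" != true ]; then
        fail "no product selected (install_security_gw / install_security_management)"
    fi
    # gateway_daip "Should be false if CXL or management enabled"
    if [ "$daip" = true ] && { [ "$cxl" = true ] || [ "$mgmt" = true ]; }; then
        fail "gateway_daip=true conflicts with gateway_cluster_member or a local management"
    fi
    # "only one of the parameters below can be true" / "Requires management"
    if [ "$prim" = true ] && [ "$sec" = true ]; then
        fail "install_mgmt_primary and install_mgmt_secondary are both true"
    fi
    if [ "$mgmt" != true ] && { [ "$prim" = true ] || [ "$sec" = true ]; }; then
        fail "install_mgmt_primary/secondary require install_security_management=true"
    fi
    # "Must be provided, if management installed"
    if [ "$mgmt" = true ]; then
        for k in mgmt_admin_name mgmt_admin_passwd mgmt_gui_clients_radio; do
            [ -n "$(ftw_get "$f" "$k")" ] || fail "$k is required when management is installed"
        done
        case $(ftw_get "$f" mgmt_gui_clients_radio) in
            range)   for k in mgmt_gui_clients_first_ip_field mgmt_gui_clients_last_ip_field; do
                         [ -n "$(ftw_get "$f" "$k")" ] || fail "$k is required for radio=range"; done ;;
            network) for k in mgmt_gui_clients_ip_field mgmt_gui_clients_subnet_field; do
                         [ -n "$(ftw_get "$f" "$k")" ] || fail "$k is required for radio=network"; done ;;
        esac
    fi
    # "Must be provided, if primary management not installed"
    if [ "$prim" != true ] && [ -z "$(ftw_get "$f" ftw_sic_key)" ]; then
        fail "ftw_sic_key is required when this machine is not the primary management"
    fi
    # ipaddr/masklen/default_gw "requires iface to be specified"
    if [ -n "$(ftw_get "$f" ipaddr)" ] && [ -z "$(ftw_get "$f" iface)" ]; then
        fail "ipaddr requires iface"
    fi
    [ "$errors" -eq 0 ]
}

# The same parameters as one '&'-separated string for --config-string.
ftw_string() {
    ftw_params "$1" | paste -s -d '&' -
}

# Constructed sample: a StandAlone answer file modelled on the one above.
ftw_sample_file() {
    cat <<'EOF'
# Products configuration (constructed sample)
install_security_gw=true
install_ppak=true
gateway_daip="false"
gateway_cluster_member=false
install_security_management=true
install_mgmt_primary=true
install_mgmt_secondary=false
mgmt_admin_name=aa
mgmt_admin_passwd=aaaa
mgmt_gui_clients_radio=any
mgmt_gui_clients_first_ip_field=
ftw_sic_key=
iface=eth0
ipaddr=192.168.100.1
masklen=24
default_gw=192.168.100.254
hostname=bisli
timezone='Asia/Jerusalem'
EOF
}

# Stand-alone run: check the sample, then print it as a configuration string.
tmp=$(mktemp)
ftw_sample_file > "$tmp"
ftw_check "$tmp" && ftw_string "$tmp"
rm -f "$tmp"
```

Run it against your own edited template (`ftw_check template_file && config_system --config-file template_file --dry-run`) so that local mistakes are caught before the wizard's own validation; the string printed by `ftw_string` contains the admin password and SIC key, so do not leave it in the shell history.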

 

This solution is about products that are no longer supported and it will not be updated
