2.1.1 Check Point

We always recommend that a system administrator defer to the vendor’s official documentation on credential creation. Please follow the vendor’s instructions for configuring the device for access with an SSH key, and then use the Indeni WebGUI to store the private key in the relevant Credential Profile.

In order for Indeni to run its full set of discovery and interrogation scripts, a /bin/bash user with a role of administrator needs to be used to connect to your device. It is highly recommended that a unique Indeni user is created for auditing and security purposes.


Creating User on GAiA WebUI Portal

  1. Log in to the Check Point WebUI.
  2. Go to User Management → Users → Add
  3. Fill in the required information. It is important to set the Shell to /bin/bash and set the role to adminRole.

Creating Users via CLI

  1. Log in to the Check Point device using SSH
  2. Make sure you are in Clish. If you have the shell set to /bin/bash, run the command clish
  3. Add the user (in the example we are using the username indeni):
    add user indeni uid 0 homedir /home/indeni
  4. Set the password for the user:
    set user indeni password
    New password: [xxxx]
    Verify new password: [xxxx]
  5. Type the following to add the access role adminRole:
    add rba user indeni roles adminRole
  6. Type the following to set the shell to /bin/bash:
    set user indeni shell /bin/bash

Creating Chassis Users

Chassis users can only be created via the CLI. Follow this procedure to create the user:

  1. Log in to the Check Point device using SSH
  2. Make sure you are in Clish. If you have the shell set to /bin/bash, run the command clish
  3. Add the user (in the example we are using the username indeni):
    add user indeni uid 0 homedir /home/indeni
  4. Set the password for the user:
    set user indeni password
    New password: [xxxx]
    Verify new password: [xxxx]
  5. Type the following to set the shell to /bin/bash:
    set user indeni shell /bin/bash

How to add CheckPoint chassis to Indeni

Monitoring of a chassis by Indeni is done through the Unique IP Address For Chassis (UIPC). To check which unique IP the chassis has configured, the firewall administrator should run the following command on a chassis device:

show chassis id <chassis_id> general unique_ip

where <chassis_id> could be:

  • 1
  • 2
  • all

If the chassis UIPC is not configured, the official documentation must be followed:

R76SP.50:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115735

R80.20SP:
https://sc1.checkpoint.com/documents/R80.20SP/WebAdminGuides/EN/CP_R80.20SP_AdminGuide/html_frameset.htm?topic=documents/R80.20SP/WebAdminGuides/EN/CP_R80.20SP_AdminGuide/211530

Creating Maestro MHO and Security Group Users

Users on Maestro MHO devices can be created following the procedures previously described as valid for any other GAiA device:

  • Creating User on GAiA WebUI Portal
  • Creating Users via CLI

In the case of Security Groups the procedure is the same, but to connect to a Security Group the management IP of the Security Group must be used, over HTTPS or SSH depending on the method chosen.

How to add CheckPoint Maestro appliances to Indeni

Maestro deployments are composed of two types of appliances: Maestro Hyperscale Orchestrators (MHO from here on) and Gateways. Gateways are grouped into logical units called Security Groups, each of which works as an independent cluster of gateways.

For Indeni to monitor these properly, the MHO(s) and Security Group(s) should be added as devices.
In both cases the management IP address is used to monitor the devices.

MHO

SSH connections to the management IP address must be allowed.

If the MHO is clustered, both devices will be monitored automatically under the added MHO.

Security Group

The management IP address is defined when the Security Group is created in SmartConsole.

To check the management IPs defined for Security Groups, the firewall administrator should run the following CLI command on the MHO:

show maestro security-group id <Security Group ID>

where <Security Group ID> could be:

  • 1
  • 2

If you are unable to connect to the Security Group, please check:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk164372

Creating via GAiA Embedded

  1. Login to the webUI
  2. Go to Users & Objects → Administrators → New
  3. Fill in the username and password and click Apply
  4. Log in with the user using SSH and type the command expert, followed by the command “bashUser on”.

Connect using public/private SSH Keys

The SSH key is stored within the Indeni application and not in the typical Linux OS location. Therefore, device keys will need to be entered individually into the WebUI, which can be done by performing the following:

  1. Log into the remote device
  2. Make a note of which user Indeni will connect with. This will be needed later. In our example below the username will be “indeni”
  3. To create a public/private key pair, type the following:
    ssh-keygen -t rsa -b 4096 -f indeni-ssh -N ""
  4. Create a folder called “.ssh” in the home folder of the user which Indeni will use, by typing the following:
    mkdir /home/indeni/.ssh
  5. Move the public key to the .ssh folder, and rename it to authorized_keys and set the correct permissions by typing the following:
    mv indeni-ssh.pub /home/indeni/.ssh/authorized_keys
    chmod 700 /home/indeni/.ssh
    chmod 600 /home/indeni/.ssh/authorized_keys

    OPTIONAL: For increased security, perform the following to render the password for the “indeni” account useless, allowing only the SSH key to log in:
    dbset passwd:indeni:passwd "*"
    dbset :save

  6. Get the output the private key by typing the following:
    cat indeni-ssh

    OUTPUT EXAMPLE
    -----BEGIN RSA PRIVATE KEY-----
    MIIJJQIBAAKCAgEAp5UbPfn36Y1NIqbvJLPWvd128IfZ1FH5gt/E=……
    -----END RSA PRIVATE KEY-----

  7. When adding the device into Indeni, select “SSH Key” and input the entire content of the key output, including the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines.

Frequently Asked Questions


I’ve set up the user as described, but I cannot add the device

The most common issue is that the configured user has the incorrect shell and/or the incorrect permissions. Make sure that the shell is set to /bin/bash, the role is adminRole, the correct password is set and the UID is ‘0’ (zero). To verify this, run the following Clish commands:
show user <username>
show rba user <username>
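The following POSIX shell functions are an added check, not part of the Indeni documentation: run from bash on the device they confirm that the user meets the FAQ requirements readable from /etc/passwd (UID 0, shell /bin/bash) and that the .ssh permissions from step 5 of the SSH key procedure are in place. The passwd file and home directory are parameters so the checks can also be exercised against constructed data; the adminRole assignment lives in the RBA database and still has to be verified in Clish.

```shell
#!/bin/sh
# Added example (not Indeni's code): verify an Indeni service account on a
# GAiA box, or on any Linux host for testing. The adminRole assignment is not
# in /etc/passwd, so it still has to be checked with "show rba user <username>".

# check_passwd_entry USER [PASSWD_FILE]
# Returns 0 when USER exists with uid 0 and login shell /bin/bash, 1 otherwise.
check_passwd_entry() {
    user="$1"
    passwd_file="${2:-/etc/passwd}"
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "FAIL: no passwd entry for '$user'"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    status=0
    if [ "$uid" != "0" ]; then
        echo "FAIL: '$user' has uid $uid, expected 0"
        status=1
    fi
    if [ "$shell" != "/bin/bash" ]; then
        echo "FAIL: '$user' has shell '$shell', expected /bin/bash"
        status=1
    fi
    return "$status"
}

# check_ssh_perms HOME_DIR
# Returns 0 when HOME_DIR/.ssh is mode 700 and HOME_DIR/.ssh/authorized_keys is
# mode 600, as set in step 5 (sshd StrictModes refuses keys in paths writable
# by group or others, so looser modes also break key login).
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    keys="$ssh_dir/authorized_keys"
    [ -d "$ssh_dir" ] || { echo "FAIL: $ssh_dir does not exist"; return 1; }
    [ -f "$keys" ]    || { echo "FAIL: $keys does not exist"; return 1; }
    dir_mode=$(stat -c '%a' "$ssh_dir")   # GNU/busybox stat (Linux, GAiA)
    key_mode=$(stat -c '%a' "$keys")
    status=0
    [ "$dir_mode" = "700" ] || { echo "FAIL: $ssh_dir is $dir_mode, expected 700"; status=1; }
    [ "$key_mode" = "600" ] || { echo "FAIL: $keys is $key_mode, expected 600"; status=1; }
    return "$status"
}

# On the device (user "indeni" from the examples above):
#   check_passwd_entry indeni && check_ssh_perms /home/indeni && echo OK
```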