Check Point Configure LOM Remotely from GAiA.

tl;dr

  • Connect to the GAiA CLI in expert mode.
  • service ipmi start
  • ipmitool user list 0x1
  • ipmitool user set password 2 "Password01"
  • ipmitool lan print 8
  • ipmitool lan set 8 ipsrc static
  • ipmitool lan set 8 ipaddr 192.168.1.64
  • ipmitool lan set 8 netmask 255.255.255.0
  • ipmitool lan set 8 defgw ipaddr 192.168.1.254
  • service ipmi stop

System Setup:


Hardware:
Check Point 6200 Plus


Operating System:
R80.30

Introduction

Check Point hardware firewalls have, in some cases, a lights out management feature. This is similar to the Cisco CIMC, Dell iDRAC and HP iLO. If you are not familiar with this technology, I normally describe it as being a bit like a Raspberry Pi built into the back of the server. It's completely independent of the main hardware. You can then log into this Raspberry Pi remotely and do things like mount virtual DVDs into the server, monitor the health and console, and reboot the server. As the hardware is completely independent, you can even do this when the server is turned off, providing it still has power!

Check Point also have such a feature; they have been really creative with their naming and gone for “Lights Out Management” (LOM). In this guide I will talk you through how to configure it through the GAiA command line.

I normally recommend configuring this as soon as you deploy a new Check Point; you never know when you are going to need it! However, maybe you have inherited an environment and assumed your predecessor had configured it, and now you are working from home and have found this is not the case. Providing you can get someone else to go to site and cable the LOM port into a switch for you, you can then use this guide to configure the port remotely.

First we need to connect to the GAiA CLI in expert mode. If you are a bit confused at this point this guide might be a bit too much for you at the moment. Once in we can start the “Intelligent Platform Management Interface (IPMI)” service.

[Expert@hostname:0]# service ipmi start

After this we can look at what users we currently have configured. We can see on the output below admin is configured with an ID of “2”. I have put the important bit in bold to help it stand out.

[Expert@hostname:0]# ipmitool user list 0x1
ID  Name   Enabled  Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          true     false   false      true      ADMINISTRATOR
2   admin  true     false   false      true      ADMINISTRATOR

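We can now set the user's password using the following command. Note the “2” in the below command relates to the 2 in bold above. I’m sure I don’t need to tell you “Password01” is just to demonstrate the point and really shouldn’t be used in production! If you leave the password off the end of the command, ipmitool prompts for it instead, which keeps it out of your shell history.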

[Expert@hostname:0]# ipmitool user set password 2 "Password01"

Okay now we have control of the user account we can configure up the LOM port itself. To start off with we probably want to see what’s currently set, just in case we have to change it back! Note: You may need to change 8 to 1.

[Expert@hostname:0]# ipmitool lan print 8
OR
[Expert@hostname:0]# ipmitool lan print 1

Now we have that saved safely in notepad++ we can change the NIC to static and then configure the IP address, Network Mask and Default Gateway. Note: Depending on the command that worked in the last step you may need to change 8 to 1.

[Expert@hostname:0]# ipmitool lan set 8 ipsrc static
[Expert@hostname:0]# ipmitool lan set 8 ipaddr 192.168.1.64
[Expert@hostname:0]# ipmitool lan set 8 netmask 255.255.255.0
[Expert@hostname:0]# ipmitool lan set 8 defgw ipaddr 192.168.1.254
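
Before relying on the new address, it is worth confirming that the port really holds the values you just set. The script below is an added example, not part of the original guide: it parses the text that `ipmitool lan print` produces and compares it with the intended static settings. The function names and both sample captures are constructed for illustration.

```bash
#!/bin/sh
# Added example; both captures at the bottom are constructed samples.

# Print one field's value from `ipmitool lan print` output on stdin.
# The whole label must match, so "IP Address" skips "IP Address Source".
lan_field() {
    awk -v want="$1" '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == want) { print val; exit }
    }'
}

# verify_lan CAPTURE IP MASK GATEWAY
# Returns 0 only if the capture shows a static source with those values;
# otherwise prints one MISMATCH line per differing field and returns 1.
verify_lan() (
    rc=0
    while IFS='|' read -r label want; do
        got=$(printf '%s\n' "$1" | lan_field "$label")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $label: got '$got', want '$want'"
            rc=1
        fi
    done <<EOF
IP Address Source|Static Address
IP Address|$2
Subnet Mask|$3
Default Gateway IP|$4
EOF
    exit "$rc"
)

# Constructed sample: trimmed `ipmitool lan print 8` output after the change.
SAMPLE_AFTER='IP Address Source       : Static Address
IP Address              : 192.168.1.64
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 192.168.1.254'

# Constructed sample: the same port still on DHCP, before the change.
SAMPLE_BEFORE='IP Address Source       : DHCP Address
IP Address              : 0.0.0.0
Subnet Mask             : 0.0.0.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 0.0.0.0'

verify_lan "$SAMPLE_AFTER" 192.168.1.64 255.255.255.0 192.168.1.254 && echo "LOM settings match"
```

On the appliance, pass `"$(ipmitool lan print 8)"` as the first argument instead of the sample (or channel 1, whichever worked earlier).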

Providing we can now connect without issue we can stop the IPMI service.

[Expert@hostname:0]# service ipmi stop

Enjoy!
