Configuring Gaia for the First Time

After you install Gaia for the first time, use the First Time Configuration Wizard to configure the system and the Check Point products on it.

Running the First Time Configuration Wizard in Gaia Portal

To start the Gaia First Time Configuration Wizard:

Step	Instructions
1	Connect a computer to the Gaia computer. You must connect to the interface you configured during the Gaia installation (for example, eth0).
2	On your connected computer, configure a static IPv4 address in the same subnet as the IPv4 address you configured during the Gaia installation.
3	On your connected computer, in a web browser, connect to the IPv4 address you configured during the Gaia installation: `https://<`IPv4_Address_of_Gaia`>`
4	Enter the default username and password: `admin` and `admin`.
5	Click Login. The Check Point First Time Configuration Wizard opens.
6	Follow the instructions on the First Time Configuration Wizard windows. See the applicable chapters below for installing specific Check Point products.

Below you can find the description of the First Time Configuration Wizard windows and their fields.

Deployment Options window:

In this window, you select how to deploy Gaia Operating System.

Section	Options	Description
Setup	Continue with R80.20 configuration	Use this option to configure the installed Gaia and Check Point products.
Install	Install from Check Point Cloud Install from USB device	Use these options to install a Gaia version.
Recovery	Import existing snapshot	Use this option to import an existing Gaia snapshot.

Section

Options

Description

Setup

Continue with R80.20 configuration

Use this option to configure the installed Gaia and Check Point products.

Install

Install from Check Point Cloud

Install from USB device

Use these options to install a Gaia version.

Recovery

Import existing snapshot

Use this option to import an existing Gaia snapshot.

If in the Deployment Options window, you selected Install from Check Point Cloud, the First Time Configuration Wizard asks you to configure the connection to Check Point Cloud. These options appear (applies only to Check Point appliances that you configured as a Security Gateway):

Install major version - This option let you choose and install major versions available on Check Point Cloud. The Gaia CPUSE performs the installation.
Pull appliance configuration - This option lets you to apply initial deployment configuration including different OS version on the appliance. You must prepare the initial deployment configuration with the Zero Touch Cloud Service. For more information, see sk116375.

Management Connection window:

In this window, you select and configure the main Gaia Management Interface. You connect to this IP address to open the Gaia Portal or CLI session.

Field	Description
Interface	By default, First Time Configuration Wizard selects the interface you configured during the Gaia installation (for example, eth0). Note - After you complete the First Time Configuration Wizard and reboot, you can select another interface as the main Gaia Management Interface and configure its IP settings.
Configure IPv4	Select how the Gaia Management Interface gets its IPv4 address: Manually - You configure the IPv4 settings in the next fields. Off - None.
IPv4 address	Enter the desired IPv4 address.
Subnet mask	Enter the applicable IPv4 subnet mask.
Default Gateway	Enter the IPv4 address of the applicable default gateway.
Configure IPv6	Select how the Gaia Management Interface gets its IPv6 address: Manually - You configure the IPv6 settings in the next fields. Off - None.
IPv6 Address	Enter the desired IPv6 address.
Mask Length	Enter the applicable IPv6 mask length.
Default Gateway	Enter the IPv6 address of the applicable default gateway.

Internet Connection window:

Optional: In this window, you configure the interface that connects the Gaia computer to the Internet.

Field	Description
Interface	Select the applicable interface on this computer.
Configure IPv4	Select how the applicable interface gets its IPv4 address: Manually - You configure the IPv4 settings in the next fields. Off - None.
IPv4 address	Enter the desired IPv4 address.
Subnet mask	Enter the applicable IPv4 subnet mask.
Configure IPv6	Optional. Select how the applicable interface gets its IPv6 address: Manually - You configure the IPv6 settings in the next fields. Off - None.
IPv6 Address	Enter the desired IPv6 address.
Subnet	Enter the applicable IPv6 subnet mask.

Device Information window:

In this window, you configure the Host name, the DNS servers and the Proxy server on the Gaia computer.

Field	Description
Host Name	Enter the desired distinct host name.
Domain Name	Optional: Enter the applicable domain name.
Primary DNS Server	Enter the applicable IPv4 address of the primary DNS server.
Secondary DNS Server	Optional: Enter the applicable IPv4 address of the secondary DNS server.
Tertiary DNS Server	Optional: Enter the applicable IPv4 address of the tertiary DNS server.
Use a Proxy server	Optional: Select this option to configure the applicable Proxy server.
Address	Enter the applicable IPv4 address or resolvable hostname of the Proxy server.
Port	Enter the port number for the Proxy server.

Date and Time Settings window:

In this window, you configure the date and time settings on the Gaia computer.

Field	Description
Set the time manually	Select this option to configure the date and time settings manually.
Date	Select the correct date.
Time	Select the correct time.
Time Zone	Select the correct time zone.
Use Network Time Protocol (NTP)	Select this option to configure the date and time settings automatically with NTP.
Primary NTP server	Enter the applicable IPv4 address or resolvable hostname of the primary NTP server.
Version	Select the version of the NTP for the primary NTP server.
Secondary NTP server	Optional: Enter the applicable IPv4 address or resolvable hostname of the secondary NTP server.
Version	Select the version of the NTP for the secondary NTP server.
Time Zone	Select the correct time zone.

Installation Type window:

In this window, you select which type of Check Point products you wish to install on the Gaia computer.

Field	Description
Security Gateway and/or Security Management	Select this option to install: A Single Security Gateway. A Cluster Member. A Security Management Server, including Management High Availability. An Endpoint Security Management Server. An Endpoint Policy Server. CloudGuard Controller. A dedicated single Log Server. A dedicated single SmartEvent Server. A Standalone.
Multi-Domain Server	Select this option to install: A Multi-Domain Security Management Server, including Management High Availability. A dedicated single Multi-Domain Log Server.

Field

Description

Security Gateway and/or Security Management

Select this option to install:

A Single Security Gateway.
A Cluster Member.
A Security Management Server, including Management High Availability.
An Endpoint Security Management Server.
An Endpoint Policy Server.
CloudGuard Controller.
A dedicated single Log Server.
A dedicated single SmartEvent Server.
A Standalone.

Multi-Domain Server

Select this option to install:

A Multi-Domain Security Management Server, including Management High Availability.
A dedicated single Multi-Domain Log Server.

Products window:

In this window, you continue to select which type of Check Point products you wish to install on the Gaia computer.

If in the Installation Type window, you selected Security Gateway and/or Security Management, these options appear:

Field	Description
Security Gateway	Select this option to install: A single Security Gateway. A Cluster Member. A Standalone.
Security Management	Select this option to install: A Security Management Server, including Management High Availability. An Endpoint Security Management Server. An Endpoint Policy Server. CloudGuard Controller. A dedicated single Log Server. A dedicated single SmartEvent Server. A Standalone.
Unit is a part of a cluster	This option is available only if you selected Security Gateway. Select this option to install a cluster of dedicated Security Gateways, or a Full High Availability Cluster. Select the cluster type: ClusterXL - For a cluster of dedicated Security Gateways, or a Full High Availability Cluster. VRRP Cluster - For a VRRP Cluster on Gaia.
Define Security Management as	Select Primary to install: A Security Management Server. An Endpoint Security Management Server. An Endpoint Policy Server. CloudGuard Controller. Select Secondary to install: A Secondary Management Server in Management High Availability. Select Log Server / SmartEvent only to install: A dedicated single Log Server. A dedicated single SmartEvent Server.

If in the Installation Type window, you selected Multi-Domain Server, these options appear:

Field	Description
Primary Multi-Domain Server	Select this option to install a Primary Multi-Domain Server in Management High Availability.
Secondary Multi-Domain Server	Select this option to install a Secondary Multi-Domain Server in Management High Availability.
Multi-Domain Log Server	Select this option to install a dedicated single Multi-Domain Log Server.

Note - By default, the option Automatically download Blade Contracts and other important data is enabled. See sk111080.

Dynamically Assigned IP window:

In this window, you select if this Security Gateway gets its IP address dynamically (DAIP gateway).

Field	Description
Yes	Select this option, if this Security Gateway gets its IP address dynamically (DAIP gateway).
No	Select this option, if you wish to configure this Security Gateway with a static IP address.

Secure Internal Communication (SIC) window:

In this window, you configure a one-time Activation Key. You must enter this key later in SmartConsole when you create the corresponding object and initialize SIC.

Field	Description
Activation Key	Enter the desired one-time activation key (between 4 and 127 characters long).
Confirm Activation Key	Enter the same one-time activation key again.

Security Management Administrator window:

In this window, you configure the main administrator for this Security Management Server.

Field	Description
Use Gaia administrator: admin	Select this option, if you wish to use the default Gaia administrator (`admin`).
Define a new administrator	Select this option, if you wish to configure an administrator username and password manually.

Security Management GUI Clients window:

In this window, you configure which computers are allowed to connect with SmartConsole to this Security Management Server.

Field	Description
Any IP Address	Select this option to allow all computers to connect.
This machine	Select this option to allow only a specific computer to connect. By default, the First Time Configuration Wizard uses the IPv4 address of your computer. You can change it to another IP address.
Network	Select this option to allow an entire IPv4 subnet of computers to connect. Enter the applicable subnet IPv4 address and subnet mask.
Range of IPv4 addresses	Select this option to allow a specific range of IPv4 addresses to connect. Enter the applicable start and end IPv4 addresses.

Leading VIP Interfaces Configuration window:

In this window, you select the main Leading VIP Interface on this Multi-Domain Server.

Field	Description
Select leading interface	Select the desired interface.

Multi-Domain Server GUI Clients window:

In this window, you configure which computers are allowed to connect with SmartConsole to this Multi-Domain Server.

Field	Description
Any host	Select this option to allow all computers to connect.
IP address	Select this option to allow only a specific computer to connect. By default, the First Time Configuration Wizard uses the IPv4 address of your computer. You can change it to another IP address.

Field

Description

Any host

Select this option to allow all computers to connect.

IP address

Select this option to allow only a specific computer to connect.

By default, the First Time Configuration Wizard uses the IPv4 address of your computer. You can change it to another IP address.

First Time Configuration Wizard Summary window:

In this window, you can see the installation options you selected.

By default, the option Improve product experience by sending data to Check Point is enabled. See sk111080.

Notes:

At the end of the First Time Configuration Wizard, the Gaia computer reboots and the initialization process is performed in the background for several minutes.
If you installed the Gaia computer as a Security Management Server or Multi-Domain Server, only read-only access is possible with SmartConsole during this initialization time.
To verify that the configuration is finished:
1. Connect to the command line on the Gaia computer.
2. Log in to the Expert mode.
3. Check that the bottom section of the /var/log/ftw_install.log file contains one of these sentences: "installation succeeded" or "FTW: Complete".
  Run:
# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW: Complete"

Example output from a Security Gateway or Cluster Member:

[Expert@GW:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW: Complete"

Apr 06, 18 19:19:51 FTW: Complete

[Expert@GW:0]#

Example output from a Security Management Server or a Standalone:

[Expert@SA:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW: Complete"

May 01, 2018 03:48:38 PM installation succeeded.

05/01/18 15:48:39 FTW: Complete

[Expert@SA:0]#

Example output from a Multi-Domain Server:

[Expert@MDS:0]# cat /var/log/ftw_install.log | egrep --color "installation succeeded|FTW: Complete"

Apr 08, 2018 07:43:15 PM installation succeeded.

[Expert@MDS:0]#

Running the First Time Configuration Wizard in CLI Expert mode

Description

Use this command in Expert mode to test and to run the First Time Configuration Wizard on a Gaia system for the first time after the system installation.

Notes:

The config_system utility is not an interactive configuration tool. It helps automate the first time configuration process.
The config_system utility is only for the first time configuration, and not for ongoing system configurations.

Syntax

To list the command options, run one of these:

Form

Command

Short form

config_system -h

Long form

config_system --help
To run the First Time Configuration Wizard from a specified configuration file, run one of these:

Form

Command

Short form

config_system -f <Path and Filename>

Long form

config_system --config-file <Path and Filename>
To run the First Time Configuration Wizard from a specified configuration string, run one of these:

Form

Command

Short form

config_system -s <String>

Long form

config_system --config-string <String>
To create a First Time Configuration Wizard Configuration file template in a specified path, run one of these:

Form

Command

Short form

config_system -t <Path>

Long form

config_system --create-template <Path>
To verify that the First Time Configuration file is valid, run:

config_system --dry-run
To list configurable parameters, run one of these:

Form

Command

Short form

config_system -l

Long form

config_system --list-params

Form	Command
Short form	`config_system -h`
Long form	`config_system --help`

Form	Command
Short form	`config_system -f <`Path and Filename`>`
Long form	`config_system --config-file <`Path and Filename`>`

Form	Command
Short form	`config_system -s <`String`>`
Long form	`config_system --config-string <`String`>`

Form	Command
Short form	`config_system -t <`Path`>`
Long form	`config_system --create-template <`Path`>`

Form	Command
Short form	`config_system -l`
Long form	`config_system --list-params`

To run the First Time Configuration Wizard from a configuration string:

Step	Description
1	Run this command in Expert mode: `config_system --config-string <`String of Parameters and Values`>` A configuration string must consist of parameter=value pairs, separated by the ampersand (&). You must enclose the whole string between quotation marks. For example: `"hostname=myhost&domainname=somedomain.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=true&install_security_managment=false"` For more information on valid parameters and values, see the config_system.
2	Reboot the system.

Step

Description

Run this command in Expert mode:

config_system --config-string <String of Parameters and Values>

A configuration string must consist of parameter=value pairs, separated by the ampersand (&).

You must enclose the whole string between quotation marks.

For example:

"hostname=myhost&domainname=somedomain.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=true&install_security_managment=false"

For more information on valid parameters and values, see the config_system.

Reboot the system.

To run the First Time Configuration Wizard from a configuration file:

Step	Description
1	Run this command in Expert mode: `config_system -f <`File Name`>`
2	Reboot the system.

Step

Description

Run this command in Expert mode:

config_system -f <File Name>

Reboot the system.

If you do not have a configuration file, you can create a configuration template and fill in the parameter values as necessary.

Before you run the First Time Configuration Wizard, you can validate the configuration file you created.

To create a configuration file:

Step	Description
1	Run this command in Expert mode: `config_system -t <`File Name`>`
2	Open the file you created in a text editor.
3	Edit all parameter values as necessary.
4	Save the updated configuration file.

To validate a configuration file:

Run this command in Expert mode:

config_system --config-file <File Name> --dry-run

Parameters

A configuration file contains the <parameter>=<value> pairs described in the table below.

Note - The config_system parameters can change from Gaia version to Gaia version. Run config_system --help to see the available parameters.

Parameter	Description	Valid values
`install_security_gw`	Installs Security Gateway, if set to `true`.	`true` `false`
`gateway_daip`	Configures the Security Gateway as Dynamic IP (DAIP) Security Gateway, if set to `true`.	`true` `false` Note - Must be set to `false`, if ClusterXL or Security Management Server is enabled.
`gateway_cluster_member`	Configures the Security Gateway as member of ClusterXL, if set to `true`.	`true` `false`
`install_security_managment`	Installs Security Management Server, if set to `true`.	`true` `false`
`install_mgmt_primary`	Makes the installed Security Management Server the Primary one. Note - The `install_security_managment` must be set to `true`.	`true` `false` Note - Can only be set to `true`, if the `install_mgmt_secondary` is set to `false`.
`install_mgmt_secondary`	Makes the installed Security Management Server a Secondary one. Note - The `install_security_managment` must be set to `true`.	`true` `false` Note - Can only be set to `true`, if the `install_mgmt_primary` is set to `false`.
`install_mds_primary`	Makes the installed Security Management Server the Primary Multi-Domain Server. Note - The `install_security_managment` must be set to `true`.	`true` `false` Note - Can only be set to `true`, if the `install_mds_secondary` is set to `false`.
`install_mds_secondary`	Makes the installed Security Management Server a Secondary Multi-Domain Server. Note - The `install_security_managment` must be set to `true`.	`true` `false` Note - Can only be set to `true`, if the `install_mds_primary` is set to `false`.
`install_mlm`	Installs Multi-Domain Log Server, if set to `true`.	`true` `false`
`install_mds_interface`	Specifies Multi-Domain Server management interface.	Name of the interface exactly as it appears in the device configuration. Examples: `eth0`, `eth1`
`download_info`	Downloads Check Point Software Blade contracts and other important information, if set to `true` (Best Practice - Optional, but highly recommended). For more information, see sk94508.	`true` `false`
`upload_info`	Uploads data that helps Check Point provide you with optimal services, if set to `true` (Best Practice - Optional, but highly recommended). For more information, see sk94509.	`true` `false`
`mgmt_admin_radio`	Configures Management Server administrator. Note - Must be provided, if you install a Management Server.	Set to `gaia_admin`, if you wish to use the Gaia `admin` account. Set to `new_admin`, if you wish to configure a new admin account.
`mgmt_admin_name`	Sets management administrator's username. Note - Must be provided, if `install_security_managment` is set to `true`.	A string of alphanumeric characters.
`mgmt_admin_passwd`	Sets management administrator's password. Note - Must be provided, if `install_security_managment` is set to `true`.	A string of alphanumeric characters.
`mgmt_gui_clients_radio`	Specifies SmartConsole clients that can connect to the Security Management Server.	`any` `range` `network` `this`
`mgmt_gui_clients_first_ip_field`	Specifies the first address of the range, if `mgmt_gui_clients_radio` is set to `range`.	Single IPv4 address of a host. Example: 192.168.0.10
`mgmt_gui_clients_last_ip_field`	Specifies the last address of the range, if `mgmt_gui_clients_radio` is set to `range`.	Single IPv4 address of a host. Example: 192.168.0.20
`mgmt_gui_clients_ip_field`	Specifies the network address, if `mgmt_gui_clients_radio` is set to `network`.	IPv4 address of a network. Example: 192.168.0.0
`mgmt_gui_clients_subnet_field`	Specifies the netmask, if `mgmt_gui_clients_radio` is set to `network`.	A number from 1 to 32.
`mgmt_gui_clients_hostname`	Specifies the netmask, if `mgmt_gui_clients_radio` is set to `this`.	Single IPv4 address of a host. Example: 192.168.0.15
`ftw_sic_key`	Sets a secure Internal Community key, if `install_security_managment` is set to `false`.	A string of alphanumeric characters.
`admin_hash`	Sets administrator's password.	A string of alphanumeric characters, enclosed between single quotation marks.
`iface`	Interface name (optional).	Name of the interface exactly as it appears in the device configuration. Examples: `eth0`, `eth1`
`ipstat_v4`	Turns on static IPv4 configuration, if set to `manually`.	`manually` `off`
`ipaddr_v4`	Sets IPv4 address of the management interface.	Single IPv4 address.
`masklen_v4`	Sets IPv4 mask length for the management interface.	A number from 0 to 32.
`default_gw_v4`	Specifies IPv4 address of the default gateway.	Single IPv4 address.
`ipstat_v6`	Turns static IPv6 configuration on, if set to `manually`.	`manually` `off`
`ipaddr_v6`	Sets IPv6 address of the management interface.	Single IPv6 address.
`masklen_v6`	Sets IPv6 mask length for the management interface.	A number from 0 to 128.
`default_gw_v6`	Specifies IPv6 address of the default gateway.	Single IPv6 address.
`hostname`	Sets the name of the local host (optional).	A string of alphanumeric characters.
`domainname`	Sets the domain name (optional).	Fully qualified domain name. Example: `somedomain.com`
`timezone`	Sets the Area/Region (optional).	The Area/Region must be enclosed between single quotation marks. Examples: `'America/New_York'` `'Asia/Tokyo'` Note - To see the available Areas and Regions, connect to any Gaia computer, log in to Gaia Clish, and run (names of Areas and Regions are case-sensitive): `set timezone Area`<SPACE><TAB>
`ntp_primary`	Sets the IP address of the primary NTP server (optional).	IPv4 address.
`ntp_primary_version`	Sets the NTP version of the primary NTP server (optional).	`1` `2` `3` `4`
`ntp_secondary`	Sets the IP address of the secondary NTP server (optional).	IPv4 address.
`ntp_secondary_version`	Sets the NTP version of the secondary NTP server (optional).	`1` `2` `3` `4`
`primary`	Sets the IP address of the primary DNS server (optional).	IPv4 address.
`secondary`	Sets the IP address of the secondary DNS server (optional).	IPv4 address.
`tertiary`	Sets the IP address of the tertiary DNS server (optional).	IPv4 address.
`proxy_address`	Sets the IP address of the proxy server (optional).	IPv4 address, or Hostname.
`proxy_port`	Sets the port number of the proxy server (optional).	A number from 1 to 65535.
`reboot_if_required`	Reboots the system after the configuration, if set to `true` (optional).	`true` `false`