Deploying from a USB Drive or SD Card

You can deploy the Check Point Appliance configuration files from a USB drive or SD card (1590 appliances only) and quickly configure many appliances without using the First Time Configuration Wizard. The configuration file lets you configure more settings and parameters than are available in the First Time Configuration Wizard.

Note - SD card deployment is not supported for 1550 appliances.

You can deploy configuration files in these conditions:

  • An appliance with default settings is not configured at all.

  • An appliance that already has an existing configuration.

The Check Point Appliance starts, automatically mounts the USB drive, and searches the root directory for a configuration file.

Note - The USB drive must be formatted in FAT32. SD cards are formatted with ext4.

Sample Configuration File

This is a sample Check Point1550 Appliance configuration file for USB deployment.

set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)
set ntp server primary 10.1.1.10
set ntp server secondary

set user admin type admin password aaaa
set interface WAN ipv4-address 10.1.1.134 subnet-mask 255.255.255.192 default-gw 10.1.1.129

delete interface LAN1_Switch

set dhcp server interface LAN1 disable
set interface LAN1 ipv4-address 10.4.6.3 subnet-mask 255.255.255.0

add interface LAN1 vlan 2
set dhcp server interface LAN1:2 disable
set interface LAN1:2 ipv4-address 10.4.3.3 subnet-mask 255.255.255.0

set dhcp server interface LAN2 disable
set interface LAN2 ipv4-address 192.168.254.254 subnet-mask 255.255.255.248
set interface LAN2 state on

set admin-access interfaces WAN  access allow

set hostname DEMOgw01

Preparing the Configuration Files

The Check Point 1550 Appliance Massive Deployment configuration files are composed of Gaia Clish commands. These are the file names that you can use:

  • autoconf.clish

  • autoconf.<MAC address>.clish

<MAC address> is the specified MAC address in this format: XX-XX-XX-XX-XX

You can create multiple configuration files for Check Point Appliance gateways. The gateways run both files or only one of them. First the autoconf.clish configuration file is loaded. If there is a configuration file with the same MAC address as the gateway, that file is loaded second.

Use the # symbol to add comments to the configuration file.

Deploying the Configuration File - Initial Configuration

This section describes how to deploy a configuration file on a USB drive to Check Point Appliance. You must configure and format the file correctly before you deploy it. You can insert the USB drive in the front or rear USB port. Make sure the USB drive is formatted in FAT32.

You can deploy the configuration file to the Check Point Appliance when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the configuration script runs. This may cause a configuration error.

To deploy the configuration file from a USB drive for the initial configuration:

  1. Insert the USB drive into a Check Point Appliance.

    • Check Point Appliance is OFF - Turn on the appliance. The Power LED is red when the appliance is first turned on.It blinks blue while the boot is in progress and then turns solid blue when the process is complete..

    • Check Point Appliance is ON - The appliance automatically detects the USB drive.

  2. The Check Point Appliance locates the USB configuration file and begins to run the script. The LED blinks blue while the script runs.

  3. The configuration script finishes and the Check Point Appliance Power LED is a constant blue.

  4. Remove the USB drive from the Check Point Appliance.

Note - The Power LED is red when there is a problem running the configuration script. Turn off the Check Point Appliance and confirm that the configuration files are formatted correctly.

Deploying the Configuration File - Existing Configuration

To edit or upgrade the existing configuration of a Check Point 1550 Appliance, deploy a configuration file. Use the set property command to set the appliance to use a configuration file on a USB drive. The USB drive can be inserted in the front or the rear USB port.

You can deploy the configuration file to the Check Point1550 Appliance either when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the Check Point1550 Appliance configuration script runs. This may cause a configuration error.

To deploy the configuration file from a USB drive to a configured appliance:

  1. From the CLI, enter the command: set property USB_auto_configuration once

    The appliance is set to use a configuration script from a USB drive.

  2. Insert the USB drive in the appliance (the appliance automatically detects the USB drive).

  3. The appliance locates the USB configuration file and begins to run the script. The Power LED blinks blue while the script runs.

  4. The configuration script finishes.

    The Power LED is a constant blue and the screen displays: System Started.

  5. Remove the USB drive from the appliance.

Note - The Power LED is red when there is a problem running the configuration script. Turn off the appliance and confirm that the configuration files are formatted correctly.

Viewing Configuration Logs

After the Check Point Appliance is successfully configured from a USB drive, a log is created.

  • The log file is called autonconf.<MAC>.<timestamp>.<log>

  • The log file is created in the USB root directory and in /tmp on the appliance.

Troubleshooting Configuration Files

This section discusses the scenario where the configuration file fails and the Check Point Appliance is not fully configured.

Configuration File Error

If there is an error and the configuration file fails, the appliance is not fully configured and is no longer in the initial default condition. The commands in the configuration file that show before the error are applied to the appliance. You can examine the configuration log to find where the error occurred.

When the appliance is not fully configured, the First Time Configuration Wizard shows in the Web UI. However, not all of the settings from the failed configuration file show in the First Time Configuration Wizard.

Best Practice - Check Point recommends that you do not use the First Time Configuration Wizard to configure an appliance when the configuration file fails. Restore the default settings to a partially configured appliance before you use the First Time Configuration Wizard to ensure that the appliance is configured correctly.

Suggested Workflow - Configuration File Error

This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive. Use the set property USB_auto_configuration command when you run a configuration file script on a configured appliance.

  1. The USB drive with the configuration file is inserted into a USB port on the Check Point Appliance.

  2. The Power LED on the front panel blinks red. There is a problem with the configuration file script.

    Sample console output displaying an errorBooting Check Point RD-6281-A User Space...INIT: Entering runlevel: 3........sd 2:0:0:0: [sda] Assuming drive cache: write throughsd 2:0:0:0: [sda] Assuming drive cache: write through.....................................................System Started...Start running autoconfiguration CLI script from USB2  ... Error.autoconf.00-1C-7F-21-07-94.2011-07-21.1248.log was copied to USB2

  3. The log file is created and contains the configuration details.

    • The log file is called autonconf.<MAC>.<timestamp>.<log>

    • The log file is created in the USB root directory and in /tmp on the appliance.

  4. Analyze the log file to find the problem.

If you cannot repair the configuration file:

  1. Remove the USB drive.

  2. Run the CLI command: restore default-settings.

  3. Connect to the Web UI and use the First Time Configuration Wizard to configure the appliance.

If you understand the error and know how to repair the configuration file:

  1. Remove the USB drive.

  2. Run the CLI command: restore default-settings.

  3. Insert the USB drive and run the repaired configuration script again.

Sample Configuration Log with Error

This is a sample configuration log file for a configuration script that fails.

set hostname Demo1
set hostname: Setting hostname to 'Demo1'
OK
 
set interface WAN internet primary ipv4-address 66.66.66.11
Error: missing argument 'subnet-mask' for a new connection
Autoconfiguration CLI script failed, clish return code = 1

Using the set property Command

The set property CLI command controls how the Check Point Appliance runs configuration scripts from a USB drive. These commands do not change how the First Time Configuration Wizard in the Web UI configures the appliance.

  • set property USB_auto_configuration off - The appliance does not run configuration scripts from a USB drive.

  • set property USB_auto_configuration once - The appliance only runs the next configuration script from a USB drive.

  • set property USB_auto_configuration always - The appliance always runs configuration scripts from a USB drive.