Viewing Check Point Policy / Configuration

Symptom:

Troubleshooting starts with confirming that the configuration is actually correct, not with assuming it is correct because the admin who called you for help says so (even when the admin knows what they are doing, you may catch something they overlooked).

Solution:

Because Check Point is designed to be managed through a GUI, interpreting its text configuration is very convoluted and easily leads to inaccuracy. Luckily Check Point provides VAR support with a tool that lets us view the policy and Check Point configuration through the same GUI the admin uses (SmartDashboard).

Please keep in mind that this covers the Check Point security products portion of the configuration, NOT the operating system's; it will therefore show you the firewall policy, NAT configuration, VPN configuration, IPS configuration, etc. It will NOT provide a GUI way to see the system IP addresses, VLAN configuration, system time, routing configuration, cpconfig elements (GUI clients, the cpconfig admin, etc.), and so on. (A portion of the addressing can be seen in the Firewall object's Topology tab, because it feeds the firewall's anti-spoofing feature, but that information can be entered there manually and may be incorrect; prefer getting it directly from the device or the cpinfo.) Most of this information can be obtained from the cpinfo (a flat text file, once extracted if it was delivered in .gz format) by opening it in a text editor and searching for the relevant Linux command, for example "ifconfig" to determine the IP addresses on the device. In the case of a distributed deployment you would need the cpinfo from the firewall itself for the system configuration items.


Required prerequisites:

You must have the cpinfo collected from the Security Management Server (SMS), extracted if it was provided in .gz format (it should be openable in a text editor). The SMS is the server that manages the firewalls, so in a distributed environment the cpinfo will not come from the firewall itself. See the SMART explained FAQ for more detail.

You must have infoview installed (found here https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=8227 ) and, if running Windows 7, you must launch it in XP compatibility mode (right-click the Infoview shortcut in the Start menu, select Properties, select the Compatibility tab and read the options). You will need to log in with a valid VAR account to download it; see the "Checkpoint login info" FAQ for more detail.

You must have the correct version of SmartConsole installed. To determine the correct version, first open the cpinfo in a text editor and search for the word "version" (you will have to step through a few matches before reaching the management version; you are looking for the Rnn or Rnn.nn format, where each n is a single digit). After determining the version, go to https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&productTab=downloads&product=191 and download the same version of the SmartConsole client.

Notes: The only component of the SmartConsole client that needs to be installed is SmartDashboard. Once you have installed SmartDashboard, run it in "Demo Mode" first (required only once, after the first install); launching PolicyViewer without doing so will almost always fail. This is required (I believe) to build the db that SmartDashboard needs to run without connecting to an actual management server.

Procedure:

After ensuring the correct applications are installed and the cpinfo is extracted, launch infoview, then open the extracted text file ("File" menu > "Open..."). Infoview will take a minute to parse the large file.

After it completes parsing, click the "Policy Viewer" button on the top toolbar (the button with a tower-looking icon and only a * beside it; if you hover over the buttons, a tooltip with the name appears).

If a popup appears, you will need to specify the location of the fwpolicy.exe for that version. The quickest way to determine this is to right-click SmartDashboard (for that version) in your Windows Start menu and select Properties, copy the path (without the quotes or the trailing zero "0") from the "Target" box, and paste it into the location box (the right box). In the version box (the smaller left box, NOT the "Version:" box above the two side-by-side boxes), specify the Rnn.nn version, and finally click ADD.

That should be it.

Some troubleshooting steps if it fails to load the policy:

1) If you didn't get a pop-up to configure the path, click the down-arrow button beside the Policy Viewer button and select "Configure...", then manually specify the version and path as above.

2) If SmartDashboard launches but does not fully load (hangs), try editing the cpinfo in a text editor and replacing ALL instances of "totally_disable_VPE (false)" with "totally_disable_VPE (true)" (excluding the quotes).
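The three text-editor searches this article relies on (finding the Rnn.nn management version, pulling the "ifconfig" output for the device addresses, and the "totally_disable_VPE" edit above) can be scripted so they are repeatable and leave the original cpinfo untouched. The script below is an added example, not part of this article or of any Check Point tool. It assumes the cpinfo is either plain text or a .gz file, and it assumes section headers of the form "=== ifconfig ===" for the constructed sample embedded in it; a real cpinfo may delimit sections differently, in which case SECTION_RE needs adjusting. The sample text and its addresses are constructed for the demonstration.

```python
import gzip
import re
from pathlib import Path

# Version strings as the article describes them: Rnn or Rnn.nn, each n a single digit.
VERSION_RE = re.compile(r"\bR\d{2}(?:\.\d{2})?\b")
# Section header layout is an ASSUMPTION made for the constructed sample below
# (e.g. "=== ifconfig ==="); adjust it to match a real cpinfo if it differs.
SECTION_RE = re.compile(r"^\s*[-=#]{3,}\s*(.+?)\s*[-=#]{3,}\s*$")
IPV4_RE = re.compile(r"inet addr:(\d{1,3}(?:\.\d{1,3}){3})")
VPE_DISABLED = "totally_disable_VPE (false)"
VPE_ENABLED = "totally_disable_VPE (true)"

# Constructed cpinfo excerpt (not real collector output); addresses are documentation ranges.
SAMPLE_CPINFO = """\
=== fw ver ===
This is Check Point's software version R77.30 - Build 999
=== cpinfo version ===
cpinfo version 911000180
=== ifconfig ===
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:198.51.100.1  Bcast:198.51.100.255  Mask:255.255.255.0
=== objects_5_0.C (excerpt) ===
        :totally_disable_VPE (false)
        :color (black)
        :totally_disable_VPE (false)
"""


def read_cpinfo(path):
    """Return the cpinfo as text, decompressing transparently if it is still a .gz file."""
    p = Path(path)
    raw = gzip.open(p, "rb").read() if p.suffix == ".gz" else p.read_bytes()
    return raw.decode("utf-8", errors="replace")


def find_versions(text):
    """Rnn / Rnn.nn strings on lines mentioning 'version', in order of first appearance.

    Lines such as 'cpinfo version 911000180' mention 'version' but carry no Rnn.nn
    string, which is why the manual search has to step past several hits.
    """
    found = []
    for line in text.splitlines():
        if "version" in line.lower():
            for ver in VERSION_RE.findall(line):
                if ver not in found:
                    found.append(ver)
    return found


def extract_command_output(text, command):
    """Lines recorded under the section header whose first token is `command`."""
    out, collecting = [], False
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if collecting:
                break  # reached the next section header: done
            collecting = header.group(1).split()[0] == command
            continue
        if collecting:
            out.append(line)
    return out


def list_ipv4_addresses(text):
    """IPv4 addresses reported in the ifconfig section (the 'inet addr:' fields)."""
    addrs = []
    for line in extract_command_output(text, "ifconfig"):
        m = IPV4_RE.search(line)
        if m:
            addrs.append(m.group(1))
    return addrs


def disable_vpe(text):
    """Apply the troubleshooting edit: flip every totally_disable_VPE flag to (true).

    Returns the patched text and the replacement count, so the caller can confirm
    the edit actually touched something before relaunching Policy Viewer.
    """
    count = text.count(VPE_DISABLED)
    return text.replace(VPE_DISABLED, VPE_ENABLED), count


def write_patched_copy(path, text):
    """Write the edited cpinfo beside the original (suffix .vpe.txt) so the original stays intact."""
    p = Path(path)
    out = p.with_name(p.stem + ".vpe.txt")
    out.write_text(text, encoding="utf-8")
    return out


if __name__ == "__main__":
    text = SAMPLE_CPINFO  # swap for read_cpinfo("cpinfo.txt") on a real file
    print("management version candidates:", find_versions(text))
    print("ifconfig addresses:", list_ipv4_addresses(text))
    patched, n = disable_vpe(text)
    print(f"totally_disable_VPE flags flipped: {n}")
```

Writing the patched copy to a separate file rather than editing in place keeps the collected cpinfo unchanged as evidence, and the returned replacement count tells you immediately whether the flag was present at all (a count of zero means the hang has a different cause).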
