CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop where we were previously able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender”. This is a major pain as it requires (from my experience) an X server, Oracle Java, and the Firefox browser to run. Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option.  Ah well.

With all the distributions I did the following:

  • downloaded the most prominent ISO on offer at the project’s main page
  • used dd to transfer the image to a USB stick
  • installed using full disk encryption
  • applied all the patch fixes
  • installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the URL, username and password for your own Checkpoint login site. It should be something like:
https://checkpoint.example.com/sslvpn/Login/Login

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
passwd
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Pressing connect will open an xterm window that downloads and runs the native client install.sh script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
passwd
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:
https://checkpoint.example.com/sslvpn/Login/Login

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command snx_install.sh from wherever you downloaded it.

# sh +x ~/Downloads/snx_install.sh
Installation successfull

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

zypper install  libX11-6-32bit libXau6-32bit libxcb1-32bit glibc-devel libstdc++-devel libstdc++48-devel linux-glibc-devel
wget ftp://ftp5.gwdg.de/pub/opensuse/repositories/devel:/gcc/SLE-11/i586/libstdc++33-3.3.3-29.2.i586.rpm
rpm -ivh ./libstdc++33-3.3.3-29.2.i586.rpm

Then it was just a case of connecting to the website and pressing Connect.

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from http://www.java.com/en/download/linux_manual.jsp; I copied it to /usr/local/src, so you’ll need to adjust the path below accordingly.

dnf update
dnf install libcanberra-gtk2.i686 pkgconfig.i686 /usr/local/src/jre-8u60-linux-x64.rpm
alternatives --install /usr/bin/java java /usr/java/latest/bin/java 200000
alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/latest/lib/amd64/libnpjp2.so 200000
alternatives --config java

Summary

I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.


21 Responses to CheckPoint SNX install instructions for major Linux distributions

  1. Pingback: Checkpont SNX on Ubuntu 14.04 LTS (Trusty Tahr) | kenfallon.com

  2. Pingback: Checkpoint SSL Network Extender and Fedora19 | kenfallon.com

  3. Pingback: How to install checkpoint ssl extender VPN SNX under Fedora 16 64bit | kenfallon.com

  4. Pingback: Check Point SSL Network Extender | kenfallon.com

  5. Pingback: How to install Checkpoint ssl extender vpn (snx) under Fedora 14 | kenfallon.com

  6. Greg says:

    Thank you so much for posting this information. I went through a similar experience trying to get Check Point working on my Ubuntu laptop. The experience gave me enough concern that I switched to Windows 10 with Check Point Capsule VPN installed from the Windows Store running an Ubuntu guest VM that piggybacks my host’s VPN. A bit of an end-run around the issue I realize but the whole Firefox / Java / root password process seemed horribly brittle and a bad omen for things to come.

  7. Artiom says:

    Hi Ken,

    I’m running Ubuntu 14.04 LTS 64 bit. I’ve followed all your described steps and I’m connecting using Firefox, but it is still not connecting. The Java console has the following stack; I’ve replaced my information with my_ and left the rest as it is:
    21/12/2015 03:14:19[Component] Trying to create socket to 127.0.0.1:5555
    21/12/2015 03:14:19[Component] Could not connect
    java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)
    at java.net.Socket.connect(Socket.java:591)
    at java.net.Socket.connect(Socket.java:540)
    at java.net.Socket.(Socket.java:436)
    at java.net.Socket.(Socket.java:213)
    at CpComponent.initPipe(CpComponent.java:96)
    at SNXNMComponent.initPipe(SNXNMComponent.java:375)
    at SNXNMComponent.checkCommunications(SNXNMComponent.java:449)
    at SNXNMComponent.checkCommunications(SNXNMComponent.java:427)
    at CpComponent.connect(CpComponent.java:131)
    at ClientDirector.InstallAndConnectClient(ClientDirector.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:520)
    at CpIs$1.run(CpIs.java:717)
    at java.security.AccessController.doPrivileged(Native Method)
    at CpIs.runPrivilegedMethod(CpIs.java:711)
    at CShell.InitializeCShell(CShell.java:390)
    at CShell.Initialize(CShell.java:354)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:520)
    at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:520)
    at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
    at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
    at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:747)
    21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
    21/12/2015 03:14:19[Launcher] Launching /usr/bin/snx -Z
    21/12/2015 03:14:20[Component] Trying to create socket to 127.0.0.1:7776
    21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
    21/12/2015 03:14:20[SNXNetMode] Connection to SNX Network Mode is ok
    21/12/2015 03:14:20[Component] Connecting…
    21/12/2015 03:14:20[Proxy] detectProxy, name = my-server
    21/12/2015 03:14:20[Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
    21/12/2015 03:14:20[Proxy] URI = https://my-server
    21/12/2015 03:14:20[Proxy] about to get the system-wide proxy selector…
    21/12/2015 03:14:20[Proxy] about select proxy list from the selector…
    21/12/2015 03:14:20[Proxy] about iterate the proxy list…
    21/12/2015 03:14:20[Proxy] about iterate the proxy #0…
    21/12/2015 03:14:20[Proxy] about to get address from proxy…
    21/12/2015 03:14:20[Proxy] no proxy – continue
    21/12/2015 03:14:20[Proxy] done with the list – there is no proxy
    21/12/2015 03:14:20[Messaging] Sending INIT_DATA message:
    21/12/2015 03:14:20[Messaging] Gateway IP: my.ip
    21/12/2015 03:14:20[Messaging] Gateway name: my-server
    21/12/2015 03:14:20[Messaging] Gateway port: 443
    21/12/2015 03:14:20[Messaging] Proxy IP: 0.0.0.0
    21/12/2015 03:14:20[Messaging] Proxy port: 0
    21/12/2015 03:14:20[Messaging] Server CN: my-server
    21/12/2015 03:14:20[Messaging] User Name: my-user
    21/12/2015 03:14:20[Messaging] Server fingerprint: my_fingerprint
    21/12/2015 03:14:20[Messaging] Automatic proxy replacement: true
    21/12/2015 03:14:20[CShell] Initialized successfully

    It writes that Initialization passes successfully. But there are two different messages:
    21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
    ***
    21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
    Either it works or it doesn’t.
    The main problem is that Firefox shows:
    Connection Mode:
    Status: Connecting…
    Gateway ID:
    Office Mode IP:
    Duration: 0 Days 00:00:00
    Remaining Time: 0 Days 00:00:00
    Please help me.

    Best regards

  8. Delia says:

    Have you ever managed to make it work in Debian Jessie? I have been struggling with it for quite a while now and I do not seem to manage! The answers were perfect for my Ubuntu laptop, but I am struggling with it on my Debian workstation.

    • ken_fallon says:

      After some time Delia and I worked out the following.

      dpkg --add-architecture i386
      apt-get update
      apt-get install libpam0g:i386 libstdc++5:i386 libx11-6:i386
      snx

  9. Pingback: Migrating to Ubuntu – Practical Guide for Voice/Network Engineers – afterthenumber

  10. Emerson Prado says:

    Thank you so much for the Debian instructions! My company has a VPN, and they only provide instructions for Ubuntu 11.10 (and with the already obsoleted library ia32-libs).
    Now I have just connected from my Linux Mint Debian Edition laptop.
    I will recommend your instructions to my colleagues (at one’s sole risk, sure).
    Best regards and keep up,
    Emerson

  11. Michael says:

    Thanks a lot for this article. I managed to get it working with Fedora 23.

  12. Seb says:

    Hello,
    Which java version worked exactly for Artiom ? Java 8.0.91/92 seems to have exactly the same issue as Artiom reported, as well as java9.
    Thanks !

  13. ken_fallon says:

    $ java -version
    java version "1.8.0_91"
    Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
    Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)

  14. prenex says:

    Good resources!

    I have managed to install it easily however the VPN network I am in need for connecting to is having a two-phase authentication using sms messages after answering the password. With snx I can access the network, send the password and username and their system sends me an SMS with the code – however I see no place where I can write this code into the terminal after this as the snx just drops me to the command prompt telling that the authentication is failed. I see there is a reauth option in the .snxrc, but it seems that this is not for this thing or is it? I cannot try this option right now as I do not want them to lock me out because of trying too many times or something as this is not only my user name… I will try it though…

    Anyways. Has anyone any idea on what to do in case of needing to enter sms codes or is it an alternative to snx for this case that works on linux??? I can use a virtual box for accessing the VPN and move data in-between the linux host and the virtual machine, but this is cumbersome and I do not even want any micro$oft stuff around me anyways….

  15. stasibear says:

    After months of using the tunnel from a Windows host, it stopped working abruptly and I was blocked from critical day-job duties.

    With the help of your articles I was able to get a setup working on a Gentoo host, and it runs more smoothly than the Windows setup ever did (fewer warnings anyway). Thanks for publishing this.

    I wrote up my findings on the wiki for other Gentoo users: https://wiki.gentoo.org/wiki/SSL_Network_Extender

    Take a look, it’s not all distro-specific. And thanks again!

  16. Richard says:

    I use the snx command on Fedora 24 and it always shows the following error:
    [richard@vina ~]$ snx -s nanpao-vpn -u vpnuser
    Check Point’s Linux SNX
    build 800007102
    Please enter your password:

    SNX: Authentication failed

    But I can create VPN via Firefox. What is the problem? Thank you for your support.

  17. ken_fallon says:

    As I say in the article “As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. ”

    So please contact CheckPoint and voice your frustration.

  18. I feel like I should post this somewhere and this is probably where someone might find it. I also have not been able to run snx and have been using SSL Network Extender using Firefox and the IcedTea plugin with OpenJDK 7. It stopped working the other day. The only solution I could find was ditching IcedTea/OpenJDK and going to oracle-java8, which fixed the network extender.

  19. karatedog says:

    I try to use the SSL network extender (and not the snx_install.sh version), but during the authentication a terminal window pops up, asking for the root password (it is the snx_install.sh that is run by some automatism). Of course the authorization fails, and the web client immediately tells me that auth failed.
    Is there a way to prevent snx_install.sh from running?

  20. Rafael Pivetta Balbuena says:

    Thank you for your clear instructions!!

  21. Matt says:

    Hi Ken,

    It seems with the newly released version of Firefox 52 and Java 9, the java browser plugin has been deprecated, leaving linux Firefox users of the checkpoint SSL VPN client SOL.

    I’d much prefer to not have to roll back Firefox and Java.

    Any ideas you might have would be greatly appreciated.

  22. Matt says:

    I found a working solution that doesn’t require any browser or java.

    openconnect --juniper supports Pulse Connect as of v7.08.

    http://www.infradead.org/openconnect/index.html

    Works like a charm for me (I’m using Linux Mint).

  23. Fred Welland says:

    Followed this blog post for quite some time. Thanks Ken for your leg work! Based on your instructions and some of my own hacking I have been using SNX/VPN via Linux in almost every version of Fedora since like 15 or 16 (up to and including F25).

    Firefox 52+ is moving away from NPAPI (much like google-chrome did some time ago).

    NPAPI is the older netscape plugin api — and the java applet stuff uses NPAPI. Transitively, so does the CheckPoint VPN/SNX stuff.

    For recent versions of FFX; you can re-enable the NPAPI (java applets and other plugins) via a simple FFX registry tweak. Read about it here (among many other places): http://stupidfredtricks.blogspot.com/

    AND

    Oracle Java 1.8.0 131, which was recently released has tweaked something in the whole applet world too. This breaks the SNX connector applet. I don’t know for certain but I think it has to do with how checkpoint signs their applet (this is one of the security fixes addressed in the 131 JDK/JRE).

    For now — maybe don’t use 131 for your applets and checkpoint. 121 is still working well for me (FFX 52, Fedora 25, etc..).

  24. Fred Welland says:

    Follow up regarding JDK 1.8.0 131.

    CShell.jar is the applet that ‘runs’ and is command/control for the snx. For my vpn the cshell that is served up by our checkpoint thing was signed using old-school signing:
    ———-
    – Signed by “CN=Check Point Software Technologies Ltd., OU=Digital ID Class 3 – Java Object Signing, O=Check Point Software Technologies Ltd., L=Tel-Aviv, ST=Israel, C=IL”

    Digest algorithm: SHA1

    Signature algorithm: MD5withRSA (weak), 2048-bit key

    Timestamped by “CN=GeoTrust 2048-bit Timestamping Signer 1, O=GeoTrust Inc, C=US” on Tue Aug 30 11:16:58 UTC 2016

    Timestamp digest algorithm: SHA-1

    Timestamp signature algorithm: SHA1withRSA, 2048-bit key

    WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

    jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    —————–

    Our network peeps got some patch from Checkpoint (addressing 1.8.0 131 compatibility). Now cshell is signed like so (and works with 131):

    —————–
    Timestamped by "CN=GlobalSign TSA for Standard – G2, O=GMO GlobalSign Pte Ltd, C=SG" on Wed Apr 26 08:31:16 UTC 2017

    Timestamp digest algorithm: SHA-256

    Timestamp signature algorithm: SHA1withRSA, 2048-bit key

    – Signed by "CN=Check Point Software Technologies Ltd., OU=Digital ID Class 3 – Java Object Signing, O=Check Point Software Technologies Ltd., L=Tel-Aviv, ST=Israel, C=IL"

    Digest algorithm: SHA-256

    Signature algorithm: SHA256withRSA, 2048-bit key

    Timestamped by "CN=GlobalSign TSA for Standard – G2, O=GMO GlobalSign Pte Ltd, C=SG" on Wed Apr 26 08:30:54 UTC 2017

    Timestamp digest algorithm: SHA-256

    Timestamp signature algorithm: SHA1withRSA, 2048-bit key

    jar verified.

    —————–

    HTH!

  25. AJ says:

    Firefox 52 ESR still allows java plugins. Checkpoint is supposed to have a replacement solution out in Q2 2017.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410

  26. Pingback: linux – check point web vpn client – G3n1k's Blog

  27. Jeff Bonhag says:

    Thanks Ken, and thanks to everyone on this thread for your hard work and suggestions. I can confirm that Java 8u131 doesn’t work on CentOS 6, and that you need to use Java 8u121 instead.

    I put together a Vagrantfile for anyone who might be interested: https://gist.github.com/jeffbonhag/72f1749e85dc63fd9bd1b88a47e9050d

    Cheers!

  28. Luis Faria says:

    I was able to connect in Ubuntu 17.04 using Firefox ESR (52.2.1esr) and installing the following dependencies.
    sudo apt-get install libpam0g:i386 libstdc++5:i386
    https://www.mozilla.org/en-US/firefox/organizations/

  29. Bruno says:

    Hello,
    For those having problems to connect with JAVA version >= 1.8.0.121, the problem resides in the way the .jar applet is signed. After this version the algorithm MD5 is no longer accepted as signed and the applet is treated as unsigned. Because of this JAVA tries to execute the applet in a sandbox which is not supported.
    You should ask your company tech support to change the way they sign the applet.

    For a workaround you can change the security configuration. (This weakens security!!)
    – Find your JAVA path, and under /lib/security edit the file java.security.
    – Look for this entry: jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
    – Remove the MD5. (jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024)

    Now you should be able to connect again.
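
Added example, not part of the thread or of Check Point's tooling: a shell function that reads jarsigner -verify -verbose style text, like the listings quoted in comments 24 and 29, and lists the signer algorithms that a jdk.jar.disabledAlgorithms policy rejects, so the jar can be checked before anyone edits java.security. The function names are made up for this example, and it assumes the policy only contains `NAME` and `NAME keySize < N` entries.

```bash
#!/usr/bin/env bash
# Added example: flag signer algorithms that a jdk.jar.disabledAlgorithms
# policy rejects, from jarsigner -verify -verbose style text on stdin.

# Policy string as quoted in the comments above.
POLICY='MD2, MD5, RSA keySize < 1024'

# Signer details copied from the two listings in comment 24.
old_sig() {
  cat <<'EOF'
Digest algorithm: SHA1
Signature algorithm: MD5withRSA (weak), 2048-bit key
Timestamp digest algorithm: SHA-1
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
EOF
}

new_sig() {
  cat <<'EOF'
Digest algorithm: SHA-256
Signature algorithm: SHA256withRSA, 2048-bit key
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA1withRSA, 2048-bit key
EOF
}

# check_jar_sig POLICY   (jarsigner text on stdin)
# Prints one line per rejected signer algorithm; returns 1 if any was found.
# Assumption: timestamp lines are skipped, only the code signer is checked.
check_jar_sig() {
  awk -v policy="$1" '
    # Compare names case-insensitively and treat SHA-256 like SHA256.
    function norm(s) { s = toupper(s); gsub(/-/, "", s); return s }
    BEGIN {
      n = split(policy, entry, /, */)
      for (i = 1; i <= n; i++) {
        k = split(entry[i], f, / +/)
        if (k == 4 && f[2] == "keySize" && f[3] == "<")
          minbits[norm(f[1])] = f[4] + 0      # e.g. RSA keySize < 1024
        else
          banned[norm(entry[i])] = 1          # e.g. MD5
      }
    }
    /^[ \t]*(Digest|Signature) algorithm:/ {
      kind = $1
      rest = $0; sub(/^[^:]*: */, "", rest)   # "MD5withRSA (weak), 2048-bit key"
      alg = rest; sub(/[ ,].*$/, "", alg)     # "MD5withRSA"
      bits = 0
      if (match(rest, /[0-9]+-bit/)) bits = substr(rest, RSTART, RLENGTH - 4) + 0
      m = split(norm(alg), part, /WITH/)      # MD5withRSA -> MD5, RSA
      for (i = 1; i <= m; i++) {
        if (part[i] in banned) {
          printf "REJECTED %s algorithm %s: %s is disabled\n", kind, alg, part[i]
          bad = 1
        } else if (bits > 0 && (part[i] in minbits) && bits < minbits[part[i]]) {
          printf "REJECTED %s algorithm %s: %d-bit %s key below %d\n", kind, alg, bits, part[i], minbits[part[i]]
          bad = 1
        }
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Demo: the old signature trips the policy, the re-signed one does not.
if old_sig | check_jar_sig "$POLICY"; then echo "old: accepted as signed"; fi
if new_sig | check_jar_sig "$POLICY"; then echo "new: accepted as signed"; fi
```

On a machine with a JDK installed, pipe the output of `jarsigner -verify -verbose -certs` for the downloaded applet jar into `check_jar_sig "$POLICY"` instead of the embedded samples.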

  30. Eric Brombaugh says:

    Thanks for the details. I’ve gotten Checkpoint running on my Fedora 25 system so here’s a few notes on what I found in addition to what’s noted above:
    1) Use an older version of JRE – I had to drop back to 92 for mine to work.
    2) Use Firefox 52 ESR – installing older non-ESR versions works, once. Then they update themselves to a newer version that won’t run Java and subsequent login attempts will fail.
    3) Don’t forget to install the libstdc++.so.5 that SNX requires. This is available thru the compat-libstdc++-33-3.2.3-68.16.fc25.i686 package.

  31. Thank you so much for all the help, from the post to all the comments. I was able to run it with Fedora 27, FFX 52.0ESR, disabling updates, setsebool -P unconfined_mozilla_plugin_transition 0, yum install /lib/ld-linux.so.2 libX11.so.6 libpam.so.0 libstdc++.so.5 xterm, adding key plugin.load_flash_only=false in Firefox with about:config and using jre 1.8.0.92

  32. Raj Prakash says:

    First, huge thanks go out to the author and all the contributors. Just wanted to chime in and confirm my functioning environment. I am running Ubuntu Bionic (18.04.1 LTS), Firefox ESR (52.9.0), and Oracle JRE (build 1.8.0_181-b13).

    I installed Firefox using the ppa:mozillateam/ppa (sudo apt-get install firefox-esr) and, as the original post noted, JRE from the ppa:webupd8team/java (apt-get install oracle-java8-set-default), and support packages apt-get install libstdc++5:i386 libpam0g:i386 libx11-6:i386.

    Unlike the Ubuntu 15.04 notes in the original post, clicking Connect (after logging in) did not open an xterm and run the installer. My experience was in fact similar to the Linux Mint 17.2 notes in the original post. I had to download the snx_install.sh file under Settings > Edit Native Applications Settings > Download installation for Linux. As noted, sh +x installed the right files, and clicking Connect worked like a charm.

  33. Pingback: Connecting to a Checkpoint VPN from Fedora 29 – Gordon Buchan Blog
