You are on page 1of 27

Trusted Networks :Represent internal network resources that must

be protected from unauthorized access. Trusted networks usually


provide internal services, such as a company’s intranet, as well as
valued applications made available to external clients, such as public
e-commerce Web sites.

Nortel Switched Firewall


The Nortel Switched Firewall is placed in the path between various
trusted networks. It examines all traffic moving between the
connected networks and either allows or blocks that traffic,
depending on the security policies defined by the administrator. The
Nortel Switched Firewall consists of multiple Firewall Director
and Firewall Accelerator components that are clustered together to
act as a single system.
Firewall Director
The Firewall Director is a compact, high-performance computing
device running Firewall Operating System (OS) software. It uses built-
in Check Point FireWall-1 software to inspect network traffic and
enforce firewall policies. For increased firewall processing power,
additional Firewall Directors can be attached to the cluster.
Firewall Accelerator
The Firewall Accelerator is a Nortel switch running Accelerator OS
software. It offloads the processing of secured traffic from the
Firewall Director, enhancing firewall performance.For high-
availability configurations, a second Firewall Accelerator and Firewall
Directorcan be attached to the cluster.

NSF Local Console


A local console is used for entering basic network information during
initial configuration. Once the system is configured, the local console
can be used to access the text-based Command Line Interface (CLI)
for collecting system information and performing additional
configuration. The NSF console is not used to manage or install
firewall policies.

NSF Remote Console


For a list of trusted users, the administrator can separately allow or
deny Telnet or Secure Shell (SSH) access to the NSF CLI, and HTTP
or SSL access to the NSF Browser-Based Interface. Remote access
features can be used for collecting system information and performing
additional configuration, but not for managing or installing firewall
policies.

Check Point SmartCenter


The SmartCenter holds the master policy database for all the firewalls
in the network. Its job is to establish Secure Internal Communications
(SIC) with each valid firewall and load each firewall with the
appropriate security policies.

Check Point SmartConsole with management clients


This software usually provides a graphical user interface for creating,
modifying, and monitoring firewall policies.For security, management
clients do not interact directly with the firewalls. Instead, any policy
changes made in a management client are forwarded to the
SmartCenter, which then loads them onto the firewalls.

The Nortel Switched Firewall is a combination of dedicated hardware


and software . It addresses the needs for security, performance, and
ease of use.

Nortel Switched Firewall is a multi-component solution. Hardware is


a combination of Firewall Accelerators and Firewall Directors. The
software is a combination of Accelerator OS software and the
FireWall-1 software from Check Point. By using the throughput of a
gigabit switch controlled by the Check Point inspection engine, the
speed of the firewall is dramatically increased.
Check Point FireWall-1 is a stateful inspection firewall. The Nortel
Switched Firewall performs policy checking for every new connection
request, manages the connection table, and specifies the rules for
handling the subsequent packets in a session. Once a session is active,
policy checking for packets is handled by the Firewall Accelerator.

The Firewall Director connection table is mirrored by the Firewall


Accelerator. This mirroring is accomplished through the Nortel
Appliance Acceleration Protocol (NAAP).

After the Firewall Director inspection engine accepts the setup


packets in a session, subsequent packets belonging to the session are
inspected and forwarded by the Firewall Accelerator without the
involvement of the Firewall Director.

Initial setup:

The Firewall Director console connection is used to access the Nortel


Switched Firewall while performing initial configuration. Connect the
included console cable between the serial port on the Firewall
Director to the serial port of a computer with terminal emulation
software.

Press <Enter> on the console terminal to establish the connection.


The Nortel Switched Firewall login prompt appears. Enter the default
login name (admin) and the default password (admin). a special Setup
utility menu will appears.

login: admin
Password: admin (not displayed)
Welcome to the Nortel Switched Firewall initialization.
------------------------------------------------------------
[Setup Menu]
join - Join an existing SFD cluster
new - Initialize SFD as a new installation
restore - Restore this SFD from a backup taken earlier
offline - Initialize SFD for offline switchless maintenance
boot - Boot Menu
naap - Set NAAP VLAN id
exit - Exit
>> Setup#

Select New and enter the Ip address for Firewall director and subnet
mask(172.17.5.2/24).
Enter the cluster Master IP address (MIP): 172.17.5.1

Set time zone by selecting continent or ocean, then country, then


region.

Set the current date and time.

Set the new administrator password.

Generate a new Secure Shell (SSH) host key for use secure remote
administration sessions.

Set the Check Point one-time password.

Specify the Firewall Accelerator.

Once the Setup utility has been used for basic system
configuration,CLI main menu will displays.

[Main Menu]
info - Information Menu
cfg - Configuration Menu
boot - Boot Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
validate - Validate configuration
security - Display security status
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
>> Main#

If local licensing is used, enter Check Point licensing information for


the Firewall Director.

Log in to the Firewall Director using the administrator account. Be


sure to enter the information exactly as shown on specific Check Point
license.

>> # /cfg/pnp/add
Enter the IP Address: 172.17.5.2 (address of the Firewall Director)
Enter the Expiry date for the License: <Expiration date>
Enter the Feature string: <Feature string>
Enter the License string: <License string>
Successfully added license/IP

Configure information for the attached Firewall Accelerator

>> SFD IP and Firewall License# /cfg/acc/ac1


>> Accelerator 1# addr 172.17.5.4

Configure the ports and interfaces

>> Accelerator 1# /cfg/net/port 1 (Pick Network A port1)


>> Port 1# ena (Enable port 1)
>> Port 1# ../if 1 (Pick IF 1 for Network A)
>> Interface 1# addr 172.17.10.2 (Set address for IF 1)
>> Interface 1# mask 255.255.255.0 (Set mask for IF 1)
>> Interface 1# ena (Enable IF 1)
>> Interface 1# port/add 1 (Add Net. A port to IF 1)

>> Interface Ports # /cfg/net/port 2 (Select Network B port 3)


>> Port 2# ena (Enable port 2)
>> Port 2# ../if 2 (Pick IF 2 for Network B)
>> Interface 2# addr 172.17.13.6 (Set address for IF 2)
>> Interface 2# mask 255.255.0.0 (Set mask for IF 2)
>> Interface 2# ena (Enable IF 2)
>> Interface 2# port/add 2 (Add Network B port to IF 2)

>> Interface Ports # /cfg/net/port 3 (Select Network C port 3)


>> Port 3# ena (Enable port 3)
>> Port 3# ../if 2 (Pick IF 2 for Network C)
>> Interface 3# addr 172.17.9.6 (Set address for IF 3)
>> Interface 3# mask 255.255.0.0 (Set mask for IF 3)
>> Interface 3# ena (Enable IF 3)
>> Interface 3# port/add 3 (Add Network C port to IF 3)

Installing Check Point Management Tools

Insert the Check Point software CD-ROM into the SmartCenter station
drive. The installation program starts automatically.

Select the Check Point Enterprise/Pro or the Check Point Express


option that you want to install. Make the selection based on the Check
Point licenses acquired.
Select New Installation and click Next.
Specify the components being installed.

Select the check boxes for the following items and click Next
SmartCenter
SmartConsole
Make sure Gateway option(s) are not checked. The SmartConsole
selection includes all of the GUI Client tools need for the SMART
Client that administers the Check Point features on the Firewall.

Confirm installing the components and click Next.


At this point, the installation program begins installation of each
selected component. A common Check Point component known as the
SVN Foundation is automatically installed and configured.

Click Next to install the SmartCenter software in the specified


destination folder.
The installation program installs the SmartCenter software
component.

At this point, the program installs the SVN Foundation software


(standard) and SmartCenter software component.

Click OK to complete the SmartCenter component installation.

Click Next to install the SmartConsole software in the specified


destination folder
Specify the SmartConsole components to be installed and click Next.

The installation program installs the SmartConsole software


component.
Once the software is installed, click OK to configure licenses.

Specify a valid Check Point license for the SmartCenter Server. Select
the Fetch From File... or Add... button (below, left) and specify the
appropriate license data (below, right)
Click the Add… button (below, left) and enter login information for
SmartCenter administrators (below, right).
Add any remote management clients (also known as SMART Clients).

Enter localhost or the host’s IP address if the GUI client is on the


same host as the SmartCenter Server. Also specify the DNS hostname
or IP address of other management clients that will be permitted to
interface with this management station. Click Next to continue.

Click Next to Initialize the Certificate Authority.


After initialize the Certificate Authority, should not change the IP
address or the name of the management station.

Record the SmartCenter fingerprint by clicking Export to file


As a security measure, this fingerprint can be used to ensure that no
one has impersonated the administrator.

Reboot the management station.

Once the station is rebooted, installation of the SmartCenter and


SmartDashboard are complete.

Log in to the SmartDashboard Management Tool


Click on StartProgramsCheck Point
SmartConsoleSmartDashboard.
Enter Username and Password also enter Smart Center server Ip
address(172.17.7.22)

Click Approve button to verify that the finger print is the same as the
during installation of smart Center tool.

Create a new Gateway object to represent the newly installed Firewall


Director.
From the SmartDashboard menu bar, select Manage > Network
Objects. When the Network Objects window appears, click New and
select Check Point > VPN-1 Pro/Express Gateway from the list.

Select Classic mode.

Define the Firewall Director object parameters


Enter the following information:
Name: The name of the newly installed Firewall Director.
IP Address: The address of the newly installed Firewall
Director(172.17.5.2)
Version: Select the Check Point NGX version installed on the firewall
director.
FireWall: Check this item from the list window.

Establish trust between the SmartCenter and the Firewall


Director.
Check Point FireWall-1 uses a one-time password to initiate Secure
Internal Comminutions (SIC) between configured objects and the
SmartCenter.
To establish SIC, click Communication in the Gateway Properties
window.
Get the interfaces for the Firewall Director object.

In the Topology section of the Check Point Gateway window, click Get
Topology. This button retrieves the interfaces that were configured
from the Firewall Director.
Use Central Licensing

Start the SmartUpdate management tool on your management client


station (Smart-
Center).
From the SmartUpdate menu bar, select Licenses > Add.
Click Manually
Click on the License tab in the SmartUpdate menu bar. A list of
installed Firewall Directors appears.

Right-click on your Firewall Director and select Attach Licenses. A list


of currently input licenses appears.

The license will be automatically sent to the Check Point Management


Console license repository and then installed to the Firewall Director.
Follow onscreen prompts until the installation is complete. Verify the
license that you installed.

Create a firewall policy test rule.

From the SmartDashboard tool menu bar, select Rules | Add Rule |
Top. A new rule will be added to the rulebase. The default action of
the new rule is “drop,” indicating that all traffic from any source to
any destination will not pass through the firewall.
Change the action of the new rule to accept by right-clicking on the
drop action icon and selecting accept as the new action from the list.

Push the policies to the Firewall Director.

Select the firewall cluster object and click on the OK button. If the
effort to push policies fails, click Show Errors. A common cause of
errors is an expired license. If this is the case, update the license on
the SmartCenter Server using SmartUpdate and push policies again.
Procedure to Add a user.

>> # /cfg/sys/user

>> User# add

Name of user to add: koti

Select a group.

>> User# edit koti

>> User tester1# groups

>> Groups# add

Enter group name: admin

Set a password.

>> User# edit koti


>> User koti# password

Enter admin’s current password:xxxxx

Enter new password for koti:aaaaa

Re-enter to confirm:aaaaa

Apply the changes.

Select the Access List menu.

>> # /cfg/sys/accesslist

Add trusted remote IP addresses to the list:

>> Access List# add <base IP address to permit> <network mask


for range>and apply the changes

Enable SSH access:For security purposes, SSH access is initially


disabled. To explicitly enable SSH for the cluster, issue the following
commands.
>> # /cfg/sys/adm/ssh/ena
>> Administration Applications# apply

Backup:Issue below command,backup will store specified


location.

>> # /cfg/dump

Restoration Procedure for Smartcenter Server

1.Install Management server on a new machine.Install exactly same


products,versions,hot fixes etc and reboot the new machine.

2.Stop new Management Server using cpstop command.

3.Remove the following files from new machine.

a.$CPDIR/database/*(with subdirectories)

b.$FWDIR/database/*(with subdirectories)

4.Copy the following files from backup files to new machine.


a. $CPDIR/conf/*(with subdirectories)
b. $CPDIR/database/*.C
c. $FWDIR/conf/*(with subdirectories)
d. $FWDIR/log/*

5.Remove the following files from new machine.

a.$FWDIR/conf /CPMILinksMgr.db, $FWDIR/conf


/CPMILinksMgr.db.private.

6.Copy the SIC key from the registry backup to the registry of the new
machine.

7.Upload appropriate license on new machine.

8.start new Management Server using cpstart command.

9.Run SmartDashboard.If a new primary management object was


created,it should be configured according to the new machine.

10. If a new primary object was created then both objects have the
same SIC name.This is must be corrected.

a.Close SmartDashboard

b.Use Check Point Database Tool or dbedit to clear the SIC name
from the old object.

11.Delete the original primarymanagement object.


a.Stop the new Management server (cpstop)

b.Make the following change in $FWDIR/conf/objects_5_0.C

c.Find the original management object.

d.Change the attribute “Deletable to true” then save the changes.

Start the Management server and SmartDashboard.

12.Check the new Management Server functionality.

a.Use SmartDashboard to check the communication with modules


through test SIC status.

b.Install policy on a module.


c.Use smartView Tracker to check the logs.

d.Fetch policy from one of the modules you installed policy on.