Check Point Security Engineering
Lab Manual
Check Point Education Series
Check Point Software Technologies Inc.
P/N: 705999

© 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(i) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063

E-mail any comments or questions about our courseware to: courseware@us.checkpoint.com
For questions or comments about other Check Point documentation, e-mail: CP_Techpub_Feedback@checkpoint.com

Document: DOC-Manual-Lab-CCSA-R77
Revision: R77.10 2014
Content: Mark Hele, Joey Witt
Graphics: Cumming Sia

Contributors
Beta Testing and Technical Review:
Abdelhadi Guendouzi - Westcon - France
Alejandro Diez Rodriguez - Afina - Spain
Anthony Joubaire - Arrow ECS - France
Chris Alblas - Arrow ECS - UK
Chris Warlick - Check Point - USA
Eric Chenu - Arrow ECS - France
Erik Wagemans - ICA - Belgium
Julie Paul - Check Point - USA
Kishin Famani - K-Secure - India
Nader Assi - Sequris Group - USA
Rutger Trayers - Westcon - Belgium
Test Development: Ken Finley - Check Point
Check Point Technical Publications Team: Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon

Contents
Preface
  The Starting Configuration
  Lab Topology .... 5
Lab 1: Upgrading to Check Point R77.10
  Installing the Security Management Server
  Migrating Management Server Data
  Importing the Check Point Database
  Launch SmartDashboard
  Upgrading the Security Gateway
Lab 2: Core CLI Elements of Firewall Administration
  Policy Management and Status Verification from the CLI
  Using cpinfo .... 57
  Run cpinfo on the Security Management Server .... 65
  Analyzing cpinfo in InfoView (Optional) .... 66
  Using fw ctl pstat .... 70
  Using tcpdump
Lab 3: Migrating to a Clustering Solution .... 75
  Installing and Configuring the Secondary Security Gateway .... 76
  Re-configuring the Primary Gateway
  Configuring Management Server Routing
  Configuring the Cluster Object
  Testing High Availability
  Installing the Secondary Management Server
  Configuring Management High Availability
Lab 4: Configuring SmartDashboard to Interface with Active Directory .... 151
  Creating the Active Directory Object in SmartDashboard .... 152
  Verify SmartDashboard Communication with the AD Server .... 159
Lab 5: Configuring Site-to-Site VPNs with Third Party Certificates .... 161
  Configure Access to the Active Directory Server .... 162
  Creating the Certificate
  Importing the Certificate Chain and Generating Encryption Keys .... 169
  Installing the Certificate .... 182
  Environment Specific Configuration .... 185
  Testing the VPN Using 3rd Party Certificates .... 195
Lab 6: Remote Access with Endpoint Security VPN
  Defining LDAP Users and Groups .... 198
  Configuring LDAP User Access .... 208
  Defining Encryption Rules .... 219
  Defining Remote Access Rules .... 221
  Configuring the Client Side .... 228
Lab 7: SmartEvent and SmartReporter .... 239
  Configure the Network Object in SmartDashboard .... 240
  Configuring Security Gateways to work with SmartEvent .... 244
  Monitoring Events with SmartEvent .... 252
  Generate Reports Based on Activities .... 257

Preface
Before beginning any labs, you should have been presented with a virtual environment configured in either VMware Workstation or ESX. Each student should have the following machines configured in the environment:
* A-GUI
* A-SMS
* A-SMS-02
* A-GW-OLD
* A-GW-NEW
* B-GW
* B-GUI
These environments are self-contained sandbox configurations, meaning that every student has the same virtual machines to work with, all with identical IP addressing and interface information. Though Internet connectivity is not required for this class, it may be added by your instructor.

The Starting Configuration
The first lab in sequence is an upgrade from an existing configuration.
Consequently, the instructions for Lab 1 assume that the initial starting configuration has been set up before the start of class in accordance with the CPSE 2013 Edition Classroom Setup Procedures. This consists of the following:
* The Alpha site is configured as Check Point R76 (Gaia) in a distributed installation.
* From the A-GUI virtual machine, use the pre-installed R76 SmartDashboard to log into the Security Management Server for the Alpha site (A-SMS).
* Confirm that the starting policy is similar to the following:
Figure 1 — Alpha Site Starting Policy (R76)
* The Bravo site is configured as Check Point R77 (Gaia) in a standalone gateway configuration.
* From the B-GUI virtual machine, use the pre-installed R77 SmartDashboard to log into the Security Management Server/Security Gateway for the Bravo site (B-GW).
* Confirm that the starting policy is similar to the following:
Figure 2 — Bravo Site Starting Policy (R75.46)
* There should be a site-to-site shared secret VPN configured and deployed between the two sites.
* The Shared Secret should be vpn123.
* Verify that the Encryption settings for the community are set similarly to the following screenshot:
Figure 3 — Encryption Configuration

Lab Topology
The lab topology for this course evolves during the course of the labs. The beginning configuration should be a fully functional topology that includes two sites, Alpha and Bravo, with a VPN between them. In the first lab, you will upgrade the Alpha site's Security Management Server and then push the upgrade to the site's Security Gateway. As the course progresses, you will deploy new machines to demonstrate gateway clustering and management High Availability.
Keep in mind that the following machines are not pre-installed at the beginning of the class, but are installed in later labs:
* A-GW-02
* A-SMS-02
Review the topology spanning the next two pages and familiarize yourself with the configuration before continuing to the first lab.

Lab Topology diagram: Alpha site (Topology Conventions legend)
Lab Topology diagram: Bravo site (Topology Conventions legend)

Lab 1: Upgrading to Check Point R77.10
Scenario: The instructions contained within this lab illustrate how to perform an upgrade of a Security Management Server from R76 (Gaia) to R77.10 (Gaia). You will export the configuration of your old server to a Windows machine before installing a new R77.10 server. Once the fresh installation of the new OS is complete, you can then import the rules, objects, and settings of the previous server into the database of the new, upgraded server. Once the upgrade of the Security Management Server is complete, use SmartUpdate to "push" an upgrade package of R77.10 to the Security Gateway.
Topics:
* Clean Installation of R77.10
* Running migrate export/migrate import
* Access and file transfer via SSH/SCP
* File transfer using TFTP
* Installing SmartConsole

Installing the Security Management Server
Install the R77.10 Management Server blade on the A-SMS-New virtual machine. The management server will manage the Security Gateway for this site.
1. In VMware, create a new Virtual Machine (VM) using the ISO image or DVD provided by your instructor.
This VM should be defined as follows:
Name: A-SMS-New
OS: Other
Version: Other
Disk Space: 60GB
Memory: 2GB
One Interface (eth0):
  eth0: Connect at power on
  LAN Segment: LAN 2
Note: Your classroom configuration may be different. Check with your instructor before continuing to the next step.
2. Before powering on your VM, verify that it is configured as defined above.
3. Power on the A-SMS-New virtual machine and the Welcome to Check Point Gaia R77.10 screen appears:
Figure 4 — Welcome to Check Point Gaia R77.10
4. Highlight the option Install Gaia on this system.
5. Press the Enter key within 60 seconds to launch the installation.
6. At the Welcome screen, highlight OK and press Enter.
7. Select the keyboard to suit your region and accept the default partition configuration.
8. At the Account Configuration screen, enter and confirm vpn123 as the password for the OS-level "admin" account.
Note: Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
9. Tab to OK and press Enter.
10. Use the following information to configure the Management Interface (eth0) screen:
IP Address: 10.1.1.101
Netmask: 255.255.255.0
Default Gateway (IP): 10.1.1.1
Figure 5 — Management Interface (eth0) Configured
11. Select OK and press Enter. The system displays the Confirmation screen.
12. In the Confirmation screen, select OK and press Enter to proceed.
13. After the drive is formatted and the installation is complete, the system displays the Installation Complete screen.
14. STOP.
Do NOT reboot the virtual machine yet:
Figure 6 — Installation Complete

Migrating Management Server Data
1. Log into the A-SMS-Old virtual machine and enter Expert mode.
2. To change the default shell for the admin account to bash and allow WinSCP connections, issue the following command:
chsh -s /bin/bash admin
Note: By setting the login for SecurePlatform to the bash shell, you bypass some of the built-in security checks in the cpshell login. Check Point recommends changing the default shell only on an "as-needed" basis.
3. While the installation runs on A-SMS-New, go to A-GUI.
4. From A-GUI, use WinSCP to connect to the A-SMS-Old virtual machine (10.1.1.101):
Figure 7 — WinSCP
5. In WinSCP, confirm that the left pane displays the local directory and the right pane displays the remote directory.
6. In the right pane, navigate to the /home/admin directory of the old R76 Security Management Server:
Figure 8 — WinSCP Default Configuration
7. In the local directory pane, browse to: C:\inetpub\ftproot
8. Copy the following file from A-GUI to the /var/tmp directory on the A-SMS-Old virtual machine:
Check_Point_migration_tools_R77.10.Linux_SecurePlatform.tgz
Figure 9 — Copy
Note: When copying the file, ensure that Transfer Settings is set to Binary.
9. Highlight the copied file in the right pane of WinSCP and right-click.
10. From the Context Menu, select Custom Commands > UnTar/Gzip:
Figure 10 — Special Commands - UnTar/Gzip
11. Extract the directory to the default location: /var/tmp
12. From the WinSCP window, click the PuTTY Login button:
Figure 11 — PuTTY Login Button
13. PuTTY logs into the A-SMS-Old server (10.1.1.101) at the /home/admin directory:
Figure 12 — PuTTY session to /home/admin on A-SMS-Old
14. At the prompt, issue the following command:
cpstop
15. Change to the /var/tmp directory and type the following command:
./migrate export A-SMS.tgz
16. Press Enter to run the script, and the system issues the following warning:
Figure 13 — Warning
17. Type y, and press Enter.
Note: The script typically has a runtime of 20 minutes. This may vary depending on the size of your Security Policy, the number of objects in the database, etc. Once complete, the system provides the location of the exported file and returns to the Expert Mode command prompt.
18. Minimize the PuTTY window.
19. Verify that the TFTP server application is running on A-GUI and that its root directory is set to the following: C:\inetpub\ftproot
Figure 14 — TFTPd32 Interface
20. In the PuTTY session on A-SMS-Old, initiate a TFTP session back to A-GUI (10.1.1.201).
21. Ensure that the session is set for verbose and that binary mode is active.
22. Type the following command and press Enter:
put A-SMS.tgz
Figure 15 — TFTP Session
23. Verify that the A-SMS.tgz file has been transferred by checking the contents of the C:\inetpub\ftproot directory locally on A-GUI.
24. In the PuTTY session to A-SMS-Old, issue the following command:
shutdown now -h
Figure 16 — shutdown now -h
25. Exit PuTTY, and close the WinSCP session.
26. Access the A-SMS-New virtual machine.
27. Press Enter, to reboot the virtual machine.
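The exported archive crosses two hops (TFTP to A-GUI here, then WinSCP to the new server before the import), and each transfer step above insists on binary mode because an ASCII-mode or truncated transfer silently corrupts a .tgz. The following shell script is an added example, not part of the Check Point lab manual: it records a SHA-256 digest of the archive on the exporting server and checks the copy before it is handed to the import. The archive name is the lab's; the helper functions and the constructed sample archive used in the demonstration are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point lab manual: verify that an exported
# management archive (A-SMS.tgz in the lab) survived its TFTP and WinSCP hops
# intact before it is handed to migrate import.
# Assumes sha256sum, awk and tar are available (coreutils/GNU tar on Linux).

# Record a SHA-256 digest beside the archive, e.g. A-SMS.tgz -> A-SMS.tgz.sha256.
# Run this on the exporting server right after the export finishes.
record_digest() {
    sha256sum "$1" | awk '{print $1}' > "$1.sha256"
}

# Compare a transferred copy against the recorded digest.
# Returns 0 on a match, 1 when the digest differs or the digest file is missing.
verify_copy() {
    archive="$1"
    digest_file="$2"
    [ -r "$digest_file" ] || return 1
    expected=$(cat "$digest_file")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Independent sanity check: can tar list the gzip archive? A truncated or
# ASCII-mode-mangled upload usually fails here even though the file exists.
archive_is_sane() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Demonstration on constructed files: one faithful copy (what a binary-mode
# transfer yields) and one truncated copy. Echoes a one-line summary.
demo() {
    work=$(mktemp -d)
    # Constructed placeholder content standing in for the exported database.
    printf 'constructed placeholder for exported objects\n' > "$work/objects.C"
    tar -czf "$work/A-SMS.tgz" -C "$work" objects.C
    record_digest "$work/A-SMS.tgz"

    cp "$work/A-SMS.tgz" "$work/A-SMS.good.tgz"
    head -c 20 "$work/A-SMS.tgz" > "$work/A-SMS.truncated.tgz"

    verify_copy "$work/A-SMS.good.tgz" "$work/A-SMS.tgz.sha256" && g=match || g=mismatch
    verify_copy "$work/A-SMS.truncated.tgz" "$work/A-SMS.tgz.sha256" && t=match || t=mismatch
    archive_is_sane "$work/A-SMS.truncated.tgz" && s=readable || s=unreadable

    rm -rf "$work"
    echo "good=$g truncated=$t truncated_tar=$s"
}

demo
```

On the real servers, run record_digest on A-SMS-Old before step 20 and verify_copy on A-SMS after the archive lands in upgrade_tools; only proceed with the import when both checks pass.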
Configure Security Management Server Using the Web UI
Follow these steps to configure the primary Security Management Server for your configuration.
1. From the A-GUI virtual machine, launch an Internet browser such as Firefox or Internet Explorer.
2. In the address field, type the following: https://10.1.1.101
Note: Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. Both the GUI client machine (A-GUI) and the Security Management Server (A-SMS) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor if you are using a different configuration.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the site.
5. Log into A-SMS with the following credentials:
Login: admin
Password: vpn123
6. Press Enter, and the system displays the following message:
Figure 17 — Gaia First Time Configuration Wizard
7. Click Next, and the system displays the Deployment Options page.
8. Verify that the following option is selected: Continue with Gaia R77.10 configuration
9. Click Next, and the system displays the Management Connection window:
Figure 18 — Network Connection
10. Use the information below to verify that the Security Management Server's network connection is configured properly:
Interface: eth0
Configure IPv4: Manually
IPv4 Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: Leave Blank (This is configured later.)
Configure IPv6: Off
11. Click Next, and the system displays the Device Information window.
12. Use the following information to configure the Device Information window:
Host Name: A-SMS
Domain Name: alpha.cp
Primary DNS Server: 10.1.1.201
Figure 19 — Device Name Configured
Note: Check Point prohibits the use of underscores in object names.
13. Click Next, and the system displays the Date and Time Settings.
14. Select the option Use Network Time Protocol (NTP).
15. In the Primary NTP Server field, type 10.1.1.201.
16. Select the correct Time Zone for your location:
Figure 20 — Date and Time Settings Configured
17. Click Next, and the system displays the Installation Type window:
Figure 21 — Network Configuration - Host Name Options
18. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
19. In the Products window, clear the Security Gateway option.
20. Use the information below to configure the Products window:
Products: Security Management
Advanced: Define Security Management as Primary
Note: Do NOT select the Security Gateway option.
21. Verify that the Products window is configured as follows:
Figure 22 — Products Configured
22. Click Next, and enter admin for the Administrator name.
23. Enter and confirm vpn123 as the password.
24. Click Next, and confirm that the option Any IP Address is selected in the Security Management GUI Clients window.
25. Click Next, and the system displays the Summary page:
Figure 23 — Summary
26. Click Finish, and the system prompts you for a response to the following question:
Figure 24 — First Time Configuration Wizard Message
27. Click Yes, and the system proceeds with the configuration:
Figure 25 — Summary (Progress)
28. Once complete, it displays a message indicating that the configuration was successful:
Figure 26 — Message
29. Click OK, and the system displays the following question:
Figure 27 — Help Check Point Improve Software Updates
Note: In a real-world deployment, you may want to allow this access, so that you can be notified of important updates or available downloads. Since this is a test environment and we are not connected to the Internet, we will not be taking advantage of this service.
30. Click No, and the Web UI displays the configuration settings of the newly configured Security Management Server:
Figure 28 — Check Point Web UI - Security Management Server Configured
31. In the Messages page, enter the following before the default message:
A-SMS Unauthorized access of this server is prohibited and punishable by law.
Figure 29 — Messages Configured
32. Click Apply.
33. In the User Management section of the navigation pane, select Users:
35. Use the following information to configure the new user:
Login Name: WINscpAdmin
Password: vpn123
Real Name: WinSCP Admin
Home Directory: /home/WINscpAdmin
Shell: /bin/bash
Access Mechanisms: Web, Command Line
Assigned Roles: adminRole
Figure 32 — Add User Configured
Note: Now, when you log into the Security Management Server as WINscpAdmin, the correct shell is available for WinSCP to connect and transfer files. There is no longer a need to specifically define the shell in the command line. Since this is an OS-level user, you must perform this action on every module on which you want the WinSCP user defined.
36. Click OK, and the system adds the new user to the Users page:
Figure 33 — Users

Installing SmartConsole
In this section, you will install SmartConsole on the A-GUI virtual machine.
1. In the navigation pane of the Web portal, click Overview.
2. On the Overview page, click the Download Now button to download the SmartConsole .exe:
Figure 34 — Web Portal - Overview
3. Double-click the downloaded SmartConsole .exe file. The Welcome screen displays:
Figure 35 — Welcome
4. Click Next, and select the I accept.... option to accept the terms of the license.
5. Click Next, and accept the default destination folder for the application.
6. Click Next, and the system displays the SmartConsole window:
Figure 36 — Installation Type
7. Verify that the Full option is selected.
8. Click Next, and the system displays the Thank You window.
9. Uncheck the option Launch SmartDashboar....
10. Click the Finish button, to complete the SmartConsole installation.
Importing the Check Point Database
Use the migrate import command to load the objects, rules, and settings from the previous server into the newly configured R77.10 one.
1. From A-GUI, use the following information to connect to the newly configured Security Management Server via WinSCP:
Host Name: 10.1.1.101
User Name: WINscpAdmin
Password: vpn123
Figure 37 — WinSCP Login
Note: In Gaia, the User Name and Password are both case sensitive.
2. Click Login, and WinSCP logs into A-SMS.
3. In the right pane, navigate to the following location: /opt/CPsuite-R77/fw1/bin/upgrade_tools
Figure 38 — WinSCP
4. Copy the A-SMS.tgz file from its location on A-GUI to the upgrade_tools folder on A-SMS:
Figure 39 — Copy
Note: When transferring files, make sure you configure the Transfer Settings to work in Binary mode.
5. After the file transfer is complete, exit WinSCP.
6. Once the file is copied to the server, log into A-SMS (10.1.1.101) and enter Expert Mode.
7. Type the following command and press Enter, to change directory to the location of the imported file:
cd $FWDIR/bin/upgrade_tools
8. To import the file into the new Security Management Server, type the following command:
./migrate import A-SMS.tgz
9. Press Enter, and the system warns you that services must be stopped and asks you to confirm the import.
10. Type y, and press Enter. The system unzips the file and imports the configuration. Once complete, it displays the following question:
Figure 40 — Question
11. Press Enter, to restart Check Point services.
Note: Wait for the services to restart before proceeding to the next section.

Launch SmartDashboard
Launch SmartDashboard and connect to the Security Management Server.
1. From the Start menu, click All Programs > Check Point SmartConsole R77.10 > SmartDashboard, and the system displays the login window:
Figure 41 — SmartDashboard Login
2. Use the following information to configure the login window:
User Name: admin
Password: vpn123
Server name or IP address: 10.1.1.101
3. Click the Login button, and the system displays the fingerprint.
4. Click the Approve button, to approve the fingerprint.
5. If you are using the built-in software trial period, a notification screen showing the days left of the trial period will appear:
Figure 42 — Check Point Trial Period Screen
6. Check the box Do not show this again.
7. Click OK and SmartDashboard R77.10 displays the Firewall blade Overview:
Figure 43 — SmartDashboard R77.10 Overview
8. Verify and install the Security Policy.

Upgrading the Security Gateway
Import the upgrade package into the Package Repository on the Security Management Server and push the upgrade to the Security Gateway.
1. From the toolbar, select SmartConsole > SmartUpdate. The system launches SmartUpdate and displays a message.
2. Close SmartDashboard.
Note: The upgrade will fail if you have SmartDashboard open. The only SmartConsole client you can have open at this point is SmartUpdate.
3. In SmartUpdate, click the option Don't show this message again.
4. Click OK to clear the message.
5. In the Packages tab, right-click the A-GW-01 object:
Figure 44 — SmartUpdate - Package Management
6. Select the option Get Gateway Data. Notice that the object now displays a current version of R76:
Figure 45 — Add Package
Note: This package, placed there by your instructor, is the upgrade package used in the previous section to upgrade the Management Server. It has not, however, been added to the repository yet. It must be in the repository before it can be pushed down to the Security Gateway.
7. In the toolbar, click the Add Package from File icon.
8. In the Add Package window, navigate to the FTP root directory. There, you will find the upgrade package:
Figure 46 — Add Package
9. Select: Check_Point_upg_WEBUI_and_SmartUpdate_R77.10.Gaia.tgz
10. Click Open, and the system adds the package to the repository.
Note: Check the Operation Status window at the bottom of the screen. When the process is complete, it should show the operation as "Adding Check_Point_upg_WEBUI..." and have a status of "Package was successfully added to t..." and show a progress of "Done".
11. Once the package has been added, right-click the A-GW-01 object and select Upgrade All Packages.
Figure 47 — Upgrade All Packages
12. Verify that A-GW-01 is selected in the Upgrade All Packages window, and click Upgrade. The system then shows an Operational Status of "Distributing packages to 'A-GW-01'".
13. Once the upgrade completes, close SmartUpdate and log into SmartDashboard.
14. Edit the Security Gateway object:
Figure 48 — Check Point Gateway - General Properties
15. Notice that the gateway object now shows that the OS Version is Gaia R77.10.
16. From the Topology tab, click the Get Interfaces with Topology button. The system displays a warning message.
17. Click Yes to clear the message and retrieve the interface information:
Figure 49 — Get Topology Results
18. Review the retrieved information and click the Accept button.
19. Click OK to save the new configuration in the gateway object.
20. Push policy to the upgraded Gateway.
Figure 50 — Installation Process
21. If you have reached this step with a fully functional configuration, create Snapshots for every virtual machine in the topology. Name the Snapshots "Lab 1 Completed."
Note: If your environment is not fully functional, contact your instructor for assistance. Do not proceed if your configuration has problems.
END OF LAB

Lab 2: Core CLI Elements of Firewall Administration
Scenario: You have R76 installed as a distributed security solution. Use a selection of common commands and tools to manage the firewall and monitor and capture traffic logs for troubleshooting purposes.
Topics:
* Installing the Security Policy and verifying status with fw stat
* Uninstalling the Policy and verifying status with fw stat
* Running fwm load and fw stat to install and verify the Policy
* Running cpinfo on a Security Gateway
* Finding information from cpinfo output
* Opening cpinfo from InfoView
* Running the fw ctl pstat command
* Identifying information in the fw ctl pstat file
* Running basic fw monitor and tcpdump commands on a Security Gateway

Policy Management and Status Verification from the CLI
Policy status for a Gateway is regularly verified in SmartView Tracker. The fw stat command is also useful to verify Policy status. In circumstances where you cannot log in to SmartDashboard, fw unloadlocal can be used to uninstall the Policy.
1. From the A-GW-01 virtual machine, run the following command:
fw stat
Figure 51 — fw stat
2. Run fw unloadlocal from the command line:
Figure 52 — fw unloadlocal
3. Verify that the policy was removed by running fw stat:
Figure 53 — fw stat
4. Run fw fetch localhost from the command line:
Figure 54 — fw fetch localhost
5. Run the fw stat command to verify the policy fetch from the Security Management Server:
Figure 55 — fw stat
6. From the command line of A-SMS, type the following:
fwm load Standard A-GW-01
Figure 56 — fwm load Standard A-GW-01
Note: If you logged into the Gateway via an SSH session, your session will terminate abruptly, as fwm load does not preserve connections during a Policy install. Log in again and continue with the lab.
7. Verify that the Policy is installed successfully, by running fw stat on the Security Gateway:
Figure 57 — fw stat

Using cpinfo
In this section, you will collect configuration files from the Security Gateway.
1. From A-GUI, use PuTTY to log in to the Security Gateway (10.1.1.1). Once logged in, log in to Expert Mode.
2. At the Expert Mode prompt for A-GW-01, run the following command:
cpinfo -l -z A-GW-01-cpinfo.txt
Figure 58 — cpinfo -l -z
3. Press Enter, and the system displays the following prompt:
Figure 59 — Question
4. Press Enter, and the file collection runs for about a minute. As cpinfo runs, status messages will display:
Figure 60 — cpinfo -l -z
Note: Once cpinfo has finished, the output file A-GW-01-cpinfo.txt will be created in the default directory for the administrator: /home/admin
5. From Expert Mode, change the default shell to bash to allow WinSCP connections:
chsh -s /bin/bash admin
Note: By setting the login for SecurePlatform to the bash shell, you bypass some of the built-in security checks in the cpshell login.
Check Point recommends changing the default shell only on an "as-needed" basis.

6. From A-GUI, start a WinSCP session to the Security Gateway and download the file:

Figure 61 — cpinfo File Transferred

Note: If using FTP from the Security Gateway to an FTP server, make sure to use binary mode.

7. Navigate to the directory to which you transferred the text file, and open it in WordPad:

Figure 62 — CP Status

8. Scroll down to view the CP Status section and view the following:
* Product Name
* Policy Name
* Policy Install Time

Figure 63 — CP Status

9. Using the Edit menu's Find option, identify the following:
* FireWall-1 Version Information
* SecurePlatform Version
* CP License

Figure 64 — Find

Run cpinfo on the Security Management Server

1. In Expert Mode on the Security Management Server (A-SMS), run the following command:
   cpinfo -o A-SMS-01-cpinfo.txt

Figure 65 — cpinfo

Note: In some versions of the software, you can run cpinfo on a module from SmartUpdate. If your version allows this, the system will zip the file automatically, so there is no need for the -z handler.

2. Use TFTP to transfer the file to A-GUI.
3. From A-GUI, navigate to the A-SMS-01-cpinfo.txt file.
4. Notice that this cpinfo file from the Management Server contains significantly more information and is a much larger file.

Note: When cpinfo is run on the Security Management Server, it retrieves information about all the objects and rules, in addition to the Active Directory schema.

Analyzing cpinfo in InfoView (Optional)

In this section, you will analyze the A-GW-01-cpinfo.txt and A-SMS-cpinfo.txt files in InfoView.
Note: InfoView is available only to Check Point Partners as a troubleshooting tool. Depending on your ATC's partner status, this tool may or may not be available.

1. From InfoView, open A-GW-01-cpinfo.txt from the File menu:

Figure 66 — A-GW-01-cpinfo.txt in InfoView

2. Expand the System Information branch in the navigation pane.
3. Select the Hostname branch.
4. Note the following items:
* Hostname
* SecurePlatform Version
5. Under the System Information category, double-click the Hostname branch. The system displays only the hostname in a separate file:

Figure 67 — InfoView Generated WordPad File with Hostname Information

6. Close the Hostname file.
7. Double-click the CP Products branch to view the Check Point products installed on A-GW-01:

Figure 68 — CP Products Installed

8. Close the CP Products file.
9. Double-click the Components branch in InfoView, and review component information:

Figure 69 — Check Point Components Installed

Using fw ctl pstat

This section focuses on generating a file on the Security Gateway containing fw ctl pstat information, and interpreting some of the data.

1. While logged in to the Security Gateway in Expert Mode, run the following:
   fw ctl pstat > pstat.txt

Note: The fw command is the same for UNIX and Windows servers.

2. Use the less command to view the pstat.txt file, and identify the following portions of the file:
* Amount of hash-kernel memory, used and available
* Number of fragments and how many expired

Figure 70 — pstat.txt File

3. Press Enter to scroll and, based on this output, determine whether the Gateway is overloaded or underused.
4. Press Q to quit the file.
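Steps 2 and 3 above have you read the hash-kernel memory and Fragments figures out of pstat.txt by eye; the script below does the same extraction from a saved file and turns it into a rough overloaded/underused call. It is an added example, not code from the lab manual or from Check Point: the pstat text inside it is constructed, and the line layouts its regular expressions expect are an assumption about the R7x fw ctl pstat output, so adjust them if your version prints these sections differently.

```python
"""Parse the hash-kernel memory and Fragments figures out of a saved
fw ctl pstat file (the pstat.txt created in this lab) and give a rough
load verdict.

Added example; it is not part of the Check Point lab manual. The pstat
text below is constructed, and the line layouts the regexes expect are
an assumption about the R7x output; adjust them if your version differs.
"""
import re
import sys

# Constructed sample of the two sections the lab asks you to locate.
SAMPLE_PSTAT = """\
Hash kernel memory (hmem) statistics:
  Total memory allocated: 83886080 bytes in 20479 (4KB) blocks using 1 pool
  Total memory bytes  used: 60397977   unused: 23488103 (28.00%)
  Total memory blocks used:    14745   unused:     5734 (28%)
  Allocations: 812345 alloc, 0 failed alloc, 797600 free

Fragments:
  120 fragments, 60 packets, 18 expired, 0 short,
  0 large, 2 duplicates, 0 failures
"""

# Assumed line layouts (see lead-in); whitespace is deliberately loose.
HMEM_BYTES = re.compile(r"Total memory bytes\s+used:\s*(\d+)\s+unused:\s*(\d+)")
FAILED_ALLOC = re.compile(r"(\d+) failed alloc")
FRAGMENTS = re.compile(r"(\d+) fragments,\s*(\d+) packets,\s*(\d+) expired")


def parse_pstat(text):
    """Return the figures the lab asks for as a dict.

    Raises ValueError if either section is missing, so a truncated file
    is not silently reported as healthy.
    """
    hmem = HMEM_BYTES.search(text)
    frag = FRAGMENTS.search(text)
    if not (hmem and frag):
        raise ValueError("hmem or Fragments section not found in pstat output")
    failed = FAILED_ALLOC.search(text)
    used, unused = int(hmem.group(1)), int(hmem.group(2))
    return {
        "hmem_used": used,
        "hmem_unused": unused,
        "hmem_used_pct": round(100.0 * used / (used + unused), 1),
        "hmem_failed_alloc": int(failed.group(1)) if failed else 0,
        "fragments": int(frag.group(1)),
        "frag_packets": int(frag.group(2)),
        "frag_expired": int(frag.group(3)),
    }


def load_verdict(stats, high_pct=80.0, low_pct=10.0):
    """Rough 'overloaded' / 'underused' / 'normal' call (step 3 of the lab).

    The thresholds are illustrative, not Check Point guidance. Failed hmem
    allocations mean the kernel already ran out of hash memory, and a
    large share of expired fragments means reassembly is being abandoned,
    so either is treated as overload regardless of the percentage.
    """
    frags, expired = stats["fragments"], stats["frag_expired"]
    if stats["hmem_failed_alloc"] > 0 or stats["hmem_used_pct"] >= high_pct:
        return "overloaded"
    if frags and expired * 2 > frags:
        return "overloaded"
    if stats["hmem_used_pct"] <= low_pct and frags == 0:
        return "underused"
    return "normal"


if __name__ == "__main__":
    # Read pstat.txt if a path is given, otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PSTAT
    stats = parse_pstat(text)
    for key, value in stats.items():
        print(f"{key:18} {value}")
    print("verdict:", load_verdict(stats))
```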
Using fw monitor

In this section you will test fw monitor. It is important to remember that in a production environment where a Security Gateway is already under heavy load, the fw monitor command can dramatically affect performance. It is always best to test packet captures during off-peak times.

1. In Expert Mode on A-GW-01, navigate to the following directory: /var/tmp

Note: It is recommended to run the fw monitor command from a directory with plenty of space, such as /var, so that you do not fill up the hard drive.

2. Type the following at the prompt to start fw monitor:
   fw monitor -o monitorfile.out

Figure 71 — fw monitor

3. Generate ICMP and FTP traffic from A-GUI to B-GUI.
4. From A-GW-01, type CTRL-C to end monitoring.
5. From A-GUI, use WinSCP to transfer the monitorfile.out off the Security Gateway.
6. Use Wireshark to review the created output:

Figure 72 — monitorfile.out in Wireshark

7. Locate the ICMP traffic from 10.1.1.201 to 10.2.2.201.
8. Identify additional traffic, such as NTP Client traffic from the 10.1.1.1 interface on the gateway to the GUI client (10.1.1.201).
9. Log in to A-GW-01, and type the following in expert mode:
   fw monitor -e "accept src=10.1.1.201 or dst=10.1.1.201;" -o monitorfile2.out

Note: This monitors traffic to and from a specific address.

10. Generate ICMP traffic from:
* A-GUI to B-GUI
* B-GUI to A-GUI
11. From A-GW-01, type CTRL-C to end monitoring.
12. From A-GUI, use WinSCP to transfer the monitorfile2.out off the Security Gateway.
13. Review the created output file to see that only the ICMP traffic to and from 10.1.1.201 is shown:

Figure 73 — monitorfile2.out in Wireshark

Using tcpdump

Use tcpdump to retrieve Layer 2 information from the gateway.

1. From A-GW-01, run the following command in expert mode:
   tcpdump -i eth1 icmp -w dumpfile.out
2. Generate ICMP traffic from A-GUI to the B-GUI virtual machine.
3. On A-GW-01, type CTRL-C to end monitoring.
4. Use WinSCP to transfer the newly created tcpdump file to A-GUI.
5. Use Wireshark to view the contents of the tcpdump file:

Figure 74 — Wireshark - tcpdump File

END OF LAB

Lab 3: Migrating to a Clustering Solution

Scenario: Now that the Alpha site has been upgraded to R76, business needs require that the security gateway be migrated into a cluster solution to provide an always-up configuration for VPN connectivity. Additionally, a disaster recovery solution recommendation has suggested that a secondary Security Management Server be installed in a Management High-Availability configuration.

Topics:
* Installing and Configuring ClusterXL in New Mode High Availability
* Installing and Configuring Management High Availability

Installing and Configuring the Secondary Security Gateway

1. In the CDROM of the A-GW-02 virtual machine, mount the R76 media.
2. Power on A-GW-02.
3. When the system displays the VMware logo, view the Boot Menu.

Figure 75 — BIOS Boot Menu

4. Verify that CD-ROM is the first device listed in the Boot menu.
5. Save any changes and exit the boot sequence configuration.
6. Continue booting up the virtual machine and the system displays the Welcome screen for Gaia:

Figure 76 — Gaia Installation Welcome Screen

7. Highlight the option Install Gaia on this system, and press Enter.
8. Continue the installation and choose the keyboard configuration appropriate for your country.
9. Accept the default partition configuration, and enter and confirm the following as the password: vpn123
10. In the Management Port configuration screen, choose eth1.
Figure 77 — Management Port

11. In the Management Interface configuration, use the following information:
   IP Address: 10.1.1.3
   Netmask: 255.255.255.0
   Default Gateway (IP): Clear default and leave blank

Figure 78 — Management Interface Configured

12. Confirm installation and the system begins to install the operating system based on the newly configured settings.
13. Once installation completes, reboot the system:

Figure 79 — Installation Complete

14. From A-GUI, use HTTPS to log into the Gaia Portal (10.1.1.3):
   Username: admin
   Password: vpn123
15. Once you have logged into the server, the system launches the Gaia First Time Configuration Wizard:

Figure 80 — Gaia First Time Configuration Wizard

Figure 81 — Deployment Options

17. Click Next, and verify that the Management Connection page shows eth1 with an IP address of 10.1.1.3.

Figure 82 — Management Connection
18. Click Next, and accept the default settings on the Connection to UserCenter page:

Figure 83 — Connection to UserCenter

19. Use the information below to configure the Device Name page:
   Host Name: A-GW-02
   Domain Name: alpha.cp
   Primary DNS Server: 10.1.1.201

Figure 84 — Device Name

20. Configure the Security Gateway to use A-GUI as its NTP server:
   Use Network Time Protocol (NTP): Selected
   Primary NTP Server: 10.1.1.201
   Time Zone: Select the time zone for your area.

Figure 85 — Date and Time Settings

21. In the Installation Type page, select Security Gateway or Security Management.
22. On the Products page, uncheck the Security Management option.
23. Use the information below to configure the Products page:
   Products: Security Gateway
   Advanced: Unit is a part of a cluster
   Type: ClusterXL

Figure 86 — Products

24. Enter and confirm vpn123 as the Activation Key.
25. When you click Finish on the last page, the system asks you if you want to continue with the configuration.
26. Click Yes, and the system begins to configure the Security Gateway. Once the configuration is complete, the system displays the following message:

Figure 87 — First Time Configuration Wizard

27. Click OK to confirm the reboot.
28. Once the reboot is complete, the system displays the Gaia Portal login screen:

Figure 88 — Gaia Portal

29. Log into the portal using the following credentials:
   Username: admin
   Password: vpn123
30. Click Log In, and the system displays the following message:

Figure 89 — Message

31. Click No, and the system displays the Overview page.
32. In the navigation pane, click Network Interfaces.
33. Use the information below to configure the interfaces for A-GW-02:

   Interface  Type      IP Address     Subnet Mask    Status  Comment
   eth0       Ethernet  172.21.101.3   255.0.0.0      Up      External
   eth1       Ethernet  10.1.1.3       255.255.255.0  Up      Internal
   eth2       Ethernet  192.168.101.3  255.255.255.0  Up      Sync

Figure 90 — Interfaces

34. In the navigation pane, select IPv4 Static Routes.
35. Configure the Default route to point to 172.22.102.1.
36. On the Messages page, add the following text:
   A-GW-02 Unauthorized access of this server is prohibited and punishable by law.

Figure 92 — Messages

37. Click Apply.
38. In the navigation pane, locate the Maintenance section.
39. Select Shut Down to view the Shut Down options.
40. On the Shut Down page, click the Reboot button and confirm the action.

Re-configuring the Primary Gateway

1. From the virtual system of the first Security Gateway (A-GW-01), run the cpconfig script:

Figure 93 — cpconfig

2. From the Configuration Options, choose the following option:
   6 Enable Cluster membership for this gateway

Note: If option six displays the following, exit cpconfig and skip to step 6:
   Disable Cluster membership for this gateway

3. Press Y to confirm that you want to enable the cluster membership.
4. Exit the Configuration options.
5. Reboot A-GW-01 to enable the changes.
6. At A-GUI, open SmartDashboard and remove A-GW-01 from all rules in the Rule Base.
7. Next, remove all references to A-GW-01 from the IPSec VPN > MyIntranet > Participating Gateways fields.
8. Disable the Stealth Rule and install the policy.

Note: You may need to wait for A-GW-01 to complete its reboot before pushing policy.

9. Once policy is installed, delete the A-GW-01 object. The system may display a warning message. Click Yes to clear the message.
10. From CLISH on the A-GW-01 virtual machine, run the following command:
   set interface eth0 ipv4-address 172.21.101.2 mask-length 8

Figure 94 — set interface

Note: To specifically define the subnet mask, you may also run the following command for the same result:
   set interface eth0 ipv4-address 172.21.101.2 subnet-mask 255.0.0.0

11. Now, run the following command to reconfigure the internal interface:
   set interface eth1 ipv4-address 10.1.1.2 mask-length 24
12. Run the following command to reconfigure the sync interface:
   set interface eth2 ipv4-address 192.168.101.2 mask-length 24
13. Run cpconfig to reset SIC, using vpn123 for the activation key.
14. Exit cpconfig.
15. Type exit, and press Enter.
16. Use HTTPS to log back into the Gaia Portal at A-GW-01 (10.1.1.2).
17. Confirm that the newly configured IP addresses appear as follows:

Figure 95 — Re-configured A-GW-01 Interfaces

Configuring Management Server Routing

1. From A-GUI, use HTTPS to log into the Security Management Server (10.1.1.101).
2. In the navigation pane, click IPv4 Static Routes.
3. Click the Add Multiple Static Routes button, and the system displays the following:

Figure 96 — Add Multiple Routes

4. For the Next Hop Type, verify that Normal is selected.
5. In the text field, enter the following:
   172.21.101.2/32 10.1.1.2
   172.21.101.3/32 10.1.1.3

Figure 97 — Add Multiple Routes Configured

6. Click Save, and verify that the new routes appear as follows:

Figure 98 — IPv4 Static Routes Configured

7. Sign out of the Gaia Portal.

Configuring the Cluster Object

1. From SmartDashboard on A-GUI, right-click Network Objects > Check Point.
2. From the menu, select Security Cluster > Check Point Appliance/Open Server:

Figure 99 — SmartDashboard Menu

3. The Cluster Creation application starts:

Figure 100 — Cluster Creation Wizard

4. Choose Classic Mode and the system displays an unconfigured cluster object.
5. Use the information in the following matrix to configure the General Properties page of the Cluster:
   Cluster Name: A-GW-Cluster
   Cluster IP Address: 172.21.101.1
   Platform:
      Hardware: Open Server
      Version: R77
      OS: Gaia

Figure 101 — Gateway Cluster Properties - General Properties

6. Select the Cluster Members branch.
7. In the Cluster Members pane, click Add > New Cluster Member.
8. Use the information below to configure the New Cluster Member page:
   Name: A-GW-01
   IP: 172.21.101.2
   Comment: Alpha Gateway One
9. Establish SIC with the gateway using vpn123 as the One Time Password:

Figure 102 — Cluster Member Properties

10. Click OK to close the Cluster Member Properties page.
11. Repeat steps 7 - 10 to configure A-GW-02 using the following information:
   Name: A-GW-02
   IP: 172.21.101.3
   Comment: Alpha Gateway Two

Figure 103 — Cluster Member Properties

12. Ensure that the A-GW-Cluster > Cluster Members branch is configured similarly to the following:

Figure 104 — Gateway Cluster Properties - Cluster Members

13. Select the ClusterXL and VRRP branch and verify that it is configured similarly to the following:

Figure 105 — Gateway Cluster Properties - ClusterXL and VRRP

14. Select the Topology branch:

Figure 106 — Gateway Cluster Properties - Topology

15. Click Edit, and the system displays the following:

Figure 107 — Edit Topology

16. Under the columns for A-GW-01 and A-GW-02, click Get Topology. The system displays the IP address information from the cluster members:

Figure 108 — Edit Topology - Cluster Members Populated

17. Select the first Name field in the A-GW-Cluster column.
18. Click Edit, and the Interface Properties window appears:

Figure 110 — Interface Properties - General
19. Use the following information to configure the General tab of the interface properties for eth0 of the Cluster:
   Name: eth0
   IP Address: 172.21.101.1
   Net Mask: 255.0.0.0

Figure 111 — Interface Properties - General

20. Select the Topology tab and configure it using the information below:
   Topology: External (leads out to the Internet)
   Anti-Spoofing: Perform Anti-Spoofing based on interface topology
   Anti-Spoofing action is set to: Prevent
   Spoof Tracking: Log

Figure 112 — Interface Properties - Topology

21. Select the Member Network tab and verify that it is configured using the information below:
   Network Address: 172.0.0.0
   Net Mask: 255.0.0.0

Figure 113 — Interface Properties - Member Network

22. Click OK, and the system displays the following message:

Figure 114 — Message

Licenses & Contracts > Add License > From file:

Figure 124 — SmartUpdate - Licenses & Contracts - Menu

45. Add the licenses to the repository that were provided by your instructor for the gateways (172.21.101.3 and 172.21.101.4). Once in the repository, the licenses are automatically attached to the relevant modules:

Figure 125 — SmartUpdate - Licenses & Contracts - Licenses Attached

46. Close SmartUpdate.
47. From SmartDashboard, install the Security Policy.

Testing High Availability

Verify that each machine is running ClusterXL and is taking either the active or standby role in the HA cluster.

1. Run the following command at the CLI of each gateway:
   cphaprob stat
2. Verify that the cphaprob stat output for A-GW-01 is similar to the following:

Figure 126 — cphaprob stat

3. Verify that the cphaprob stat output for A-GW-02 is similar to the following:

Figure 127 — cphaprob stat
4. On A-GW-01 run the following command:
   fw tab -t connections -s
   This command displays a summary of the connections table for the gateway:

Figure 128 — fw tab -t connections -s

5. On A-GW-02 run the following command:
   fw tab -t connections -s

Note: In environments with older switches that do not respond well to MAC addresses that share an IP address being announced using Gratuitous ARP, it may be necessary to configure a Virtual MAC address. To do so, use the following procedure:
* To enable VMAC mode, set the global kernel parameter fwha_vmac_global_param_enabled to 1.
* To disable VMAC mode, set the global kernel parameter fwha_vmac_global_param_enabled to 0.
* To enable the mode on-the-fly, run this command on all cluster members:
   # fw ctl set int fwha_vmac_global_param_enabled 1

6. Log into Expert mode on the machine listed as the active machine in the cphaprob stat output from the previous steps, and issue the following command to force it to a down state:
   clusterXL_admin down

Figure 129 — clusterXL_admin down

7. Log back into the machine that was previously in Standby mode and run the cphaprob state command again to verify that it has now become the active machine.
8. Return to the first gateway and issue the following command to return it to an active state:
   clusterXL_admin up

Figure 130 — clusterXL_admin up

9. Verify the configuration of the site-to-site VPN on each side of the A-GW-Cluster and B-GW pair.
10. Connect via FTP from B-GUI to A-GUI.
11. Verify in SmartView Tracker that the connection is encrypted:

Figure 131 — SmartView Tracker - Encrypted Traffic

12. To enable a regular check and update of the connection table output, run the following command in Expert Mode on each cluster member:
   watch fw tab -t connections -s
13. Log in to the active member of the cluster, and enter Expert Mode.
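The watch fw tab -t connections -s output from step 12 is what you compare across the two members during the failover test; the script below does that comparison from saved copies of the two summaries, so the state-sync check is repeatable rather than read off two terminals. It is an added example, not code from the lab manual or from Check Point: both outputs inside it are constructed, and the column layout the parser expects (HOST, NAME, ID, #VALS, #PEAK, #SLINKS) is an assumption about the R7x summary format.

```python
"""Compare the connections-table summaries from both cluster members
(fw tab -t connections -s) to check that state sync keeps the standby
close to the active member, and that sessions survive a failover.

Added example; it is not part of the Check Point lab manual. The two
outputs below are constructed, and the column layout the parser expects
(HOST, NAME, ID, #VALS, #PEAK, #SLINKS) is an assumption about the R7x
summary format.
"""
import re

# Constructed sample of fw tab -t connections -s on the active member.
ACTIVE_OUTPUT = """\
HOST                  NAME                         ID     #VALS    #PEAK   #SLINKS
localhost             connections                8158       42       97       126
"""

# Constructed sample from the standby member, captured a moment later.
STANDBY_OUTPUT = """\
HOST                  NAME                         ID     #VALS    #PEAK   #SLINKS
localhost             connections                8158       41       60       123
"""

# One summary row: host, table name, then four integer columns.
SUMMARY_ROW = re.compile(
    r"^(?P<host>\S+)\s+connections\s+(?P<id>\d+)\s+(?P<vals>\d+)"
    r"\s+(?P<peak>\d+)\s+(?P<slinks>\d+)\s*$"
)


def parse_connections_summary(text):
    """Return the 'connections' summary row as a dict (counts as ints)."""
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            row = {k: int(v) for k, v in m.groupdict().items() if k != "host"}
            row["host"] = m.group("host")
            return row
    raise ValueError("no 'connections' summary row found")


def sync_check(active_text, standby_text, tolerance=5):
    """Compare #VALS (live entries) on the two members.

    Sync is asynchronous and very short connections may never be synced,
    so a small difference is normal; a large one means the standby would
    drop sessions on failover. Returns (in_sync, active_minus_standby).
    """
    active = parse_connections_summary(active_text)
    standby = parse_connections_summary(standby_text)
    delta = active["vals"] - standby["vals"]
    return abs(delta) <= tolerance, delta


def failover_kept_sessions(standby_before, active_after, tolerance=5):
    """After clusterXL_admin down on the old active member, the old standby
    (now active) should still carry the sessions it had already synced."""
    before = parse_connections_summary(standby_before)["vals"]
    after = parse_connections_summary(active_after)["vals"]
    return after >= before - tolerance


if __name__ == "__main__":
    ok, delta = sync_check(ACTIVE_OUTPUT, STANDBY_OUTPUT)
    print(f"active - standby = {delta}, in sync: {ok}")
```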
14. At the Expert prompt, type the following command but do NOT press Enter:
   clusterXL_admin down
15. In the FTP session on the B-GUI, set the session to binary (bin), turn on hashing (hash) and then use the mget command to retrieve the installer for SmartConsole R76:
   mget Check Point*.*

Figure 132 — FTP from B-GUI

16. While the file is transferring, switch over to the active cluster member and press Enter.
17. Check the output of the watch fw tab -t connections -s command on each gateway to see the changes in the connection table count.
18. Switch to the B-GUI machine and verify that the FTP session continues.
19. When the session finishes, go back to the now-down cluster member and issue the following command from expert mode:
   clusterXL_admin up
20. Verify that the cluster member has returned to the active state:
   cphaprob stat

Installing the Secondary Management Server

Install a secondary Security Management Server.

1. Before installing the new server, verify that the R76 installation media is mounted in the A-SMS-Old virtual machine properties menu.
2. Power on the virtual machine, and verify that the CD/DVD ROM is first in the boot selection menu.
3. When the virtual machine starts up, follow the prompts to install R76 as a Security Management Server.
4. Enter and confirm vpn123 as the password.
5. At the Network Interface configuration screen, use the following information to configure the NIC:
   IP Address: 10.1.1.102
   Netmask: 255.255.255.0
   Default Gateway: 10.1.1.

Figure 133 — A-SMS-02 IP addressing

6. Complete the installation by rebooting the virtual machine at the system prompt:

Figure 134 — Installation Complete
7. After the reboot completes, connect to the newly installed server (10.1.1.102) through HTTPS.
8. Log into the Gaia Portal using the following credentials:
   Username: admin
   Password: vpn123
9. Use the following information to configure the Device Name page:
   Host Name: A-SMS-02
   Domain Name: alpha.cp
   Primary DNS Server: 10.1.1.201

Figure 135 — Device Name

10. In the process of completing the First Time Configuration Wizard, set the NTP server to be A-GUI (10.1.1.201):

Figure 136 — Date and Time Settings

11. On the Products page, clear the Security Gateway option.
12. Select only the Security Management option.
13. In the Advanced section, select Secondary from the "Define Security Management as" drop-down list:

Figure 137 — Products

14. Enter and confirm vpn123 as the Activation Key.
15. Click the Finish button, and begin the configuration process.
16. When the system completes the configuration of the secondary Security Management Server, it displays a message asking if you want to help Check Point improve software updates.
17. Click No to clear the message.
18. In the navigation pane, click IPv4 Static Routes.
19. Click the Add button, and the system displays the following:

Figure 138 — Add Destination Route
20. Use the information below to configure the new route:
   Destination: 172.21.101.2
   Subnet Mask: 255.255.255.255
   Gateway: 10.1.1.2

Figure 139 — Destination Route Configured

21. Click Save.
22. Use the information below to add and save another route:
   Destination: 172.21.101.3
   Subnet Mask: 255.255.255.255
   Gateway: 10.1.1.3
23. Verify that the host routes to 172.21.101.2 via 10.1.1.2 and to 172.21.101.3 via 10.1.1.3 appear as follows in the list of static routes:

Figure 140 — IPv4 Static Routes

24. In the Messages page, add the following text:
   A-SMS-02 Unauthorized access of this server is prohibited and punishable by law.
25. Click Apply.
26. Sign out of the Gaia Portal.

Configuring Management High Availability

1. On A-GUI, launch SmartDashboard.
2. Right-click Check Point in the Network Objects list, and select Host.
3. Use the information below to configure the Check Point Host:
   Name: A-SMS-02
   IPv4 Address: 10.1.1.102
   Comment: Alpha Secondary Security Management Server
4. In the Management tab, select Network Policy Management.

Note: By default, the system selects the Secondary Server and Logging & Status options.

5. Select the following options on the Management tab:
* SmartReporter
* SmartEvent Server
* SmartEvent Correlation Unit

Figure 141 — Check Point Host

7. Click the Communication button and establish SIC with the server, using the following activation key: vpn123
8. In the navigation pane, select Topology:

Figure 142 — Check Point Host - Topology
9. Click the New icon to manually define the object's interface:

Figure 143 — Interface Properties

10. Click in the Name field, and the system displays the following message:

Figure 144 — SmartDashboard Warning

11. Select the option Don't show this message again.
12. Click OK to clear the message.
13. Use the information below to define the object's interface:
   Name: eth0
   IP Address: 10.1.1.102
   Net Mask: 255.255.255.0

Note: Make sure you enter the name exactly as it is configured on the server.

14. Click OK to add the interface to the object:

Figure 145 — Check Point Host - Topology Configured

15. Click OK to close the object.
16. Select Launch Menu > Policy > Global Properties from SmartDashboard.
17. In the Global Properties window, select Management High Availability and ensure that Automatic Synchronization is configured.

Figure 146 — Management HA - Automatic Synchronization configured

18. Click OK.
19. Click Launch Menu > Policy > Install the Database. The system displays the following window:

Figure 147 — Install Database

20. Click OK to install the database on both Security Management Servers (A-SMS and A-SMS-02):

Figure 148 — Install Database

21. Add the newly configured A-SMS-02 object to the Management rule and install the Security Policy.
22. From SmartDashboard, click Launch Menu > Policy > Management High Availability to view the synchronization status.
23. Close any other SmartConsole applications that may be open at this time.

Note: The only application running should be SmartDashboard. If other applications are open, the change action will fail.
24. Click Change to Standby, and the system displays the following message:

Figure 150 — Message

25. Click Yes, and the system displays a message indicating that SmartDashboard has lost its connection to the server:

Figure 151 — SmartDashboard Disconnection Notice

26. Click OK to close SmartDashboard.
27. Re-launch SmartDashboard and use the information below to connect to the secondary Security Management Server:
   Username: admin
   Password: vpn123
   IP Address: 10.1.1.102

Figure 152 — SmartDashboard Login

28. Click Login, and approve the fingerprint message to continue.
29. The system displays the Secondary - Management High Availability Server screen showing A-SMS-02 set to Standby:

Figure 153 — Management HA Status (A-SMS-02)

30. Click Change To Active, and the system displays the following message:

Figure 154 — Check Point Trial Period

31. Click the option Don't show this again.
32. Click OK.
33. Once logged in, install policy. The system automatically synchronizes the databases:

Figure 155 — Installation Process

34. Click Close.
35. Save and close SmartDashboard.
36. Open SmartDashboard again, this time connecting to 10.1.1.101. The Policy - Management HA window opens, showing A-SMS as Standby and A-SMS-02 as Active.

Figure 157 — Check Point SmartDashboard

38. Click OK.
Once logged in, click Launch Menu > Policy > Management HA to verify that A-SMS is now back to Active status.
Figure 158 — Management HA Status (A-SMS)
Note: One of the systems may show a status of Advanced. If this occurs, click the Synchronize button.
40. Click Close.
41. Save and install the Security Policy.
42. If you have reached this step with a fully functional configuration, create Snapshots for every virtual machine in the topology. Name the snapshots "Lab 3 Completed."
Note: If your environment is not fully functional, contact your instructor for assistance. Do not proceed if your configuration has problems.
END OF LAB

Lab 4: Configuring SmartDashboard to Interface with Active Directory

Scenario: The Alpha site has an existing Active Directory configuration used for User Management, in addition to functioning as a Root Certificate Authority for encrypted communications and authentication. You will configure SmartDashboard to act as a management client for Active Directory.
Topics:
* Active Directory access
* SmartDashboard configuration

Creating the Active Directory Object in SmartDashboard
1. From the Alpha SmartDashboard, click Launch Menu > Policy > Global Properties, and select User Directory.
2. Check Use User Directory (LDAP) for Security Gateways.
Figure 159 — Global Properties - User Directory (LDAP)
3. Click OK.
4. In the Servers and OPSEC tab of the Objects Tree, right-click Servers.
5. From the options menu, select New > LDAP Account Unit.
Figure 160 — New LDAP Account Unit
6.
Use the following information to populate the General tab:
Name: Alpha_AD
Comment: Active Directory for Alpha
Color: Blue
Profile: Microsoft_AD
Domain: alpha.cp
Account Unit Usage: CRL Retrieval, Active Directory Query, User Management
Note: Before continuing, verify the name of the domain with your instructor.
7. Verify that the configured object appears as follows:
Figure 161 — LDAP Account Unit Properties configured
8. Select the Servers tab and click Add.
9. Retrieve the Login DN by running dsquery from a command prompt on the Active Directory server. In this instance the command is:
dsquery user -name administrator
The output should resemble the following:
"CN=Administrator,CN=Users,DC=alpha,DC=cp"
Make a note of this DN; it is used in several labs.
Note: Your DN may vary from the one used in the lab examples.
Use the following information to populate the page:
Host: A-GUI
Port: 389 (636 if configuring the Encryption screen)
Username: Administrator's username for the Active Directory server
Login DN: CN=Administrator,CN=Users,DC=alpha,DC=cp
Password: Administrator's password for the Active Directory server
Default Priority:
Check Point Gateways allowed to: Read data from this server; Write data to this server
Note: On port 389 the bind, including the Login DN's password, crosses the network in clear text. Use port 636 with the Encryption tab configured wherever the path between the gateways, the management server and the directory is not trusted. Because the Login DN here is a Domain Administrator, the management server holding that password must be protected accordingly.
Note: Negotiating LDAP access can be a challenge. Keep the following in mind: do not tab between fields, select each field before editing it. If you make a mistake when typing the Login DN, click Cancel and try again; editing the entry in place may cause problems.
12. Verify that the LDAP Server is configured as follows:
Figure 162 — LDAP Server Properties configured
Note: If your LDAP server is configured for encryption, configure the Encryption tab before continuing to the next step.
13. Click OK.
14. Select the Objects Management tab.
Verify that A-GUI is selected in the Manage objects on property.
15. Under Branches in use, click Fetch branches.
16. Verify that the Objects Management tab appears as follows:
Figure 163 — LDAP Account Unit Properties
17. On the Authentication tab, uncheck all options in the Allowed Authentication Schemes section.
18. Check only the option Check Point Password.
19. In the Users' Default Values section, select Default Authentication Scheme and choose Check Point Password.
Figure 164 — Authentication Tab
Note: If you have configured a pre-shared secret key on your LDAP server, enter it in the Encryption section of this page.
20. Click OK to close the LDAP Account Unit Properties. The system adds the Alpha_AD object to SmartDashboard.

Verify SmartDashboard Communication with the AD Server
View the Users and Groups configured on the LDAP server in SmartConsole.
1. Double-click the Alpha_AD object. SmartDashboard fetches the levels of the domain.
2. Right-click Alpha.
3. Select Update Tree from the menu.
4. SmartDashboard fetches all levels of the AD directory structure and displays the users and groups:
Figure 166 — AD Directory Structure shown in SmartDashboard
Note: When working in VMware Workstation, you may need to pull the frame up from the bottom of the screen to see the users displayed.
5. Click Save.
6. If you have reached this step with a fully functional configuration, create Snapshots for every virtual machine in the topology. Name the snapshots "Lab 4 Completed."
Note: If your environment is not fully functional, contact your instructor for assistance.
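The Login DN pasted into the LDAP server page above, and the branch and group scopes that Lab 6 later builds on the same Alpha_AD account unit, are all distinguished names resolved relative to the account unit's domain. The following Python is an added example, not part of the Check Point lab manual: it normalizes the DN that dsquery prints, checks that it lies inside the account unit's base DN before it is used as a Login DN, and resolves an LDAP group scope of the form "Only Group in branch (DN prefix)" against a constructed directory snapshot. The directory contents, the dsquery output and the case-insensitive comparison of types and values are assumptions made for the example.

```python
"""Distinguished-name helpers for the LDAP Account Unit and LDAP Group objects.

Added example (not from the Check Point lab manual).  The Login DN that
dsquery prints must sit inside the account unit's domain, and an LDAP Group
scope such as "Only Group in branch (DN prefix)" = CN=VPN,CN=Users is resolved
relative to that same base DN.  The directory snapshot and the dsquery output
below are constructed from names the manual uses.  Assumptions: attribute
types and values compare case-insensitively (as with AD's cn/dc attributes);
multi-valued RDNs joined with '+' are not handled.
"""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]   # (attribute type, attribute value), both normalized


def _rdn(attr: List[str], value: List[str]) -> RDN:
    a, v = "".join(attr).strip().lower(), "".join(value).strip().lower()
    if not a or not v:
        raise ValueError("malformed RDN: %r=%r" % (a, v))
    return (a, v)


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 DN into RDNs, leaf first, honouring backslash escapes."""
    rdns: List[RDN] = []
    attr: List[str] = []
    value: List[str] = []
    target, escaped = attr, False
    for ch in dn:
        if escaped:                         # an escaped char is literal, even ',' or '='
            target.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and target is attr:  # first unescaped '=' ends the type
            target = value
        elif ch == ",":                     # unescaped ',' ends the RDN
            rdns.append(_rdn(attr, value))
            attr, value = [], []
            target = attr
        else:
            target.append(ch)
    rdns.append(_rdn(attr, value))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies below it (the base is a suffix)."""
    e, b = parse_dn(entry_dn), parse_dn(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


def login_dn_from_dsquery(output: str, account_unit_base: str) -> str:
    """Take the quoted DN printed by `dsquery user -name <name>` and confirm it
    belongs to the account unit's domain before it is used as the Login DN."""
    dn = output.strip().strip('"')
    if not is_under(dn, account_unit_base):
        raise ValueError("%s is not inside %s" % (dn, account_unit_base))
    return dn


# Constructed directory snapshot: group DN -> its 'member' attribute values.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "CN=VPN,CN=Users,DC=alpha,DC=cp": [
        "CN=Robyn Goodfellow,OU=Sales,DC=alpha,DC=cp",
        "CN=Donovan Leitch,OU=Sales,DC=alpha,DC=cp",
        "CN=Jack Torrance,OU=Corporate Development,DC=alpha,DC=cp",
        "CN=Clarice Starling,OU=MIS,DC=alpha,DC=cp",
    ],
    "CN=Domain Admins,CN=Users,DC=alpha,DC=cp": [
        "CN=Administrator,CN=Users,DC=alpha,DC=cp",
    ],
}


def members_of_group_in_branch(directory: Dict[str, List[str]],
                               dn_prefix: str, account_unit_base: str) -> List[str]:
    """Resolve the scope 'Only Group in branch (DN prefix)': the group is
    dn_prefix relative to the account unit's base DN, and its users are the
    'member' values that themselves lie inside that base."""
    wanted = parse_dn(dn_prefix + "," + account_unit_base)
    for group_dn, members in directory.items():
        if parse_dn(group_dn) == wanted:
            return [m for m in members if is_under(m, account_unit_base)]
    raise LookupError("no group %s under %s" % (dn_prefix, account_unit_base))


if __name__ == "__main__":
    base = "DC=alpha,DC=cp"
    print(login_dn_from_dsquery('"CN=Administrator,CN=Users,DC=alpha,DC=cp"\n', base))
    for member in members_of_group_in_branch(SAMPLE_DIRECTORY, "CN=VPN,CN=Users", base):
        print("VPN_Users member:", member)
```

The escape handling matters in practice: an AD common name such as "Torrance, Jack" appears in a DN as `CN=Torrance\, Jack,OU=...`, and a naive split on commas would silently produce a DN that matches nothing.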
Do not proceed if your configuration has problems.
END OF LAB

Lab 5: Configuring Site-to-Site VPNs with Third Party Certificates

Scenario: The decision has been made to migrate the Alpha-to-Bravo VPN to a 3rd party certificate for encryption authentication. This lab guides you through creating a 3rd party certificate (using Microsoft Certificate Services) and installing the certificate on the Security Gateways before reconfiguring the site-to-site VPN.
Topics:
* Configuring a 3rd party Certificate Provider
* Reconfiguring VPN-1 to use 3rd party certificates

Configure Access to the Active Directory Server
1. Log into the AD Server and open Start > Administrative Tools > Active Directory Users and Computers:
Figure 167 — Active Directory Users and Computers
2. Verify that a user called certuser is in the database. If not, create it and set the user's password to the following: creat3cert
3. Configure the user to be a member of the following groups:
* Domain Users
* Domain Admins
* Enterprise Admins
Note: This level of privilege is for the lab only. An account whose sole purpose is to request certificates from the web enrollment page does not need Domain Admins or Enterprise Admins membership in production.
4. Open SmartDashboard and define a Node Host object for the B-GUI machine. Call it B-GUI and give it the following address: 10.2.2.202
Figure 168 — B-GUI Object
5.
Create the following rule at the top of the Rule Base, allowing access to the AD Server:
Name: Certificate Access
Source: B-GUI
Destination: A-GUI
VPN: Any Traffic
Service: http, https
Action: Accept
Track: Log
Install On: Policy Targets
Figure 169 — Certificate Access Rule
6. Install the Security Policy.
7. On the Bravo site, use the information below to create a Node Host object to represent the AD Server:
Name: AD_Server
IP Address: 10.1.1.201
Figure 170 — AD_Server Object
8. Define the following rule at the top of the Rule Base:
Name: Certificate Access
Source: B-GUI
Destination: AD_Server
VPN: Any Traffic
Service: http, https
Action: Accept
Track: Log
Install On: Policy Targets
Figure 171 — Certificate Access Rule
9. Install the Security Policy.

Creating the Certificate
The following steps illustrate the certificate creation process as performed from the Alpha site.
1. Use HTTP to log into the Certificate Server. At the beginning of the lab, log in from the Alpha side (A-GUI) using the following URL:
http://localhost/certsrv
Note: For this to work, you should be logged into the domain as the Administrator. If you are, you will not be asked to authenticate.
When configuring the Bravo side later in the lab, from the B-GUI virtual machine open an HTTP connection to the NAT address of A-GUI using the following URL:
http://10.1.1.201/certsrv
Note: When logging in from the Bravo site, log into the Microsoft Certificate Server using the following credentials:
Username: certuser
Password: Creat3cert
The password is case-sensitive; use exactly the value set on the certuser account in Configure Access to the Active Directory Server.
2. Once logged in, the server displays the Welcome page:
Figure 173 — Welcome
3. Click the option Download a CA certificate, certificate chain, or CRL.
4. In the Encoding Method section of the page, select the Base 64 option:
Figure 174 — Download a CA Certificate, Certificate Chain, or CRL
5. Click the link Download CA certificate chain.
6. Save the file to the desktop, renaming it Alpha_certnew to identify it as the certificate chain.
Note: The chain is retrieved over plain HTTP, which authenticates nothing. Before importing it as a trusted CA, compare the CA certificate's fingerprint with the one shown on the certificate server itself; whatever is imported here becomes a trust anchor for every VPN peer the gateway authenticates.

Importing the Certificate Chain and Generating Encryption Keys
1. From SmartDashboard, navigate to Servers > Trusted CAs > New CA:
Figure 176 — Servers > Trusted CAs > New CA
2. Under New CA, select Trusted.
3. Use the following information to populate the General tab of the Certificate Authority:
Name: Microsoft
Comment: Certificate Server
Color: Black
Certificate Authority Type: OPSEC PKI
Figure 177 — Certificate Authority Properties - General
4. Select the OPSEC PKI tab:
Figure 178 — Certificate Authority Properties - OPSEC PKI
5.
Click Get. The system displays the selection window:
Figure 179 — Open
6. Navigate to the Desktop and select Alpha_certnew.
7. Click Open to import the certificate chain into the Certificate Authority object. The system displays the certificate:
Figure 180 — Certificate Authority
8. Click OK.
9. In the Retrieve CRL from setting, clear the LDAP Server(s) option and verify that the option HTTP Server(s) is selected.
10. Click OK.
11. Edit the A-GW-Cluster object and select the IPSec VPN branch.
Figure 181 — A-GW-Cluster > IPSec VPN Tab
Note: When configuring the Bravo gateway, select the Bravo Gateway object.
12. In the section Repository of Certificates Available to the Gateway, click Add.
13. Use the following information to populate the Certificate Properties:
Certificate Nickname: A-GW-Cluster-Microsoft
Certificate Creation > CA to enroll from: Microsoft
Key pair generation and storage: Store keys on the Security Management Server
Figure 182 — Certificate Properties
14. Click Generate to generate the encryption keys. The system displays a confirmation message:
Figure 183 — Message
15. Click Yes. The system displays the Generate Certificate Request window:
Figure 184 — Generate Certificate Request
16. Configure the DN for the Certificate Request using the canonical name generated for the object.
Note: Use the chart below to define the DN if it is not currently known. As AD configurations vary, confirm the DN for each site with your instructor.
The following is an example of the syntax of the DN for the Alpha Gateway (A-GW-Cluster).
Confirm the DN for your configuration with your instructor:
CN=A-GW-Cluster,DC=alpha,DC=cp
17. Since DNS is not configured with an entry for the firewall, select Define Alternate Name for the certificate request.
18. Click Add and enter the IP address of the Security Gateway (172.21.101.1):
Figure 185 — Generate Certificate Request
Note: When requesting the certificate from the Bravo site, enter the address of the Bravo Security Gateway (172.22.102.1).
19. Click OK, and OK again. The system creates the certificate request:
Figure 186 — Certificate Created
20. Highlight the Microsoft entry in the certificate repository.
21. Click View to access the certificate request:
Figure 187 — Certificate Request View
22. Click Copy to Clipboard.
23. Click OK, then OK.
24. Open a browser and navigate to the Certificate Server home page:
Figure 188 — Welcome
25. Select the option Request a certificate. The system displays the following page:
Figure 189 — Request a Certificate
26. Select the link advanced certificate request. The system displays the following page:
Figure 190 — Advanced Certificate Request
Note: If you are connecting to the certificate server with a browser other than Internet Explorer, you may not see this screen.
27.
Click the following link: Submit a certificate request by using a base-64 encoded PKCS #10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.
28. Paste the certificate request in the Saved Request box.
29. Select Subordinate Certification Authority from the Certificate Template drop-down menu.
Figure 191 — Submit Certificate Request or Renewal Request
Note: The Subordinate Certification Authority template is used here for lab convenience only. It issues a CA certificate, so the gateway would hold a key able to sign certificates trusted by every peer that trusts this CA. In production, issue gateway certificates from an end-entity template such as IPsec or Web Server.
30. Click Submit. The system displays the following page:
Figure 192 — Certificate Issued
31. Select the DER encoded option.
32. Click the link Download Certificate and save the certificate to the Desktop.

Installing the Certificate
1. In SmartDashboard, edit the gateway cluster object (or, if configuring the Bravo site, the Bravo gateway object).
2. Select the IPSec VPN branch.
3. Select the Microsoft entry and click Complete. The system displays the selection window:
Figure 193 — Open
4. Select the certnew certificate file and click Open.
5. Verify that the issuer is the name of the AD Server.
Figure 194 — Certificate Authority Certificate View
Note: In our example the issuer is A-GUI. Your instructor will confirm the name of the AD Server in your configuration.
6. Click OK in the Certificate View window.
7. Click OK.
8. Select the IPSec VPN tab in SmartDashboard and double-click the MyIntranet icon.
9. Select the Encryption branch.
10. In the Encryption Method section, select IKEv1 only.
11. In the Encryption Suite section, select VPN-A.
12. In the Participating Gateways branch, select the partner site and click Edit.
13. Select the IPSec VPN branch of the partner site object.
14. Click the Matching Criteria button.
15.
In the Certificate Matching Criteria window, select Microsoft from the drop-down menu.
16. Select the check box for IP address:
Figure 195 — IPSec VPN - Matching Criteria
Note: In a production environment Check Point recommends checking the DN option here as well. Matching on the IP address alone accepts any certificate issued by this CA that carries the peer's address; requiring the DN too binds the peer to one specific certificate subject.
17. Click OK, OK, then OK.
18. Do NOT install the Security Policy.

Environment Specific Configuration
The configuration steps in this section relate to the specific layout of the lab topology. In the real world you would not configure a "3rd party" certificate server behind one of your gateways. Here we do it because the LDAP server located at the Alpha site plays the role of a 3rd party certificate server. This is not a recommended configuration, but a practical one for the purposes of this lab only.
1. Repeat the steps of the previous sections, beginning with Creating the Certificate, from the perspective of the Bravo site.
Note: Import the certificate chain, generate the encryption keys, install the certificate, and configure the VPN.
2. Save the Security Policy on both sites.
3. At each site, log into Expert Mode on the Security Gateway.
Note: For this lab, force up (clusterXL_admin up) the primary Security Gateway in the Alpha cluster and force down (clusterXL_admin down) the secondary Security Gateway. This limits the steps required to complete the lab.
4. Edit the /etc/hosts file on each gateway (A-GW-01 and B-GW) to add the FQDNs and IP addresses needed for the VPN tunnel configuration.
Note: Using vi to edit the hosts file? A few basic commands:
Table 1: Basic vi Commands
Command   Result
i         Inserts text to the left of the cursor.
Esc       Exits insert mode.
:w        Saves changes.
:q!       Quits without saving changes.
:q        Quits.
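The note under Matching Criteria is easier to see in code than in a screenshot. The following Python is an added example, not part of the Check Point lab manual: it models the three checks the Matching Criteria window can impose on a peer certificate (issued by the selected CA, peer IP address present in the subjectAltName, subject DN equal to the configured DN) and runs them against two constructed certificates, the legitimate B-GW certificate and a second certificate from the same CA that also claims B-GW's address. The certificates are dictionaries in the layout Python's `ssl.SSLSocket.getpeercert()` returns, not real X.509 objects; the issuer name A-GUI and the DN and addresses are the lab's values, and modelling "issued by the selected CA" as an issuer-CN comparison is an assumption of the example.

```python
"""Certificate matching criteria for a VPN peer (IP address vs. IP + DN).

Added example, not from the Check Point lab manual.  The certificates below
are constructed in the dictionary layout of ssl.SSLSocket.getpeercert():
'subject' and 'issuer' are tuples of RDNs, each RDN a tuple of (type, value)
pairs; 'subjectAltName' is a tuple of (kind, value).  Assumption: "issued by
the selected CA" is modelled as the issuer CN equal to the CA's name (A-GUI).
"""
import ipaddress
from typing import Dict, Optional, Tuple

Cert = Dict[str, tuple]

LEGIT_PEER: Cert = {   # constructed: what B-GW presents after enrolling in this lab
    "issuer": ((("commonName", "A-GUI"),),),
    "subject": ((("commonName", "B-GW"),), (("domainComponent", "alpha"),),
                (("domainComponent", "cp"),)),
    "subjectAltName": (("IP Address", "172.22.102.1"),),
}
ROGUE_PEER: Cert = {   # constructed: another cert from the same CA claiming B-GW's IP
    "issuer": ((("commonName", "A-GUI"),),),
    "subject": ((("commonName", "someone-else"),), (("domainComponent", "alpha"),),
                (("domainComponent", "cp"),)),
    "subjectAltName": (("IP Address", "172.22.102.1"),),
}

SHORT = {"commonName": "CN", "domainComponent": "DC", "organizationName": "O",
         "organizationalUnitName": "OU", "countryName": "C"}


def dn_string(name: tuple) -> str:
    """Render a getpeercert() name as 'cn=b-gw,dc=alpha,dc=cp' (lower-cased)."""
    rdns = ["+".join("%s=%s" % (SHORT.get(t, t), v) for t, v in rdn) for rdn in name]
    return ",".join(rdns).lower()


def normalize_dn(dn: str) -> str:
    """Lower-case a configured DN and drop spaces after the RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def san_ips(cert: Cert):
    return {ipaddress.ip_address(v) for k, v in cert.get("subjectAltName", ())
            if k == "IP Address"}


def peer_matches(cert: Cert, ca_name: str, peer_ip: Optional[str] = None,
                 peer_dn: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the configured matching criteria; every configured check must hold.

    Returns (accepted, reason).  The CA check always applies; the IP and DN
    checks apply only when a value is configured, as in the SmartDashboard
    window where each is a check box.
    """
    if dn_string(cert["issuer"]) != normalize_dn("CN=" + ca_name):
        return False, "issued by a different CA"
    if peer_ip is not None and ipaddress.ip_address(peer_ip) not in san_ips(cert):
        return False, "peer IP address not in subjectAltName"
    if peer_dn is not None and dn_string(cert["subject"]) != normalize_dn(peer_dn):
        return False, "subject DN differs"
    return True, "accepted"


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_PEER), ("rogue", ROGUE_PEER)):
        print(label, "IP only:", peer_matches(cert, "A-GUI", peer_ip="172.22.102.1"))
        print(label, "IP + DN:", peer_matches(cert, "A-GUI", peer_ip="172.22.102.1",
                                              peer_dn="CN=B-GW,DC=alpha,DC=cp"))
```

With the IP check alone, both certificates are accepted, because the CA issued both and both carry 172.22.102.1; adding the DN check rejects the second one. That is the reason for the recommendation to check DN as well as IP.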
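Step 4 has you hand-edit /etc/hosts on each gateway. The following Python is an added example, not part of the Check Point lab manual, of applying the same entries idempotently: each name ends up mapped to exactly one address (an existing line for the same name is replaced rather than left in place, where the resolver would pick whichever comes first), unrelated lines and comments are kept, and the file is replaced atomically. The entry lists are the ones the manual gives for A-GW-01 and B-GW; the starting file contents in the test are constructed.

```python
"""Idempotent /etc/hosts entries for the lab gateways.

Added example, not from the Check Point lab manual.  merge_hosts() is pure
(text in, text out) so it can be checked offline; write_hosts() applies it to
a real file.  The entries are the ones the manual lists for A-GW-01 and B-GW.
"""
import os
import tempfile
from typing import List, Optional, Tuple

Entry = Tuple[str, List[str]]   # (ip, [hostname, fqdn, ...])

ALPHA_ENTRIES: List[Entry] = [            # /etc/hosts on A-GW-01
    ("10.1.1.201", ["A-GUI", "A-GUI.alpha.cp"]),
    ("172.22.102.1", ["B-GW", "B-GW.alpha.cp"]),
]
BRAVO_ENTRIES: List[Entry] = [            # /etc/hosts on B-GW
    ("10.1.1.201", ["A-GUI", "A-GUI.alpha.cp"]),
    ("172.21.101.1", ["A-GW-Cluster", "A-GW-Cluster.alpha.cp"]),
]


def _fields(line: str) -> List[str]:
    """Address and names of a hosts line, ignoring a trailing '#' comment."""
    return line.split("#", 1)[0].split()


def merge_hosts(text: str, entries: List[Entry]) -> str:
    """Return hosts-file text with `entries` applied exactly once each.

    Any name in `entries` is removed from the lines where it already appears,
    so no earlier line can shadow the new mapping; a line left with no names
    is dropped.  Comment-only and unrelated lines are preserved verbatim.
    """
    new_names = {n.lower() for _, names in entries for n in names}
    kept: List[str] = []
    for line in text.splitlines():
        body = _fields(line)
        if body and any(n.lower() in new_names for n in body[1:]):
            remaining = [n for n in body[1:] if n.lower() not in new_names]
            if remaining:
                kept.append(body[0] + " " + " ".join(remaining))
            continue
        kept.append(line)
    for ip, names in entries:
        kept.append("%s %s" % (ip, " ".join(names)))
    return "\n".join(kept) + "\n"


def resolve(text: str, name: str) -> Optional[str]:
    """First address for `name`, the way the resolver reads the file."""
    for line in text.splitlines():
        body = _fields(line)
        if body and name.lower() in [n.lower() for n in body[1:]]:
            return body[0]
    return None


def write_hosts(path: str, entries: List[Entry]) -> str:
    """Apply `entries` to the file at `path` with an atomic replace."""
    with open(path) as f:
        new_text = merge_hosts(f.read(), entries)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return new_text


if __name__ == "__main__":
    # On a gateway this would be write_hosts("/etc/hosts", ALPHA_ENTRIES).
    sample = "127.0.0.1 localhost\n10.1.1.99 A-GUI   # stale entry\n"
    print(merge_hosts(sample, ALPHA_ENTRIES))
```

The replace-rather-than-append behaviour is the point: a stale A-GUI line left above the new one would be what the gateway resolves when it fetches the CRL, and the failure would look like a certificate problem rather than a hosts-file one.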
5. On Alpha, edit the /etc/hosts file and add the following entries:
10.1.1.201 A-GUI A-GUI.alpha.cp
172.22.102.1 B-GW B-GW.alpha.cp
Figure 196 — Edited hosts File on A-GW-01
Note: Editing the hosts file on each gateway is only required because our 3rd party Certificate Authority is not external to our encryption domains and because DNS is not running on both sides.
6. On the Bravo gateway, edit the /etc/hosts file and add the following entries:
10.1.1.201 A-GUI A-GUI.alpha.cp
172.21.101.1 A-GW-Cluster A-GW-Cluster.alpha.cp
7. From SmartDashboard on A-GUI, right-click Groups in the Network Objects tree.
8. Select Simple Group. The system displays the following:
Figure 197 — Group Properties
9. Use the information below to define the simple group object that will represent the Alpha network:
Name: a-x-net
In Group: Alpha-Internal
10. Click OK.
11. Now use the information below to make another simple group object. This one represents the Active Directory server:
Name: a-x-box
In Group: A-GUI
Figure 199 — Simple Group Configured
12. Click OK.
13. In the Network Objects tree, right-click Groups.
14. Select Group with Exclusion. The system displays the following:
Figure 200 — Group with Exclusion Properties
15. Use the information below to configure the exclusion group:
Name: a-x-dom
Comment: Domain with Exclusion
Color: Black
16. In the "Objects in" section, select a-x-net from the first drop-down list.
17. After "except", select a-x-box from the second drop-down list.
18. Verify that the new a-x-dom object appears as follows:
Figure 201 — Group with Exclusion Properties
19. Verify the object's configuration by clicking the View groups button.
20. If configured properly, the object is defined as follows, with the LDAP server object (A-GUI) excluded from Alpha-Internal:
Figure 202 — View Groups
21. Click Close, and then click OK.
22. Edit the A-GW-Cluster object and select Topology.
23. In the Topology page of the Alpha cluster object, manually define the VPN Domain to be a-x-dom:
Figure 203 — Gateway Cluster Properties - Topology - VPN Domain Defined
Note: Excluding the certificate server from the encryption domain lets the Bravo peer reach it in the clear for enrollment and CRL retrieval. If it stayed inside the domain, that traffic would require a tunnel whose establishment depends on the very CA it is trying to reach.
24. Click OK.
25. Repeat the steps to create the two simple groups and the group with exclusion for the Bravo Security Policy.
Note: Keep in mind that the object representing the Active Directory server on Bravo is not A-GUI but AD_Server. This object must be excluded from the Alpha domain.
26. Once the exclusion group is defined, edit the A-GW object and manually define the VPN Domain as a-x-dom:
Figure 204 — Externally Managed Check Point Gateway - Topology - VPN Domain Configured
27. On each side of the VPN configuration, clear the following option under MyIntranet > Advanced Settings > Shared Secret:
Use only shared secrets for all External members
Figure 205 — MyIntranet Pre-shared Secret Disabled
28.
On each gateway, enable IKE debugging by issuing the command:
vpn debug ikeon
Note: In a cluster, run this command on the active member. Run cphaprob stat to identify which gateway is active. For this lab, ensure that the gateway whose hosts file you edited is the active member of the cluster.
29. Install policy on both sites.

Testing the VPN Using 3rd Party Certificates
1. From A-SMS-02, use FTP to connect to B-GUI (10.9.1.201).
2. Ping A-SMS-02 (10.1.1.102) from B-GUI.
Note: Why not use A-GUI for the VPN test? A-SMS-02 is still in the encryption domain, whereas A-GUI has been excluded. Traffic to and from A-GUI is no longer encrypted.
3. When the file finishes transferring, connect to the gateway with PuTTY and disable IKE debugging with the command:
vpn debug ikeoff
Note: Leave IKE debugging off when you are not troubleshooting; the debug output grows quickly and records every negotiation the gateway handles.
4. Connect to the gateway with WinSCP and browse to the following directory: $FWDIR/log
Note: To locate the $FWDIR directory, at the prompt of the active gateway type cd $FWDIR and then pwd to see the full path.
5. Copy the file ike.elg to the desktop of A-GUI.
6. Open ike.elg in IKEView and view Main Mode packets 5 (sent to peer) and 6 (received from peer).
7. Locate the data for the Cert X.509 Certificate - Signature field.
8. Note the issuing name of the certificate server.
9. If you have reached this step with a fully functional configuration, create Snapshots for every virtual machine in the topology. Name the snapshots "Lab 5 Completed."
Note: If your environment is not fully functional, contact your instructor for assistance. Do not proceed if your configuration has problems.
END OF LAB

Lab 6: Remote Access with Endpoint Security VPN

Scenario: Like many companies, Alpha has a number of employees who work remotely or travel more often than they are in the office.
To meet the needs of this part of the company, you are rolling out an Endpoint Security VPN.
Topics:
* Defining LDAP Users and Groups in SmartDashboard
* Configuring User Access and Client Encryption
* Configuring Client Side Communications

Defining LDAP Users and Groups
1. From the Alpha SmartDashboard, edit Global Properties > User Directory.
2. In the User Directory page, verify that the following option is selected: Use User Directory for Security Gateways
Figure 206 — Global Properties - SmartDirectory (LDAP)
3. In the Users and Administrators tab of SmartDashboard, select Alpha_AD > cp > Alpha.
4. Right-click and select Update Tree. The system refreshes the AD tree.
5. Select Alpha_AD > cp > Alpha > Users.
6. Right-click Users and select New > New Group from the context menu:
Figure 207 — AD Structure > Users > New Group
Note: When working with some LDAP solutions, SmartDashboard may crash at this step. If this happens, create the new group on the LDAP server and refresh the tree in SmartDashboard to see the group. You can then proceed with this lab.
7. In the Group Properties window, use the following information to configure the object:
Name: VPN
Branch: cn=users,dc=alpha,dc=cp
8. While the Group Properties window is still open, double-click the Sales OU in the Users and Administrators tab AD structure.
9. Highlight the user Robyn Goodfellow.
10. From the Group Properties window, click Add Selected.
Figure 208 — Group Properties > VPN > Robyn Goodfellow added
11. Repeat the previous step for the following users in their Organizational Units:
Sales: Donovan Leitch
Corporate Development: Jack Torrance
MIS: Clarice Starling
12. Click OK to add the users to the VPN group.
13.
Click Cancel to close the Group Properties window.
Note: Cancel closes the window, which does not close after pressing OK. This behavior is normal for this specific window.
14. Confirm group creation by double-clicking Users and locating the VPN group.
15. Double-click the VPN group to verify that the correct users were added to the group:
Figure 209 — Group Properties
16. Click OK.
17. Select the Servers and OPSEC Applications > LDAP Account Unit branch and edit the Alpha_AD object created in the earlier lab.
18. Under the Authentication tab, ensure that Users' Default Values > Default Authentication Scheme is set to Check Point Password:
Figure 210 — LDAP Account Unit Properties - Authentication
19. Click OK to close the Alpha_AD object.
20. Select LDAP Groups from the Users and Administrators tree.
21. Right-click and select New LDAP Group from the context menu.
22. In the LDAP Group Properties window, use the following information to configure the object:
Name: VPN_Users
Color: Black
Comment: VPN Users as configured in Active Directory
Account Unit: Alpha_AD
Scope: Only Group in the branch (DN prefix): CN=VPN,CN=Users
Figure 211 — LDAP Group Properties - VPN_Users
23. Click OK.
24. In the Network Objects tree, expand the Networks branch.
25. Use the following information to configure the CP_default_Office_Mode_addresses_pool object:
Name: CP_default_Office_Mode_addresses_pool
Network Address: 10.5.1.0
Net Mask: 255.255.255.0
Figure 212 — Office Mode IP Pool
Note: Edit the object as needed to match the settings provided here.
26. Click OK.
27.
Create a simple group object called Remote_Access_Domain and place the Alpha-Internal and CP_default_Office_Mode_addresses_pool objects in it.
Figure 213 — Remote Access Domain Group
28. Click OK.
29. Edit the A-GW-Cluster object.
30. In the Network Security tab, select Policy Server:
Figure 214 — Policy Server Blade configured
31. Select the IPSec VPN branch.
32. In the VPN Communities section of the page, click Add.
33. Select the Remote Access object and click OK.
34. Select the Cluster Members branch.
35. Highlight A-GW-01 and click Edit.
36. Select the VPN tab.
37. Select the option Offer Manual Office Mode (using IP Pool).
38. From the drop-down list, select CP_default_Office_Mode_addresses_pool:
Figure 215 — Offer Manual Mode IP Pool
39. Repeat the previous steps for A-GW-02.
40. Do NOT click OK at this point. Continue to the next section.

Configuring LDAP User Access
1. Select the Topology branch of the cluster object.
2. Change the manually defined VPN Domain to Alpha-Internal:
Figure 216 — Cluster - Topology Tab
3. Click the button Set domain for Remote Access Community. The VPN Domain per Remote Access Community window appears:
Figure 217 — Remote Access Domain
4. Select the RemoteAccess community and click Set.
5. From the Set VPN Domain drop-down menu, select the Remote_Access_Domain object.
6. Click OK, and confirm that the VPN Domain is configured as follows:
Figure 218 — Remote Access Domain Configured
7. Click OK to return to the Gateway Cluster object's Topology page.
8. Select the IPSec VPN > Link Selection branch.
9.
In the Outgoing Route Selection section, ensure that the option When initiating a tunnel > Route based probing is selected:
Figure 219 — Route based probing selected
10. Select the VPN Clients > Remote Access branch.
11. In the Visitor Mode configuration section, verify that the Support Visitor Mode option is selected with the defaults:
Figure 220 — Support Visitor Mode
12. Select the VPN Clients > Office Mode branch, and select the option Offer Office Mode to group.
13. Verify that the VPN_Users LDAP group is selected in the Offer Office Mode to group drop-down menu.
14. Select the Manual (using IP Pool) option for the Office Mode Method:
Figure 221 — Offer Office Mode to Group
15. Click Yes to clear the information message.
16. Select the Platform Portal branch.
17. In the Main URL field, type the following:
https://172.21.101.1:4434
Figure 222 — Gateway Cluster Properties - Platform Portal
Note: Once this policy is installed, you will not be able to connect to the Gaia Portal without specifying the port. Define a new port for the portal, because Visitor Mode and SSL VPN take over the standard SSL/HTTPS port 443 on the gateway's interface. A dedicated port avoids the conflict.
18. Click OK. The system displays the following message:
Figure 223 — Message
19. Click Yes to clear the message.
20. In SmartDashboard, select the IPSec VPN tab.
21. Double-click the Remote Access community object.
22. Use the following information to update the General page:
Name: AlphaRemoteAccess
Figure 224 — AlphaRemoteAccess
23.
Select the Participating Gateways branch. Lab Manual 25 Lab 6: Remote Access with Endpoint Security VPN. 24. Confirm that the A-GW-Cluster object appears in the list of participating gateways: ae Figure 225 — Participating Gateways 25. Select the Participating User Groups branch. 26. Click Add. 216 ‘Check Point Security Engineering Configuring LDAP User Access 27. In the Add Participant User Groups field, highlight VPN_Users and click OK: Figure 226 — Add Participant User Groups > VPN_Users selected 28. Click OK. 29. Select Launch Menu > Policy > Global Properties. 30. In the Global Properties window, select the Remote Access > VPN - ‘Authentication and Encryption branch. 31. Check the box for Pre-shared Secret (for SecuRemote/Secure Client Users). Lab Manual 217 Lab 6; Remote Access with Endpoint Security VPN 32. Ensure that it is configured similarly to the following graphic: Figure 227 — Global Properties - Remote Access - VPN - Authentication and Encryption 33. Click OK to close the Global Properties. 218 Check Point Security Engineering Defining Encryption Rules Defining Encryption Rules 1. In SmartDashboard, select the More > Desktop tab. 2. Add two rules to the Inbound Rules. 3. In the first default rule, use the following information to create an inbound Encrypt rule for the VPN_Users group: Source: Any Desktop: VPN_Users@CP_default_Office_ Mode_addresses_pool Service: FIP Action: Enerypt Track: Log Note: To configure the Desktop field, right-click and select Add Users Access. 4, Inthe second rule, change the Track field to Log and keep the default settings for all other fields. 5. Verify that the Inbound Rules appear as follows: Figure 228 — Inbound Rules Lab Manual 219 Lab 6: Remote Access with Endpoint Security VPN 6. Add two new rules to the Outbound Rules. 7. 
Inthe first default rule, use the following information to create an outbound Encrypt rule for the VPN_Users group: Desktop: VPN_Users@CP_default_Office_Mode_addresses_pool Destination: Any Service: FTP Action: Enerypt Track: Log 8. In the second rule, change the Track field to Log and keep the default settings for all other fields. 9. Verify that the Outbound Rules appear as follows: Ramon Oven Bee Figure 229 — Inbound Rules 20 Check Point Security Engineering Defining Remote Access Rules Defining Remote Access Rules 1. In the Firewall tab, view the Policy. 2. Delete the Certificate Access rule. 3. Select the Management rule. 4. In the Service column of the Management rule, click the + icon: [a ee comme + ne 8 ratte = ees 3c @ soon a Bre (oon geen oo ay Oman or eee Bye miae By main om mime Figure 230 — Service Selection Assistant i 221 Lab Manual Lab 6: Remote Access with Endpoint Security VPN 5. Click the New button, to define a new service. 6. Select TCP from the drop-down list, and the system displays the following: Figure 231 — TCP Service Properties 222 Check Point Security Engineering Defining Remote Access Rules 7. Use the information below to configure the TCP Service Properties: Name: HTTPS-4434 Comment: SSL on Port 4434 Color: Firebrick Port: 4434 Keep connections Selected open after Policy has been installed: Figure 232 — TCP Service Properties Configured 8. Click the Advanced button, and the system displays the Advanced TCP Service Properties window. Srp RIT neeneeenneeee ee Lab Manual 223 Lab 6: Remote Access with Endpoint Security VPN 9. In the Protocol Type drop-down list, select the option ENC-HTTP: Figure 233 — Advanced TOP Service Properties Configured 10. Click OK, to save the advanced settings. 224 Check Point Security Engineering Defining Remote Access Rules 11. 
Click OK, to add the new service to the Management rul [bem cme my Bey tte Crd see th tte suas Bowe ee mm by ote Su 6 sam ay monomer Oo Die ne Cal ee oe oe ed Dut Boe Rees [5 eam cmmsouns A soainens iy ata One Bue wate oe ee oe On Dee Beton [Fio) ete dw Amt Contam ioe at “ans come iv ym ww ee hte Mo Figure 234 — Management Rule Configured 12. Create a new rule below the Stealth Rule based on the following matrix: Name: Remote Access Source: VPN_Users@Any Destination: Any VPN: AlphaRemoteAccess Service: Any Action: Accept Track: Log Note: To add the Source object, right-click the Source field and select Add Objects > Add Legacy Users Access. oem ne Lab Manual 225 Lab 6: Remote Access with Endpoint Security VPN 13. Verify that he created rule is similar to the following: Dr a ie Lamm awe ein ao 20 semen gees Stora > Satute anette A tment + aw cemnoainne A nesttens ony poaco> Set eat stmearene 157 mitoons Eom A Ameen yams oom Sw a Figure 235 — Remote Access Rule 8 rae 8 ame soa ery Eo es Be Bue au Eve or 1 mate, |S ronan pose ha a mane (a moto 14. In Users and Administrators, double-click Alpha_AD > ep > alpha > Users > VPN. 15. Note that Robyn Goodfellow is listed as part of the sales OU. 16. Click OK. 17. Double click the Alpha_AD > cp > alpha > adserver > Sales branch. The objects list populates. 226 Check Point Security Engineering Defining Remote Access Rules se . Select Robyn Goodfellow and double-click to open the LDAP User Properties: Figure 236 — LDAP USer Properties > Robyn Goodfellow 19. Make note of the Login Name for Robyn Goodfellow. 20. Click OK, to close the LDAP User Properties page. 21. In the IPSec VPN tab, edit the Mylntranet object. Note: Depending on your screen resolution and display, you may have to click More > IPSec VPN. 22, Select the Participating Gateways branch. 23, Select both gateways in the Participating Gateways field, and click the Remove button. 24. Install the Security Policy. 
Configuring the Client Side
1. From the Bravo SmartDashboard, select the IPSec VPN tab and edit the MyIntranet object.
2. Select the Participating Gateways branch.
3. Select both gateways in the Participating Gateways field, and click the Remove button.
4. Install the Security Policy.
5. On the B-GUI desktop, double-click on the following item to begin the installation: CheckPointEndpointSecurity.msi
6. On the InstallShield Wizard screen, click Next:
Figure 237 — Check Point Endpoint Security
7. Accept the License Agreement.
8. Click Next and accept all defaults.
9. Click Install.
10. Click Finish to complete the installation.
11. Double-click the VPN icon in the system tray, and the system displays the following question:
Figure 238 — Message
12. Click Yes to configure a new site, and the Site Wizard starts:
Figure 239 — Endpoint Security VPN selected
13. Click Next.
14. Use the following information to populate the Site information:
Server Address or Name: 172.21.101.1
Display Name: alpha
Figure 240 — Site Created
15. Click Next.
Note: You may see a certificate trust warning at this point. If you do, click Trust and Continue. This message can be safely ignored in the lab environment.
Figure 241 — Trust Warning
16. For the Authentication Method, choose Username and Password:
Figure 242 — Site Wizard - Authentication
17. Click Next, and the system displays the following message: Site created successfully
Figure 243 — Message
18. Click Finish to complete site configuration, and the system asks if you would like to connect now.
19. Click Yes, and the system displays the Security Login window.
20. Use the following information to complete the Endpoint login screen:
Username: goodr
Password: P@ssw0rd
21. Click Connect, and the client builds the tunnel.
Figure 245 — Encrypted Connection Established
22. Once the tunnel is established, verify the desktop status by double-clicking the Check Point Endpoint Security icon.
23. Review the status of the following items:
* VPN
* Firewall
* Compliance
Figure 246 — Endpoint Security - Status
24. After confirming the status, open a command prompt and initiate an FTP session to 10.1.1.201.
25. From the A-GUI, view the connection information in the SmartView Tracker.
26. View the initial client login record:
Figure 247 — Mobile Access - Log In Record
27. View the assigned Office Mode IP:
Figure 248 — Tracker detail - Office Mode IP
28. Confirm that once the connection has been opened, the client sends tunnel test packets to verify the activity of the tunnel.
29. View the details of one of the tunnel tests in SmartView Tracker:
Figure 249 — Tunnel Test Details
30. View the Decrypt logs for the FTP connection.
31. From A-GUI, while still connected from B-GUI to A-GUI (10.1.1.201) through the FTP session, attempt to access the Gaia Portal by launching a Web browser and navigating to the following address: https://172.21.101.2
Note: Your connection attempt should fail and your browser should display an error message.
32. In the browser, type the following to access the Gaia Portal on the active cluster member: https://172.21.101.1:4434
Figure 250 — Connection Succeeded
END OF LAB

Lab 7: SmartEvent and SmartReporter
Scenario: You need to set up the SmartEvent & SmartReporter Suite to generate reports for executive level meetings, as well as for record keeping for compliance auditing.
Topics:
* Configuring the SmartEvent Suite
* Generate Reports based on available data

Configure the Network Object in SmartDashboard
1. In SmartDashboard, open the following object: A-SMS
2. Use the following information to configure the object:
Name: A-SMS
IP Address: 10.1.1.101
Management Blade Selections: Monitoring, SmartReporter, SmartEvent Server, SmartEvent Correlation Unit
Note: An information message may appear. Click OK to dismiss it.
3. Verify that the object is configured as follows:
Figure 251 — A-SMS Configured
4. Click OK.
5. Edit the gateway cluster object and select the Monitoring option in the Network Security tab:
Figure 252 — Gateway Cluster Properties Configured
6. Select the Monitoring Software Blade branch, and select the following options:
* Traffic Connections
* Traffic Throughput (Bytes per second)
Figure 253 — Monitoring Software Blade Page

Configuring Security Gateways to work with SmartEvent
1. Select the Logs branch.
2. Under the section Send logs and alerts to these log servers, verify that A-SMS is listed.
Figure 254 — Log Servers branch
3. Select the Logs > Additional Logging Configuration branch.
4. Select Forward log files to Log Server.
5. From the dropdown menu, select A-SMS:
Figure 255 — Additional Logging Configuration
6. Click the Manage button and select New > Scheduled Event.
7. Use the following information to configure the Scheduled Event Properties window:
Name: SmEventLab
Time of Event - Every: 2 Minutes
Figure 256 — Scheduled Event Properties configured
8. Click OK, and verify that the Additional Logging Configuration page appears as follows:
Figure 257 — Gateway Cluster Properties - Additional Logging Configuration
9. Click OK.
10. From the Launch Menu, select Policy > Install Database and the Install Database window opens:
Figure 258 — Install Database window
11. Verify that A-SMS is selected and click OK.
12. After the database installation completes, install the Security Policy.
13. In SmartDashboard, select SmartConsole > SmartEvent. Before SmartEvent loads, it requires a server selection:
Figure 259 — Select Server
14. Select the Primary Security Management Server (10.1.1.101).
15. Click OK, and the system displays an empty SmartEvent dashboard:
Figure 260 — SmartEvent
16. Select the Policy tab.
17. In the navigation pane, select General Settings > Objects > Network Objects.
18. Verify that the Alpha networks defined as internal appear in the Network Objects list:
Figure 261 — Network Objects
19. From SmartDashboard, select Launch Menu > View > Products.
20. Select SmartReporter Policy, and the system displays the following:
Figure 262 — Consolidation Policy
21. Review the rules of the policy to see how alerts, logs, and messages are handled.
22. Close SmartDashboard and return to SmartEvent.

Monitoring Events with SmartEvent
1. From SmartEvent, click on the Policy tab.
2. Expand the Unauthorized Entry branch and select Check Point Administrator credential guessing:
Figure 263 — Policy Tab > Unauthorized Entry > Check Point Administrator
3. Change the Failure Detection setting from the default of 3 failures every 600 seconds to 2 failures every 300 seconds.
4. From the Actions menu, select Install Event Policy and the system displays the following message:
Figure 264 — SmartEvent Dialog
5. Click Yes.
After the policy is installed, select the Events tab > Predefined > All Events:
Figure 265 — Events > Predefined > All Events
6. Minimize SmartEvent and then log out of SmartDashboard.
7. Attempt to log in to SmartDashboard, using the wrong password at least twice, then launch SmartEvent.
Note: Launch the SmartDashboard login screen by clicking Start > All Programs > SmartDashboard. Do not launch SmartDashboard from the Window drop-down menu in the task bar.
8. In the Events tab, select the Last Hour's events in the filter group.
Figure 266 — Last Hour filter
9. Refresh the screen using the refresh hot key on the SmartEvent taskbar.
10. Note that in the All Events Detail report, a Critical Event is listed:
Figure 267 — Critical Event Detail
11. In the Critical Event detail panel, click Actions > Event Raw Logs. SmartView Tracker opens, showing the Failed Login triggers:
Figure 268 — SmartView Tracker - Failed Login Triggers

Generate Reports Based on Activities
1. Generate FTP traffic from B-GUI to A-GUI and HTTP traffic from B-GUI to A-DMZ.
2. In the SmartEvent Client, select the Reports tab.
3. Click All Reports > All > List of All Events, to launch SmartReporter:
Figure 269 — SmartReporter Client
4. In the List of All Events Report page, click the Manage button:
Figure 270 — Firewall Activity > Period configured
5. Review the Period, Filter, Schedule, and Email Settings.
6. Click OK.
7. Click the Generate button, and the system displays the Generate a Report window:
Figure 271 — Generate Report
Note: It may be necessary to wait approximately fifteen minutes for data to be collected before generating reports.
8. Once the report has completed, click the Open in Browser button to view the report.
Figure 272 — Generated Report
END OF LAB

Back cover (only the legible portions of the scanned text are kept)
Check Point Security Engineering: Learn to troubleshoot Check Point security systems. Labs include configuring security gateways.
Who Should Attend? System Administrators, Support Analysts, Network Engineers and anyone seeking CCSE certification. Successful completion of this course depends on knowledge of multiple disciplines related to network administration and networking (TCP/IP).
Course topics recovered from the cover:
* In-depth explanation of Check Point firewall technology
* Software acceleration features
* Reporting tools, deployment options and features
* Link Selection and Multiple Entry Point solutions
* Configure SmartDashboard to interface with Active Directory
Certify your knowledge: when preparing for Check Point Certified Security Expert, book your test at Pearson VUE, www.vue.com/checkpoint
www.checkpoint.com/services/education/
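The Failure Detection threshold changed in step 3 of Monitoring Events with SmartEvent (Lab 7) is an "N failures every T seconds" rule. The sliding-window counter below is an added illustration of that rule, not SmartEvent's own correlation code; the log line format, the administrator name cpadmin and the timestamps are constructed. It runs the same constructed records through the default 3-in-600-seconds setting and the lab's 2-in-300-seconds setting, showing why the lab's two deliberate wrong passwords produce a Critical Event only under the tightened setting.

```python
"""Sliding-window detector for repeated failed administrator logins.

Added illustration for the Lab 7 "Check Point Administrator credential
guessing" event: NOT SmartEvent's own correlation code.  The log format,
the administrator name "cpadmin" and the timestamps are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FailedLogin:
    when: datetime
    user: str
    src: str


# Constructed sample: two failures 120 s apart, a success, then one more
# failure 20 minutes later (a lone mistake, not a guessing burst).
SAMPLE_LOG = """\
2014-05-06 19:30:21 login_failed user=cpadmin src=10.1.1.201
2014-05-06 19:32:21 login_failed user=cpadmin src=10.1.1.201
2014-05-06 19:33:00 login_succeeded user=cpadmin src=10.1.1.201
2014-05-06 19:52:21 login_failed user=cpadmin src=10.1.1.201
"""


def parse_log(text):
    """Return a FailedLogin for every login_failed line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "login_failed":
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        records.append(FailedLogin(when, fields["user"], fields["src"]))
    return records


def detect(records, failures, seconds):
    """Emit (user, time) once `failures` failed logins for that user fall inside
    a window of `seconds`.  The window is reset after each event so one burst
    yields one event.  Mirrors the lab's 'N failures every T seconds' setting."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    events = []
    for rec in sorted(records, key=lambda r: r.when):
        times = recent[rec.user]
        times.append(rec.when)
        while times and rec.when - times[0] > window:  # drop aged-out failures
            times.popleft()
        if len(times) >= failures:
            events.append((rec.user, rec.when))
            times.clear()
    return events


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("default 3/600 s:", detect(recs, failures=3, seconds=600))  # []
    print("lab     2/300 s:", detect(recs, failures=2, seconds=300))  # one event
```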
