Checkpoint Lab Guide PDF
VERSION: R75
LAB GUIDE
Installation Type - SPLAT
Checkpoint can be installed in several ways: on SecurePlatform, on a Windows operating system, or on Nokia hardware. Here we walk through the SPLAT (SecurePlatform) installation step by step. On the machine where SP
Select the language in which Checkpoint is to be installed; here we select US (i.e. English).
Two interfaces, eth0 and eth1, are listed for the device on which Checkpoint is being installed.
One interface is selected for configuration; below we select eth0.
Configure the IP address for the selected eth0 interface; the default gateway information can be left empty since we
Select OK and hit Enter.
Checkpoint will start formatting the machine's hard drive; select OK and hit Enter.
Once Checkpoint has finished copying files to the hard drive, select OK and hit Enter.
First time login will use default Username and Password as below:
Username: admin
Password: admin
Once the default credentials are entered, a new username and password need to be created as shown above.
By now all the necessary Checkpoint files have been copied to the SecurePlatform. To complete the initial network and other configuration, open a browser and connect using the URL shown in the snapshot as an example.
Open a browser and launch the Web User GUI login page.
After accepting the license agreement, the login page comes up. Use the credentials created at the first CLI login.
Click Next.
Click on eth1, which we want to use as the external interface, and assign it an IP address.
Once the IP address is assigned to eth1, click Next to continue the configuration.
Enter the DNS server information and the hostname of the firewall, and select the management interface.
Here we set the time manually; an NTP server can also be used for this purpose.
Specify the clients that may access the firewall GUI (SmartDashboard).
Define an administrator username and password to access the firewall GUI.
Click Next to continue the configuration.
This completes the initial setup of the Checkpoint firewall; Checkpoint will now start the configuration process.
Click Yes.
Once you click OK, you will be redirected to the Web User Interface.
Click on Product Configuration to download the SmartConsole for accessing the Security Management GUI.
Select the Network Objects tab from the left panel (the first tab), expand Checkpoint, right click on the cpmodule and click on Edit.
A new window opens up.
In the menu at the top, click on Policy and select Global Properties.
Select the options below to allow ICMP requests, which are blocked by default.
Stealth Rule and Cleanup Rule
Click on the Rules option to add a rule in SmartDashboard.
The first rule should always be the Stealth rule and the last rule the Cleanup rule. The Stealth rule protects the gateway itself by dropping traffic addressed to it, and the Cleanup rule drops and logs anything that no earlier rule matched. For the Stealth rule, Source will be ANY.
Expand the Destination column and select the firewall object for the Stealth rule.
Right click on the Track column and select Log.
Create the Cleanup rule in the same way, as shown above. It should look like this:
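As an added example that is not part of the original guide, the following Python check expresses the ordering rules above (Stealth first, Cleanup last, both logged) and reports rules that would undermine them. The Rule representation and the sample rulebases are constructed stand-ins, not Check Point's rulebase format or API; the object name cpmodule is the one used in the guide.

```python
# Added example (not from the guide): check that a rulebase follows the layout the
# guide prescribes: Stealth rule first, Cleanup rule last, both logged. The Rule
# tuple is a constructed stand-in, not Check Point's own rulebase format or API.
from collections import namedtuple

ANY = "Any"
FIREWALL = "cpmodule"  # gateway object name as it appears in the guide
# source/destination/service: frozensets of object names; action: Accept/Drop/Reject; track: Log/None
Rule = namedtuple("Rule", "name source destination service action track")

def rule(name, src, dst, svc, action, track="Log"):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(svc), action, track)

def is_stealth(r, firewall):
    """Stealth rule: Any -> the gateway itself, any service, Drop, logged."""
    return (r.source == {ANY} and r.destination == {firewall}
            and r.service == {ANY} and r.action == "Drop" and r.track == "Log")

def is_cleanup(r):
    """Cleanup rule: Any -> Any, any service, Drop, logged."""
    return (r.source == {ANY} and r.destination == {ANY}
            and r.service == {ANY} and r.action == "Drop" and r.track == "Log")

def check_rulebase(rules, firewall=FIREWALL):
    """Return a list of findings; an empty list means the layout is as prescribed."""
    findings = []
    stealth = next((i for i, r in enumerate(rules) if is_stealth(r, firewall)), None)
    cleanup = next((i for i, r in enumerate(rules) if is_cleanup(r)), None)
    if stealth is None:
        findings.append("no Stealth rule (Any -> firewall, Drop, Log)")
    else:
        for r in rules[:stealth]:
            # An Accept rule above the Stealth rule that can reach the gateway
            # itself makes the Stealth rule ineffective for that traffic.
            if r.action == "Accept" and r.destination & {firewall, ANY}:
                findings.append(f"'{r.name}' above Stealth rule accepts traffic to the firewall")
    if cleanup is None:
        findings.append("no Cleanup rule (Any -> Any, Drop, Log)")
    else:
        # Cleanup drops everything, so any rule placed after it never matches.
        findings.extend(f"'{r.name}' after Cleanup rule is unreachable" for r in rules[cleanup + 1:])
    findings.extend(f"'{r.name}' is not logged" for r in rules if r.track != "Log")
    return findings
# Constructed sample rulebases: GOOD mirrors the guide's layout, BAD breaks it.
GOOD = [rule("Stealth", [ANY], [FIREWALL], [ANY], "Drop"),
        rule("LAN out", ["Lan_Network"], [ANY], ["http", "https"], "Accept"),
        rule("Cleanup", [ANY], [ANY], [ANY], "Drop")]
BAD = ([rule("Web to FW", [ANY], [FIREWALL], ["http"], "Accept", "None")] + GOOD
       + [rule("Late FTP", ["Lan_Network"], [ANY], ["ftp"], "Accept")])
```

Calling check_rulebase(GOOD) returns an empty list, while check_rulebase(BAD) reports the management rule placed above the Stealth rule, the unreachable rule after Cleanup, and the unlogged rule.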
HIDE NAT
In the left panel, on the Network Objects tab (the first tab), right click on Networks and select Network.
A new window pops up. Under the General tab, specify the Name, Network Address and Net Mask, then switch to the NAT tab.
Select Add automatic address translation rules and the Hide behind Gateway option.
To push the configuration from the Management Console to the firewall module, select Policy from the top menu and click on Install.
This displays the available firewall modules (if multiple firewall modules are present; here there is only one). Select the firewall module and click on OK. It starts installing the policies and configuration on the selected firewall module.
If all the configurations and policies are installed properly, it shows "Installation completed successfully".
STATIC NAT
To configure Static NAT we require two nodes: one for the available public IP and another for the internal private IP of the server (it can be any server, such as web, FTP, SMTP, etc.).
In the left panel, on the Network Objects tab (the first tab), right click on Nodes and select Host.
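To make the difference between the two NAT types concrete, here is an added Python model that is not from the guide and is not Check Point's NAT implementation: Hide NAT translates every LAN host to the gateway's external (eth1) address and tells sessions apart by port, while Static NAT is a fixed one-to-one mapping between the public node and the private server node. All addresses are constructed placeholders.

```python
# Added example (not from the guide): simplified model of Hide NAT and Static NAT.
# Addresses are constructed placeholders from the RFC 5737 documentation ranges.
import ipaddress

GATEWAY_EXTERNAL_IP = "203.0.113.1"              # eth1 address of the gateway
LAN = ipaddress.ip_network("192.168.1.0/24")     # network object hidden behind it
# Static NAT: one public node mapped one-to-one to one private server node.
STATIC_MAP = {"203.0.113.10": "192.168.1.10"}
REVERSE_STATIC = {private: public for public, private in STATIC_MAP.items()}

def translate_outbound(src_ip, src_port, hide_table):
    """NAT for a packet leaving through eth1; returns (new_src_ip, new_src_port).
    hide_table maps (orig_ip, orig_port) -> hide port so replies can be matched."""
    if src_ip in REVERSE_STATIC:                 # static NAT: 1:1, port unchanged
        return REVERSE_STATIC[src_ip], src_port
    if ipaddress.ip_address(src_ip) in LAN:      # hide NAT: many:1 behind the gateway
        key = (src_ip, src_port)
        if key not in hide_table:
            hide_table[key] = 10000 + len(hide_table)   # allocate a unique hide port
        return GATEWAY_EXTERNAL_IP, hide_table[key]
    return src_ip, src_port                      # no NAT rule matches

def translate_inbound(dst_ip, dst_port, hide_table):
    """Reverse translation for a packet arriving on eth1, or None when there is no
    mapping: unsolicited traffic to a hidden LAN host cannot be delivered."""
    if dst_ip in STATIC_MAP:                     # static NAT works in both directions
        return STATIC_MAP[dst_ip], dst_port
    if dst_ip == GATEWAY_EXTERNAL_IP:            # hide NAT: only replies to known sessions
        for (ip, port), hide_port in hide_table.items():
            if hide_port == dst_port:
                return ip, port
    return None
```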
The user is added to the group, and the group Lan_Users_Group is displayed in the left panel.
Creating the rule: a new rule should be created between the Stealth and Cleanup rules, as shown below.
Right click on the Source column and select the Add User/Access Rule option.
Select the service according to the authentication scheme; in the Action column, right click, go to Legacy and select User Auth.
Once the rule is created, double click on User Auth under Action and select All Servers. Install the policy to enable authentication.
External authentication:
We look at the example of enabling authentication using a TACACS+ server as an external source. To create the TACACS+ server on Checkpoint, first we create a node.
In the Network Objects tab create a node, defining the IP address of the TACACS+ server.
Once done, the TACACS+ server is listed under Nodes.
Go to the Servers and OPSEC Applications tab, right click on Servers, select New and click on TACACS.
Specify a name for the TACACS+ server; for the Host option select the node created above, set the type to TACACS+ and enter the secret key.
Now, on the Users tab in the left panel, right click on External User Profiles, go to New External User Profile and select Match all users.
A new window opens up.
Creating the rule: create the rule as explained in the user authentication process. Select the service according to the authentication scheme; in the Action column, right click, go to Legacy and select Session Auth.
The rule should look as below:
Now we go to Client Auth. Here client software needs to be installed on the user's machine for authentication to happen. The configuration required is the same as explained above, except that the Action column contains Client Auth. To see the sub-configuration under Client Auth, double click on it and configure accordingly.
To filter Java and ActiveX applets, create a Resource from the Resources tab: right click on Resources, go to New and select URI.
Click on Configure under Database Updates and enter the User Center credentials (for registered versions of Checkpoint); otherwise select the Use the trial license option to use this feature for a 15 day trial period.
Navigate to the URL Filtering > Advanced > Blocked URLs/IPs option and enter the URL to be blocked.
Go to Blocking Notifications; here we can either display a message to the user or redirect the user to a different URL when the blocked URL is requested.
Enable the Anti-Virus & Anti-Malware filtering option under the Network Security tab.
From the tab menu go to the Anti-Virus and URL Filtering tab.
Click on Configure under Database Updates and enter the User Center credentials (for registered versions of Checkpoint); otherwise select the Use the trial license option to use this feature for a 15 day trial period.
Write a policy rule that includes the service FW1_cvp.
Remote Access VPN
To configure the Remote Access VPN, go to the Network Objects tab, right click the CP module and click on Edit.
A new window opens up. Enter the remote Checkpoint gateway name and its IP address and verify the OS option; in this case we are using SecurePlatform (SPLAT for short).
Go to the Topology option, select Manually defined and select the remote network object.
You will see a new gateway created under the Network Objects.
To create a VPN between Checkpoint and a non-Checkpoint firewall, right click on the Network Objects and uncheck Do not show empty folders.
A window opens up; specify the name and IP address of the remote firewall.
Go to the Topology option, select Manually defined and select the remote network object.
Now the non-Checkpoint firewall is listed under Interoperable Devices.
Select the VPN Communities tab, right click on Site To Site, go to New Site To Site and click on Meshed.
On the Encryption tab, select the appropriate Encryption Method and Encryption Suite.
Under the Shared Secret tab, select each firewall, click on Edit and specify the shared secret key.
Under Advanced VPN options, select the appropriate DH groups and check Disable NAT inside the VPN community.
Create a rule above the Stealth rule and specify the source and destination; under the VPN column, right click and select Edit cell.
Select "Only connections encrypted in specific VPN communities".