Education Services
Check Point
Troubleshooting Administrator
Lab Setup Guide
Follow the steps below to configure the virtual machines needed for the students to perform
all Security Administration labs. ATCs may use whatever virtualization software they choose,
but Check Point assumes instructors will create most Virtual Machines in either a VMware
Workstation or ESXi environment. Check Point performed all tests in ESXi 5.5.0u2.
Lab Topology
Configure each student environment with the following virtual machines:
Once the setup is complete, all Windows Host and Server machines should be able to reach
the internet, and all machines should be able to ping each other and the Router.
C H E C K P O I N T T R O U B L E S H O O T I N G A D M I N I S T R A T O R - L A B S E T U P G U I D E
A-GUI
Use the information below to configure the GUI Client virtual machine:
Use the following information to configure the interface for the virtual machine:
IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Management (LAN 1)
WinSCP
Putty
Wireshark
Notepad++ with Document Monitor Plugin installed.
IKEView
7Zip
2. Define the interfaces for each module based on the CCTE Classroom Topology.
9. Install the current GA version of the Jumbo Hotfix on all machines. This lab was
developed using R80.30.
a. Color – Pink
A-SMS
Use the information below to configure the Alpha Management Server virtual machine:
Use the following information to configure the interface for this virtual machine:
Username: admin
Password: Chkp!234
a. cpadmin
i. Permission Profile: Read/Write All (Default)
ii. Password: Chkp!234
b. ips_admin
i. Permission Profile: Threat_Admin (Custom)
1. Gateway: No Permissions
2. Access Control: No Permissions with the following exceptions:
a. Geo Control-Write
b. Access Control Objects and Settings: Write
3. Threat Prevention: Write All
4. Other: Read Only
5. Monitoring and Logging: Read Only
6. Events and Reports: Read Only
7. Management: No Permissions
8. Endpoint: No Permissions
A-SMS-02
Use the information below to configure the Alpha Management Server virtual machine:
Use the following information to configure the interface for this virtual machine:
Special instructions for the secondary Alpha Management Server virtual machine:
Username: admin
Password: Chkp!234
2. This server should be fully configured and ready for the student to use for the lab, but
should remain powered off until the lab in which it is required, in order to save resources.
A-GW-01
Use the information below to configure the first Security Gateway virtual machine:
Use the following information to configure the interfaces for this virtual machine:
Special instructions for the Alpha Security Gateway cluster member virtual machine:
1. Configure the server with four cores assigned to a single processor. Multi-threading can
influence system performance in the virtual environment and should be avoided.
A-GW-02
Use the information below to configure the second Security Gateway virtual machine:
Use the following information to configure the interfaces for this virtual machine:
Special instructions for the Alpha Security Gateway cluster member virtual machine:
1. Configure the server with four cores assigned to a single processor. Multi-threading can
influence system performance in the virtual environment and should be avoided.
A-LDAP
Use the information below to configure a protected host virtual machine:
Name: A-LDAP
OS: Windows Server
CPU: 4 Cores
Hard Drive: 40GB
RAM: 8GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
c) Add Odd-Group as a user group, and configure User1 and User3 as members of this
group.
d) Add Even-Group as a user group, and configure User 2 and User 4 as members of
this group.
4. Install Check Point Identity Collector Agent, but do not configure it.
A-Host
Use the information below to configure a protected host virtual machine:
Name: A-Host
OS: Windows Client
CPU: 2 Cores
Hard Drive: 20GB
RAM: 4GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.11.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Optional DNS Entry: 192.168.11.101
Interface: eth0
Network: Alpha Internal (LAN 11)
A-DMZ
Use the information below to configure a protected host virtual machine:
Name: A-DMZ
OS: Windows Server
CPU: 2 Cores
Hard Drive: 20GB
RAM: 4GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.12.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)
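An added example (not part of the Check Point guide): a Python check that each single-interface VM's default gateway falls inside the subnet of its own address, run over the interface values exactly as printed above. The function name and tuple layout are assumptions; B-Host is omitted because the page gives only its IP address.

```python
import ipaddress

# Interface values copied from this guide as printed:
# (VM name, IP address, subnet mask, default gateway)
LAB_HOSTS = [
    ("A-GUI",  "10.1.1.201",     "255.255.255.0", "10.1.1.1"),
    ("A-LDAP", "192.168.11.101", "255.255.255.0", "192.168.11.1"),
    ("A-Host", "192.168.11.201", "255.255.255.0", "192.168.11.1"),
    ("A-DMZ",  "192.168.12.101", "255.255.255.0", "192.168.11.1"),
]


def audit_addressing(hosts):
    """Return (vm, problem) tuples for off-subnet gateways and reused IPs."""
    findings = []
    owners = {}  # IP address -> first VM that claimed it
    for name, ip, mask, gateway in hosts:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        gw = ipaddress.ip_address(gateway)
        # A host can only reach its default gateway directly if the
        # gateway sits in the host's own subnet.
        if gw not in iface.network:
            findings.append((name, f"gateway {gw} is outside {iface.network}"))
        # Two VMs with the same address break the "all machines can ping
        # each other" acceptance check in unpredictable ways.
        if iface.ip in owners:
            findings.append(
                (name, f"IP {iface.ip} already used by {owners[iface.ip]}")
            )
        else:
            owners[iface.ip] = name
    return findings


if __name__ == "__main__":
    for vm, problem in audit_addressing(LAB_HOSTS):
        print(f"{vm}: {problem}")
```

Any VM the check reports should be compared against the classroom topology before the ping test described in the Lab Topology section is run.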
B-GW
Use the information below to configure the Bravo Security Gateway virtual machine:
Name: B-GW
OS: Gaia R80.30
CPU: 2 Cores
Hard Drive: 60GB
RAM: 10GB
Install and configure the following Check Point modules:
Security Gateway
Security Management Server
Use the following information to configure the interfaces for the Bravo Security Gateway
virtual machine:
Note: The eth0 and eth2 interfaces for B-GW are not used in this class but should be set up
in the virtual environment, so that the eth1 and eth3 interfaces connect to the correct
networks. The other interfaces (eth0 and eth2) should be set with “connect at power on”
disabled in the VM settings.
B-Host
Use the information below to configure the B-Host virtual machine:
Name: B-Host
OS: Windows Client
CPU: 2 Cores
Hard Drive: 20GB
RAM: 2GB
Use the following information to configure the interface for this virtual machine:
IP Address: 192.168.21.201
Define the following static routes on both Security Gateways in the Alpha site:
Default Gateway:
192.168.21.0/24
b. Color – Pink
i. IPSec VPN
v. Identity Awareness
vi. IPS
vii. Anti-Bot
viii. Anti-Virus
ix. ClusterXL
x. Monitoring
i. IPSec VPN
ii. Monitoring
a. A-MGMT-NET
b. A-INT-NET
c. A-DMZ-NET
a. B-INT-NET
a. A-DMZ-NET
b. A-INT-NET
c. B-INT-NET
c. Encryption:
a. General
v. Account Usage
1. User Management
b. Servers
i. Host – A-LDAP
v. Password – Chkp!234
c. Objects management:
d. Authentication: Default
b. Services Contained:
i. ALL_DCE_RPC
iv. ldap_ssl
Do Not Log
Update
Management
Endpoint Connectivity
Stealth
DNS
Remote Access
VPN
DMZ
Outgoing
LDAP
Cleanup
Do Not Log
Management
Stealth
DNS
VPN
Outgoing
LDAP
Cleanup
Configure the Static NAT objects. Then, configure Hide NATs for all internal networks:
Next, complete the settings for the Security Policies by configuring the following Global
Policy settings:
Router
The router may be either a specific virtual machine or you may use the virtualization software’s
router function. In our testing, Check Point used a router VM to translate traffic going out of
the sandbox and separate the sandbox from the external environment. This router also serves
as the NTP server for the sandbox environment.
All external interfaces of gateways in the topology should point to 203.0.113.254 (router) as
their default gateway.