
CHECK POINT SOFTWARE TECHNOLOGIES

Education Services

Check Point Troubleshooting Administrator
Lab Setup Guide
www.CheckPoint.com
courseware@checkpoint.com
6330 Commerce Dr., Suite 120, Irving, TX 75063

April 13, 2020



Configuring the Lab Environment


The Check Point Troubleshooting Administrator course topology is a “sandbox” environment.
All student machines have the same set of IP addresses. The virtual machines connect to the
Internet with NAT through the host machine. Internet connectivity is required for each host
machine used by students attending the course.

Follow the steps below to configure the virtual machines needed for the students to perform
all Security Administration labs. ATCs may use whatever virtualization software they choose,
but Check Point assumes instructors will create most Virtual Machines in either a VMware
Workstation or ESXi environment. Check Point performed all tests in ESXi 5.5.0u2.

Configuring Virtual Machine Settings


Configure all virtual machines with the following options:

• Snapshots – Just Power off
• VMware Tools – Installed
• Remove the Floppy from the Hardware Settings
• Time Synchronization – Synchronization between Guest and Host should be
  active if an NTP server is not available.

Overall LDAP Information


Configure the virtual machines on the Alpha Internal network to be in the alpha.cp domain. All users should
log into the domain and not the local virtual machine.

Lab Topology
Configure each student environment with the following virtual machines:

Once the setup is complete, all Windows Host and Server machines should be able to reach
the Internet, and all machines should be able to ping each other and the Router.


Configuring the Virtual Machines


Configure each of the virtual machines listed below on all student machines. The specifications
shown here in terms of CPU Cores, Hard Drive Space, and RAM are minimum requirements.
For better performance, increase these specifications. All user, OS, and application passwords
should be: Chkp!234

A-GUI
Use the information below to configure the GUI Client virtual machine:

Name: A-GUI
OS: Windows Client
CPU: 2 Cores
Hard Drive: 40GB
RAM: 2GB

Check Point Modules Installed:
• R80.30 SmartConsole (Latest GA Build)

Use the following information to configure the interface for the virtual machine:

IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Management (LAN 1)

Special instructions for the Alpha GUI Client virtual machine:

1. Install the following applications:

   • WinSCP
   • PuTTY
   • Wireshark
   • Notepad++ with the Document Monitor plugin installed
   • IKEView
   • 7-Zip

2. Install and configure an updated web browser.



Gaia Configuration for all Check Point Modules


1. Configure Drive Partitions as follows

a. Management Servers: 20GB root, 20GB /var/log

b. Security Gateway: 15GB root, 12GB /var/log

2. Define the interfaces for each module based on the CCTE Classroom Topology.

3. Define a Banner Message for each module similar to the following:


*************************
******** A GW 01 ********
*************************
Unauthorized access is prohibited and punishable by law.

4. Configure the username and password as follows:


Username: admin
Password: Chkp!234

5. Set the shell for the admin user to /bin/bash.

6. Set the inactivity timeout to 480 minutes (8 hours).

7. Set the web session timeout to 480 minutes (8 hours).

8. Set each server to connect to the local NTP server, if available.

9. Install the current GA version of the Jumbo Hotfix on all machines. This lab was
developed using R80.30.

10. For the configuration in SmartConsole:

a. Color – Pink


A-SMS
Use the information below to configure the Alpha Management Server virtual machine:

Name: A-SMS
OS: R80.30 Gaia
CPU: 4 Cores
Hard Drive: 80GB
RAM: 10GB

Check Point Modules Installed:
• Security Management Server

Use the following information to configure the interface for this virtual machine:

IP Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)
NTP Server (if using an NTP capable default router): 203.0.113.254
Time Zone: Local

Special instructions for the Alpha Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: Chkp!234

2. Configure additional administrator accounts in SmartConsole using the following
information:

   a. cpadmin
      i. Permission Profile: Read/Write All (Default)
      ii. Password: Chkp!234
   b. ips_admin
      i. Permission Profile: Threat_Admin (Custom)
         1. Gateway: No Permissions
         2. Access Control: No Permissions with the following exceptions:
            a. Geo Control: Write
            b. Access Control Objects and Settings: Write
         3. Threat Prevention: Write All
         4. Other: Read Only
         5. Monitoring and Logging: Read Only
         6. Events and Reports: Read Only
         7. Management: No Permissions
         8. Endpoint: No Permissions


A-SMS-02
Use the information below to configure the Alpha Management Server virtual machine:

Name: A-SMS-02
OS: R80.30 Gaia
CPU: 4 Cores
Hard Drive: 80GB
RAM: 10GB

Check Point Modules Installed:
• Secondary Security Management Server

Use the following information to configure the interface for this virtual machine:

IP Address: 10.1.1.102
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)
NTP Server (if using an NTP capable default router): 203.0.113.254
Time Zone: Local

Special instructions for the secondary Alpha Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: Chkp!234

2. This server should be fully configured and ready for the student to use for the lab, but
should remain powered off until the lab in which it is required, in order to save resources.


A-GW-01
Use the information below to configure the first Security Gateway virtual machine:

Name: A-GW-01
OS: Gaia R80.30
CPU: 2 Cores
Hard Drive: 60GB
RAM: 4GB

The following Check Point modules should be installed and configured:
• Security Gateway

Use the following information to configure the interfaces for this virtual machine:

Interface: eth0
IP Address: 10.1.1.2
Subnet Mask: 255.255.255.0
Network: Alpha Management (LAN 1)

Interface: eth1
IP Address: 192.168.11.2
Subnet Mask: 255.255.255.0
Network: Alpha Internal (LAN 11)

Interface: eth2
IP Address: 192.168.10.2
Subnet Mask: 255.255.255.0
Network: Alpha Synchronization (LAN 10)

Interface: eth3
IP Address: 203.0.113.2
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Network: External (vmnet8 - NAT)

Interface: eth4
IP Address: Disabled
Subnet Mask: Disabled
Network: Alpha DMZ (LAN 12)

NTP Server (if using an NTP capable default router): 203.0.113.254
Time Zone: Local

Special instructions for the Alpha Security Gateway cluster member virtual machine:

1. Configure the server with four cores assigned to a single processor. Multi-threading can
influence system performance in the virtual environment and should be avoided.


A-GW-02
Use the information below to configure the second Security Gateway virtual machine:

Name: A-GW-02
OS: Gaia R80.30
CPU: 2 Cores
Hard Drive: 60GB
RAM: 4GB

The following Check Point modules should be installed and configured:
• Security Gateway

Use the following information to configure the interfaces for this virtual machine:

Interface: eth0
IP Address: 10.1.1.3
Subnet Mask: 255.255.255.0
Network: Alpha Management (LAN 1)

Interface: eth1
IP Address: 192.168.11.3
Subnet Mask: 255.255.255.0
Network: Alpha Internal (LAN 11)

Interface: eth2
IP Address: 192.168.10.3
Subnet Mask: 255.255.255.0
Network: Alpha Synchronization (LAN 10)

Interface: eth3
IP Address: 203.0.113.3
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Network: External (vmnet8 - NAT)

Interface: eth4
IP Address: 192.168.12.3
Subnet Mask: 255.255.255.0
Network: Alpha DMZ (LAN 12)

NTP Server (if using an NTP capable default router): 203.0.113.254
Time Zone: Local

Special instructions for the Alpha Security Gateway cluster member virtual machine:

1. Configure the server with four cores assigned to a single processor. Multi-threading can
influence system performance in the virtual environment and should be avoided.


A-LDAP
Use the information below to configure a protected host virtual machine:

Name: A-LDAP
OS: Windows Server
CPU: 4 Cores
Hard Drive: 40GB
RAM: 8GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.11.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)

Special instructions for the Alpha LDAP Server virtual machine:

1. Configure as a Domain Controller for alpha.cp domain.

a) Add User 1, User 2, User 3, and User 4 to the users group.

b) Configure all users as administrators, but not domain administrators.

c) Add Odd-Group as a user group, and configure User 1 and User 3 as members of this
group.

d) Add Even-Group as a user group, and configure User 2 and User 4 as members of
this group.

2. Configure as a DNS server for alpha.cp domain.

3. Install and configure an updated web browser.

4. Install Check Point Identity Collector Agent, but do not configure it.


A-Host
Use the information below to configure a protected host virtual machine:

Name: A-Host
OS: Windows Client
CPU: 2 Cores
Hard Drive: 20GB
RAM: 4GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.11.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Optional DNS Entry: 192.168.11.101
Interface: eth0
Network: Alpha Internal (LAN 11)

Special instructions for the Alpha host virtual machine:

1. Install and configure an updated web browser.


A-DMZ
Use the information below to configure a protected host virtual machine:

Name: A-DMZ
OS: Windows Server
CPU: 2 Cores
Hard Drive: 20GB
RAM: 4GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.12.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)

Special instructions for the Alpha DMZ Server virtual machine:

1. Configure the server as a web server.

2. Replace default web page with provided web page.

3. Install and configure an updated web browser.


B-GW
Use the information below to configure the Bravo Security Gateway virtual machine:

Name: B-GW
OS: Gaia R80.30
CPU: 2 Cores
Hard Drive: 60GB
RAM: 10GB

Install and configure the following Check Point modules:
• Security Gateway
• Security Management Server

Use the following information to configure the interfaces for the Bravo Security Gateway
virtual machine:

Interface: eth0
IP Address: Disabled
Subnet Mask: Disabled
Network: Bravo Management (LAN 2)

Interface: eth1
IP Address: 192.168.21.1
Subnet Mask: 255.255.255.0
Network: Bravo Internal (LAN 21)

Interface: eth2
IP Address: Disabled
Subnet Mask: Disabled
Network: Bravo Sync (LAN 20)

Interface: eth3
IP Address: 203.0.113.100
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Network: External (vmnet8 - NAT)

Note: The eth0 and eth2 interfaces for B-GW are not used in this class but should be set up
in the virtual environment, so that the eth1 and eth3 interfaces connect to the correct
networks. The other interfaces (eth0 and eth2) should be set with “connect at power on”
disabled in the VM settings.


B-Host
Use the information below to configure the B-Host virtual machine:

Name: B-Host
OS: Windows Client
CPU: 2 Cores
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.21.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.1
Interface: eth0
Network: Bravo Internal (LAN 21)

Special instructions for the B-Host virtual machine:

1. Install and configure an updated web browser.


Define the following static routes on both Security Gateways in the Alpha site:

• Default Gateway:
  o Gateway Address: 203.0.113.254
  o Comment: Default Gateway

• 192.168.21.0/24
  o Gateway Address: 203.0.113.100
  o Comment: “Bravo Internal”


Define the following static routes on the Bravo Security Gateway:

• Default Gateway: 203.0.113.254
• 10.1.1.0/24 203.0.113.1 “Alpha Management”


Configure Security Policy Objects


Configure, or verify, the following objects in the security policy prior to beginning the labs:

• A-GW-Cluster (Security Gateway Cluster – 203.0.113.1)
  a. Comment – Alpha Site Security Gateway Cluster
  b. Color – Pink
  c. Enable the following products:
     i. IPSec VPN
     ii. Mobile Access
     iii. Application Control
     iv. URL Filtering
     v. Identity Awareness
     vi. IPS
     vii. Anti-Bot
     viii. Anti-Virus
     ix. ClusterXL
     x. Monitoring
  d. Configure HTTPS Inspection and Deploy certificate to hosts and servers.
  e. Set Platform Portal to port 4434
  f. Configure Identity Awareness
     i. Browser Based Authentication
     ii. AD Query – A-LDAP

• A-GW-01 (Security Gateway – 10.1.1.2)

• A-GW-02 (Security Gateway – 10.1.1.3)

• B-GW (Security Gateway – 203.0.113.100)
  a. Comment – Bravo Site Security Gateway
  b. Enable the following products:
     i. IPSec VPN
     ii. Monitoring

• A-GUI (Host – 10.1.1.201)

• A-LDAP (Host – 192.168.11.101)
  a. Server Configuration: DNS Server enabled

• A-Host (Host – 192.168.11.201)

• B-Host (Host – 192.168.21.201)

• A-MGMT-NET (Network – 10.1.1.0/24)

• A-INT-NET (Network – 192.168.11.0/24)

• A-DMZ-NET (Network – 192.168.12.0/24)

• B-INT-NET (Network – 192.168.21.0)

• Alpha-Nets (Network Group)
  a. A-MGMT-NET
  b. A-INT-NET
  c. A-DMZ-NET
  d. Set A-GW-Cluster VPN domain to Alpha-Nets group

• Bravo-Nets (Network Group)
  a. B-INT-NET
  b. Set B-GW VPN domain to Bravo-Nets group

• Remote_Domain (Network Group)
  a. A-DMZ-NET
  b. A-INT-NET
  c. B-INT-NET

• Alpha Corporation Site-to-Site (VPN Community – Star Topology – Default except as below)
  a. Center Gateway: A-GW-Cluster
  b. Satellite Gateway: B-GW
  c. Encryption:
     i. Phase 1 Algorithm: AES-256
     ii. Hash: SHA256
     iii. DH: Group 19
     iv. Phase 2 Algorithm: AES-256
     v. Phase 2 Hash: SHA384
  d. Tunnel Management – Per Gateway Pair

• Alpha-AD (LDAP Account Unit)
  a. General
     i. Comment – Alpha Corporation Active Directory
     ii. Color – Blue
     iii. Profile – Microsoft AD
     iv. Domain – alpha.cp
     v. Account Usage
        1. User Management
        2. Active Directory Query

  b. Servers
     i. Host – A-LDAP
     ii. Port – 389
     iii. Username – Administrator
     iv. Login DN - CN=Administrator, CN=Users, DC=alpha, DC=cp
     v. Password – Chkp!234
     vi. Read and Write Enabled
  c. Objects management:
     i. Branches in Use: DC=alpha, DC=cp
     ii. Return 5000 entries
     iii. Network is Secured
        1. Management Proxy box cleared
  d. Authentication: Default

• LDAP-Services (Service Group)
  a. Comment – LDAP Service Group
  b. Services Contained:
     i. ALL_DCE_RPC
     ii. Kerberos_v5, both UDP and TCP
     iii. ldap, both UDP and TCP
     iv. ldap_ssl
     v. Microsoft-DS, both UDP and TCP
     vi. NTP Group


Configure the following rules in the Alpha-Standard Policy:

• Do Not Log
• Update
• Management
• Endpoint Connectivity
• Stealth
• DNS
• Remote Access
• VPN
• DMZ
• Outgoing
• LDAP
• Cleanup


Configure the following rules in the Bravo-Standard Policy:

• Do Not Log
• Management
• Stealth
• DNS
• VPN
• Outgoing
• LDAP
• Cleanup


Configure the Static NAT objects. Then, configure Hide NATs for all internal networks:

Object Name   NAT Type   IPv4 Address     Install on Gateway   Control Connections
A-SMS         Static     203.0.113.151    A-GW-Cluster         Enabled
A-SMS-02      Static     203.0.113.152    A-GW-Cluster         Enabled
A-LDAP        Static     203.0.113.153    A-GW-Cluster         N/A
A-DMZ         Static     203.0.113.154    A-GW-Cluster         N/A
A-GUI         Static     203.0.113.155    A-GW-Cluster         N/A
B-Host        Static     203.0.113.156    B-GW                 N/A
A-MGMT-NET    Hide       203.0.113.181    A-GW-Cluster         N/A
A-INT-NET     Hide       203.0.113.182    A-GW-Cluster         N/A
A-DMZ-NET     Hide       203.0.113.183    A-GW-Cluster         N/A
B-INT-NET     Hide       203.0.113.185    B-GW                 N/A


In Alpha-Standard Policy, configure a manual no-NAT Rule for internal Alpha-Nets.


Next, complete the settings for the Security Policies by configuring the following Global
Policy settings:

• Accept ICMP Requests – Before Last
• Log Implied Rules – Enabled


Router
The router may be either a specific virtual machine or you may use the virtualization software’s
router function. In our testing, Check Point used a router VM to translate traffic going out of
the sandbox and separate the sandbox from the external environment. This router also serves
as the NTP server for the sandbox environment.

All external interfaces of gateways in the topology should point to 203.0.113.254 (router) as
their default gateway.
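A pre-flight check of the addressing plan, as an added example that is not part of the original guide: it takes the interface addresses, default gateways and static routes as printed in this guide and reports any default gateway or static-route next hop that is not on a directly connected subnet, plus any duplicated address. With the values as printed, the only entry it reports is A-DMZ, whose listed default gateway 192.168.11.1 lies outside 192.168.12.0/24.

```python
import ipaddress

MASK = "255.255.255.0"  # every enabled interface in the guide uses this mask

# (vm, interface, ip, default gateway or None), copied as printed in the guide
PLAN = [
    ("A-GUI", "eth0", "10.1.1.201", "10.1.1.1"),
    ("A-SMS", "eth0", "10.1.1.101", "10.1.1.1"),
    ("A-SMS-02", "eth0", "10.1.1.102", "10.1.1.1"),
    ("A-GW-01", "eth0", "10.1.1.2", None),
    ("A-GW-01", "eth1", "192.168.11.2", None),
    ("A-GW-01", "eth2", "192.168.10.2", None),
    ("A-GW-01", "eth3", "203.0.113.2", "203.0.113.254"),
    ("A-GW-02", "eth0", "10.1.1.3", None),
    ("A-GW-02", "eth1", "192.168.11.3", None),
    ("A-GW-02", "eth2", "192.168.10.3", None),
    ("A-GW-02", "eth3", "203.0.113.3", "203.0.113.254"),
    ("A-GW-02", "eth4", "192.168.12.3", None),
    ("A-LDAP", "eth0", "192.168.11.101", "192.168.11.1"),
    ("A-Host", "eth0", "192.168.11.201", "192.168.11.1"),
    ("A-DMZ", "eth0", "192.168.12.101", "192.168.11.1"),
    ("B-GW", "eth1", "192.168.21.1", None),
    ("B-GW", "eth3", "203.0.113.100", "203.0.113.254"),
    ("B-Host", "eth0", "192.168.21.201", "192.168.21.1"),
]

# (gateway, destination, next hop): the non-default static routes in the guide
ROUTES = [
    ("A-GW-01", "192.168.21.0/24", "203.0.113.100"),
    ("A-GW-02", "192.168.21.0/24", "203.0.113.100"),
    ("B-GW", "10.1.1.0/24", "203.0.113.1"),
]

def on_link(vm, addr):
    """True if addr falls inside a subnet directly connected to vm."""
    nets = [ipaddress.ip_interface(f"{ip}/{MASK}").network
            for v, _, ip, _ in PLAN if v == vm]
    return any(ipaddress.ip_address(addr) in net for net in nets)

def off_link_gateways():
    """Default gateways the VM cannot reach without already having a route."""
    return [(vm, iface, gw) for vm, iface, _, gw in PLAN
            if gw is not None and not on_link(vm, gw)]

def unreachable_next_hops():
    """Static routes whose next hop is not on a connected subnet."""
    return [r for r in ROUTES if not on_link(r[0], r[2])]

def duplicate_addresses():
    """Addresses assigned to more than one interface in the plan."""
    seen, dups = {}, []
    for vm, _, ip, _ in PLAN:
        if ip in seen:
            dups.append((ip, seen[ip], vm))
        seen.setdefault(ip, vm)
    return dups

if __name__ == "__main__":
    print("off-link default gateways:", off_link_gateways())
    print("unreachable next hops:", unreachable_next_hops())
    print("duplicate addresses:", duplicate_addresses())
```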
