CHECKPOINT FIREWALL VERSION: R75 LAB GUIDE

Installation Type - SPLAT
Check Point can be installed in several ways: on SecurePlatform, on a Windows operating system, or on Nokia hardware. Here we go through the SecurePlatform (SPLAT) installation step by step. On the machine where SP

Once you hit Enter, the installation process starts.

Use the Tab key to select OK and hit Enter.

Select the language in which Check Point is to be installed; here we select US (i.e. English).

Here we see the two interfaces, eth0 and eth1, present on the device on which Check Point is being installed. One interface is selected for configuration; below we select eth0. Configure an IP address for the selected eth0 interface. The default gateway information can be left empty at this stage (the default route is assigned later, in the web configuration wizard).

Select OK and hit Enter. Check Point will start formatting the machine's hard drive. Select OK and hit Enter.

Check Point has finished copying files to the hard drive. Select OK and hit Enter; the firewall will reboot and bring you to the login screen. The first-time login uses the default username and password: Username: admin, Password: admin.

By now all the necessary Check Point files have been copied to the SecurePlatform. Once the default credentials are entered, a new username and password must be created as shown above. To complete the initial network and other configuration, open a browser and connect using the URL shown in the snapshot as an example.

Open a browser and launch the Web User GUI login page.

The login page comes up. Use the credentials created at the first-time CLI login. After accepting the license agreement, click Next.

Click on eth1, which we want to use as the external interface, and assign it an IP address.

Once an IP address is assigned to eth1, click Next to continue the configuration. Assign a default route address for the firewall as below.

Once the IP address is entered, click Apply; the default route will be listed in the routing table. Next, enter the DNS server information, then the hostname of the firewall, and select the management interface.

For the time settings, here we go for manual settings; an NTP server can also be used for this purpose. Next, specify the clients/network allowed to access the firewall's management interface.

When you click on Any, it lets you edit the network/host properties as below; here we specify the IP address of a single machine that is allowed to connect to the firewall management interface. Then select the Check Point products you wish to install.

Here we select this as a primary firewall. Specify the clients who can access the firewall GUI (SmartDashboard).

Define an administrator username and password to access the firewall GUI.

Click Next to continue the configuration. Click Yes; Check Point will now start the configuration process. This completes the initial setup of the Check Point firewall.

Once you click OK, you will be redirected to the Web User Interface.

Click on Product Configuration to download the SmartConsole for accessing the Security Management GUI. Once the download completes, install the SmartConsole application. Note: Microsoft .NET version 2 is required on the machine where SmartConsole is being installed.

Now you can log in to the firewall CLI and check the routing, both towards the external side and the internal side, making sure the Internet and the LAN are reachable from within the firewall.

Launch SmartDashboard and log in using the credentials created in the web user interface configuration wizard. Click Yes and SmartDashboard starts loading.

SmartDashboard has a left panel, called the Object Tree, which holds multiple tabs, and a right panel which holds the security policies created. Select the Network Objects tab from the left panel (the first tab), expand Check Point, right-click on the cpmodule and click on Edit.

Go to the Topology option and there click on Get > Interfaces with Topology. A new window opens up.

Click Yes .

Click on Accept. Once done, identify the difference between the external and internal networks as shown below. In the menu at the top, click on Policy and select Global Properties. Select the options below to enable the ICMP requests, which are blocked by default.

Stealth Rule and Cleanup Rule

Click on the Rules options to add a rule in SmartDashboard. The rule can be edited as required. The first rule should always be the Stealth Rule and the last rule the Cleanup Rule. For the Stealth Rule, the Source will be Any.

Expand the Destination cell and select the firewall for the Stealth Rule.

Right-click on the Track cell and select Log. The Stealth Rule should look like this. Create the Cleanup Rule in a similar way, as shown above. It should look like this.
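The reason the guide insists on the Stealth Rule being first and the Cleanup Rule being last is that the rulebase is evaluated top to bottom and the first matching rule wins. The simulator below is an added example (not code from the guide or from Check Point) that walks constructed packets through a three-rule policy and shows the consequence of ordering: an accept rule for traffic to the gateway itself is dead if it sits below the Stealth Rule, which is also why the guide later places its VPN rule above the Stealth Rule. The addresses, the Stealth Rule's Drop action and the Cleanup Rule's Drop action are assumptions made for the example; the guide's screenshots, not this code, define its rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Union

# Constructed lab addressing (an assumption for this example, not taken from the guide).
FIREWALL_IP = ip_address("203.0.113.1")      # the gateway's own external address
LAN_NETWORK = ip_network("10.0.0.0/24")      # the internal LAN object
MGMT_HOST = ip_address("10.0.0.10")          # the SmartDashboard client
ANY = "Any"

Matcher = Union[str, IPv4Address, IPv4Network]


@dataclass
class Rule:
    name: str
    source: Matcher
    destination: Matcher
    service: str            # ANY or a service name such as "http" or "ssh"
    action: str             # "accept" or "drop"
    track: str = "None"     # the Track column: "Log" or "None"


@dataclass
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class Verdict:
    rule: str
    action: str
    logged: bool


def field_matches(field: Matcher, addr: IPv4Address) -> bool:
    if field == ANY:
        return True
    if isinstance(field, IPv4Network):
        return addr in field
    return addr == field


def evaluate(rulebase: List[Rule], pkt: Packet) -> Verdict:
    """First-match evaluation: the first rule whose Source, Destination and
    Service all match decides the packet's fate; later rules are never consulted."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rulebase:
        if (field_matches(rule.source, src)
                and field_matches(rule.destination, dst)
                and rule.service in (ANY, pkt.service)):
            return Verdict(rule.name, rule.action, rule.track == "Log")
    # With no Cleanup Rule the gateway drops silently; an explicit Cleanup Rule
    # with Track=Log is what makes the otherwise unmatched traffic visible.
    return Verdict("<implicit drop>", "drop", False)


# Assumed rules: Stealth drops anything addressed to the gateway, Cleanup drops the rest.
STEALTH = Rule("Stealth", ANY, FIREWALL_IP, ANY, "drop", "Log")
LAN_OUT = Rule("LAN outbound", LAN_NETWORK, ANY, ANY, "accept", "Log")
MGMT = Rule("Management access", MGMT_HOST, FIREWALL_IP, "ssh", "accept", "Log")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "drop", "Log")

RULEBASE = [STEALTH, LAN_OUT, CLEANUP]

# Constructed probe traffic covering each kind of flow the lab cares about.
PROBES = [
    Packet("10.0.0.10", "203.0.113.1", "ssh"),     # admin host to the gateway itself
    Packet("198.51.100.7", "203.0.113.1", "http"),  # outsider probing the gateway
    Packet("10.0.0.5", "198.51.100.7", "http"),     # LAN host browsing out
    Packet("198.51.100.7", "10.0.0.5", "http"),     # unsolicited inbound
]


def shadowed_rules(rulebase: List[Rule], probes: List[Packet]) -> List[str]:
    """Rules that never fire for any probe: a rule placed below one that already
    matches all of its traffic is dead. A rule for traffic to the gateway itself
    is shadowed when it sits under the Stealth Rule, so it must be placed above it."""
    hit = {evaluate(rulebase, p).rule for p in probes}
    return [r.name for r in rulebase if r.name not in hit]


if __name__ == "__main__":
    for p in PROBES:
        print(p, "->", evaluate(RULEBASE, p))
    print("misordered:", shadowed_rules([STEALTH, MGMT, LAN_OUT, CLEANUP], PROBES))
    print("correct:   ", shadowed_rules([MGMT, STEALTH, LAN_OUT, CLEANUP], PROBES))
```

Running it shows the admin's SSH attempt to the gateway dropped and logged by the Stealth Rule, the LAN host's browsing accepted, the unsolicited inbound connection caught by the Cleanup Rule, and the management rule reported as shadowed until it is moved above the Stealth Rule.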

HIDE NAT

On the left panel, in the Network Objects tab (the first tab), right-click on Networks and select Network. A new window pops up; under the General tab specify the Name, Network Address and Net Mask, then switch to the NAT tab.

Select Add Automatic Address Translation rules and the Hide behind Gateway option. You can see the LAN_Network object created.

Create two new rules: in the first, add LAN_NETWORK as the source and Any as the destination for any Service; in the next rule, let the source and destination be Any and the service be http.

The Hide NAT rule should look as below. To push the configuration from the management console to the firewall module, select Policy from the top menu and click on Install.

This displays the available firewall modules (if multiple modules are present; here, as of now, only one). Select the firewall module and click on OK. It starts installing the policies and configuration on the selected firewall module.

If all the configurations and policies installed are correct, it will show "Installation completed successfully".

STATIC NAT

To configure static NAT we require two nodes: one for the available public IP and another for the internal private IP of the server (it can be any server, such as web, ftp, smtp etc.). On the left panel, in the Network Objects tab (the first tab), right-click on Nodes and select Host. Specify the name and IP address of the server in use.

On the NAT tab, select Add Automatic Address Translation rules and specify the free public address available. Create another node in the same way as explained above.


Both the newly created nodes appear under the Nodes option. The rules should look as shown below.
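The two NAT sections above configure different translations, and the difference matters for what an outsider can reach. The simulator below is an added example (not code from the guide or from Check Point) that models both: Hide NAT maps every LAN host behind the gateway's single external address and tracks each connection by its translated source port, so nothing on the outside can initiate a connection to a hidden host, while Static NAT maps one private server address to one public address in both directions, so the server is reachable from outside on every port the security policy allows. All addresses and the port range are constructed for the example; the order in which the simulator checks static rules before hide rules is a design choice made here so that a server inside the hidden LAN keeps its fixed public address.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed lab addressing (assumptions for this example, not taken from the guide).
GATEWAY_EXTERNAL = ip_address("203.0.113.1")    # the "Hide behind Gateway" address
LAN_NETWORK = ip_network("10.0.0.0/24")         # the LAN_Network object
WEB_SERVER_PRIVATE = ip_address("10.0.0.80")    # first node: the server's private IP
WEB_SERVER_PUBLIC = ip_address("203.0.113.80")  # second node: the free public address
INTERNET_HOST = ip_address("198.51.100.7")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


class NatGateway:
    """Minimal model of automatic Hide NAT and Static NAT on one gateway."""

    def __init__(self, hide_net: IPv4Network, hide_behind: IPv4Address,
                 static: Dict[IPv4Address, IPv4Address]):
        self.hide_net = hide_net
        self.hide_behind = hide_behind
        self.static = static                              # private -> public
        self.static_rev = {v: k for k, v in static.items()}  # public -> private
        # Hide NAT state: (external addr, external port) -> (original src, original sport)
        self.hide_table: Dict[Tuple[IPv4Address, int], Tuple[IPv4Address, int]] = {}
        self._next_port = 10000                           # constructed port pool start

    def _allocate_port(self) -> int:
        while (self.hide_behind, self._next_port) in self.hide_table:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, f: Flow) -> Flow:
        """Translate a flow leaving the LAN. Static first, then hide, then untouched."""
        if f.src in self.static:
            return replace(f, src=self.static[f.src])
        if f.src in self.hide_net:
            ext_port = self._allocate_port()
            self.hide_table[(self.hide_behind, ext_port)] = (f.src, f.sport)
            return replace(f, src=self.hide_behind, sport=ext_port)
        return f

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a flow arriving from outside. Returns None when no translation
        applies: the packet is addressed to the gateway itself with no matching
        hide entry, which is the property that makes Hide NAT one-directional."""
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])
        entry = self.hide_table.get((f.dst, f.dport))
        if entry is not None:
            orig_src, orig_sport = entry
            return replace(f, dst=orig_src, dport=orig_sport)
        return None


def build_lab_gateway() -> NatGateway:
    return NatGateway(LAN_NETWORK, GATEWAY_EXTERNAL,
                      {WEB_SERVER_PRIVATE: WEB_SERVER_PUBLIC})


if __name__ == "__main__":
    gw = build_lab_gateway()
    out = gw.outbound(Flow(ip_address("10.0.0.5"), 51000, INTERNET_HOST, 80))
    print("hide out :", out)
    print("hide back:", gw.inbound(Flow(INTERNET_HOST, 80, out.src, out.sport)))
    print("unsolicited to gateway:", gw.inbound(Flow(INTERNET_HOST, 4444, GATEWAY_EXTERNAL, 22)))
    print("static in :", gw.inbound(Flow(INTERNET_HOST, 4000, WEB_SERVER_PUBLIC, 80)))
    print("static out:", gw.outbound(Flow(WEB_SERVER_PRIVATE, 80, INTERNET_HOST, 4000)))
```

Two points the run makes visible: two LAN hosts using the same source port get distinct translated ports, so their replies are demultiplexed correctly, and the Static NAT node is reachable from the outside whether or not it has spoken first, which is why the accompanying security rule for the public node decides what is actually permitted.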

Authentication

Select the Users tab from the left panel. Right-click on the Users container, select New User and the Default option. Specify the login username on the General tab as shown below.

Go to the Authentication tab, select Check Point Password and fill in the password fields.

Now we create a group and add the user to it. On the left panel, in the Users tab, right-click the User Groups container and click on New Group. Specify the group name.

Select each user, including the generic user, and add them to the group. The user is added to the group and we can see the group Lan_Users_Group displayed in the left panel.

Creating Rule: A new rule should be created between the Stealth Rule and the Cleanup Rule, as shown below. Right-click on the Source cell and select the Add User/Access Rule option. Specify the name and select the Specific networks option.

Add LAN_NETWORK under Specific networks and click OK. Select the service according to the authentication scheme, then right-click in the Action cell, go to Legacy and select User Auth.

Once the rule is created, double-click on User Auth under Action and select All Servers. Install the policy to enable authentication.

External authentication: We look at the example of enabling authentication using a TACACS+ server as an external source. To create a TACACS+ server on Check Point, we first create a node: in the Network Objects tab, create a node defining the IP address of the TACACS+ server.

Once done, you will see the TACACS+ server listed under the Nodes option. Go to the Servers and OPSEC Applications tab, right-click on the Servers option, select New and click on TACACS.

Specify a name for the TACACS+ server and, for the Host option, select the node that was created for the TACACS+ server; select the type as TACACS+ and enter the secret key. Now on the left panel, in the Users tab, right-click on External User Profiles, go to New External User Profile and select Match all users.

A new window opens up. Go to the Authentication tab and select TACACS as the Authentication Scheme.

Create a general user in the Users tab on the left panel; since we already have a user created, right-click the username and click on Edit.

A window opens up; go to Authentication, select TACACS as the authentication scheme and select the TACACS server. Creating Rule: Create the rule as explained in the user authentication process. Select the service according to the authentication scheme, then right-click in the Action cell, go to Legacy and select Session Auth.

Now we move on to Client Auth. The configuration required is the same as explained above, except that the Action cell will have Client Auth in it; here, client software needs to be installed on the user's machine for authentication to happen. To see the sub-configuration under Client Auth, double-click on it and configure accordingly. The rule should look as below.

Java and ActiveX Filter

To filter Java and ActiveX applets we create a resource from the Resources tab. Right-click on the Resources option, go to New and select URI. A new window opens up; specify the resource name.

Under the Match tab, select the appropriate inputs.

Under the Action tab, select the appropriate inputs. You can see that a new URI resource has been created.

Now write a security policy as shown below. The security policy appears as below.

URI Filtering

URI Filtering stands for Uniform Resource Identifier Filtering, and Check Point uses its proprietary UFP protocol for it. To configure the URI filter we need to go to the Network Objects tab, right-click the CP module, click on Edit and enable the URL Filtering option under the Network Security tab.

From the tab menu go to the Anti-Virus and URL Filtering tab. Click on Configure under Database Updates and enter the User Center credentials (for registered versions of Check Point); otherwise you can select the Use the trial license option to use this feature for a 15-day trial period.

Navigate to URL Filtering > Advanced > Blocked URLs/IPs and enter the URL to be blocked.

Go to Blocking Notifications; here we can either display a message to the user or redirect them to a different URL when they try to access the blocked URL. Write a policy which includes the service FW1_ufp.

Anti-Virus Integration

Check Point uses a proprietary protocol called CVP (Content Vectoring Protocol) for this feature. To configure anti-virus filtering we need to go to the Network Objects tab, right-click the CP module, click on Edit and enable the Anti-Virus & Anti-Malware option under the Network Security tab.

From the tab menu go to the Anti-Virus and URL Filtering tab. Click on Configure under Database Updates and enter the User Center credentials (for registered versions of Check Point); otherwise you can select the Use the trial license option to use this feature for a 15-day trial period.

Write a policy which includes the service FW1_cvp.

Remote Access VPN

To configure Remote Access VPN we need to go to the Network Objects tab, right-click the CP module, click on Edit and enable the Mobile Access option under the Network Security tab.

Once you click on the Mobile Access option, the window below pops up.

The wizard then walks through specifying a URL to be used for the Remote Access VPN connection, creating a test user, and selecting a demo application for testing.


Write a policy as shown below.

IPSec VPN

To configure the IPSec VPN we need to go to the Network Objects tab, right-click the CP module, click on Edit and enable the IPSec VPN option under the Network Security tab.

To create an IPSec VPN between Check Point firewalls, right-click on Check Point under Network Objects and select Externally Managed VPN Gateway. A new window opens up; enter the remote Check Point gateway name and its IP address and verify the OS option, in this case SecurePlatform (in short, SPLAT).

Go to the Topology option, select Manually defined and select the remote network object. You will see a new gateway created under the Network Objects.

To create a VPN between a Check Point and a non-Check Point firewall, right-click on the Network Objects and uncheck Do not show empty folders. Right-click on Interoperable Devices and click on Interoperable Device. A window opens up; specify the name and IP address of the remote firewall.

Go to the Topology option, select Manually defined and select the remote network object. Now we can see the non-Check Point firewall listed under Interoperable Devices.

Select the VPN Communities tab, right-click on Site To Site, go to New Site To Site and click on Meshed.

A window opens up; specify the community name.

On the Participating Gateways tab, click on Add and select all the firewalls.

On the Encryption tab, select the appropriate Encryption Method and Encryption Suite.

Under the Shared Secret tab, select each firewall, click on Edit and specify the shared secret key.


Under Advanced VPN options, select the appropriate DH groups and check Disable NAT inside the VPN community. Create a rule above the Stealth Rule and specify the source and destination; in the VPN cell, right-click and select Edit Cell.

Select Only connections encrypted in specific VPN Communities. The policy should look like this. Note: this security rule comes above the Stealth Rule.
