STANDALONE-FIREWALL
In a Standalone-Firewall setup, you need 1 firewall and 1 PC to manage the firewall.
Installation of Firewall
The firewall needs 3 LAN cards. In the figure below there are three LAN cards: one is used for the inside network, the second for the DMZ (demilitarized zone) and the third for the external network, each with a different IP. Now follow the steps below to install and configure the firewall.
Step 2: It shows the welcome screen and asks to add a driver, but there is no need to add any driver; just click OK.
Step 3: Here you have to select which type of system you want to install. So, select Secure Platform Pro and
Step 4: Select the US keyboard type and press OK.
Step 6: Here you have to set the IP address of the inside network, i.e. eth0, and press OK.
Step 8: It will ask to format your hard drive, so press OK.
Step 10: Now the firewall has been installed. Here you will see the login window, and it will also give the web user interface access to connect. We have finished the firewall installation. Now we have to install the PC to manage the firewall, so simply install Windows on the PC.
Installation of PC & Configuration of Firewall via Web Interface
Step 1: This is the Windows 7 machine that we have installed with one LAN card, which will be used for the inside network, i.e. eth0.
Step 3: Just open a command prompt on the PC and check whether the IP that we set on eth0 responds to ping.
Step 5: SECURE PLATFORM PRO will open in Internet Explorer. Here we have to select agreement so just
Step 6: Here the login screen will appear. So, put admin for both login name and password.
Step 8: The First Time Configuration Wizard – Welcome screen will appear. Now we are going to configure the firewall. So, click Next.
Step 10: Set the IP address and netmask of eth1 and apply them.
Step 12: Now we can see all networks are UP. So just click Next.
Step 14: Add the default route and apply.
Step 16: Now we have to set the DNS server. Just add it and click Next.
Step 18: In Web and SSH Clients, add Host and click Next.
Step 19: In this wizard we have to select which type of Check Point we want to install. So click on the option and press
Step 20: Here we have to select which product we want to install, so just tick the option and click Next.
Step 22: Add a GUI client: click on the Host option, give the name any and apply.
Step 24: This screen shows what we selected on this firewall. So, check and click Finish.
Step 26: After rebooting the system we have to download and install the SmartConsole application.
Click on Product Configuration > Download SmartCenter Console
Step 27: After the installation of the SmartConsole application, SmartDashboard will appear on the desktop. Click
Step 28: At first login, a fingerprint will appear, which shows us whether we are connecting to the right server or not.
INSTALLATION & CONFIGURATION OF DISTRIBUTED FIREWALL
In a distributed firewall, we need to install 2 firewalls (1 firewall and 2 management firewall) and 1 PC to manage them. The firewall contains 3 LAN cards, i.e. Internal, DMZ and External. The management firewall contains 1 LAN card, i.e. Internal. The PC also contains 1 LAN card, i.e. Internal.
Configuration of Firewall as Distributed
Step 2: This is the first configuration wizard welcome screen, so just type “n” for next.
Step 3: Here we have to set the host name. Just type 1 to set the host name and give whatever name you want
Step 4: Here select 2 to set the domain name.
Step 6: Here we have to set all networks, so select them one by one and give each an IP and subnet mask.
Step 8: Again type “n” for next.
Step 10: This is the license agreement screen, so type “Y” for yes.
Step 12: Select 1 for a new installation and type “n” for next.
Step 14: This screen shows that the installation procedure is starting.
Step 15: Here we are asked whether to assign the IP dynamically, but we don’t need to do this because we already set the
Step 16: Now we have to enter the activation key. It can be anything.
Step 18: Now the installation is done. Just give the username and password, i.e. admin for both, and in the next step you will be asked to change the password.
Configuration of Management firewall
In the management firewall we need only 1 LAN card, i.e. the internal network. Just install the firewall the same way as we did in the previous stage. Now we are only going to configure the management firewall.
Step 1: This is the management firewall that has already been installed, and the IP of the management firewall is different
Step 2: After login we are asked to change the password, so just change it. Then type sysconfig.
Step 4: Here we have to set the host name of the management firewall, so select option 1.
Step 6: Type “e” to exit.
Step 8: This is a welcome screen, so just type “n” for next.
Step 10: Check option 1, i.e. Check Point Power, and press “n” for next.
Step 12: Here we have to choose SmartCenter, i.e. the smart console, to access the firewall through the management firewall. Then type “n” for next.
Step 14: This screen offers to enable you to centrally manage the firewall; just check the option and type “n” for next.
Step 16: Now it is installing the Primary SmartCenter.
Step 18: Now we have to add an administrator. So give the administrator name and password.
Step 20: Here it will show the fingerprint and ask whether to save it, so type “n”.
Step 22: This is the PC where Windows 7 is installed. Here open the dashboard using the management firewall IP.
Step 24: This is the dashboard, where you can manage the firewall.
Step 25: So far we have configured the management firewall, and now we have to add the gateway, so right-click on
Step 26: Now click on Simple mode (wizard).
Step 28: Here we have to provide the activation key that we gave in the configuration of the management firewall. Then click Next.
Step 29: Here we have to choose how to configure the gateway’s interfaces and topology. So, we will select retrieve
Step 30: Here all networks have been retrieved automatically. Just close it.
Step 32: Here we can now see that the firewall (India-FW1) has been added.
Step 33: Now we have to create the rule, so just click on the rules icon where the arrow is pointing. By default
Step 34: Now we have to change the action from Drop to Accept, and the track will be Log, in the created rule.
CREATING RULES AND NAT
Now we are going to discuss how to create rules and NAT (network address translation) in the firewall. We already have the firewall and PC, so just log in to the dashboard and follow the steps.
Step 1: First we have to change the external network to bridge mode. We are doing this because we are connecting to the LAN network, meaning the wireless network.
Step 3: This is the dashboard, where we can create any rules for particular users or for a group.
Step 4: In the left panel we can see the administrator tab, where we can create multiple users to manage the firewall
Step 5: Right-click on the administrator menu; the new administrator menu will appear, so click on it.
Step 7: In the above tab we can see admin authentication, where we can set a password for those users.
Step 8: In the left panel we can see network objects, where the checkpoint option is available. After clicking on checkpoint we can see our installed firewall; click on it. The Check Point gateway box will appear; in its left panel click on topology.
Step 9: In the topology tab we have to click on GET and then on interfaces with topology. We use interfaces with topology to get the static networks from the firewall.
Step 11: Click on any one network; a box will appear where we have to uncheck the "perform anti-spoofing based on interface topology" option. Do the same thing for all networks.
Step 13: Here type the network name and its corresponding IP and netmask. We can also add a color to identify them. Do the same to add all networks, i.e. Inside, DMZ and External.
Step 15: Now we are going to add a node. A node is a host object: click on node, then new node, and then host.
Step 17: Here we are adding Inside-Host as the internal network.
Step 19: We create a group for all the above nodes, name it server group and add all created nodes.
Step 20: Now we create a rule and name it allow. We are allowing traffic from inside_host destination
Step 21: Now push the policy.
Step 23: Now we can track traffic by clicking on the Window menu and then SmartView Tracker.
Step 24: Here we can see all traffic information, meaning the source and destination of the traffic and which rules
Step 25: Create further rules, i.e. a stealth rule and a clean-up rule. The stealth rule says any traffic coming from any source to the firewall as destination should be dropped, and the track should be Log. The clean-up rule says that if incoming traffic does not match any of the rules above, it should be dropped, and the track should be Log.
Step 26: Add another rule, i.e. allow internet: traffic that is coming from inside-network and destination is any
Step 27: Push the policy.
Step 28: We can divide the rules into sections. Right-click on the rules, select the option Add section title and give it a name
Step 29: Now we create NAT rules. NAT is used to translate a private IP address to a public IP address; we can do it automatically or manually.
Step 31: In manual mode we need to define everything, such as which IP will be translated into which IP.
Step 32: After creating the NAT rules, click on SmartView Tracker, where you can track which NAT rules are applying
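Added example, not part of the original guide and not Check Point code: a small Python model of the stealth, clean-up and allow internet rules from Steps 25 and 26 and of the anti-spoofing check unchecked in Step 11. It shows that the first matching rule wins, why the stealth rule belongs above the allow rule, and what each control drops. The IP addresses, interface mapping and function names are assumptions made for the illustration.

```python
import ipaddress as ipa
from dataclasses import dataclass

net = ipa.ip_network
ANY = net("0.0.0.0/0")
# Constructed addressing (the page does not list the IPs it used).
INSIDE, DMZ = net("192.168.1.0/24"), net("172.16.1.0/24")
FIREWALL = net("192.168.1.1/32")           # gateway's own inside address
TOPOLOGY = {"eth0": INSIDE, "eth1": DMZ}   # eth2 is External: everything else

@dataclass
class Rule:
    name: str
    src: ipa.IPv4Network
    dst: ipa.IPv4Network
    action: str           # "accept" or "drop"
    track: str = "log"

def spoofed(iface, src):
    """Simplified anti-spoofing: source must fit the interface's topology."""
    src = ipa.ip_address(src)
    if iface in TOPOLOGY:                   # internal side: must be local
        return src not in TOPOLOGY[iface]
    return any(src in n for n in TOPOLOGY.values())  # external side

def decide(rules, iface, src, dst, antispoof=True):
    """Return (action, rule name) for one packet; first matching rule wins."""
    if antispoof and spoofed(iface, src):
        return ("drop", "anti-spoofing")
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return (r.action, r.name)
    return ("drop", "implicit")

def lint(rules):
    """Flag rule-base problems a reviewer would look for before a push."""
    out = []
    last = rules[-1]
    if (last.src, last.dst, last.action) != (ANY, ANY, "drop"):
        out.append("last rule is not an any/any drop clean-up rule")
    guarded = False                         # seen a drop covering the gateway?
    for r in rules:
        if r.action == "drop" and r.src == ANY and FIREWALL.subnet_of(r.dst):
            guarded = True
        if r.action == "accept":
            if r.src == ANY and r.dst == ANY:
                out.append(f"'{r.name}' accepts any source to any destination")
            elif not guarded and FIREWALL.subnet_of(r.dst):
                out.append(f"'{r.name}' reaches the firewall before a stealth rule")
        if r.track != "log":
            out.append(f"'{r.name}' is not logged")
    return out

stealth = Rule("stealth", ANY, FIREWALL, "drop")
internet = Rule("allow internet", INSIDE, ANY, "accept")
cleanup = Rule("clean-up", ANY, ANY, "drop")
GOOD = [stealth, internet, cleanup]
BAD = [internet, stealth, cleanup]          # same rules, allow rule on top

if __name__ == "__main__":
    for rules in (GOOD, BAD):
        print(decide(rules, "eth0", "192.168.1.10", "192.168.1.1"), lint(rules))
    print(decide(GOOD, "eth2", "192.168.1.10", "8.8.8.8", antispoof=False))
```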
Creating Backup and Upgrade Firewall
Step 1: Log in to the dashboard with the firewall IP.
Step 3: When you click on database revision control, a box will appear; just click on the create button and give the name and time of the database.
Step 5: Again click on the File menu and click on the option database revision control.
Step 7: Now here you have to select restore the entire database.
Step 9: Let's do a backup via the command line. Just log in and type sysconfig, where you can see all Network
Step 10: Now type backup. It will ask whether you want to proceed; type “y”.
Step 12: To see where the backup is stored, type the command for expert mode. Below are some commands that you have to type in expert mode one by one.
Step 13: Now type the commands ifconfig eth0 down and ifconfig eth1 down. This brings all the networks down.
Step 15: Now we are going to restore. Type restore.
Step 17: Now select 1.
Upgrade Export & Import Utility
Step 1: Go into expert mode and type these commands one by one: cd $FWDIR, cd bin/, ls. It will show you the upgrade tools.
Step 2: Type cd upgrade_tools/, pwd, ls. It will ask for upgrade export or upgrade import. So first make a directory with the command mkdir /username, then type ./upgrade_export /username and give the name of the backup file. It will show you that the export operation finished successfully.
Step 3: Now we are going to use the upgrade import utility. Just type the following commands: cd /username, ls, ls -l, cpstop.
Step 6: You will be asked for the licence; just type “n”.
Snapshot
Step 1: Type the command “snapshot”.
Step 3: Now type “revert” to revert.
Step 6: Now when we select Snapshot Image Management, it will ask for the expert password.
Upgrading Firewall
Step 1: Now we are going to upgrade the firewall. First we have to go into expert mode and then insert the CD of the latest version that we want to install.
Step 2: Type the command “patch add cd” and press Enter. It will show you the upgrade package where you have to
Step 3: Now it asks whether you want to create a backup image for automatic revert, so just press “n” and press Enter.
Step 5: This is the license agreement screen, so type “y”.
Step 6: Here there are three options for the security management upgrade system and we have to choose option 1, i.e.
Step 7: Type “n” for next.
Step 8: Here we are asked for contract information; we don’t need to download and import the contract file
Step 8: Type “n” for next.
Step 9: This screen shows that verification completed successfully and the system is ready for upgrade. Type “n” for next.
Step 11: Here you are asked whether to upgrade installed products, or upgrade installed products and install new products. If you also want to install new products with the upgrade, you can select the 2nd option, but here we select the 1st option and press n for next.
Step 13: Now it is extracting the files from the CD.
Step 14: Now you have to reboot the system, so type “reboot”.
Step 15: After rebooting the system, check the Check Point version by typing “fw ver”; you will see checkpoint has been
Step 17: The R75 SmartConsole requires the .NET Framework, so just install it.
Step 19: Select SmartConsole from the drive, copy it to the PC and install it.
Step 20: Here select smart tracker, smart monitor, smart viewer. Now your firewall has been upgraded from r65
Management High availability
In management high availability, one firewall is connected to two management servers. One is known as the primary management and the other is called the secondary management. If the primary management fails for any reason, you can manage the firewall through the secondary management. Now we are going to configure management high availability.
Step 1: We have already installed one management server and one firewall. So, we are just going to install and
Step 2: Here you have to set an IP address on the inside network.
Step 4: Here select secondary management because we already installed the primary management. Type “n” for next.
Step 6: Log in to the dashboard using the secondary management IP.
Step 8: Click on the communication tab.
Step 10: Here we have to give the activation key and click on initialize.
Step 11: Now we have to add the secondary management server, so right-click on checkpoint and then click on
Step 12: In Check Point products you have to tick secondary SmartCenter server and give the name of the secondary management and its IP.
Step 14: You can see in the left panel that the secondary management has been added.
Step 15: Now you have to get the interfaces with all existing networks. So click on the firewall, then topology, and then click
Step 16: Here all networks will appear; just accept them.
Step 18: Add a rule: click on the internal network and the network properties box will appear; there click on the NAT tab and tick automatic address translation rules and hide behind gateway.
Step 20: Log in to the secondary management server again.
Step 21: Here we can see it shows the details of both management servers; just click on the change archives button it
Step 22: There are two options to synchronize management high availability: manual and automatic. For automatic high availability, right-click on the policy tab, then click on global properties and then management high availability, where you will see automatic synchronization when policy is installed.
Step 24: Now click on the synchronize button.
Firewall high availability
In firewall high availability we need to install two firewalls, and each firewall has 4 LAN cards: one as internal, the 2nd as DMZ, the 3rd as external (in bridge mode), and the last one is used for synchronization.
Step 2: Here you are asked whether you would like to install a Check Point cluster product; type “y”.
Step 4: This is the first firewall.
Step 6: Here you can see all networks are available; just accept them.
Step 8: Type “sysconfig”, then type “6” to add the routing.
Step 9: Now type “4” to delete the default route. And again type “6” to add the default route; just give default
Step 10: Now we have to add the other firewall. So click on checkpoint, click on new checkpoint and then click on vpn-1 power.
Step 12: Now insert the activation key to initialize the connection.
Step 14: Now we have to configure them. So again click on checkpoint and select the vpn-1 power\cluster option.
Step 16: Click on add and then add gateway to cluster.
Step 18: Here you have to set the network address and choose cluster synchronization as primary.
Step 20: Again type the cluster interface for DMZ.
Step 22: Now click on finish.
Step 23: Now you can see that the firewall cluster has been added in the left panel. Just install the policy after
Step 24: Now we have to enable the cluster on the first firewall, so type “cpconfig” and then type “7”, i.e. enable cluster membership for this gateway.
Step 26: Now you have to reboot the firewall, so type “reboot”.
Step 28: Now we have to change the gateway of the PC because we need to give the cluster gateway.
Step 29: Create rules with source fw1 to destination fw2 and source fw2 to destination fw1, and the action should be
Step 30: Now log in to the firewall and type the command “cphaprob stat”; it will show you that one firewall is in active mode and the other is on standby.
Step 31: If the primary firewall goes down, then you click on the firewall cluster and then on cluster XL and select switch
Load Sharing
Load sharing is the process of sharing the firewall load between two firewalls. It shares the load 50-50 across both firewalls.
Step 1: Click on Firewall cluster in the left panel and go into cluster XL. There you have to select load sharing
Step 2: Now you can see both firewalls are in active mode and assigned load 50-50 %. This was the multicast
Step 3: Now we are doing unicast load balancing. In unicast load balancing both firewalls are active but the load assigned to them is 30-70%. If one firewall goes down for any reason, 100 % of the load is assigned to the other firewall. Click on unicast mode in the cluster properties.
Step 5: Type “cphaprob stat” at the command line. You will see both firewalls are active and share the load in the ratio 30:70.
Configuration of VPN
Let us suppose we have two offices, one in India and another in China, and we want them to communicate with each other, so a VPN will be established between them. A VPN is a virtual private network, and encryption and decryption algorithms are used for security purposes.
In the figure below we can see two firewalls and two management servers respectively, which are connected through the interface gateway. Now follow the steps to install and configure the firewall.
Step 1: This is India FW-PC, which needs only one LAN card as the internal network.
Step 2: This is India-FW, which needs three LAN cards: eth0 as internal, eth1 as DMZ and eth2 as external (in
Step 3: This is China FW-PC, which needs only one LAN card as the internal network.
Step 4: This is China-Fw, which needs two LAN cards: eth0 as the internal network and eth1 as external
Step 5: Now we are going to install china-fw, and here we have to set the host name of china-fw.
Step 7: Again type “n” for next.
Step 9: Here we can add the administrator name and password.
Step 11: Here we have to set the IP address of all networks in China-fw. Select the networks one by one and set them.
Step 13: Change the IP for eth1.
Step 15: Now log in to the dashboard on china fw-Pc.
Step 17: Click on the get address button to get the IP.
Step 19: Here you can see all interfaces, but both are internal networks. So click on IP whether you want to make
Step 20: Now open china-fw properties and tick VPN in the Check Point properties.
Step 22: After that you have to set the route; just select option 3 and give the default gateway for route the
Step 23: Log in to the dashboard on india-fw-Pc.
Step 25: Here all interfaces will appear; just accept them.
Step 27: Do the same thing for China-Fw.
Step 28: Now add the network in the China firewall. Click on the network tab in the left panel and give the name and its IP for
Step 29: Again click on network and give the name and its IP for the remote network (it contains the IP of India-Fw).
Step 31: Add the remote network.
Step 32: Click on India-Fw and then on topology, where you will see the VPN domain below; there you have to
Step 33: Do the same thing for China-Fw.
Step 34: Now we have to create the connection between the two firewalls, so click on checkpoint, then new checkpoint
Step 35: Here you have to specify the name and IP of china-Fw and tick the VPN option.
Step 36: Now click on topology and specify the network under manually defined, where you have to select remote
Step 37: Now go to china-fw and do the same as we did for india-Fw.
Step 39: Here we can see both firewalls have been added in checkpoint. Now click on India-Fw, then on VPN and then on link selection, where you have to choose the option selected address from topology table and select the external IP.
Step 41: Now click on the VPN tab in the dashboard; there right-click on the blank space, click on new community and then on meshed.
Step 43: And here add both firewalls. Now click on the VPN properties tab in the left panel.
Step 44: Here you have to specify which encryption algorithm you want to use. Set same algorithm for phase
Step 45: Now click on advanced settings and then on shared secret, where you have to put the password for security.
Step 47: Add both firewalls.
Step 49: Put in the secret key.
Step 50: Now we have to create the rules where source and destination are internal_network to remote_network and remote_network to internal_network. In VPN select the India-china topology. Add the services remote desktop, icmp_proto and telnet, accept the action, and it should be logged.
Step 52: Now type “cmd” and ping the IP of the other firewall to check whether it responds.
Step 54: Now take a remote session from india-fw-pc to china-fw-pc and see whether it works.