CHECKPOINT FIREWALL
VERSION: R75
Installation Type - SPLAT
Checkpoint can be installed in several ways: on SecurePlatform (SPLAT), on the Windows operating system, or on Nokia hardware. Here we walk through the SPLAT (SecurePlatform) installation step by step. On the machine where SP
Use the Tab key to select OK and press Enter.
Two interfaces, eth0 and eth1, are listed for the device on which Checkpoint is being installed. One of them is selected for configuration; below we select eth0.
Configure the IP address for the selected eth0 interface; the default gateway information can be left empty since we
Select OK and press Enter.
Checkpoint has finished copying files to the hard drive; select OK and press Enter.
The firewall reboots and brings up the login screen.
The first login uses the default credentials (Username: admin).
Once the default credentials are entered, you are prompted to create a new username and password, as shown above. Do this before the box is connected to any untrusted network; the default login is public knowledge.
By now all the necessary Checkpoint files have been copied to SecurePlatform. To complete the initial network and other configuration, open a browser and connect to the WebUI over HTTPS at the address assigned to eth0 (the URL shown in the snapshot is an example).
After accepting the license agreement, the login page appears. Use the credentials created at the first CLI login.
Once an IP address is assigned to eth1, click Next to continue the configuration.
Once the IP address is entered, click Apply.
The default route is then listed in the routing table.
Here we set the date and time manually; an NTP server can also be used. Accurate time matters for log correlation and for certificate validity checks (SIC and VPN certificates), so NTP is the better choice on a production gateway.
Specify the clients/networks allowed to access the firewall's management interface.
Only the IP addresses listed here may connect to the management interface; restrict this to the administrators' hosts or the management subnet rather than Any.
Select the Checkpoint products you wish to install.
Define an administrator username and password for access to the firewall GUI.
This completes the initial setup of the Checkpoint firewall; Checkpoint now starts the configuration process.
Click Product Configuration to download SmartConsole, which is used to access the Security Management GUI.
Once the download completes, install the SmartConsole application.
Now log in to the firewall CLI and verify routing towards both the external and the internal side (for example with netstat -rn and ping), making sure that the Internet and the LAN are reachable from the firewall itself.
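As an added example (not part of the original guide), the following Python 3 helper performs the routing check described above on captured `netstat -rn` output from the SPLAT CLI. SPLAT R75 ships no Python 3, so run it on the admin workstation and pipe the captured table in. It parses the kernel routing table, resolves each test destination with a longest-prefix match (default route as fallback) and reports the interface and next hop the traffic would use. The interface names, addresses and the sample routing table are constructed for illustration.

```python
# Added example: routing sanity check over `netstat -rn` output (constructed data).
import ipaddress
import sys

# Constructed sample of `netstat -rn` on a SPLAT box: eth0 external,
# eth1 LAN, default route via the upstream router on eth0.
SAMPLE_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
"""


def parse_routes(text):
    """Return [(network, next_hop_or_None, iface), ...] from `netstat -rn` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # header lines
        dest, gateway, mask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the route a packet to `destination` would take.

    Returns (network, next_hop, iface), or None when no route (not even a
    default route) covers the address."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        network = route[0]
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = route
    return best


def check_paths(routes, expectations):
    """Compare the routing decision for each destination with the interface it
    is expected to leave on. `expectations` maps destination -> interface name.
    Returns a list of problem strings; empty means routing looks right."""
    problems = []
    for destination, wanted_iface in expectations.items():
        route = lookup(routes, destination)
        if route is None:
            problems.append(f"{destination}: no route (is the default route missing?)")
        elif route[2] != wanted_iface:
            problems.append(f"{destination}: leaves via {route[2]}, expected {wanted_iface}")
    return problems


if __name__ == "__main__":
    # Pipe real `netstat -rn` output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT_RN
    routes = parse_routes(text)
    # Hypothetical expectation: Internet traffic leaves on eth0, a LAN host on eth1.
    for problem in check_paths(routes, {"8.8.8.8": "eth0", "192.168.10.50": "eth1"}):
        print("WARNING:", problem)
    default = lookup(routes, "8.8.8.8")
    if default and default[1]:
        print(f"default gateway {default[1]} on {default[2]}: ping it and an Internet host from the CLI")
```

Usage: `netstat -rn > routes.txt` on the SPLAT box, then `python3 check_routes.py < routes.txt` on the workstation. A missing default route shows up as "no route" for the Internet address, and a LAN prefix mistakenly bound to the external interface shows up as a wrong exit interface.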
Launch SmartDashboard and log in using the credentials created in the web user interface configuration wizard.
SmartDashboard has a left panel, called the Object Tree, which holds several tabs; the right panel holds the security policies created.
Select the Network Objects tab in the left panel (the first tab), expand Check Point, right-click the cpmodule object and click Edit.
A new window opens.
Click Accept. Once done, identify which interfaces face external and which face internal networks, as shown below; this topology is what the gateway uses for anti-spoofing.
From the top menu, click Policy and select Global Properties.
Stealth Rule and Cleanup Rule
Click the Rules options to add a rule in SmartDashboard.
This rule can be edited as required.
The first rule should always be the Stealth Rule and the last rule the Cleanup Rule. The Stealth Rule has Source Any, Destination the gateway object itself, Service Any and Action Drop; it stops anyone talking to the firewall directly. The Cleanup Rule is Any/Any/Any Drop and catches everything no earlier rule has accepted.
Right-click the Track column and select Log, so that dropped connections are recorded.
The Stealth Rule should look like this:
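The conventions above (Stealth Rule first, Cleanup Rule last, both logged, no rule that makes them dead) can be checked mechanically. The following linter is an added example, not part of the original guide or of Check Point's tools. Rules are plain dictionaries with the SmartDashboard column names; the gateway object name cpmodule and the network object LAN_NETWORK come from the guide, the sample rulebase is constructed, and a real deployment would feed it rules exported from the management server rather than literals.

```python
# Added example: linter for the stealth/cleanup rulebase conventions (constructed rulebase).
GATEWAY = "cpmodule"          # gateway object name used in the guide
ANY_COLUMNS = ("src", "dst", "service")


def is_stealth(rule, gateway=GATEWAY):
    """Any source, any service, to the gateway itself, dropped."""
    return (rule["src"] == "Any" and rule["dst"] == gateway
            and rule["service"] == "Any" and rule["action"] == "Drop")


def is_cleanup(rule):
    """Any/Any/Any Drop: the explicit deny that catches everything else."""
    return all(rule[col] == "Any" for col in ANY_COLUMNS) and rule["action"] == "Drop"


def lint_rulebase(rules, gateway=GATEWAY):
    """Return a list of findings; an empty list means the conventions hold."""
    findings = []
    if not rules:
        return ["rulebase is empty"]

    stealth_at = next((i for i, r in enumerate(rules) if is_stealth(r, gateway)), None)
    if stealth_at is None:
        findings.append(f"no stealth rule (Any -> {gateway}, Any, Drop)")
    else:
        if stealth_at != 0:
            findings.append(f"stealth rule is rule {stealth_at + 1}; only rules that deliberately "
                            "permit access to the gateway belong above it")
        if rules[stealth_at]["track"] != "Log":
            findings.append("stealth rule is not logged")

    last = rules[-1]
    if not is_cleanup(last):
        findings.append("last rule is not a cleanup rule (Any, Any, Any, Drop)")
    elif last["track"] != "Log":
        findings.append("cleanup rule is not logged")

    for number, rule in enumerate(rules, 1):
        if rule["action"] == "Accept" and all(rule[col] == "Any" for col in ANY_COLUMNS):
            findings.append(f"rule {number} accepts Any/Any/Any; every rule below it, "
                            "including the cleanup rule, is dead")
        # Below a stealth rule, nothing addressed to the gateway can ever match.
        if (stealth_at is not None and number - 1 > stealth_at
                and rule["dst"] == gateway and rule["action"] == "Accept"):
            findings.append(f"rule {number} allows traffic to the gateway but sits below "
                            "the stealth rule, so it never matches")
    return findings


# Constructed rulebase following the guide: stealth first, LAN web access, cleanup last.
SAMPLE_RULEBASE = [
    {"name": "Stealth", "src": "Any", "dst": GATEWAY, "service": "Any", "action": "Drop", "track": "Log"},
    {"name": "LAN web", "src": "LAN_NETWORK", "dst": "Any", "service": "http", "action": "Accept", "track": "Log"},
    {"name": "Cleanup", "src": "Any", "dst": "Any", "service": "Any", "action": "Drop", "track": "Log"},
]

if __name__ == "__main__":
    for finding in lint_rulebase(SAMPLE_RULEBASE) or ["rulebase OK"]:
        print(finding)
```

The shadowing check is the one most often missed by hand: an SSH or HTTPS rule to the gateway added below the Stealth Rule silently never fires, and the administrator then "fixes" it by widening something else.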
Creating Administrative Profiles
Select the Users tab in the left panel, right-click the Administrators container and select New Administrator.
Click New and create a permissions profile for this admin user.
Go to the Authentication tab and select the authentication type; in this case we use Check Point Password, which stores the admin user's credentials locally on the Checkpoint firewall.
This user has to be added to a group; we create the group from the same Users tab, under the Administrator Groups container, as below.
Name the group accordingly and add the user to it.
If you want a user with read/write permissions, a Read-Write permissions profile has to be created, either with full access or with customized access as shown below. Give each administrator the narrowest profile that covers the job; read-only profiles are enough for auditors and for operators who only review logs.
HIDE NAT
In the left panel, on the Network Objects tab (the first tab), right-click Networks and select Network.
A new window pops up. Under the General tab specify the Name, Network Address and Net Mask, then switch to the NAT tab.
Select Add automatic address translation rules and the Hide behind Gateway option. Hide NAT rewrites the source of every outbound connection from this network to the address of the gateway interface it leaves through, so hosts on the LAN are not addressable from outside.
Create two new security rules: in the first, set the source to LAN_NETWORK and the destination to Any for any service; in the next, set source and destination to Any and the service to http. Note that the second rule admits http from anywhere to anywhere; on a production gateway scope it to the networks that actually need it.
The Hide NAT rule should look as below.
To push the configuration from the management console to the firewall module, select Policy from the top menu and click Install.
This displays the available firewall modules (only one here, but several may be present). Select the firewall module and click OK. It starts installing the policies and configuration on the selected module.
If all the configurations and policies are correct, it reports Installation completed successfully.
STATIC NAT
To configure static NAT we require two nodes: one for the available public IP and another for the internal private IP of the server (it can be any server, e.g. web, FTP or SMTP).
In the left panel, on the Network Objects tab (the first tab), right-click Nodes and select Host.
On the NAT tab select Add automatic address translation rules, choose the Static translation method and specify the free public address available.
Both newly created nodes appear under the Nodes option.
Static NAT for different Services
To perform static NAT from a single public IP to different private IPs in a DMZ based on the service, we look at a sample configuration. In the example below, go to the NAT tab and add manual static NAT rules according to the requirement: each rule matches the public IP plus one original service and translates the destination to the internal server for that service. Manual rules sit above the automatic rules in the NAT rulebase, so they take precedence.
The example below shows the manual NAT rule configuration. Once you drag and drop the public server object into the Translated column, a window pops up asking you to choose between the two options shown below (Static or Hide).
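To make the behaviour of the Hide NAT section and of the two static NAT variants concrete, here is an added example (not from the original guide and not Check Point code) that models how the gateway translates packets under those rules: automatic Hide NAT of LAN_NETWORK behind the gateway, automatic Static NAT for one server, and manual service-based static rules that spread one public IP over several DMZ hosts. The addresses, ports and server objects are constructed; the rule ordering (manual before automatic, static before hide) follows the order in which SmartDashboard lays out the NAT rulebase.

```python
# Added example: packet-level model of hide NAT, automatic static NAT and
# manual service-based static NAT (constructed addresses and objects).
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


GATEWAY_EXT_IP = "203.0.113.10"                        # eth0 address (constructed)
LAN_NETWORK = ipaddress.ip_network("192.168.10.0/24")  # network object, Hide behind Gateway

# Automatic static NAT on a host object: private <-> public, 1:1 in both directions.
AUTO_STATIC = {"192.168.10.20": "203.0.113.20"}

# Manual static rules "for different services": one public IP, destination
# translated according to the original service (hypothetical DMZ hosts).
MANUAL_STATIC = {
    ("203.0.113.30", 80): "192.168.10.31",   # web server
    ("203.0.113.30", 25): "192.168.10.32",   # mail server
}


class NatGateway:
    def __init__(self):
        self.hide_table = {}   # (src, sport, dst, dport, proto) -> hidden source port
        self.next_port = 10000

    def outbound(self, pkt):
        """LAN -> outside. Returns (translated packet, rule kind or None)."""
        if ipaddress.ip_address(pkt.dst) in LAN_NETWORK:
            return pkt, None                       # internal traffic is never translated
        if pkt.src in AUTO_STATIC:                 # static rules precede hide rules
            return replace(pkt, src=AUTO_STATIC[pkt.src]), "static"
        if ipaddress.ip_address(pkt.src) in LAN_NETWORK:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.hide_table:         # new connection: allocate a port
                self.hide_table[key] = self.next_port
                self.next_port += 1
            return replace(pkt, src=GATEWAY_EXT_IP, sport=self.hide_table[key]), "hide"
        return pkt, None

    def inbound(self, pkt):
        """Outside -> public addresses. Returns (translated packet, rule kind or None).

        None means no translation exists: either the packet is for the gateway
        itself or it is unsolicited traffic towards a hidden host, which is why
        Hide NAT leaves LAN hosts unreachable from the Internet."""
        if (pkt.dst, pkt.dport) in MANUAL_STATIC:  # manual rules are matched first
            return replace(pkt, dst=MANUAL_STATIC[(pkt.dst, pkt.dport)]), "manual"
        public_to_private = {pub: priv for priv, pub in AUTO_STATIC.items()}
        if pkt.dst in public_to_private:
            return replace(pkt, dst=public_to_private[pkt.dst]), "static"
        if pkt.dst == GATEWAY_EXT_IP:              # reply to a hidden connection?
            for (src, sport, dst, dport, proto), hidden_port in self.hide_table.items():
                if (pkt.dport, pkt.src, pkt.sport, pkt.proto) == (hidden_port, dst, dport, proto):
                    return replace(pkt, dst=src, dport=sport), "hide-reply"
        return pkt, None


if __name__ == "__main__":
    gw = NatGateway()
    out, kind = gw.outbound(Packet("192.168.10.50", 40000, "8.8.8.8", 53, "udp"))
    print(kind, out)        # hide: source becomes 203.0.113.10:10000
    back, kind = gw.inbound(Packet("8.8.8.8", 53, GATEWAY_EXT_IP, 10000, "udp"))
    print(kind, back)       # hide-reply: delivered to 192.168.10.50:40000
    print(gw.inbound(Packet("198.51.100.7", 5555, GATEWAY_EXT_IP, 22)))  # unchanged, None
```

The model shows the property that matters for the security policy: a host behind Hide NAT receives only replies to connections it opened, while a host with Static NAT is reachable on every port of its public address, so the security rulebase (not NAT) is what limits the services exposed.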
Authentication
Select the Users tab in the left panel, right-click the Users container, select New User and the default option.
Go to the Authentication tab and select Check Point Password.
Fill in the password fields.
Now we create a group and add the user to it.
In the left panel, on the Users tab, right-click the User Groups container and click New Group.
Select each user and add them to the group, including the generic user.
Creating the rule: a new rule should be created between the Stealth and Cleanup rules, as shown below. Right-click the Source section and select Add User/Access Rule.
Add LAN_NETWORK under specific networks and click OK.
Select the service according to the authentication scheme; in the Action column, right-click, go to Legacy and select User Auth.
Once the rule is created, double-click User Auth under Action and select All Servers. Install the policy to enable authentication.
External authentication
We look at the example of enabling authentication using a TACACS+ server as an external source. To define the TACACS+ server on Checkpoint we first create a node for it.
Once done, the TACACS+ server is listed under the Nodes option.
Go to the Servers and OPSEC Applications tab, right-click Servers, select New and click TACACS.
Specify a name for the TACACS+ server, for the Host option select the node created for the TACACS+ server, select the type TACACS+ and enter the secret key. The secret must match the one configured on the TACACS+ server; the protocol obfuscates the packet body with this secret alone, so choose a long random value and keep the server on a trusted management network.
Now in the left panel, on the Users tab, right-click External User Profiles, go to New External User Profile and select Match all users.
A new window opens.
Create a general user in the left panel under Users; we already have a user created, so right-click the username and click Edit.
A window opens; go to Authentication, select TACACS as the authentication scheme and select the TACACS server.
Creating the rule: create the rule as explained in the user authentication process, select the service according to the authentication scheme and, in the Action column, right-click, go to Legacy and select Session Auth.
The rule should look as below.
Now we go to Client Auth. Here a client software needs to be installed on the user's machine for authentication to happen; the configuration is the same as explained above, except that the Action column holds Client Auth. To see the sub-configuration under Client Auth, double-click it and configure accordingly.
Active Directory Integration with Checkpoint
To set up authentication using the user information stored in the LDAP server, the configuration is as below.
We can see that a new template named LDAP_Template is listed, as below.
Provide the necessary details for the creation of the LDAP server node.
Provide the necessary details for the LDAP Account Unit, make sure Microsoft_AD is selected from the drop-down and provide the domain name of the LDAP server.
Under the Servers tab of the LDAP Account Unit, provide the LDAP bind user name and password.
The Login DN has the form CN=administrator,CN=users,DC=netmetric,DC=com. The domain administrator is used here for simplicity; in production, bind with a dedicated account that only has read access to the users and groups the gateway needs, and enable SSL on the LDAP connection so that the bind password does not cross the network in the clear.
Go to the Objects Management tab and click Fetch branches; this pulls the domain information from the LDAP server.
New objects for the LDAP template, LDAP group and LDAP Account Unit appear under the objects tree.
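The Login DN and bind settings above are easy to get subtly wrong, so here is an added example (not part of the original guide) that reviews an Account Unit definition before it is saved: it derives the base DN from the domain name, checks that the Login DN sits under that domain, and flags the two weak choices a reviewer would catch, binding as the built-in Administrator and binding without SSL. The Login DN and the domain netmetric.com are the ones shown in the guide; the dictionary layout and the hardened service-account name are assumptions of this example.

```python
# Added example: sanity checks on LDAP Account Unit settings (constructed data).


def base_dn_from_domain(domain):
    """netmetric.com -> DC=netmetric,DC=com (how AD maps a DNS domain to a DN)."""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))


def parse_dn(dn):
    r"""Split 'CN=a,OU=b,DC=c' into [('CN','a'), ('OU','b'), ('DC','c')].

    An escaped comma (\,) stays inside its value, as RFC 4514 allows."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]      # keep the escape sequence verbatim
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(current)
            current = ""
        else:
            current += dn[i]
        i += 1
    rdns.append(current)
    return [tuple(part.strip().split("=", 1)) for part in rdns if part.strip()]


def review_account_unit(unit):
    """unit: {'domain', 'login_dn', 'port', 'ssl'}. Returns a list of findings."""
    findings = []
    rdns = parse_dn(unit["login_dn"])
    expected_base = base_dn_from_domain(unit["domain"])
    dn_suffix = ",".join(f"{k}={v}" for k, v in rdns if k.upper() == "DC")
    if dn_suffix.lower() != expected_base.lower():
        findings.append(f"login DN is not under {expected_base}")
    kind, name = rdns[0]
    if kind.upper() == "CN" and name.lower() == "administrator":
        findings.append("bind account is the built-in Administrator; use a dedicated "
                        "read-only account for the gateway")
    if not unit.get("ssl"):
        findings.append("bind is not over SSL; the simple-bind password crosses the "
                        "network in clear text")
    return findings


# The guide's settings as an Account Unit (constructed dictionary).
GUIDE_UNIT = {"domain": "netmetric.com", "port": 389, "ssl": False,
              "login_dn": "CN=administrator,CN=users,DC=netmetric,DC=com"}
# The same unit with a dedicated bind account and LDAP over SSL (hypothetical names).
HARDENED_UNIT = {"domain": "netmetric.com", "port": 636, "ssl": True,
                 "login_dn": "CN=svc-checkpoint-ldap,OU=Service Accounts,DC=netmetric,DC=com"}

if __name__ == "__main__":
    for label, unit in (("guide", GUIDE_UNIT), ("hardened", HARDENED_UNIT)):
        print(label, review_account_unit(unit) or ["OK"])
```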
If we want a session authentication agent to pop up on the user's machine on an authentication challenge, the Client Auth settings are as below; this window opens after double-clicking Client Auth under the Action column.
IPSec VPN
To configure the IPsec VPN, go to the Network Objects tab, right-click the CP module and click Edit.
To create an IPsec VPN between Checkpoint firewalls, right-click Check Point under Network Objects and select Externally Managed VPN Gateway.
A new window opens. Enter the remote Checkpoint gateway's name and IP address and verify the OS option; in this case we are using SecurePlatform (SPLAT for short).
Go to the Topology option, select Manually defined and select the remote network object.
To create a VPN between a Checkpoint and a non-Checkpoint firewall, right-click Network Objects and uncheck Do not show empty folders.
Right-click Interoperable Devices and click Interoperable Device.
Go to the Topology option, select Manually defined and select the remote network object.
Select the VPN Communities tab, right-click Site To Site, go to New Site To Site and click Meshed.
On the Participating tab, click Add and select all the firewalls.
Under the Shared Secret tab, select each firewall, click Edit and specify the shared secret key. Use a long random secret per peer; certificate-based authentication is preferable where both ends support it.
Under Advanced VPN options, select the appropriate DH groups (groups 1 and 2 are too weak for new deployments; use group 14 or stronger where both peers support it) and check Disable NAT inside the VPN community, so that traffic between the sites keeps its real addresses instead of being hidden behind the gateway.
Create a rule above the Stealth Rule and specify source and destination; under the VPN column, right-click and select Edit cell.
Select Only connections encrypted in specific VPN communities.
The policy should look like this:
Remote Access SSL VPN
To configure the Remote Access VPN, go to the Network Objects tab, right-click the CP module and click Edit.
Selecting a Demo application for testing
Creating a Test User