Checkpoint Part 2 – Installing GAiA – Smart Console

In the previous part we finished the VMware setup needed to launch the Checkpoint GAiA Virtual Edition 💡  Begin With Checkpoint.

We will now begin the procedure of installing GAiA(R76).


Installer notes (adapted from the Check Point R77.30 Installation Guide, "Installing the Gaia Operating System")

The Welcome menu lets the administrator request information on the identified hardware devices (Device List), install additional hardware drivers from a diskette (Add Driver), abort the installation (Cancel) or proceed with a normal installation (OK). Driver installation may be required for some hardware platforms, as indicated in the hardware configuration guidance. Only install drivers whose origin and integrity can be verified: either received directly from the hardware vendor through a verifiable delivery procedure, or checked by calculating the driver's hash and comparing it against the hashes published by Check Point or the hardware vendor. The guide mentions MD5 or SHA-1; neither is collision resistant any more, so prefer a SHA-256 value whenever the vendor publishes one and treat a match on MD5 alone as weak evidence. Note: in any case, do not install network interface card (NIC) drivers. NIC drivers are critical to the correct operation of the evaluated security functionality; installing unevaluated NIC driver code takes the product outside of its evaluated configuration.

If the installation is performed with a directly connected keyboard (instead of a terminal on the console port), the Keyboard Selection menu is displayed: select the keyboard type with the up and down arrow keys, then Tab to the OK button and press Enter.

The Partitions Configuration menu allows you to change the default partitioning of the machine.

The Account Configuration menu allows you to set the admin password.

The Networking Device menu is displayed if more than one network device is connected. Select the interface (link) with the up and down arrow keys, then Tab to OK and press Enter. Choose the interface you will later use to manage and configure the machine; you must know your network layout at this point so that the correct device becomes the management interface.

Once the link is selected you are prompted for the interface's network settings. In the Network Interface Configuration menu, specify the management interface IP address, netmask and default gateway, and select OK.

  • IP address – the IP address assigned to the network interface.
  • Netmask – the network mask for the IP address.
  • Default gateway IP – the IP address of the default gateway for the machine.

The Confirmation screen is displayed; select OK to proceed. The installer then formats the hard drive, installs the software packages and copies files. This can take several minutes, after which the Installation Complete screen is displayed; select OK to complete the installation.

The system now reboots. Make sure to remove the CD or diskette used during installation; on most systems the CD is ejected automatically after selecting OK in the Installation Complete menu. During the boot process an option to display a boot menu is offered. There is no need to select it; if the boot menu does appear, select Start in normal mode.



VMware Setup Review

+----------+-----------------+------------------------------------+------------------+
| Category | Components      | Virtual Components                 | Subnets          |
+----------+-----------------+------------------------------------+------------------+
| VMnet 0  | Smart Console   | Virtual Network 0                  | 192.168.0.0/24   |
|          |                 | Connected with physical computer   |                  |
+----------+-----------------+------------------------------------+------------------+
| VMnet 1  | Web Servers     | DSL VM                             | 192.168.1.0/24   |
|          |                 | Connected to Virtual Network 1     |                  |
|          |                 | Acts as a web server               |                  |
+----------+-----------------+------------------------------------+------------------+
| VMnet 2  | SOHO Components | DSL VM                             | 192.168.2.0/24   |
|          |                 | Connected to Virtual Network 2     |                  |
|          |                 | Acts as a client computer          |                  |
+----------+-----------------+------------------------------------+------------------+
| VMnet 8  | NAT Engine,     | Virtual Network 8                  | 192.168.137.0/24 |
|          | Public Network  | Connected to physical computer     |                  |
|          |                 | NATed and shared with the Internet |                  |
+----------+-----------------+------------------------------------+------------------+


Installation of GAiA

Start GAiA Virtual Machine from VMware Workstation (Open and Power On)

Install GAiA in Virtual Machine

Step 1 of 6 – User Agreement

Step 2 of 6 – Language Selection

Step 3 of 6 – Memory Allocation

Step 4 of 6 – User Account Configuration

Step 5 of 6 – Management Port Configuration (Port: Eth0 IP: 192.168.0.1/24)

Step 6 of 6 – User Confirmation


Verification of GAiA Virtual Machine

Launching the Checkpoint-VM

Verification of Management Connectivity (Ping test from cmd prompt)

From the physical host (192.168.0.2 on VMnet0) ping the management address 192.168.0.1 configured in step 5; a reply confirms that the VM's Eth0 is attached to the right VMnet before you try the web portal.

Checkpoint Firewall Gateway and Security Management Server Setup (Standalone Setup)

Topology Diagram


Network Adapter Status of VMnet0 (Host:: Physical Computer IP:: 192.168.0.2/24)


Browse the GAiA machine management IP (URL :: https://192.168.0.1)

Resolve the security exception error (SSL certificate authority unknown – locally signed SSL certificate)

The GAiA portal presents a certificate it signed itself at first boot, so the browser cannot chain it to a trusted CA. Add the certificate and confirm the security exception. Before doing so, compare the fingerprint the browser shows with the one recorded from the appliance itself (or, in this isolated lab, record it on first contact and check that it stays the same on later visits); a fingerprint that changes without a reinstall means something is intercepting the management session. Outside the lab, replace the locally signed certificate with one issued by your own CA so that administrators never learn to click through warnings on the management interface.
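As an added example (not from the tutorial and not Check Point code), the following Python script computes the SHA-256 fingerprint of the certificate a portal presents and applies a trust-on-first-use check against a small store, so that a later visit to https://192.168.0.1 is compared with the fingerprint recorded the first time instead of a fresh click-through. The host, port and the in-memory store are assumptions for this lab; the embedded sample bytes are constructed and are not real certificates.

```python
"""Added example (not tutorial or Check Point code): check the GAiA portal's
locally signed certificate by fingerprint instead of blindly accepting the
browser's security exception. Trust-on-first-use (TOFU) is used because the
lab has no CA: record the fingerprint once, then demand the same one."""
import hashlib
import ssl
from typing import Dict


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, colon separated the way browsers display it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def tofu_check(host: str, fingerprint: str, store: Dict[str, str]) -> str:
    """Return 'first-seen', 'match' or 'mismatch'.

    'mismatch' means the certificate changed since it was recorded: a reinstall,
    a deliberately replaced certificate, or something in the path intercepting
    the management session. Investigate; do not just click through again."""
    known = store.get(host)
    if known is None:
        store[host] = fingerprint
        return "first-seen"
    return "match" if known == fingerprint else "mismatch"


def check_live(host: str, port: int, store: Dict[str, str]) -> str:
    """Fetch the certificate the portal presents and run the TOFU check.

    Needs the lab network, e.g. check_live("192.168.0.1", 443, store). The
    certificate is fetched without chain validation on purpose: it is locally
    signed, and the fingerprint is the check."""
    pem = ssl.get_server_certificate((host, port))
    return tofu_check(host, fingerprint_sha256(pem), store)


# Constructed stand-ins, NOT real X.509 certificates: just enough to run the
# fingerprint and TOFU logic offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes standing in for a DER certificate")
SAMPLE_PEM_OTHER = ssl.DER_cert_to_PEM_cert(b"a different constructed certificate body")

if __name__ == "__main__":
    store: Dict[str, str] = {}
    fp = fingerprint_sha256(SAMPLE_PEM)
    print(fp)
    print(tofu_check("192.168.0.1", fp, store))   # first-seen
    print(tofu_check("192.168.0.1", fp, store))   # match
    print(tofu_check("192.168.0.1", fingerprint_sha256(SAMPLE_PEM_OTHER), store))  # mismatch
```

The store is a dictionary here; in practice persist it (a small JSON file is enough) so the comparison survives between sessions, and treat "mismatch" as an incident to explain, not a prompt to re-record.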

GAiA Portal Login


Confirmation Wizard


Date and Time Settings


Device Name – Domain Name – DNS Configuration


Management Interface Configuration – Network Connection Wizard


Configuring Installation Type (SMART / Multidomain)


Security Management GUI Policy Configuration (Users Administrative Rights)


SMART Architecture (Standalone / Distributed)


SMART Administrator Configuration

First Time Configuration Wizard – Complete Setup


Checkpoint(GAiA R-76) Web Console


Setting up the topology using the Network Configuration Wizard

+--------------------+-----------------+------------------+-----------------+------------------+
| Network Name       | VMware Network  | Checkpoint Port  | Components      | Subnets          |
+--------------------+-----------------+------------------+-----------------+------------------+
| SMART Mgmt Network | VMnet 0         | Eth0             | Smart Console   | 192.168.0.0/24   |
+--------------------+-----------------+------------------+-----------------+------------------+
| DMZ                | VMnet 1         | Eth1             | Web Servers     | 192.168.1.0/24   |
+--------------------+-----------------+------------------+-----------------+------------------+
| Office Network     | VMnet 2         | Eth2             | SOHO Components | 192.168.2.0/24   |
+--------------------+-----------------+------------------+-----------------+------------------+
| Internet           | VMnet 8         | Eth3             | NAT Engine,     | 192.168.137.0/24 |
|                    |                 |                  | Public Network  |                  |
+--------------------+-----------------+------------------+-----------------+------------------+



Download SmartConsole from the Checkpoint Web Wizard – SmartConsole Installation

SmartConsole Components

  • SmartDashboard
  • SmartView Tracker
  • SmartEndpoint
  • SmartLog
  • SmartDomain Manager
  • SmartEvent Intro
  • SmartEvent
  • SmartView Monitor
  • SmartReporter
  • SmartProvisioning
  • SmartUpdate

SmartConsole Tools

  • Check Point Go Password Reset
  • Secure Client Packaging Tool



Policy and Access Control Mechanism Using Smart Console

Now it is time to decide the access control policy that governs inbound and outbound traffic through the Checkpoint gateway. Here we take a simple example of an access control policy built in SmartDashboard. The table below describes how we are going to manage traffic in and out: IN means connections initiated from the Internet towards the network, OUT means connections initiated from the network towards the Internet.

+--------------------+-------------------+--------------------+-----------------+----------------+
| Network Name       | Internet Traffic  | Internet Traffic   | Components      | Subnets        |
|                    | IN (inbound)      | OUT (outbound)     |                 |                |
+--------------------+-------------------+--------------------+-----------------+----------------+
| DMZ                | YES (HTTP only)   | YES                | Web Servers     | 192.168.1.0/24 |
+--------------------+-------------------+--------------------+-----------------+----------------+
| Management Server  | NO                | YES                | Smart Console   | 192.168.0.0/24 |
+--------------------+-------------------+--------------------+-----------------+----------------+
| Office Network     | NO                | YES                | SOHO Components | 192.168.2.0/24 |
+--------------------+-------------------+--------------------+-----------------+----------------+

The diagram below describes the inward and outward flow of network traffic.


Network Components – DMZ(Linux Servers) – Office Network (Linux Host)

 

DMZ – Demilitarized Zone (Damn Small Linux – DSL server hosted in VMware Workstation) – Virtual Network Adapter: VMnet1

We have used a small stripped-down Linux distribution, Damn Small Linux (DSL), hosted in VMware Workstation. Please open the link to download it ➡ DSL Linux GUI Version Download Link. Below is the snapshot of the DSL setup in VMware. We have given it one virtual network adapter (VMnet1) as described in the topology diagram above. Here we set up the IP address (192.168.1.4/24) of the DMZ server and also hosted a web service on the same server. The network adapter of the DMZ server is attached to the VMnet1 virtual network.

Office Host – Internal office network component (DSL host virtual machine) – Virtual Network Adapter: VMnet2

Here we also used the same DSL OS, but no server has been set up on it. We have given it one virtual network adapter (VMnet2) as described in the topology diagram above. Here we set up the IP address (192.168.2.4/24) of the Linux host. The network adapter of the Linux host is attached to the VMnet2 virtual network.


Policy Implementation Using Smart Console

Once again, take a look at the policy structure of the topology in the access-control table above.

To implement the above policy in the SMART topology we have used the SmartConsole wizard (the SmartDashboard component).

SmartDashboard Login


Network Objects

The components of the above topology are treated as network objects in the Checkpoint platform. These objects are of three types: Gateway, Nodes and Networks.

Gateway : Checkpoint R-76

There can be one or more gateways in a SMART topology. The Checkpoint appliances (hardware or, as here, a virtual machine) deployed in a distributed or centralized manner are treated as the gateways.

Nodes: SMART Console

Nodes are the end devices of the SMART topology. The SmartConsole machine is an end device here, so it is treated as a node.

Networks: DMZ, Internal Office, Internet

Networks are the subnets connected via different interfaces of the FW-GW.

Access Control Policy

We will now discuss how to set up a rule using network objects, protocol/port numbers, actions and targets. Every rule has a unique name and consists of the following fields. SmartDashboard evaluates the rules top-down and applies the first one that matches, so the order of the rules matters.

  • Name : <any name>
  • Source : <network object>/<ip address>/<subnet>/<host>/<any>/<none>
  • Destination : <network object>/<ip address>/<subnet>/<host>/<any>/<none>
  • Type of traffic (VPN column) : <VPN community>/<any>
  • Service / protocol number / port number : <http>/<port 80>/<https>/<icmp>
  • Action : <accept>/<drop>/<reject> (these are the names SmartDashboard uses; "allow" and "deny" in this tutorial mean accept and drop)
  • Target of action (Install On) : <FW-GW>

Example:

+------------+--------+-------------+-----------------+-----------------+--------+----------------+
| Name       | Source | Destination | Type of Traffic | Type of Service | Action | Target         |
+------------+--------+-------------+-----------------+-----------------+--------+----------------+
| allow_icmp | any    | any         | any             | icmp            | accept | Checkpoint-R76 |
+------------+--------+-------------+-----------------+-----------------+--------+----------------+

The above rule accepts all ICMP traffic in both directions. The snapshot below shows the rules implemented in Checkpoint. There are three rules implemented above.

  1. Allow_icmp : accept ICMP (ping, traceroute) traffic in both directions. Note that Linux traceroute sends UDP probes by default, so with an ICMP-only rule use traceroute -I (Windows tracert uses ICMP echo and needs no option).
  2. Allow-HTTP-DMZ-Inbound : allow Internet users to access the HTTP service in the DMZ from outside.
  3. Allow-Internet-Office-Outbound : allow internal office users to reach the Internet, but not vice versa. Connections initiated from the Internet towards the office network match no accept rule and are dropped; add an explicit Cleanup rule with logging at the bottom of the rule base so that these drops are visible in SmartView Tracker.

Installation of policy

After creating the rules, open the policy installation wizard from SmartDashboard (Install Policy). Then choose the target gateway on which the policy is to be installed.

Verification of policies

1. Allow_icmp

From the office host we can now ping its own network's addresses (192.168.2.4 and 192.168.2.1) and the DMZ side (the DMZ server 192.168.1.4 and 192.168.1.2).

2. Allow HTTP

We can now browse the website hosted on the DMZ server (IP :: 192.168.1.4, URL :: http://192.168.1.4) from the office host. This test passes only if the source of Allow-HTTP-DMZ-Inbound is Any (or includes the office network); if the source is restricted to the Internet object, office users will not reach the DMZ web server.

The two positive tests show that the accept rules work. Also test the negative cases, for example a connection from the DMZ server to the office host, which should fail, and confirm in SmartView Tracker that each test hit the rule you expected rather than a broader one.
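To make the access control policy and its verification concrete, here is an added example (not from the tutorial and not Check Point code): a Python model of the three rules above with Check Point's first-match semantics, an explicit Cleanup rule (assumed; the tutorial does not show one), anti-spoofing derived from the topology table, and a verification matrix that contains the two checks the tutorial runs plus the negative checks a reviewer would want. It assumes the source of Allow-HTTP-DMZ-Inbound is Any, which is what makes the office-to-DMZ HTTP check pass; the Internet address 203.0.113.10 is a constructed documentation address.

```python
"""Added example, not Check Point code: first-match model of the tutorial's rule base and
topology. Rules are checked top-down and the first match wins; anti-spoofing drops a packet
whose source is not behind the interface it arrived on. Only a connection's first packet is modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Network objects from the tutorial's topology table.
NETWORK_OBJECTS = {
    "Mgmt":   ipaddress.ip_network("192.168.0.0/24"),   # SMART Mgmt Network
    "DMZ":    ipaddress.ip_network("192.168.1.0/24"),
    "Office": ipaddress.ip_network("192.168.2.0/24"),
}
# Interface -> object behind it; "Internet" means none of the internal networks.
TOPOLOGY = {"eth0": "Mgmt", "eth1": "DMZ", "eth2": "Office", "eth3": "Internet"}


@dataclass(frozen=True)
class Flow:
    ingress: str                 # interface the first packet arrives on
    src: str
    dst: str
    proto: str                   # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                     # "Any", "Internet" or a NETWORK_OBJECTS key
    dst: str
    service: str                 # "Any", "icmp" or "<proto>/<port>", e.g. "tcp/80"
    action: str                  # "accept" or "drop"


def matches_object(addr: str, obj: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if obj == "Any":
        return True
    if obj == "Internet":
        return not any(ip in net for net in NETWORK_OBJECTS.values())
    return ip in NETWORK_OBJECTS[obj]


def matches_service(flow: Flow, service: str) -> bool:
    if service == "Any":
        return True
    if service == "icmp":
        return flow.proto == "icmp"
    proto, port = service.split("/")
    return flow.proto == proto and flow.dport == int(port)


def is_spoofed(flow: Flow) -> bool:
    """Anti-spoofing: the source must belong to the network behind the ingress interface."""
    return not matches_object(flow.src, TOPOLOGY[flow.ingress])


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, name of the rule that decided it) using first-match semantics."""
    if is_spoofed(flow):
        return ("drop", "anti-spoofing")
    for rule in rules:
        if (matches_object(flow.src, rule.src) and matches_object(flow.dst, rule.dst)
                and matches_service(flow, rule.service)):
            return (rule.action, rule.name)
    return ("drop", "implicit-drop")      # the gateway's verdict when nothing matches


# The tutorial's three rules plus an explicit Cleanup rule (assumed). Rule 2's source is
# Any because the tutorial verifies HTTP from the Office host to the DMZ.
RULES = [
    Rule("Allow_icmp", "Any", "Any", "icmp", "accept"),
    Rule("Allow-HTTP-DMZ-Inbound", "Any", "DMZ", "tcp/80", "accept"),
    Rule("Allow-Internet-Office-Outbound", "Office", "Internet", "Any", "accept"),
    Rule("Cleanup", "Any", "Any", "Any", "drop"),
]

# Verification matrix: the tutorial's two checks plus negative checks. 203.0.113.10 is constructed.
VERIFICATION = [
    ("office -> dmz ping (tutorial check 1)",
     Flow("eth2", "192.168.2.4", "192.168.1.4", "icmp"), ("accept", "Allow_icmp")),
    ("office -> dmz http (tutorial check 2)",
     Flow("eth2", "192.168.2.4", "192.168.1.4", "tcp", 80), ("accept", "Allow-HTTP-DMZ-Inbound")),
    ("internet -> dmz http",
     Flow("eth3", "203.0.113.10", "192.168.1.4", "tcp", 80), ("accept", "Allow-HTTP-DMZ-Inbound")),
    ("office -> internet https",
     Flow("eth2", "192.168.2.4", "203.0.113.10", "tcp", 443), ("accept", "Allow-Internet-Office-Outbound")),
    ("internet -> office ssh ('not vice versa')",
     Flow("eth3", "203.0.113.10", "192.168.2.4", "tcp", 22), ("drop", "Cleanup")),
    ("dmz -> office smb (a compromised DMZ host must not reach inside)",
     Flow("eth1", "192.168.1.4", "192.168.2.4", "tcp", 445), ("drop", "Cleanup")),
    ("internet packet claiming an office source address",
     Flow("eth3", "192.168.2.4", "192.168.1.4", "tcp", 80), ("drop", "anti-spoofing")),
]


def run_verification(rules: List[Rule] = RULES) -> List[str]:
    """One line per check whose verdict differs from the expectation; empty means all pass."""
    failures = []
    for description, flow, expected in VERIFICATION:
        got = evaluate(flow, rules)
        if got != expected:
            failures.append(f"{description}: expected {expected}, got {got}")
    return failures
```

Running run_verification() against RULES returns an empty list. Swapping rule 2's source to "Internet" makes the office-to-DMZ HTTP check fail with ("drop", "Cleanup"), which is the quickest way to see why the tutorial's second verification depends on that source object; removing the Cleanup rule changes the negative verdicts to "implicit-drop", the same traffic outcome but without a log line, which is why the explicit Cleanup rule is worth keeping.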


We will keep you posted on this topic. Thank you.