For a Check Point Appliance, this step takes several minutes and ends with a required reboot (to reboot, hold Ctrl+C):
The installation program checks the hardware platform to verify that it is compatible with the Gaia hardware requirements. If the hardware is suitable, the Welcome menu is displayed:
Select keyboard type by using the up and down arrow keys, then use tab to navigate to the OK
button and press Enter.
5. The Partitions Configuration menu allows you to change the default partitioning of the machine.
7. The Networking Device menu is displayed if more than one network device is connected. Select the network interface (link) with the up and down arrow keys, then use Tab to navigate to the OK button and press Enter. Select the interface you will later connect to for management and configuration of the machine. At this step you must know your network layout, so that the device you select is the one that will serve as the management interface.
8. Once the correct link is selected, you are prompted for additional data for the network interface configuration. In the Network Interface Configuration menu, specify the management interface IP address, netmask and default gateway, and select OK.
IP address - The IP address assigned to the network interface.
Netmask - The network mask for the IP address.
Default gateway IP - The IP address of the default Gateway assigned to your machine's IP
address.
This step can take several minutes, after which the Installation Complete screen is displayed.
Select OK to complete the installation:
11. The system will now reboot. Make sure to remove the CD, or diskette that you used during the
installation process. On most systems the CD will be ejected automatically after selecting OK in
the Installation Complete menu.
12. During the boot process, an option is presented to display a boot menu. There is no need to
select this option. If the boot menu is displayed, select the Start in normal mode option.
Console Login
1. Log in to the Gaia console interface:
First Time Login - If you are logging in for the first time, use admin with the password you chose, or admin as both username and password in the case of a Check Point Appliance.
Note - The password for the admin account is only used for the installation
process. Do not perform a console login once the evaluated configuration is
operational.
3. To continue the installation, bind the Gaia Portal to a specific port:
Type "set web ssl-port <port_number>"
Type "y" and press Enter to confirm.
1. Connect to the Gaia Portal over HTTPS on the port defined above. A certificate warning is expected at this stage, because the portal presents its initial self-signed certificate; accept it only when connecting over the trusted management network configured during installation:
3. The Welcome window is displayed, showing the detected platform. Click Next.
Click Next.
5. The Management Connection window is displayed:
Click Next.
Click Next.
7. The Device Name window is displayed:
Type the desired host name, domain name, and DNS servers. Click Next to continue.
8. The Date and Time Settings window is displayed:
Set the current Date, Time and Time Zone. Click Next.
Click Next.
10. The Products window is displayed:
Select both the Security Gateway and Security Management product. Click Next.
11. The Alert window is displayed:
Click Yes.
12. For the Primary Management server, the Security Management Administrator window is
displayed:
Check that the Summary is OK. Click Finish and approve it by clicking Yes.
15. Run: "fw unloadlocal" (this unloads the policy currently enforced by the local gateway, so the machine is unprotected until a policy is installed; keep it on an isolated network meanwhile).
Installing HFAs
1. Install the required addon/HF:
a) Copy the Check_Point_R77_30_T204_Add-on_Gaia.tgz to the machine.
b) Run: “tar xvfz Check_Point_R77_30_Add-on_linux.tgz”
c) Run: “./UnixInstallScript”
d) Reboot
2. Install the required HF:
a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: “tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz”
c) Run: “./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1”
d) Reboot
3. Install the required HF:
a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: “tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz”
c) Run: “./sim_HOTFIX_R77_30_CERT_HF_990050002_1”
d) Reboot
4. Install the required HF:
a) Copy the SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz to the machine.
b) Run: “tar xvfz SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz”
c) Run the installer script extracted from the archive in step b (the .tgz archive itself is not executable).
d) Reboot
Installation Settings
1. Enter the following commands from the console in expert mode to disable functionality that is not
available in the evaluated configuration (optional):
cpd_config -d avsu
cpd_config -d RemoteLic
cpd_config -d SicUpgrade
cpd_config -d RoamingAdmin
cpd_config -d dlpSync
cpd_config -d PAServerAddon
cpd_config -d PAHBServerAddon
cpd_config -d LSMServerAddon
2. You may now perform any or all of the configuration steps described in the Installation Settings
that require Security Management Server console access before you move on to the next step.
These steps describe installation settings that have been documented and evaluated as being
compatible with the evaluated security policy.
3. The Welcome window is displayed, showing the detected platform. Click Next.
Click Next.
5. If the Security Gateway is a Check Point Power Appliance, the Authentication Details window
is displayed:
Use the Network Connection menu to configure your management network connection.
Configure its IP address, netmask and default GW. Click Next.
7. If the Security Gateway is on an Open Server, the Date and Time Settings window is displayed:
Set the current Date, Time and Time Zone. Click Next.
8. The Device Name window is displayed:
Type the desired host name, domain name and DNS servers. Click Next to continue.
Click Yes.
11. The Dynamically Assigned IP window is displayed:
Click Next.
15. Check that the Summary is OK. Click Finish and approve it by clicking Yes.
16. Run: "fw unloadlocal" (the gateway then enforces no policy until one is installed from the management server; keep it isolated meanwhile).
Installing HFAs
1. Install the required HF:
a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: “tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz”
c) Run: “./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1”
d) Reboot
2. Install the required HF:
a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: “tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz”
c) Run: “./sim_HOTFIX_R77_30_CERT_HF_990050002_1”
d) Reboot
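Both hotfix sequences in this guide (the management server's add-on and hotfixes above, and the gateway's fw1_wrapper and sim hotfixes here) follow the same copy, extract, run, reboot pattern. The script below is an added example, not Check Point's own installer and not part of this guide: it performs one such installation only after the archive's checksum matches the value published with the download, and it extracts into a scratch directory instead of whatever directory the shell happens to be in. The expected-hash argument, the sha256_of helper and the scratch directory are assumptions of this example; if the published checksum is MD5 rather than SHA-256, substitute md5sum in the helper.

```shell
#!/bin/sh
# Added example (not Check Point tooling): install one hotfix archive the way
# the steps above do, but verify its checksum first and extract it into a
# scratch directory. The installer name is whatever the archive contains
# (e.g. UnixInstallScript or fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1).

# Print the SHA-256 of a file. Gaia ships GNU coreutils (sha256sum); the
# fallback covers hosts that only have shasum. (Assumption: one of the two exists.)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_hotfix <archive.tgz> <expected-sha256> <installer-name-inside-archive>
# Returns 0 when the installer ran successfully:
#   1 = missing archive / extraction problem, 2 = checksum mismatch,
#   3 = installer not found in archive, 4 = installer exited non-zero.
install_hotfix() {
    archive="$1"; expected="$2"; installer="$3"
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }

    # Refuse to touch an archive whose checksum does not match the published value.
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive (got $actual)" >&2
        return 2
    fi

    # Extract into a fresh scratch directory, never into the current one.
    workdir=$(mktemp -d) || return 1
    tar xzf "$archive" -C "$workdir" || { echo "extract failed: $archive" >&2; return 1; }

    if [ ! -x "$workdir/$installer" ]; then
        echo "installer $installer not found (or not executable) in $archive" >&2
        return 3
    fi

    # The installers on this page are run as ./<name> from their own directory.
    (cd "$workdir" && "./$installer") || { echo "installer failed: $installer" >&2; return 4; }
    echo "installed $archive; reboot before installing the next hotfix"
    return 0
}

# Typical invocation (hash value is a placeholder, not a real published checksum):
# install_hotfix sim_HOTFIX_R77_30_CERT_HF.tgz <published-sha256> sim_HOTFIX_R77_30_CERT_HF_990050002_1
```

Run it once per archive and reboot between installations as the steps above require; the script prints the reminder but does not reboot by itself. Any non-zero return means the hotfix was not applied and the sequence must stop there.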
Check Point Software Technologies LTD. R77.30 Installation Guide Version1.0 | 21
Evaluation Configuration
Installation Settings
1. Enter the following commands to disable functionality that is not available in the evaluated
configuration using expert mode:
cpd_config -d avsu
cpd_config -d RemoteLic
cpd_config -d SicUpgrade
cpd_config -d dlpSync
cpd_config -d LSMAgentAddon
cpd_config -d simplePA
sed -i -e 's/.*stormd.*//' $FWDIR/conf/fwauthd.conf
sed -i -e 's/.*sdsd.*//' $FWDIR/conf/fwauthd.conf
sed -i -e 's/.*dlp.*//' $FWDIR/conf/fwauthd.conf
(The third pattern is written as a literal "dlp": a pattern of "dlp*" would apply the "*" only to the "p" and so blank every line containing "dl".)
2. It is highly recommended (though not required) to set up an NTP client on all Security Gateways
and on the Security Management Server in order to synchronize clocks with an NTP time server:
# ntp <secret> <interval> <server1> [<server2> [<server3>]]
# ntpstart
(Where <secret> is the NTP server MD5 shared secret, <interval> is the polling interval in
seconds, and server1, server2, server3 are IP addresses for NTP servers that are to be polled.)
Note - If you configure NTP, specify a shared secret <secret> to protect NTP
communication. Secrets should be chosen out of a sufficiently large range (at least 16
random octets) in order to provide protection against exhaustive search attacks. It is also
recommended to periodically change shared secrets.
3. Exit expert mode. From clish, disable the WebUI (after this the machine is administered from the console or SSH only):
set web daemon-enable off
4. You may now also perform any or all of the configuration steps described in Installation Settings
that require Security Gateway console access before you move on to the next step. These steps
describe additional installation settings that have been documented and evaluated as being
compatible with the evaluated security policy.
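Step 1 of Installation Settings (here for the gateway, and its counterpart for the management server earlier) disables cpd features one by one and blanks three fwauthd.conf entries with sed. The script below is an added example, not Check Point's own tooling and not part of this guide: it applies the same changes but keeps a backup of fwauthd.conf, matches the daemon names literally, and verifies afterwards that the removed daemons are gone and nothing else was blanked. It assumes $FWDIR is set (it is in expert mode), takes the feature and daemon names from this page, and makes the cpd_config command name overridable only so the functions can be exercised on a host without Check Point software.

```shell
#!/bin/sh
# Added example (not Check Point tooling): apply the "Installation Settings"
# step 1 changes as checked functions rather than hand-typed commands.
# Run from expert mode on the gateway. CPD_CONFIG defaults to the real
# cpd_config; it is overridable for testing on a non-Check Point host.

CPD_CONFIG=${CPD_CONFIG:-cpd_config}

# disable_features <feature>... : run "cpd_config -d" for each name,
# stopping at the first failure so a typo does not silently skip a feature.
disable_features() {
    for feature in "$@"; do
        "$CPD_CONFIG" -d "$feature" || { echo "cpd_config -d $feature failed" >&2; return 1; }
    done
}

# prune_fwauthd <fwauthd.conf> : blank the entries for the daemons outside the
# evaluated configuration (same effect as the guide's three sed commands), with
# a backup copy and a post-check. The alternation matches each name literally;
# the guide's "dlp*.*" pattern would also blank any line containing "dl".
prune_fwauthd() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.pre-cc" || return 1           # backup before editing
    sed -E -i.bak -e '/(stormd|sdsd|dlp)/s/.*//' "$conf" || return 1
    rm -f "$conf.bak"
    # Post-check: none of the removed daemons may remain.
    if grep -Eq '(stormd|sdsd|dlp)' "$conf"; then
        echo "prune failed: $conf still references a removed daemon" >&2
        return 1
    fi
}

# count_entries <fwauthd.conf> : number of non-blank lines, to confirm that
# only the intended entries were blanked (compare before and after).
count_entries() {
    grep -c '[^[:space:]]' "$1" || true
}

# Typical invocation on the gateway, using the feature list from this page:
# disable_features avsu RemoteLic SicUpgrade dlpSync LSMAgentAddon simplePA
# before=$(count_entries "$FWDIR/conf/fwauthd.conf")
# prune_fwauthd "$FWDIR/conf/fwauthd.conf"
# after=$(count_entries "$FWDIR/conf/fwauthd.conf")
# echo "fwauthd.conf entries: $before before, $after after"
```

The before/after entry counts should differ by exactly the number of stormd, sdsd and dlp lines present in the file; any larger difference means the pattern matched something it should not have, and the .pre-cc backup lets you restore the file and look.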
Evaluation Configuration
1. Set routes on the GW, SA and windows machines.
2. Run: "set web daemon-enable off".
3. For automation, install the Automation Agent:
a) In /var: tar -zxf SPLAT_AIG_PACKAGE_516.tgz
b) chsh -s /bin/tcsh root
c) export LC_ALL=C
d) ./install_splat.csh
e) Edit the $FWDIR/conf/defaultfilter.pf file and add the following entry:
all@all
accept (tcp, inbound, (dport = 12321 or sport = 12321), DEFAULT_RECORD());
f) Run $FWDIR/bin/comp_init_policy to recompile the new initial policy.
g) Change /etc/init.d/aigagent
h) chmod 777 /etc/init.d/aigagent (a test-harness setting; a world-writable init script must not be left on a production system)
i) /etc/init.d/aigagent stop; /etc/init.d/aigagent start
j) In /tmp: tar -xvzf FireBall-Agent-0.37.tar.tar
k) perl install_AIG.pl
l) reboot
m) fw ver -f check
n) cat check
o) mkdir $FWDIR/conf_<build number>
p) chmod 777 $FWDIR/conf_<build number>
q) cp -rf $FWDIR/conf/* $FWDIR/conf_<build number>/
r) touch $FWDIR/conf_<build number>/finishedcopy
4. On the SA run: "fips_mgmt on"
5. For automation: add to /etc/ntp/keys: 45 M hello (a test-harness value; a production key must meet the secret-length guidance in Installation Settings step 2).
6. For automation: edit $FWDIR/conf/fwauthd.conf accordingly:
21 fwssd in.aftpd wait -1
23 fwssd in.atelnetd wait -1
25 fwssd in.asmtpd wait -1
7. Using CLI, execute "expert" and type the administrator password.
8. Run the command "echo export PASSWORD_MIN_LENGTH=15 > /etc/environment" (note that the single > replaces any existing contents of /etc/environment; use >> if the file already holds other settings).
9. Open GUIDBEdit > set the "enable_internal_user_password_validation" to true, save and exit.
10. Enable GUI timeout on the GUI machine:
a) Run "regedit".
b) HKEY_CURRENT_USER > Software > CheckPoint > Management Clients > 6.4.3 >
R77.30 > Check Point Smart Dashboard > General Settings.
c) Create new DWORD entry, name it ExitOnTimeout, set its value to 1 and exit.
11. Uncomment the line below from the $FWDIR/lib/table.def file on both SA and GW:
allowed_ipv6_extension_headers = { <EXTHDR_ROUTING>, <EXTHDR_HOPOPTS>,
<EXTHDR_DSTOPTS>, <EXTHDR_AH>, <EXTHDR_MOBILE> };
12. Set host names on the GW, SA and Windows machines (CA hostname) by appending an entry to /etc/hosts, for example:
echo '10.90.49.202 w2k8ca' >> /etc/hosts
13. Add an environment variable by editing $CPDIR/tmp/.CPprofile.sh and adding the following line:
USE_ONLY_GOOD_ENTROPY=1 ; export USE_ONLY_GOOD_ENTROPY
14. Open Smart Dashboard and edit the SA object (Right Click > Edit), set the IPsec VPN, IPS, and
Monitoring blades.
15. Open the Topology tab > Get > Interface with Topology… > Yes > Accept.
16. Create new Security GW object (Right click on Check Point > Security
Gateway/Management… > Classic Mode), set the IPsec VPN, IPS, and Monitoring blades.
17. Establish SIC.
18. Create a new Security GW object (Right click on Check Point > Security
Gateway/Management… > Classic Mode), set the IPsec VPN, and Monitoring blades.
25. Define the CA and retrieve the certificates from it according to the external CA documentation (disable CRL caching). In Global Properties, disable "Accept control connections" and "Accept outgoing packets originating from Gateway". Because the implied rule for control connections is disabled, the control services (CPMI, CPD, FW1_ica_services and the rest) must be accepted by explicit rules in the rule base, as the policy defined later in this procedure does.
Launch Menu > Manage > Network Objects > New > Group > Group with Exclusion: Name: VPN_Group. In Objects In, select encryption_net. In Except, select excluded_net.
4. Issue external certificates for each of the gateways/clusters/VS (according to the External CA
documentation).
5. Configure VPN topology with a Site to Site star community topology:
a) Gateway A (SA1): center gateway.
b) Gateway B (GW1): remote gateway (Satellite gateway).
Gateway A is the central gateway of a simple star community.
Gateway B is a satellite gateway member of the same community.
6. Click on Manage > VPN Communities > New > Site To Site > Star. In Name, enter
Star_Community.
7. Behind gateway A is host A (fw_host), behind gateway B is host B (gw1_host) Create a network
object group named Common_Group. Put all gateways and hosts in it.
8. Encryption > select Custom Encryption
The community VPN parameters:
IKE Properties:
Key Exchange Encryption: AES-256.
Data Integrity: SHA-256.
IPSec Properties:
IPSec Data Encryption: AES-256.
Data Integrity: SHA-256.
9. Change the DH group into group 14.
10. Excluded services tab > add the IKE service to the list.
11. Edit the SA1 object: in Topology, under VPN Domain, select the Manually defined check-box and select VPN_Group.
12. Install the policy on the remote member.
13. Check on the remote member that the policy was installed using "fw stat".
14. Install the policy on the SA1.
---GW SIC established---
15. Edit the GW properties > "IPSec VPN" > add the RA community > "VPN Clients" > set only the
"Endpoint Security VPN" and pick the relevant certificate > "Office Mode" > check the "Allow
Office Mode to all users" > OK.
16. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only
check-box.
17. Assign the SA to the Remote Access community: in IPSec VPN tab > Communities > Right click
on Remote Access community > Edit > Participating Gateways tab> Add the Stand Alone
Management machine (SA1).
18. Before running the next step (creating external CA) verify that the signature algorithm of your CA
server is ECDSA SHA256/SHA384
19. (Optional) Go to your CA machine > open certificate authority client > right click on your CA >
properties > general tab > select the certificate #0 > view certificate > Details > make sure
signature algorithm value is ECDSA SHA256/SHA384
20. Configure the Stand Alone Management (SA1) to work with the external CA according to the
External CA Guide.
21. On the Stand Alone Management (SA1) properties:
a) VPN Clients > Office Mode > Check the box Allow Office Mode for all users and select the
default pool.
b) (Optional) Add route on SA1: default office mode network -> connecting machine
(192.168.90.202)
22. Enable Visitor Mode on the SA: VPN Clients > Remote Access > Select the Support visitor mode
check-box. In Machine Interface drop-down list, select All Interfaces, (Optional) check the
Allow Secure Client to route traffic through this gateway
23. In VPN Clients tab, select both EndPoint Security VPN and SSL Network Extender checkboxes.
24. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only
check-box.
25. Open Launch menu > Manage > Users and Administrators > New > User Group to create a user
group named allow_group > OK
26. Open Launch menu > Manage > Users and Administrators > New > User by Template > Default
> Define the User Name as admin_user > Groups tab > Add it to allow_group > OK > Close.
27. IPSec VPN tab> Communities > Right click on RemoteAccess community > Edit > Participant
User Groups tab > Add > Select the allow_group user group > OK.
28. "Remote Access" > "VPN - Authentication" > "Edit" > "IKE" tab > set the "Use encryption
algorithm" to "AES-128", the "Use Data Integrity" to "SHA256" and the "Diffie-Hellman groups" to
"Group 14 (2048 bit)" > "IPSEC Security Association (Phase 2)" tab > set "Encryption Algorithm"
to "AES-128" and "Data Integrity" to "SHA-256" > OK , OK.
29. Define and install the policy (columns: Source | Destination | VPN | Service | Action | Track):
Any | Any | Any | IKE
Any | Firewalled_gateways | Any | IKE, IKE_tcp, IKE_NAT_TRAVERSAL, FW1_ica_services, CPMI, CP_rtm, CPD, CPD_amon, tunnel_test, FW1_topo, FW1_amon, FW1_ela, FW1_lea, FW1_log, FW1_ica_pull, FW1_ICA_push, https | Accept | None
Allow_group@any | Any | RemoteAccess | Any | Accept | Log
Any | CAWin2K8 | Any | HTTP, LDAP | Accept | Log
Any | Firewalled_gateways | Any | FW1_topo | Accept | None
30. Connect to the SA according to the instructions in the Endpoint_security_guide.
31. Connect using the Smart Dashboard to the SA internal IP address.
---Client SIC established---
General Guidance
1. To DISCARD traffic, use a "drop" rule; to BYPASS traffic, use an "accept" rule; to PROTECT traffic, create a VPN community.
2. For creating a rule, use the "add rule" buttons:
4. For changing the Phase 1 and Phase 2 rekey edit the VPN community > Advanced Settings >
Advanced VPN Properties > change renegotiation for IKE and IPSec.