Checkpoint Gateway and Managers

How to set up a Checkpoint environment

14 July 2017   8 min read

Checkpoint firewalls are not zone-based firewalls, so their policy works differently from ASA and Juniper. A typical build consists of Security Gateways managed by a centralised Management Server using the Checkpoint Smart Dashboard software. Firewall policies are created and managed on the management server and pushed to the security gateways.

Build

The software deployed on a management server and a gateway is the same; you just need to designate the device's role when running through the initial First Time Configuration Wizard. A distributed deployment is when the gateway and management server are deployed as one appliance.

Use the following specifications when deploying in ESX (VMtools are automatically installed):

  • Guest OS: Other Linux (32 bit)
  • CPU: 2 Cores per socket
  • Memory: Minimum 4GB (works with 2, but need 4 for initial build)
  • SCSI Controller: LSI Logic Parallel
  • Disk: Thick Provision Lazy Zeroed (At least 70GB for manager, 32 for gateway)

Mount the ISO and, when prompted, choose the size of the partitions, the admin password and the IP address of the interface the device will be managed from. If the VM has insufficient memory during the build it will get stuck on Finalize Configuration in the wizard.
Once the initial OS (GAIA) has been installed, log in via a web browser (GAIA portal) and run the First Time Configuration Wizard. Once this has been done, any other settings can be configured via SSH or the GUI.

Manager

After configuring the IP details, DNS and NTP, select Security Gateway or Security Management on the Installation Type window.

In the Products window select Security Management and under Define Security Management set the device as Primary. In an HA setup you could select Secondary, or, if the device is only going to be a reporter, Log server / SmartEvent only.

On the next window create an Administrator user. The default admin account has privileges for SSH and web GUI access to the device itself, whereas the administrator account will be the main account used in the Smart Dashboard. Optionally set the networks that are allowed to access the device. Only once the First Time Wizard is complete can the remaining configuration be done from the CLI.

To change any of the wizard-configured settings:

set dns suffix stesworld.com
set dns primary 10.10.20.254
set dns secondary 8.8.8.8
set domainname stesworld.com
set hostname ckp-mgmt1
set ntp active on
set ntp server primary 10.10.10.51 version 3
set management interface eth0

Turn off automatic updates, then configure SNMP, users and the banner:

set installer policy check-for-updates-period 0
set installer policy periodically-self-update off

set snmp agent on
set snmp community st3sw0r1d_c0mmun1ty read-only

add snmp interface eth0
set snmp location DC1

add user user1 uid 0 homedir /home/
set user user1 gid 100 shell /bin/bash
set user user1 password
add rba user user1 roles adminRole

set message banner on msg value my_banner
set message motd on msg value my_message

Smart Dashboard is used to log in to the managers and administer them; it can be downloaded directly from the manager.

Gateway

The installation procedure is the same as for the managers. Only the one management interface needs to be defined in the First Time Configuration Wizard; others can be configured afterwards. On the Products page select Security Gateway and tick Automatically download Blades Contracts and other important data.

The Secure Internal Communication (SIC) one-time password is what will be used to form the trust between the gateway and the Management Server.

Once the installation is complete, log into the CLI to add additional interfaces and any other configuration such as routing:

set installer policy check-for-updates-period 0
set installer policy periodically-self-update off
installer agent update                                   Manually update the agent once periodic updates are off
set snmp agent on
set snmp community my_c0mmun1ty read-only
add snmp interface eth1
set snmp location home
add netflow collector ip 10.10.10.71 port 2055 export-format Netflow_V9 srcaddr 172.168.255.4 enable yes

set interface eth0 comments Outside (n7k1)
set interface eth0 state on
set interface eth0 ipv4-address 192.168.1.4 mask-length 24

set router-id 172.168.255.4
set ospf area backbone on                            The backbone is area 0
set ospf interface eth0 area backbone on
set ospf interface eth0 priority 255
set ospf interface eth1 area 1 on

Static routes can be redistributed from the GUI (but then don't show in the CLI) or from the CLI using a route-map. Route-maps can match on multiple things such as interface, IP/network, protocol, route-type, tag, community or AS.

set routemap CONN->OSPF id 1 on
set routemap CONN->OSPF id 1 allow
set routemap CONN->OSPF id 1 match protocol static
set ospf export-routemap CONN->OSPF preference 1 on
area 1 range on                                     Advertise a summary route
area 1 range restrict on                             Is not advertised to other areas

Updates

Check for and install updates: Hotfixes, HFAs (minor versions) and major versions.

installer check-for-updates not-interactive              Check for updates
show installer packages                                  See what is installed/available
installer verify ?                                       List the available updates
installer verify                                         Choose an update to see whether it can be installed
installer download                                       Download the update
installer install                                        Install the update

Hotfix accumulators contain all the latest hotfixes combined; they generally do not add new features. They can be downloaded and installed from the device, or downloaded directly from Checkpoint and copied over.

set user admin shell /bin/bash                           Give admin a bash shell so scp works
scp Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz admin@ckp-gw1:
set user admin shell /etc/cli.sh                         Switch admin back to the clish shell

installer agent update
show installer packages installed
show installer packages imported
installer import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz
show installer packages imported                         Lists all hotfixes; look for the accumulator
installer verify                                         Enter the number of the accumulator
installer install
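As an added check that is not part of the original post: before handing a bundle copied over with scp to installer import local, compare its SHA-256 with the checksum published on the Check Point download page for that bundle. The script is assumed to run from expert mode on the gateway; the EXPECTED_SHA256 value is a placeholder to replace with the published checksum.

```shell
#!/bin/bash
# Added example (not from the original post): verify a copied hotfix bundle
# before importing it. Run from expert mode on the gateway; the expected
# SHA-256 comes from the Check Point download page (placeholder below).

BUNDLE=/home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz
EXPECTED_SHA256="<sha256 from the Check Point download page>"   # placeholder

# verify_bundle FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches, 1 on mismatch, 2 if the file
# is missing. Nothing is imported unless this returns 0.
verify_bundle() {
    file="$1"
    expected="$2"
    if [ ! -f "$file" ]; then
        echo "verify_bundle: $file not found" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $file"
        return 0
    fi
    echo "checksum MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Import only a bundle that passed verification; clish -c runs a single
# clish command from expert mode.
import_if_verified() {
    verify_bundle "$1" "$2" || return $?
    clish -c "installer import local $1"
}

# Usage on the gateway (commented out so the file can be sourced safely):
# import_if_verified "$BUNDLE" "$EXPECTED_SHA256"
```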

Join Gateway to the Manager

Within SmartDashboard under Network Objects, right-click Gateways and Servers and choose Gateway. In the next window choose Classic mode and enter a name and IPv4 address.

Finally click Communication; once initialization is complete the certificate state will be Trust established. If you encounter any issues at this stage the password may need to be reset.

A window will appear listing all the interfaces of the security gateway, to indicate what was discovered when the gateway was added and secure communication was established. Finally choose Install database from the main menu, which creates the objects and saves the changes to the manager.

Configuration

Install database only pushes to the manager, whilst Install policy pushes to both the managers and the gateways.

Enabling SmartEvent on the manager adds audit and logs to the Smart Dashboard Logging and Monitoring tab. Enabling the SmartEvent server and SmartEvent correlation adds views and reports.

Policy

Before applying policy you must first define the interface roles: whether they lead to internal or external networks. Double-click the gateway, select Network Management and either let Checkpoint discover the interface roles and the networks behind them (Get Interfaces) or define them manually.

For all interfaces except the external one, anti-spoofing can be enabled by specifying a group of all the networks that can be reached through that interface.

Control-plane traffic to the gateways, such as ICMP or OSPF, will need to be allowed within the policy. Any features run on the Checkpoint itself, such as IPsec or Identity Awareness, will use the default stealth rule 0.

NAT

The translated object within the NAT policy will have either an H for Hide NAT or an S for Static NAT. This can be changed by right-clicking on the translated object.
Hide NAT is the same as PAT, where everything is translated behind the same IP.
Static and Hide NATs are both one-way.

There are two methods for configuring NAT:

  • Automatic NAT - Configure the NAT under the network object and the NAT rules will be created automatically. Under the NAT tab of the network object tick Add Automatic Address Translation and choose either:

    • static - Specify an IP to create 2 static NAT entries (inbound & outbound) in the NAT table
    • hide - Specify an IP or interface to create 2 NAT entries, 1 NONAT for the internal traffic and 1 PAT for outbound traffic
  • Manual NAT - NATs added manually to the NAT policy. This is a better option than automatic NAT (with network objects) as you have more control over the structure of the NAT policy. By default NAT rules are only uni-directional; to make them bidirectional you need a rule in each direction.

In addition to the NAT you may also need to use proxy ARP to tell the gateway to respond to requests for this IP. This is enabled in Global Properties » NAT » Merge manual proxy ARP configuration, with a static entry added in the CLI. Even though the proxy ARP entry is entered from the CLI, the policy needs to be pushed for it to take effect.

add arp proxy ipv4-address 192.168.1.253 interface eth0          Can also optionally add the firewall interface IP
show arp proxy all                                               Shows the entry even if the policy is not pushed
expert
fw ctl arp                                                       Won't show here until the policy is pushed

Manual Hide NAT (PAT) uni-directional rules can be created in the same manner by defining the translated source object as Hide. If not using the interface IP for the PAT, a Proxy ARP entry will also be needed.

Extra Gateway configuration

To add an extra vNIC to a virtual Gateway it will need to be rebooted to see it.

To add a trunk and add or remove a VLAN over it:

set interface eth2 state on
add interface eth2 vlan 99                               Add the VLAN to the interface (creates sub-interface eth2.99)
set interface eth2.99 state on                           Enable the sub-interface
set interface eth2.99 comments blah                      Give it a description
set interface eth2.99 ipv4-address ip mask-length mask   Define the IP details

delete interface eth2 vlan num                           Deleting the VLAN removes the sub-interface and all its config

Set a default or static route:

set static-route default nexthop gateway address next_hop_ip priority 1 on
set static-route network/mask comment blah
set static-route network/mask nexthop gateway address next_hop_ip priority 1 on
set static-route network/mask nexthop gateway address next_hop_ip priority 2 on

set static-route network/mask nexthop gateway address next_hop_ip off        To delete the route