Checkpoint Firewalls are not zone based Firewalls so have a different type of policy compared to ASA and Juniper. A typical build consist of a Security Gateways managed by a centralised Management Server using the Checkpoint Smart Dashboard software. Firewall policies are created and managed on the management server and pushed to the security gateway.
Table Of Contents
The software deployed on a management server and gateway is the same, you just need to designated the devices role when running through the initial First Time Configuration Wizard. A a distributed deployment is when the gateway and management server are deployed as one appliance.
Use the following specifications when deploying in ESX (VMtools are automatically installed):
- Guest OS: Other Linux (32 bit)
- CPU: 2 Cores per socket
- Memory: Minimum 4GB (works with 2, but need 4 for initial build)
- SCSI Controller: LSI Logic Parallel
- Disk: Thick Provision Lazy Zeroed (At least 70GB for manager, 32 for gateway)
Mount the ISO and when prompted choose the size of the partitions, admin password and IP address for the interface the device will be managed from. If the VM has insufficient memory during the build it will get stuck on Finalize Configuration in the wizard.
Once the initial OS (GAIA) has been installed log in via a web browser (GAIA portal) and run the First Time Configuration Wizard. Once this has been done you can then configure any other settings via ssh or GUI.
After configuring the IP details, DNS and NTP on the Installation Type window select Security Gateway or Security Management.
In the Products window select Security Management and under Define Security Management set the device as Primary. If it was a HA setup could select Secondary or if the device as only going to be a reporter Log server/ Smartevent only.
On the next window create an Administrator user. The default admin account has privileges for SSH and web GUI access to the device itself, where as the administrator account will be the main account to be used in the Smart Dashboard. Optionally set the networks that are allowed to access the device. Only once the the First Time Wizard is complete can the remaing configuration be done from the CLI.
To change any of the wizard configured settings:
set dns suffix
stesworld.comset dns primary 10.10.20.254set dns secondary 188.8.131.52set domainname stesworld.comset hostname ckp-mgmt1set ntp active onset ntp server primary 10.10.10.51version 3set management interface eth0
Turn off update, configure SNMP, users and the banner
set installer policy check-for-updates-period
0set installer policy periodically-self-update offset snmp agent onset snmp community st3sw0r1d_c0mmun1tyread-onlyadd snmp interface eth0set snmp location DC1add user user1uid 0 homedir /home/set user user1gid 100 shell /bin/bashset user user1passwordadd rba user user1roles adminRoleset message banner on msg value my_bannerset message motd on msg value my_message
smart dashboard is used to login into the mangers and administer them, this can be downloaded directly from the manager.
The installation procedure is the same as the mangers. Only need to the one management interface in the First Time Configuration Wizard,others can be configured after. On the products page select Security Gateway and check Automatically download Blades Contracts and other important data.
The Secure Internal Communication onetime password is what will be used to form the trust between gateway and Management Server.
Once the installation is complete log into the CLI to add additional interfaces and any other configuration such as routing.
installer policy check-for-updates-period
0set installer policy periodically-self-update offinstaller agent update To manually update if turn periodic offset snmp agent onset snmp community my_c0mmun1tyread-onlyadd snmp interface eth1set snmp location homeadd netflow collector ip 10.10.10.71port 2055export-format Netflow_V9 srcaddr 184.108.40.206enable yesset interface eth0 comments Outside (n7k1)set interface eth0 state onset interface eth0 ipv4-address 192.168.1.4mask-length 24set router-id 220.127.116.11set ospf area backboneon The backbone is area0set ospf interface eth0area backboneonset ospf interface eth0priority 255set ospf interface eth1area 1on
Static routes can be redistributed from GUI (but don’t show in cli) or from the cli using a route-map. Route-maps can match multiple things such as interface, IP/network, protocol, route-type, tag, community or AS.
CONN->OSPFid 1 onset routemap CONN->OSPFid 1 allowset routemap CONN->OSPFid 1 match protocol staticset ospf export-routemap CONN->OSPFpreference 1 onarea 1range on Advertise a summary routearea 1range restrict on Is not advertised to other areas
Check and install updates Hotfixes and HFAs (minor versions) and Majors.
installer check-for-updates not-interactive
Check for updatesshow installer packages To see what is installed/ availableinstaller verify ? List the available updatesinstaller verify Choose update to see can install it or notinstaller download Download the updateinstaller install Install the update
Hotfixes contain all the latest hot fixes combined, they are generally not new features. Can be downloaded and installed from the device or downloaded directly from Checkpoint and copied over.
set user admin shell /bin/bashscp
Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz admin@ckp-gw1:set user admin shell /etc/cli.shinstaller agent updateshow installer packages installedshow installer packages importedinstaller import local /home/admin/Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgzshow installer packages imported Will list all hotfixes, look for accumulatorinstaller verify Enter the number of the accumulatorinstaller install
Join Gateway to the Manager
Within SmartDashboard under network objects, right click Gateways and servers and choose gateways. In the next window choose classic mode and enter a name and IPv4 Address.
Finally click Communication, once initialization is complete the certificate state will be Trust established. If you encounter any issues at this stage the password may need to be reset.
A window will appear with all the interfaces of the security gateway to indicate this is what has been discovered when the gateway was added and secure communication was established. Finally choose install database from the main menus which creates the objects and save the changes to the manger
Install database just pushes to manager, whist install policy pushes to both the managers and the gateways
Enabling smartevent on the manager adds audit and logs to the Smart Dashboard logging and monitoring tab. Enabling smartevent server and smartevent collation adds views and reports.
Before applying policy must first define the interfaces roles; whether they lead to internal or external networks. Double-click the gateway, select network management and either let Checkpoint discover interface roles and the networks behind them using (get interfaces) or manually define them.
For all interfaces except external can enable spoofing specifying a group of all networks that can be accessed through that interface.
For control plane traffic to the gateways such as ICMP or OSPF will need to allow that within the policy. Any features that are run on the checkpoint such as IPSEC or Identity awareness will use the default stealth rule 0.
The translated object within the NAT policy will either have a H for Hide NAT or S for Static NAT. This can be changed by by right clicking on the translated object.
Hide NAT is the same as PNAT where everything is translated behind the same IP.
Static and Hide NATs are both one-way.
There are two methods for configuring NAT:
Automatic NAT - Configure the NAT under the network object and the NAT rules will be automatically created. Under the NAT tab of the network object tick add automatic Address Translation and choose either:
- static - Specify an IP to create 2 static NAT entries (inbound & outbound) in the NAT table
- hide - Specify an IP or interface to create 2 NAT entries, 1 NONAT for the internal traffic and 1 PAT for outbound traffic
Manual NAT - Manually added NATs to the NAT policy. It is a better option than doing auto NAT (with network objects) as you have more control over the structure of the NAT policy. By default NAT rules are only uni-directional, to make them bidirectional need a rule in either direction.
In addition to the NAT may also need to use proxy ARP to tell the gateway to respond to requests for this IP. This is enabled in global properties » NAT » merge manual proxy ARP config and a static entry added in the CLI./ Even though enter proxy arp from cli, the policy needs to be pushed for it to take effect.
add arp proxy ipv4-address
192.168.1.253interface eth0 Can also optionally add fw int IPshow arp proxy all Will show even if policy not pushedexpertfw ctl arp Wont show in here until policy is pushed
Manual Hide NAT (PAT) uni-directional rules can be created in the same manner by creating by defining the translated source object as Hide. If not using the interface IP for the PAT will also need add a Proxy ARP entry.
Extra Gateway configuration
To add an extra vNIC on a virtual Gateway it will need to be rebooted it to see it.
To add a trunk and add or remove a VLAN over it.
eth2state onadd interface eth2vlan 99 Add VLAN to the interfaceset interface eth2.99state on Create the sub interfaceset interface eth2.99comments blah Give it a descriptionset interface eth2.99ipv4-address ipmask-length mask Define the IP detailsdelete interface eth2vlan num Delete the vlan removes sub-interface and all its config
Set default or static route.
set static-route default nexthop gateway address
next_hop_ippriority 1 onset static-route network/maskcomment blahset static-route network/masknexthop gateway address next_hop_ippriority 1 onset static-route network/masknexthop gateway address next_hop_ippriority 2 onset static-route network/masknexthop gateway address next_hop_ipoff To delete the route