Wednesday, March 25, 2020

Check Point Distributed Deployment


In this LAB we are going to configure a Check Point Distributed Deployment.

LAB Requirement

In this LAB we require:
1. Check Point Smart Management Server VM
a. 1 GB RAM
b. 1 CPU core
c. 1 Ethernet adapter, member of virtual switch VM1 [Host]
2. Check Point Security Gateway VM
a. 1 GB RAM
b. 1 CPU core
c. 1 Ethernet adapter, member of virtual switch VM1 [Host]
d. 1 Ethernet adapter, member of virtual switch VM2 [Host]
3. GNS3 Cisco topology
a. 1 Cisco 7200 router

LAB Topology

Let's UConfigIt

Step 1. Complete the first requirement of the LAB (install the Check Point Smart Management Server).

Step 2. Complete the second requirement of the LAB (install the Check Point Security Gateway).

Step 3. Complete the next requirement of the LAB (install the Check Point Smart Console).
Note: all traffic goes through the Security Gateway.

Step 4. Log in to Smart Dashboard (Smart Console).

Step 5. Add the Security Gateway to the Smart Management Server. As we know, every Security Gateway is managed by the Smart Management Server, so the Security Gateway is configured through the Smart Management Server.


Step 6. Now select the first wizard mode.

Step 7. Now initialize SIC (Secure Internal Communication) and enter the Security Gateway IP address or SIC key (the Activation Key configured when the Security Gateway was installed).

If you forget the Security Gateway SIC key, you can reset it (Option 5) from:
cpconfig
Note: if you change the SIC key, exit cpconfig to apply the change.

Step 8. Click on Finish.

Step 9. The Security Gateway has now been added.

Step 10. Now we look at the Security Policy.
Firewall > Policy
The Policy section has the following configuration columns:
No. : priority (order) of the rule
Hits : number of connections that matched the rule
Name : name of the rule
Source : source IP address or network
Destination : destination IP address or network
VPN : applies to VPN traffic
Service : protocol or service
Action : either accept or drop the traffic
Track : real-time notification of matches using a log or an alert
Install On : the gateway the rule is pushed to
Time : the time period during which the rule is active
Comment : any description of the rule

Step 11. Now click on Add Rule at the bottom and create a security policy.

Step 12. Edit the Destination field.

Add the network and host (click on InternalZone and select Host or Network).

For the DMZ Zone (Server Zone):

Edit the Network or Host field.


Step 13: Basic rules of policy creation in Check Point
Policy A (Management Rule) - in this type of policy we create a rule for the Smart Console (a security policy that allows the Smart Console to access the Smart Management Server).
--------------------------~~~---------------------
Policy Name : Management Rule
No. : 1
Source : CPSC(192.168.1.5/24)
Destination : CPSMS(192.168.1.10/24), CPSG(192.168.1.20/24)
Service : Any
Action : Accept
Track : Log
Install On : Security Gateway
Time : Any
Comment : Management Rule, because only the Smart Console may access the Smart Management Server and the Security Gateway
-------------------------~~~----------------------

Policy B (Stealth Rule) - with this policy, if any attacker tries to access our Smart Management Server or Security Gateway, all of their request packets are dropped.
--------------------------~~~---------------------
Policy Name : Stealth Rule
No. : 2
Source : Any
Destination : CPSG(192.168.1.20/24)
Service : Any
Action : Drop
Track : Log
Install On : Security Gateway
Time : Any
Comment : All remote attacker requests are denied.
-------------------------~~~----------------------

Policy C (Network Policy) - here you create security policies according to the organization's requirements.
--------------------------~~~---------------------
Policy Name : a policy name (either department based or host based)
No. : the policy priority
Source : the source host and network IP
Destination : the destination host and network IP
Service : the service allowed for the host
Action : either Accept or Drop
Track : hit information via Log or Alert
Install On : the Security Gateway the policy is installed on
Time : only if the policy is time based
Comment : according to the organization
-------------------------~~~----------------------

Policy D (Cleanup Rule) - by default the firewall denies any request that matches no rule, but without an explicit Cleanup rule those drops are not logged.
--------------------------~~~---------------------
Policy Name : Cleanup Rule
No. : always the last rule
Source : Any
Destination : Any
Service : Any
Action : Drop
Track : Log
Install On : Security Gateway
Time : Any
Comment : Cleanup rule to drop all remaining traffic and log it.
-------------------------~~~----------------------


Step 14: Now create the policy for the Cisco router (so the Smart Console can ping my Cisco router).
--------------------------~~~---------------------
Policy Name : Internet Access
No. : 3
Source : CPSC(192.168.1.5/24)
Destination : Cisco Router (172.168.1.10/24)
Service : http(80), https(443), TCP(14356), ICMP
Action : Accept
Track : None
Install On : Security Gateway
Time : Any
Comment : For Internet Access
-------------------------~~~----------------------
Add the services for the ISP rule.
Several services can be added together as a service group,

so finally the rule carries one service group.
Step 15: First verify the policy on the firewall in the virtual environment.

Click on OK and approve it.

Step 16: Finally install the policy on the Security Gateway.

Go to Policy > Install.

Now select the Security Gateway and install (tick the check box and click on OK).
Go to Advanced
and click on OK.
Wait for the policy installation to finish.
Now check the connection between CPSC and the Cisco router (ISP):
ping from the Smart Console to the Cisco ISP router.

In this case traffic from the ISP side is denied by Check Point, so now create a policy from the public network to the private network.
--------------------------~~~---------------------
Policy Name : DC(Data Center)
No. : 4
Source : Cisco Router(172.168.1.10/24)
Destination : CPSC (192.168.1.5/24)
Service : ICMP
Action : Accept
Track : None 
Install On : Security Gateway
Time : Any
Comment : For DMZ Access
-------------------------~~~----------------------
Now check the ping from the Cisco ISP router to CPSC before and after installing the policy.
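The rulebase built in Steps 13 and 14 (Management, Stealth, Internet Access, DC and Cleanup) is evaluated top-down and the first matching rule decides. The Python script below is an added example, not part of this post or of Check Point software: it simulates that first-match evaluation on the lab's addresses and shows why the Management rule has to sit above the Stealth rule. It assumes the lab's host objects are single addresses (the post writes them with /24).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    src: tuple       # IP/network strings, or "any"
    dst: tuple       # IP/network strings, or "any"
    services: tuple  # service names, or "any"
    action: str      # "accept" or "drop"
    track: str       # "log" or "none"

def _addr_match(nets, ip):
    """True if ip falls inside any listed network ('any' matches everything)."""
    return "any" in nets or any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def evaluate(rulebase, src_ip, dst_ip, service):
    """Check Point style first match: return (no, name, action, logged?) of the
    first rule whose Source, Destination and Service all match."""
    for r in rulebase:
        if (_addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)
                and ("any" in r.services or service in r.services)):
            return r.no, r.name, r.action, r.track == "log"
    return None  # cannot happen once a Cleanup rule closes the rulebase

# Lab hosts (constructed: the post's /24 objects are treated as single hosts).
CPSC, CPSMS, CPSG, ISP = "192.168.1.5", "192.168.1.10", "192.168.1.20", "172.168.1.10"

LAB_RULEBASE = (
    Rule(1, "Management Rule", (CPSC,), (CPSMS, CPSG), ("any",), "accept", "log"),
    Rule(2, "Stealth Rule", ("any",), (CPSG,), ("any",), "drop", "log"),
    Rule(3, "Internet Access", (CPSC,), (ISP,),
         ("http", "https", "tcp/14356", "icmp"), "accept", "none"),
    Rule(4, "DC", (ISP,), (CPSC,), ("icmp",), "accept", "none"),
    Rule(5, "Cleanup Rule", ("any",), ("any",), ("any",), "drop", "log"),
)

def stealth_above_management():
    """Rules 1 and 2 swapped: the Stealth rule now drops the Smart Console too."""
    swapped = (LAB_RULEBASE[1], LAB_RULEBASE[0]) + LAB_RULEBASE[2:]
    return evaluate(swapped, CPSC, CPSG, "https")

if __name__ == "__main__":
    for pkt in [(CPSC, CPSMS, "https"), (ISP, CPSG, "ssh"), (CPSC, ISP, "icmp"),
                (ISP, CPSC, "icmp"), (ISP, CPSC, "http")]:
        print(pkt, "->", evaluate(LAB_RULEBASE, *pkt))
    print("stealth above management:", stealth_above_management())
```

The last case (ISP to CPSC over http) lands on the Cleanup rule, which is where the log entry the post mentions comes from; the swapped order locks the Smart Console out of the gateway.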


Thanks

Friday, March 20, 2020

Check Point Smart Console installation


Smart Console is a set of SMS (Smart Management Server) configuration tools.

LAB Requirement

1. Windows Computer
2. Smart Console Tools

Let's UConfigIt

Step 1. Download the Smart Console setup and install it (click on Download Now).

Step 2. Click on the Next button.

Step 3. Accept the license (Yes).

Step 4. Select the useful tools, then click on the Next button.

Step 5. Wait for installation.

Step 6. Now check the SMS certificate fingerprint for the first-time login using the following command:
cpconfig

Step 7. Select option 7, then press Enter.

Step 8. Open the Check Point Smart Dashboard (Smart Console).

Step 9. Check the server certificate fingerprint, then click the Approve button.
Step 10. Wait for the data to be retrieved from the SMS to the SC.

Step 11. Now configure the SMS by using the SC.

All traffic goes through the SG (Security Gateway), and every SG is managed by the SMS (Smart Management Server).

Thanks
Himanshu

Check Point Gaia R77.30 installation on VMware


In this blog we will discuss installing the Check Point Gaia operating system, version R77.30, in VMware.

LAB Requirement 

1. VMware Workstation (or any virtualization application)
2. Windows PC, minimum Core i3, 4 GB RAM, 1/2 TB hard drive (SSD)
3. ISO image file of Check Point Gaia R77.30

Let's UConfigIt

Step 1. Turn on virtualization in the computer BIOS.
Step 2. Now start your computer, open the VMware application, select the File menu and click on New Virtual Machine.

Step 3. Now select the Typical radio button and click on Next.

Step 4. Now select Installer disk image file (iso), browse to the ISO image of Check Point R77.30 Gaia, then click on the Next button.

Step 5. Now select the Guest operating system(Linux Red Hat).

Step 6: Now rename the virtual machine and select the configuration location.

Step 7: Configure disk space for virtual machine and select the radio button Store virtual disk as a single file.

Step 8: Finally configure 1 CPU core and 1 GB (1024 MB) RAM, then click on Finish.

The virtual machine has now been created; run it.

Step 9: Start the virtual machine and select Install Gaia on this system.

Step 10: Select OK


Step 11: Select the keyboard type (US).

Step 12: Configure the disk partition sizes according to requirement, or keep the defaults.
By default:
5% for System-swap
26% for System-root
36% for Logs
31% for Backup and upgrade

Step 13: Configure the password for default user admin.

Step 14: Now configure the IP address for Web access.

Step 15: Now click on OK

Step 16: After the system software installation click on Reboot.

Step 17: Wait for the SMS (Smart Management Server) to start.

Log in to the SMS with the default username admin and the password set in Step 13.

After logging in, check the IP Interface Table with the command:
cpstat os -f ifconfig

The Check Point Gaia R77.30 installation is now complete. Finally, open the web UI.

Step 18: Open the web UI in a browser using the IP address assigned to the SMS, and log in to the SMS.

Step 19: Click on Next button.

Step 20: Select radio button Continue with Gaia R77.30 configuration then click on Next

Step 21: If you want to change the IP address, change it here.

Step 22: Change the Host Name, Device Name and DNS according to the LAB requirement.

Step 23: Set the SMS time and time zone according to your location; if NTP is available, assign the NTP server IP address and authentication configuration.

Step 24: According to requirement, select the installation type: SG (Security Gateway) and/or SM (Security Management).

Step 25: Select the product to configure: SG (Security Gateway)
or SM (Security Management).

For a standalone deployment select both check boxes, then click on the Next button.

Step 26: If you have multiple SGs (Security Gateways), decide whether a DHCP-based IP assignment method is required, and click the radio button according to your requirement.
Step 27: For an SG (Security Gateway) a SIC Activation Key is required, so create a strong key.
Step 28: Click on the Finish button.
Step 29: Click on the Yes button to start the configuration process.
Step 30: Wait for the process to end.
Step 31: After the process ends, wait for the reboot.
Step 32: After the reboot, if you want to change the management IP address you can configure it from the command line:

Configure an IPv4 address on the interface
set interface eth1 ipv4-address 172.168.1.5 subnet-mask 255.255.255.0

Turn on the interface
set interface eth1 state on

Step 33: Installation of Check Point R77.30 is now complete.

Using the SC (Smart Console) we can configure Check Point, but first we need to add the SG (Security Gateway) to the SMS (Smart Management Server).

Thanks