In this LAB we are going to configure a Check Point distributed deployment.
LAB Requirements
For this LAB we require:
1. Check Point Smart Management Server VM
a. 1 GB RAM
b. 1 CPU Core
c. 1 Ethernet adapter, member of virtual switch VM1 [Host]
2. Check Point Security Gateway VM
a. 1 GB RAM
b. 1 CPU Core
c. 1 Ethernet adapter, member of virtual switch VM1 [Host]
d. 1 Ethernet adapter, member of virtual switch VM2 [Host]
3. GNS3 Cisco Topology
a. 1 Cisco router 7200
LAB Topology
Let's UConfigIt
Step 1. Complete the first requirement of the LAB (install Check Point Smart Management Server).
Step 2. Complete the second requirement of the LAB (install Check Point Security Gateway).
Step 3. Complete the third part of the LAB setup (install Check Point Smart Console).
Note: all traffic goes through the Security Gateway.
Step 4. Log in to Smart Dashboard (Smart Console).
Step 5. Add the Security Gateway to the Smart Management Server. Every Security Gateway is managed by the Smart Management Server, so we configure the Security Gateway through the Smart Management Server.
Step 6. Now select the first wizard mode.
Step 7. Now initialize the SIC (Secure Internal Communication) process and enter the Security Gateway IP address and the SIC key (the Activation Key configured when the Security Gateway was installed).
If you have forgotten the Security Gateway SIC key, you can reset it with cpconfig (option 5):
cpconfig
Note: if you change the SIC key, exit cpconfig so that the change is applied.
Step 8. Click Finish.
Step 9. The Security Gateway has now been added.
Step 10. Now we look at the Security Policy.
Firewall > Policy
In the Policy section we have the following configuration columns:
No. : Priority (order) value of the rule
Hits : Number of requests that matched the rule
Name : Name of the rule
Source : Source IP address or network
Destination : Destination IP address or network
VPN : For VPN traffic
Service : Any type of protocol or port
Action : Either accept or deny the traffic
Track : Real-time information via alerts and logs
Install On : The gateway the rule is pushed to
Time : Life cycle of the rule (when it applies)
Comment : Any description of the rule
Step 11. Now click Add Rule at the bottom and create a security policy.
Step 12. Edit the Destination field.
Add the network and host (click on InternalZone and select Host or Network).
For the DMZ zone (server zone):
Edit the Network or Host field.
Step 13: Basic rules of policy creation in Check Point
Policy A (Management Rule) - In this rule we allow the Smart Console to access the Smart Management Server (access to the Security Policy from the Smart Console to the Smart Management Server).
--------------------------~~~---------------------
Policy Name : Management Rule
No. : 1
Source : CPSC(192.168.1.5/24)
Destination : CPSMS(192.168.1.10/24), CPSG(192.168.1.20/24)
Service : Any
Action : Accept
Track : Log
Install On : Security Gateway
Time : Any
Comment : Management rule, because only the Smart Console may access the Smart Management Server and Security Gateway
-------------------------~~~----------------------
Policy B (Stealth Rule) - With this rule, any attacker's request to our Smart Management Server and Security Gateway is dropped.
--------------------------~~~---------------------
Policy Name : Stealth Rule
No. : 2
Source : Any
Destination : CPSG(192.168.1.20/24)
Service : Any
Action : Drop
Track : Log
Install On : Security Gateway
Time : Any
Comment : All remote requests from attackers will be denied.
-------------------------~~~----------------------
Policy C (Network Policy) - Here you create any security policy according to the organization's requirements.
--------------------------~~~---------------------
Policy Name : Choose a policy name (either department based or host based)
No. : Set the policy priority
Source : Define the source host or network IP
Destination : Define the destination host or network IP
Service : Define the service for the host
Action : Either accept or deny it
Track : Hit information via log or alert
Install On : Install the policy on the Security Gateway
Time : If the policy is time based
Comment : According to the organization
-------------------------~~~----------------------
Policy D (Cleanup Rule) - By default the firewall denies any request that matches no rule, but without an explicit cleanup rule we get no logs for that traffic.
--------------------------~~~---------------------
Policy Name :Cleanup Rule
No. : Always the last rule
Source : Any
Destination : Any
Service : Any
Action : Drop
Track : Log
Install On : Security Gateway
Time : Any
Comment : Cleanup rule to deny all remaining traffic, with logging.
-------------------------~~~----------------------
Step 14: Now create the policy for the Cisco router (so the Smart Console can ping my Cisco router).
--------------------------~~~---------------------
Policy Name : Internet Access
No. : 3
Source : CPSC(192.168.1.5/24)
Destination : Cisco Router (172.168.1.10/24)
Service : http(80), https(443), TCP(14356), ICMP
Action : Accept
Track : None
Install On : Security Gateway
Time : Any
Comment : For Internet Access
-------------------------~~~----------------------
Add the services for the ISP link.
We can add the requested services as a group.
So finally we have a service group for the requested services.
Step 15: First verify the policy on the firewall in the virtual environment.
Click OK and approve it.
Step 16: Finally install the policy on the Security Gateway.
Go to Policy > Install.
Now select the Security Gateway and install (tick the check box and click OK).
Go to Advanced
and click OK.
Wait for the policy installation.
Now check your connection between CPSC and the Cisco router (ISP).
Ping from the Smart Console to the Cisco ISP router.
In this case the ISP's traffic is denied by Check Point, so now create a policy for the public network to the private network.
--------------------------~~~---------------------
Policy Name : DC(Data Center)
No. : 4
Source : Cisco Router(172.168.1.10/24)
Destination : CPSC (192.168.1.5/24)
Service : ICMP
Action : Accept
Track : None
Install On : Security Gateway
Time : Any
Comment : For DMZ Access
-------------------------~~~----------------------
Now check the ping from the Cisco ISP router to CPSC before and after installation of the policy.
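To see how the rule base from Steps 13 and 14 and the DC rule above is evaluated, here is an added simulation (not Check Point code, and not part of the original post) of first-match rule evaluation over the page's rules. It assumes the lab addresses are /32 host objects and uses constructed sample packets; the ping check before and after the DC rule is modelled by evaluating with and without that rule.

```python
from ipaddress import ip_address, ip_network

# Lab hosts as named on the page, modelled as /32 host objects (assumption)
CPSC = ip_network("192.168.1.5/32")      # Smart Console
CPSMS = ip_network("192.168.1.10/32")    # Smart Management Server
CPSG = ip_network("192.168.1.20/32")     # Security Gateway
ROUTER = ip_network("172.168.1.10/32")   # Cisco ISP router
ANY = None                               # wildcard for Source/Destination/Service

# Rule base in the order the page builds it: (name, sources, destinations,
# services, action, track). The gateway evaluates top-down; first match wins.
RULE_BASE = [
    ("Management Rule", [CPSC], [CPSMS, CPSG], ANY, "accept", "log"),
    ("Stealth Rule", ANY, [CPSG], ANY, "drop", "log"),
    ("Internet Access", [CPSC], [ROUTER], {"http", "https", "tcp/14356", "icmp"}, "accept", "none"),
    ("DC", [ROUTER], [CPSC], {"icmp"}, "accept", "none"),
    ("Cleanup Rule", ANY, ANY, ANY, "drop", "log"),
]

def _addr_match(addr, networks):
    return networks is ANY or any(addr in net for net in networks)

def evaluate(rule_base, src, dst, service):
    """Return (rule name, action, track) of the first rule matching the packet."""
    src, dst = ip_address(src), ip_address(dst)
    for name, sources, dests, services, action, track in rule_base:
        if (_addr_match(src, sources) and _addr_match(dst, dests)
                and (services is ANY or service in services)):
            return name, action, track
    raise RuntimeError("no rule matched: the rule base needs a cleanup rule")

def without_rule(rule_base, name):
    """Rule base as it was before the named rule was installed."""
    return [r for r in rule_base if r[0] != name]

def swap_rules(rule_base, a, b):
    """Copy of the rule base with rules a and b exchanged (ordering experiment)."""
    out = list(rule_base)
    i, j = [r[0] for r in out].index(a), [r[0] for r in out].index(b)
    out[i], out[j] = out[j], out[i]
    return out

if __name__ == "__main__":
    for pkt in [("192.168.1.5", "192.168.1.20", "https"),   # console to gateway
                ("10.9.9.9", "192.168.1.20", "https"),      # unknown host to gateway
                ("192.168.1.5", "172.168.1.10", "icmp"),    # console pings router
                ("172.168.1.10", "192.168.1.5", "http")]:   # router to console, no rule
        print(pkt, "->", evaluate(RULE_BASE, *pkt))
    ping = ("172.168.1.10", "192.168.1.5", "icmp")           # router pings console
    print("before DC:", evaluate(without_rule(RULE_BASE, "DC"), *ping))
    print("after DC:", evaluate(RULE_BASE, *ping))
```

Swapping the Management and Stealth rules shows why rule 1 must precede rule 2: the Smart Console's own traffic to the gateway would then hit the stealth drop.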
Thanks