Check Point Security Administration
R77 Edition
Check Point Education Series
Check Point Security Administration Lab Manual
Check Point Software Technologies Inc.
P/N: 705983

© 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv 67897, Israel
US Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063. Fax: 972-506-7913

For questions or comments about this courseware, contact Check Point.
Document #: DOC-Manual-Lab-CCSA-R77
Revision: R702
Content: Toey Witt
Graphics: Chunming Jia
Contributions: Beta Testing and Technical Review
   Abdelhadi Guendonzi - Westcon - France
   Alejandro Diez Rodriguez - fina - Spain
   Anthony Joubaite - Arrow ECS - France
   Chris Alblas - Arrow ECS - UK
   Chris Warlick - Check Point - USA
   Erik Wagemans - ICA - Belgium
   Julie Paul - Check Point - USA
   Kishin Fatnani - K-Secure - India
   Nader Assi - Sequris Group - USA
   Rutger Truyers - Westcon - Belgium
Test Development: Ken Finley
Check Point Technical Publications: Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkeh Albinder, Shira Rosenfield, Yaakov Simon
facebook.com/CheckPointEducation

Contents

Preface ......... 1
Lab 1: Distributed Installation
   Installing the Security Management Server ......... 6
   Configure Security Management Server Using the Gaia Portal ......... 16
   Configuring the Management Server ......... 30
   Installing the Corporate Security Gateway
   Configure Corporate Security Gateway Using the Web UI ......... 39
   Configuring the Corporate Security Gateway ......... 52
   Installing SmartConsole ......... 60
Lab 2: Branch Office Security Gateway Installation
   Install SecurePlatform on the Branch Gateway ......... 70
   Configure Branch Office Security Gateway with the First Time Configuration Wizard ......... 76
   Use the Gaia Portal to Configure the Branch Office Security Gateway
Lab 3: CLI Tools ......... 97
   Working in Expert Mode ......... 98
   Applying Useful Commands ......... 101
   Add and Delete Administrators via the CLI
   Perform backup and restore ......... 108
Lab 4: Building a Security Policy
   Create Security Gateway Object
   Create GUI Client Object
   Create Rules for Corporate Gateway ......... 125
   Save the Policy ......... 131
   Install the Policy ......... 132
   Test the Corporate Policy
   Create the Remote Security Gateway Object ......... 136
   Create a New Policy for the Branch Office ......... 143
   Combine and Organize Security Policies ......... 148
Lab 5: Configure the DMZ
   Create DMZ Objects in SmartDashboard ......... 160
   Create DMZ Access Rule ......... 162
   Test the Policy
Lab 6: Monitoring with SmartView Tracker ......... 165
   Launch SmartView Tracker ......... 166
   Track by Source and Destination ......... 167
   Modify the Gateway to Activate SmartView Monitor ......... 170
   View Traffic Using SmartView Monitor
Lab 7: Configuring NAT ......... 179
   Configure Static NAT on the DMZ ......... 180
   Test the Static NAT Address
   Configure Hide NAT on the Corporate Network ......... 185
   Test the Hide NAT Address ......... 189
   Observe Hide NAT Traffic Using fw monitor ......... 192
   Configure Wireshark ......... 195
   Observe the Traffic ......... 198
   Observe Static NAT Traffic Using fw monitor (optional) ......... 199
Lab 8: Configuring User Directory
   Connect User Directory to Security Management Server ......... 206
   Verify SmartDashboard Integration ......... 217
   Test LDAP Integration ......... 220
Lab 9: Identity Awareness ......... 221
   Configuring the Security Gateway ......... 222
   Defining the User Access Role ......... 228
   Applying User Access Roles to the Rule Base ......... 232
   Testing Identity Based Awareness ......... 235
   Prepare Rule Base for Next Lab ......... 237
Lab 10: Site-to-Site VPN Between Corporate and Branch Office ......... 239
   Define the VPN Domain ......... 240
   Create the VPN Community ......... 248
   Create the VPN Rule and Modifying the Rule Base ......... 251
   Test VPN Connection ......... 254
   VPN Troubleshooting
Preface

Before beginning any labs, you should have been presented with a virtual environment configured in either VMware Workstation or ESX. Each student should have the following machines configured in the environment:
   • A-GUI
   • A-SMS
   • A-GW
   • A-DMZ
   • B-GW
   • B-GUI
These environments are self-contained sandbox configurations, meaning that every student has the same virtual machines to work with, all with identical IP addressing and interface information. Though Internet connectivity is not required for this class, it may be added by your instructor.

Figure — Check Point Security Administration Lab Topology (diagram)

Lab 1: Distributed Installation

Scenario: You are implementing the Check Point Security Gateway in a distributed topology. Install SmartConsole on a Windows machine, and the Gateway and Security Management Server on Gaia machines.

Topics:
   • Installing the Security Management Server
   • Configure Security Management Server
   • Installing Gaia on the Corporate Security Gateway
   • Configuring the Corporate Security Gateway, using the WebUI
   • Installing SmartConsole
   • Launching the SmartDashboard

Installing the Security Management Server

Install the R77.10 Management Server blade on the A-SMS virtual machine. The management server will manage the corporate gateway and a branch gateway installed in a later lab.

1. In VMware, create a new Virtual Machine (VM) using the iso image or DVD provided by your instructor. Verify that this VM is defined as follows:
   • Name: A-SMS
   • OS: Other
   • Version: Other
   • Disk Space: 20GB
   • Memory: 2GB
   • One Interface (eth0)
      • eth0
         • Connect at power on
         • LAN Segment: LAN 2
   Note: Your classroom configuration may be different. Check with your instructor before continuing to the next step.
2.
Before powering on your VM, verify that it is configured as defined above.
3. Power on the A-SMS virtual machine and the Welcome to Check Point Gaia R77.10 screen appears:
   Figure 1 — Welcome to Check Point Gaia R77.10
4. Highlight the option Install Gaia on this system.
5. Press the Enter key within 60 seconds to launch the installation.
6. The system displays the Starting Installation screen:
   Figure 2 — Starting Installation Screen
7. When the system is prepared for you to begin the operating system installation, it displays the Welcome screen:
   Figure 3 — Welcome
8. Tab to Machine Info.
9. Press Enter, and the installation wrapper scans the VM, displaying the details of the system:
   Figure 4 — Hardware Scan Details
10. Use the down arrow to review the hardware information.
11. Tab over to Back, and press Enter.
12. Highlight OK on the Welcome screen.
13. Press Enter, and the system displays the Keyboard Selection screen.
14. Select the keyboard to suit your region.
15. Highlight OK.
16. Press Enter, and the system displays the Partitions Configuration screen:
    Figure 5 — Partitions Configuration
    Note: Review the suggested configuration. In this lab, we will use the default settings.
17. Tab to OK and press Enter. The system displays the Account Configuration screen:
    Figure 6 — Network Interface Configuration
    Note: At this step, you are configuring the password for the "admin" user, the default OS level administrator.
18. Enter and confirm vpn123 as the admin account password.
    Note: Verify that NumLock is on. It is not on by default after installation.
If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
19. Tab to OK and press Enter. The system displays the Management Interface Configuration screen:
    Figure 7 — Management Interface Configuration
20. Use the following information to configure the Network Interface Configuration screen:
    IP Address: 10.1.1.101
    Netmask: 255.255.255.0
    Default Gateway (IP): 10.1.1.1
21. Select OK and press Enter. The system displays the Confirmation screen:
    Figure 8 — Confirmation
22. In the Confirmation screen, select OK and press Enter to proceed.
23. After the drive is formatted and the installation is complete, the system displays the following screen:
    Figure 9 — Installation Complete
    Note: If you used a DVD for installation rather than an iso, you may need to eject your DVD manually before the reboot is complete if the eject does not happen automatically.
24. Press Enter to reboot your system.
25. After reboot, the system displays the following prompt:
    Figure 10 — Login Prompt
26. Attempt to log in using the following credentials:
    Username: admin
    Password: vpn123
27. Press Enter, and the system displays the following message:
    Figure 11 — First Time Wizard Message
    Note: Notice the prompt here. The system generates this prompt for each installation.
Your prompt will appear different to the one shown here.

Configure Security Management Server Using the Gaia Portal

Follow these steps to activate the default trial license. Your instructor will provide alternate directions, if you use other licenses.
1. From the A-GUI virtual machine, launch an Internet browser such as Firefox or Internet Explorer.
2. In the address field, type the following: https://10.1.1.102
   Note: Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. Both the GUI client machine (A-GUI) and the Security Management Server (A-SMS) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor, if you are using a different configuration.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the site. The system displays the login screen:
   Figure 12 — Gaia Portal
5. Log into A-SMS with the following credentials:
   Login: admin
   Password: vpn123
6. Press Enter, and the system displays the following message:
   Figure 13 — Gaia First Time Configuration Wizard
7. Click Next, and the system displays the Deployment Options page:
   Figure 14 — Deployment Options
8. Verify that the following option is selected: Continue with Gaia R77.10 configuration
9.
Click Next, and the system displays the Network Connection window:
   Figure 15 — Network Connection
10. Use the information below to verify that the Security Management Server's network connection is configured properly:
    Interface: eth0
    Configure IPv4: Manually
    IPv4 Address: 10.1.1.101
    Subnet Mask: 255.255.255.0
    Default Gateway: 10.1.1.1
    Configure IPv6: Off
11. Click Next, and the system displays the Device Information page.
12. Use the following information to configure the Device Information page:
    Host Name: A-SMS
    Domain Name: alpha.cp
    Primary DNS Server: 10.1.1.201
    Figure 16 — Device Name Configured
    Note: Check Point prohibits the use of underscores in some object names.
13. Click Next, and the system displays the Date and Time Settings:
    Figure 17 — Date and Time Settings
14. Select the option Use Network Time Protocol (NTP).
15. In the Primary NTP Server field, type 10.1.1.201.
16. Select the correct Time Zone for your location.
17. Click Next, and the system displays the Installation Type window:
    Figure 18 — Network Configuration - Host Name Options
18. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
19. Use the information below to configure the Products window:
    Products: Security Management
    Clustering:
    Define Security Management as: Primary
    Note: Do NOT select the Security Gateway option.
20. Verify that the following option is selected: Automatically download Blade Contracts and other important data
21.
Verify that the Products window is configured as follows:
    Figure 19 — Products Configured
22. Click Next, and the system displays the following:
    Figure 20 — Security Management Administrator
23. Enter cpadmin for the Administrator name and enter and confirm vpn123 as the password.
    Note: In this step you are configuring the Security Administrator for Check Point SmartConsole, the application admin. You can use the same name and password for both the OS admin and the application admin to keep things simple in your classroom configuration.
24. Click Next, and the system displays the Security Management GUI Clients window.
25. Select the following option: This Machine
    Figure 21 — Security Management GUI Clients Configured
26. Click Next, and the system displays the Summary page:
    Figure 22 — Summary
27. Click Finish, and the system prompts you for a response to the following question:
    Figure 23 — First Time Configuration Wizard Message
28. Click Yes, and the system proceeds with the configuration:
    Figure 24 — Summary (Progress)
29. Once complete, it displays a message indicating that the configuration was successful:
    Figure 25 — Message
30.
Click No, and the Web UI displays the configuration settings of the newly configured Security Management Server:
    Figure 26 — Check Point Web UI - Security Management Server Configured

Configuring the Management Server

In this section, you will configure the default gateway and greeting message of the newly installed Security Management Server.
1. Locate the Network Management section of the navigation pane.
2. Click IPv4 Static Routes, and the following page appears:
   Figure 27 — IPv4 Static Routes Configured
3. Verify that the IP address 10.1.1.1 appears as the Gateway in the Default static route.
4. In the toolbar, locate the Search field.
5. Type the following in the Search field, and click the Search icon: Messages
   Figure 28 — Search Results
6. Click Messages, and the system displays the Messages page:
   Figure 29 — Messages
7. In the Banner Message field, replace the default text with the following:
   A-SMS
   Unauthorized access of this server is prohibited and punishable by law.
8. Click the Apply button.
9. In the toolbar, click Sign Out.

Installing the Corporate Security Gateway

In this section you will configure the corporate Security Gateway.
1. In VMware, create a new Virtual Machine (VM) using the iso image provided by your instructor. This VM should be defined as follows:
   • Name: A-GW
   • OS: Other
   • Version: Other
   • Disk Space: 20GB
   • Memory: 1GB
   • Four Interfaces (eth0 through eth3)
      • eth0
         • Connect at power on
         • LAN Segment: LAN 1
      • eth1
         • Connect at power on
         • LAN Segment: LAN 2
      • eth2
         • Connect at power on
         • LAN Segment: LAN 3
      • eth3
         • Uncheck Connect at power on
   Note: Your classroom configuration may be different. Check with your instructor before continuing to the next step.
2. Before powering on your VM, verify that it is configured as defined above.
3. Power on the A-GW virtual machine and the Welcome to Check Point Gaia R77.10 screen appears:
   Figure 30 — Welcome to Check Point Gaia R77.10
4. Highlight the option Install Gaia on this system.
5. Press the Enter key within 60 seconds to launch the installation.
6. When the system is prepared for you to begin the operating system installation, it displays the Welcome screen.
7. Highlight OK.
8. Press Enter, and the system displays the Keyboard Selection screen.
9. Select the keyboard to suit your region.
10. Highlight OK.
11. Press Enter, and the system displays the Partitions Configuration screen.
12. Tab to OK and press Enter. The system displays the Account Configuration screen.
13. Enter and confirm vpn123 as the admin account password.
    Note: Verify that NumLock is on. It is not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system.
14. Highlight OK.
15. Press Enter, and the system displays the Management Port screen.
16. Use the arrow keys to highlight eth1:
    Figure 31 — Management Port Configured
17. Tab to OK.
18. Press Enter, and the system displays the Management Interface Configuration screen:
    Figure 32 — Management Interface Configuration
19. Use the following information to configure the Network Interface Configuration screen:
    IP Address: 10.1.1.1
    Netmask: 255.255.255.0
    Default Gateway (IP): Clear the system defined address and leave blank.
20. Select OK and press Enter. The system displays the Confirmation screen:
    Figure 33 — Confirmation
21.
In the Confirmation screen, select OK and press Enter to proceed.
22. After the drive is formatted and the installation is complete, the system displays the following screen:
    Figure 34 — Installation Complete
    Note: If you used a DVD for installation rather than an iso, you may need to eject your DVD manually before the reboot is complete if the eject does not happen automatically.
23. Press Enter to reboot your system.
24. After reboot, the system displays the following prompt:
    Figure 35 — Login Prompt

Configure Corporate Security Gateway Using the Web UI

Follow these steps to activate the default trial license. Your instructor will provide alternate directions, if you use other licenses.
1. From the A-GUI virtual machine, launch an Internet browser such as Firefox or Internet Explorer.
2. In the address field, type the following: https://10.1.1.1
   Note: Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before you are able to connect. The GUI client machine (A-GUI) and the management interface of the Security Gateway (A-GW) reside on LAN 2, if you are following the recommended classroom topology. Consult your instructor, if you are using a different configuration.
3. Press Enter, and your browser should warn you that the site's Security Certificate is from an untrusted source.
4. Ignore this warning and continue to the login screen.
5. Log into A-GW with the following credentials:
   Login: admin
   Password: vpn123
6. Press Enter, and the system displays the following message:
   Figure 36 — Gaia First Time Configuration Wizard
7. Click Next, and the system displays the Deployment Options:
   Figure 37 — Deployment Options
8. Verify that the following option is selected: Continue with Gaia R77.10 configuration
9. Click Next, and the system displays the Management Connection window:
   Figure 38 — Management Connection
10. Use the information below to verify that the Security Gateway's network connection is configured properly:
    Interface: eth1
    Configure IPv4: Manually
    IPv4 Address: 10.1.1.1
    Subnet Mask: 255.255.255.0
    Default Gateway: Leave Blank
    Configure IPv6: Off
11. Click Next, and the system displays the Connection to UserCenter page:
    Figure 39 — Connection to UserCenter
12. Click Next, and the system displays the Device Information page.
13. Use the following information to configure the Device Information page:
    Host Name: A-GW
    Domain Name: alpha.cp
    Primary DNS Server: 10.1.1.201
    Figure 40 — Device Information
14. Click Next, and the system displays the Date and Time Settings:
    Figure 41 — Date and Time Settings
15. Select the option Use Network Time Protocol (NTP).
16. In the Primary NTP Server field, type 10.1.1.201.
17. Select the correct Time Zone for your location.
18.
Click Next, and the system displays the Installation Type window:
    Figure 42 — Network Configuration - Host Name Options
19. Select Security Gateway or Security Management, and click Next. The system displays the Products window.
20. Use the information below to configure the Products window:
    Products: Security Gateway
    Clustering: Leave Unchecked
    Note: Do NOT select the Security Management option.
21. Verify that the following option is selected: Automatically download Blade Contracts and other important data
22. Verify that the Products window is configured as follows:
    Figure 43 — Products Configured
23. Click Next, and the system displays the following:
    Figure 44 — Dynamically Assigned IP
24. Verify that No is selected.
25. Click Next, and the system displays the Secure Internal Communications (SIC) window:
    Figure 45 — Secure Internal Communications (SIC)
26. Enter and confirm abc123 as the Activation Key.
27. Click Next, and the system displays the Summary window:
    Figure 46 — Summary
28. Click Finish, and the system asks you if you want to start the configuration process.
29. Click Yes.
30. Once the configuration process is complete, the system notifies you with a message.
    Figure 47 — Check Point Configuration Wizard
31. Click OK. The system continues with the installation and reboots.
32.
At the login window, after the reboot, log into the system with the following credentials:
    Username: admin
    Password: vpn123
33. After logging in, the system displays the following question:
    Figure 48 — Help Check Point Improve Software Updates
34. Click No, and the Gaia Portal displays the configuration settings of the newly configured Security Gateway:
    Figure 49 — Check Point Web UI - Security Gateway

Configuring the Corporate Security Gateway

1. In the navigation pane of the Gaia Portal, identify the Network Management section.
2. Click Network Interfaces, and the system displays the Interfaces page:
   Figure 50 — Interfaces
   Note: Notice how only eth1 is configured. This is your Management Interface. In this lab, this also represents your internal network.
3. Select eth1, and click Edit. The system displays the Caution message:
   Figure 51 — Caution Message
4. Click OK, and the system displays the Edit window:
   Figure 52 — Edit eth1
5. In the comment field, type: Internal
6. Click OK, and the system saves the new eth1 configuration.
7. Double-click eth0, and the system displays the Edit window.
8. Use the information below to configure eth0:
   Enable: Checked
   Comment: External
   IPv4 Address: 172.21.101.1
   Subnet Mask: 255.0.0.0
9. Click OK.
10. Double-click eth2, and the system displays the Edit window.
11. Use the information below to configure eth2:
    Enable: Checked
    Comment: DMZ
    IPv4 Address: 192.0.2.1
    Subnet Mask: 255.255.255.0
12. Click OK, to return to the Interfaces page.
13. Verify that your interfaces appear as follows:
    Figure 53 — Interfaces Configured
    Note: Notice that we did not configure eth3.
It is not used in this course and should, therefore, remain disabled (down).
14. In the navigation pane, click IPv4 Static Routes:
    Figure 54 — IPv4 Static Routes
15. Double-click the Default route, and the system displays the Edit Destination Route window:
    Figure 55 — Edit Destination Route: Default
16. In the Add Gateway section, click the Add Gateway button.
17. Select IP Address, and the Add IP Address Gateway window appears:
    Figure 56 — Add IP Address Gateway
18. In the IPv4 Address field, add the following: 172.22.102.1
19. Click OK, and the system adds the new gateway to the Default Route list:
    Figure 57 — Edit Destination Route
20. Click the Save button, and verify that the newly configured default route appears as follows:
    Figure 58 — IPv4 Static Routes
21. In the navigation pane, locate the System Management section.
22. Click Messages, and the system displays the Messages page:
    Figure 59 — Messages
23. In the Banner Message field add the following text before the default message:
    A-GW
    Unauthorized access of this server is prohibited and punishable by law.
24. Click the Apply button.
25. In the toolbar, click Sign Out.

Installing SmartConsole

In this section, you will install SmartConsole on the A-GUI virtual machine.
1. From A-GUI, use HTTPS to connect to the A-SMS (10.1.1.101).
2. On the overview page, click the Download Now button to download the SmartConsole exe:
   Figure 60 — Download Now Button
3. Double-click the downloaded SmartConsole .exe file.
The Welcome screen displays:
   Figure 61 — Welcome
4. Click Next, and the system displays the License Agreement:
   Figure 62 — Check Point License Agreement
5. Select the I accept... option to accept the terms of the license before continuing.
6. Click Next and the following window appears:
   Figure 63 — Destination Folder
7. Click Next, and the system displays the SmartConsole window:
   Figure 64 — Installation Type
8. Verify that the Full option is selected.
9. Click Install, and the system displays the Thank You window:
   Figure 65 — Thank You
10. Uncheck the Launch SmartDashboard... option.
11. Click the Finish button, to complete the SmartConsole installation.

Launch SmartDashboard

Launch SmartDashboard to verify that SmartConsole is installed and can connect to the Security Management Server.
1. From the Start menu, click All Programs > Check Point SmartConsole R77.10 > SmartDashboard and the system displays the login window:
   Figure 66 — SmartDashboard Login
2. Use the following information to configure the login window:
   User Name: cpadmin
   Password: vpn123
   Server name or IP address: 10.1.1.101
3. Click the Login button, and the system displays the fingerprint:
   Figure 67 — Fingerprint
4. Click the Approve button, to approve the fingerprint.
5.
If you are using the built-in software trial period, a notification screen showing the days left of the trial period will appear:
   Figure 68 — Check Point Trial Period Screen
6. Check the box Do not show this again.
7. Click OK and SmartDashboard R77.10 displays the Firewall blade Overview:
   Figure 69 — SmartDashboard R77.10 Overview

END OF LAB

Lab 2: Branch Office Security Gateway Installation

Scenario: You are implementing the Check Point Security Gateway at a branch office. To do this, you decide to install only the Security Gateway at the remote site and manage it from the existing Management Server at the corporate headquarters.

Topics:
   • Installing Gaia on the Branch Gateway
   • Configuring the Branch Gateway via the Gaia Portal

Install SecurePlatform on the Branch Gateway

Follow these instructions to install the Gaia OS.
1. In VMware, create a new Virtual Machine (VM) using the iso image or DVD provided by your instructor. Verify that the VM is defined as follows:
   • Name: B-GW
   • OS: Other
   • Version: Other
   • Disk Space: 20GB
   • Memory: 1GB
   • Two Interfaces (eth0 and eth1)
      • eth0
         • Connect at power on
         • LAN Segment: LAN 1
      • eth1
         • Connect at power on
         • LAN Segment: LAN 4
   Note: Your classroom configuration may be different. Check with your instructor before continuing to the next step.
2. Before powering on your VM, verify that it is configured as defined above.
3. Power on the B-GW virtual machine and the Welcome to Check Point Gaia R77.10 screen appears:
   Figure 70 — Welcome to Check Point Gaia R77.10
4. Highlight the option Install Gaia on this system.
5.
Press the Enter key within 60 seconds to launch the installation, When the system is prepared for you to begin the operating system installation, it displays the Welcome screen. 7. Highlight OK. 8. Press Enter, and the system displays the Keyboard Selection screen 9. Select the keyboard to suit your region, 10. Highlight OK. 11. Press Enter, and the system displays the Partitions Configuration screen Lab Manual ua Lab 2: Branch Office Security Gateway Installation 12. Tab to OK and press Enter. The system displays the Account Configuration screen. Note: Again, at this step, you are configuring the password for the “admin” user, the default OS level administrator. 13. Enter and confirm vpn123 as the admin account password. Note: Verify that NumLock is on. Itis not on by default after installation. If you haven't already turned it on, do so now and re-enter and confirm your password. If you enter this password without turning NumLock on, you will not be able to log into the system. 14. Highlight OK. 15. Press Enter, and the system displays the Management Port screen. 16. Use the arrow keys to highlight eth Peete earners Sorat ent Figure 71 — Management Port Configured 17. Tab to OK. RD Check Point Security Administration Install SecurePlatform on the Branch Gateway 18. Press Enter, and the system displays the Management Interface Configuration sereen: rca Peete eee Figure 72 — Management interface Configuration 19. Use the following information to configure the Network Interface Configuration screen IP Address: 10.2.2.1 ‘Netmask: 255.255.255.0 Default Gateway (IP): Clear the default IP address and leave blank. Lab 2: Branch Office Security Gateway Installation 20. Select OK and press Enter. The system displays the Confirmation screen: Persea omar icra Pai eeteeri were tect fee ee eee Figure 73 — Confirmation 21. In the Confirmation screen, select OK and press Enter to proceed. 
4 Check Point Security Administration Install SecurePlatform on the Branch Gateway 22, After the drive is formatted and the installation is complete, the system displays the following screen: Pcearats Leipetetyeee Figure 74 — Installation Complete Note: If you used a DVD for installation rather than an iso, you may need to eject your DVD manually before the reboot is complete if the eject does not happen automatically. 23. Press Enter to reboot your system. 24, After reboot, the system displays the following prompt: Figure 75 — Login Prompt Lab Manual 75 Lab 2: Branch Office Security Gateway Installation Configure Branch Office Security Gateway with the First Time Configuration Wizard Follow these steps to activate the default trial license. Your instructor will provide alternate directions, if you use other licenses. 1. From the B-GUI Virtual Machine, launch an Internet browser, such as Firefox or Internet Explorer. 2. Inthe address field, there the following: hetps://10.2.2.1 Note: Be sure that you are using HTTPS. You may also need to verify that the LANs in VMware are configured properly before youare able to connect. Both the GUI client machine (B-GUI) and the Security Gateway and Security Management Server (B-GW) reside on LAN 4, if you are following the recommended classroom topology. Consult your instructor, if you are using a different configuration. 3. Press Enter, and your browser should war you that the site’s Security Certificate is from an untrusted source. 4, Ignore this warning and continue to the login screen, 5, Log into B-GW with the following credentials: Login: admin Password: ypni23 6 ‘Check Point Security Administration : | : : | j | | | Configure Branch Office Security Gateway with the First Time Configuration Wizard 6. 
Press Enter, and the system displays the following message: Gaia First Time Configuration Wizard ‘oxi juts i lps say Eo sng your new Gan syst | | vetoes | | ehtishamargns vmware Figure 76 — Gaia First Time Configuration Wizard ‘Lab Manual Lab 2: Branch Office Security Gateway Installation 7. Click Next, and the system displays the Deployment Options page: i © Check Point: Gaia [EB}check Point 5 Deployment Options Serre 19 Cvoe wn e7 cntmeen la en chek Pt battens en Q metennnn inst es Figure 77’ —Deployment Options 8. Verify that the following option is selected: Continue with Gaia R77.10 configuration B ‘Check Point Security Administration Configure Branch Office Security Gateway with the First Time Configuration Wizard 9. Click Next, and the system displays Management Connection page: conane re [ait B 10. Use the information below to verify that the Security Gateway’s network connection is configured properly: Interface: eth Configure 1Pv4: Manually IPv4 Address: 10.2.2.1 Subnet Mask: 255.255.255.0 Default Gateway: Leave Blank Configure IPv6: Off Lab 2: Branch Office Security Gateway Installation 11. Click Next, and the system displays the Connection to UserCenter page: ‘Check Point- Gaiz Figure 79 — Connection to UserGenter 12. Click Next, and the system displays the Device Information page. 13. Use the following information to configure the Device Information page: Host Name: B-GW Domain Name: Leave Blank ee 80 ‘Check Point Security Administration ‘Configure Branch Office Security Gateway with the First Time Configuration Wizard 14. Click Next, and the system displays the Date and time Settings: Check Point: Gaia inne Set (@ setmenme te [Fie The [eh | i i a Figure 80 — Date and Time Settings 15. Select the option Use Network Time Protocol (NTP). 16. In the Primary NTP Server field, type 10.2.2.201. 17. Select the correct Time Zone for your location, Lab Manual 81 Lab 2: Branch Office Security Gateway Installation 18. 
Click Next, and the system displays the Installation Type window: (@ SoorySayaye Sooty nape Ota Domi sin Network Configuration - Host Name Options. Figure 81 19. Select Security Gateway or Security Management, and click Next. The system displays the Products window. 20. Use the information below to configure the Products window: Products: Security Gateway Clustering: Leave Unchecked 2 ‘Check Point Security Administration Configure Branch Office Security Gateway with the 21. Verify that the Products window is configured as follows: Check Point: Gaiar Biicheek Poinr (Bloor ever ‘ [ser tae i (iunteerscatecantge [Bini Jy) 5 eon Be att nso ara hy meme) to ee | Adon Figure 82 — Products Configured Lab Manual Time Configuration Wizard Lab 2: Branch Office Security Gateway Installation 22. Click Next, and the system displays the following: Figure 83 — Dynamically Assigned (P 23. Verify that No is selected. 84 Check Point Security Administration Configure Branch Office Security Gateway with the Configur: rst Time ion Wizard 24. Click Next, and the system displays the Secure Internal Communications (SIC) window: Figure 84 — Secure Internal Communications (SIC) 25. Enter and confirm vpn123 as the Activation Key. Lab Manual Lab 2: Branch Office Security Gateway Installation 26. Click Next, and the system displays the Summary window: Figure 85 — Summary 27. Click Finish, and the system asks you if you want to start the configuration. 28. Click Yes. 29. Once the configuration process is complete, the system notifies you with a message. 30. Click OK. 31. After successful login, the system displays the following question: Figure 86 — Help Check Point Improve Software Updates 32. Click No, and the Web UI displays the configuration settings of the newly configured Security Gateway. 
Use the Gaia Portal to Configure the Branch Office Security Gateway

Define the interfaces and login message for the branch office gateway.

1. Review the system's Overview page:

Figure 87 — Check Point Web UI - Security Gateway

2. In the navigation pane of the Gaia Portal, identify the Network Management section.

3. Click Network Interfaces, and the system displays the Interfaces page:

Figure 88 — Interfaces

Note: Notice how only eth1 is configured. This is your Management Interface. In this lab, this also represents your internal network.

4. Select eth1, and click Edit. The system displays the Caution message.

5. Click OK, and the system displays the Edit window:

Figure 89 — Edit eth1

6. In the Comment field, type: Internal

7. Click OK, and the system saves the new eth1 configuration.

8. Double-click eth0, and the system displays the Edit window.

9. Use the information below to configure eth0:

   Enable: Checked
   Comment: External
   IPv4 Address: 172.22.102.1
   Subnet Mask: 255.0.0.0

10. Verify that the newly configured eth0 appears as follows:

Figure 90 — Edit eth0

11. Click OK to return to the Interfaces page.

12. Verify that your interfaces appear as follows:

Figure 91 — Interfaces Configured

13. In the Management Interface section of the page, notice that the current Management Interface is set to eth1.

Note: Since we are going to manage this remote Security Gateway from the Alpha site, you need to change the Management Interface to the external interface.

14. Click the Set Management Interface button.

15. Select eth0 as the Management Interface:

Figure 92 — Management Interface

16. Click OK, and the system asks you to confirm the management interface change:

Figure 93 — Caution

17. Click OK, and verify that the system displays eth0 as the Management Interface:

Figure 94 — Management Interface Configured

18. In the navigation pane, click IPv4 Static Routes.

19. Double-click the Default route, and the system displays the Edit Destination Route window:

Figure 95 — Edit Destination Route: Default

20. In the Add Gateway section, click the Add Gateway button.

21. Select IP Address, and the Add IP Address Gateway window appears:

Figure 96 — Add IP Address Gateway

22. In the IPv4 Address field, add the following: 172.21.101.1

23. Click OK, and the system adds the new gateway to the Default Route list:

Figure 97 — Edit Destination Route

24. Click the Save button, and verify that the newly configured default route appears as follows:

Figure 98 — IPv4 Static Routes

25. In the navigation pane, locate the System Management section.

26. Click Messages, and the system displays the Messages page:

Figure 99 — Messages

27. In the Banner Message field, add the following text before the default message:

   B-GW Unauthorized access of this server is prohibited and punishable by law.

28. Click the Apply button.

29. From the toolbar, click Sign Out.

END OF LAB

Lab 3: CLI Tools

Scenario: Learn commands to perform basic operations via the command line on the Security Gateway. This lab will cover basic administrative tools, including those in the Command Line Interface (CLI).

Topics:
• Setting Expert Password
• Applying Other Useful Commands
• Adding and Deleting Administrators via the CLI
• Performing backup and restore

Working in Expert Mode

Gaia has two modes. In order to run some CLI commands, you must be in expert mode.

1. Log into Gaia on the corporate gateway virtual machine (A-GW).

2. Then, from the CLI, type the following and press Enter:

   set expert-password

3. When prompted to enter a new password for expert mode, type and confirm the following: vpn123

4. At the prompt, type the following and press Enter:

   save config

5. At the prompt, type the following:

   expert

6. Press Enter, and the system prompts you for the newly configured Expert mode password.

7. Type the following, and press Enter: vpn123

8. Once in expert mode, you are in a separate shell. Notice the difference in the prompt when you are logged into expert mode:

Figure 100 — Expert Mode

9. Type exit and press Enter, so that you are at the CLISH prompt.

Note: To exit to the login prompt, you would type exit again.

10. From the CLI, run the following command:

   tcpdump -nni eth1

11. Press Enter, and the system displays the following message:

Figure 101 — Invalid Command

12. Enter expert mode.

13. From the expert shell, run the following command and press Enter:

   tcpdump -nni eth1

Figure 102 — tcpdump

Note: This runs a packet sniff on eth1.

14. Type Control-C to stop:

Figure 103 — tcpdump Stopped

Note: More commands worth noting are shutdown and reboot.

15. Type exit and press Enter, so that you are in CLISH again.

Applying Useful Commands

There are many commands commonly used in troubleshooting on the gateway. Commands to try are those beginning with fw.

1. Type the following command at the prompt, and press Enter. This displays the name of the Security Policy installed on the gateway:

   fw stat

Figure 104 — fw stat

2. Type the following command at the prompt, and press Enter. This unloads the current Security Policy and implements the default policy:

   fw unloadlocal

Figure 105 — fw unloadlocal

3. Type the following command at the prompt, and press Enter:

   fw stat

Figure 106 — fw stat

4. Type the following command and press Enter at the prompt, to display the gateway version:

   fw ver

Note: For more information about each command, from the prompt type the command name followed by --help. For example, fw --help.

5. Type the following command and press Enter, to display the system interfaces:

   show interfaces

Figure 107 — show interfaces

6. Type the following command and press Enter, to display information on eth0:

   show interface eth0

Figure 108 — show interface eth0

7. Type the following command and press Enter, to display route information:

   show route

Figure 109 — show route

8. Type the following command and press Enter, to display the routing table:

   netstat -rn

Figure 110 — netstat -rn

9. Type the following command and press Enter:

   netstat -an

Figure 111 — netstat -an

10. Type the following command and press Enter, to display interface information:

   fw getifs

Figure 112 — fw getifs

Note: Using the Support Center or the Help files, take some time later to look up common cp commands. For example, the cpstop and cpstart commands stop or start the services running on the gateway.

Add and Delete Administrators via the CLI

CLISH supports multiple administrators to the regular shell. This is important for audit purposes. In the following steps, you will create user "sam" with password "vpn123".

1. From the CLISH prompt, type the following command and press Enter:

   add user sam uid 200 homedir /home/sam

Figure 113 — Add User

2. Type the following command and press Enter, to set the user's password:

   set user sam newpass vpn123

Note: When adding users in CLISH, you must assign a permissions profile in addition to the password. Since in this example we do not have any permission profiles defined, we are not going to do this step.

3. Type the following command and press Enter, to set the user's role:

   add rba user sam roles adminRole

4. To show all users, type:

   show users

Figure 114 — show users

5. To delete the administrator, type the following command and press Enter:

   delete user sam

Figure 115 — delete user

6. To show all users, type:

   show users

Figure 116 — show users

7. Verify that sam is no longer in the list of configured users.

Perform backup and restore

1. From the CLISH prompt, type the following command and press Enter:

   add backup local

Figure 117 — Add Backup

2. At the prompt, type the following command and press Enter:

   show backup status

Figure 118 — Show Backup Status

3. Type expert and enter vpn123, to enter Expert mode.

4. To navigate to the backup files, type the following in Expert mode and press Enter:

   cd /var/CPbackup/backups

5. Next, type the following and press Enter:

   ls -lh

Figure 119 — ls -lh

Note: You will notice your backup file in this directory. This is the default directory for backups if you do not specify a location.

6. Exit Expert mode.

7. In CLISH, type the following command:

   set backup restore local

Note: When you press Tab, the system auto-completes the command by adding the name of the backup file. You may need to press Tab twice.

8. Press Enter, and the system displays a message telling you to reboot after the restore completes:

Figure 120 — Restore Complete

9. After a few minutes, type the following command and press Enter:

   show backup status

Figure 121 — show backup status

Note: You can ignore errors relating to down services that have not yet been started.

10. Once you confirm that the process is complete, type reboot.

11. Press Enter, and the system displays the following message:

Figure 122 — System Message

12. Type y, and press Enter.

13. Confirm reboot.

END OF LAB

Lab 4: Building a Security Policy

Scenario: You will create a Security Policy by developing a Rule Base, or modify an existing one using newly created network objects and headers, and understand how to apply global properties.
Topics:
• Creating Security Gateway Object
• Creating GUI Client Object
• Creating Rules for Corporate Gateway
• Saving the Policy
• Installing the Policy
• Testing the Corporate Policy
• Creating the Remote Security Gateway Object
• Creating a New Policy for the Branch Office
• Combining Policies

Create Security Gateway Object

A Security Policy is made up of Security Gateway settings, and explicitly and implicitly defined rules. Each rule is made up of objects and actions that define how the Gateway treats each connection. To define a Security Policy, you must first define the objects that represent your current network topology.

1. From the A-GUI Virtual Machine, open SmartDashboard:

Figure 123 — SmartDashboard

2. Review the SmartDashboard Overview page and notice that in the My Organization section, no Security Gateways are displayed.

3. From the Objects tree in the bottom-left of SmartDashboard, right-click Check Point and choose the option Security Gateway/Management...

Figure 124 — SmartDashboard - Network Objects - Check Point Menus

4. The system displays the creation dialog window.

5. Select the option Don't show this again.

6. Click the Classic mode button, and the system displays the following:

Figure 126 — General Properties

7. Use the information below to configure the Gateway object:

   Name: A-GW
   IP Address: 172.21.101.1
   Comment: Alpha Security Gateway
   OS: Gaia
   Check Point Products: Firewall, Monitoring

8. Click the Color drop-down menu.

9. Select Manage, and the system displays the Color Manager:

Figure 127 — Color Manager

10. Click the Add button.

11. From the Color drop-down, select the dark red option (Firebrick), and the system displays the following:

Figure 128 — Add Color

12. Click OK, and the system adds the new color to the color list.

13. Click OK to close the Color Manager.

14. Now you can select Firebrick from the Color drop-down list on the object's General Properties screen.

15. Verify that the object is configured as follows:

Figure 129 — General Properties Configured

16. From the General Properties page of the gateway object, click the Communication button. The system displays the following:

Figure 130 — Trusted Communication

17. Enter and confirm the Activation Key entered on the Security Gateway during setup (abc123).

18. Click Initialize, and the system verifies the communication state:

Figure 131 — Establish SIC with A-GW

19. Click OK, and the system displays the interface information retrieved from the newly configured gateway.

20. Click Close, and the imported topology information is associated with the gateway object.

21. Select Topology in the left-hand panel of the Security Gateway object.

22. Verify that the interface information appears as follows:

Figure 133 — Topology Configured

Note: Anti-spoofing is enabled by default when choosing the Get Interfaces with Topology option.

23. Click OK to close the Security Gateway object.

24. Review the Overview page again. Has anything changed? The My Organization section should now display the newly configured Security Gateway (A-GW):

Figure 134 — SmartDashboard - Security Gateway Added

Create GUI Client Object

1. From the Objects tree in the SmartDashboard, right-click Nodes and select Node > Host. The system displays the following:

Figure 135 — Host Node

Note: In SmartDashboard, objects and policy names cannot contain spaces.

2. In the General Properties page of the object, enter the following information:

   Name: A-GUI
   Color: Blue
   IP Address: 10.1.1.201
   Comment: Alpha GUI Client

Figure 136 — A-GUI

3. Click OK to save the object and return to the SmartDashboard Overview page.

Create Rules for Corporate Gateway

1. Right-click Networks and choose Network.

2. Use the following information to configure the Network object:

   Name: Alpha-Internal
   Comment: Alpha Internal Network
   Network Address: 10.1.1.0
   Net Mask: 255.255.255.0

Figure 137 — Internal Corporate Network

3. Click OK.

4. In the navigation pane (top left), click Policy to view the blank Security Policy:

Figure 138 — Security Policy

5. From the main menu, click the Launch Menu icon.

6. Select Rules > Add Rule > Top, or click on the Add Rule at the Top icon on the toolbar, to add a rule into the Rule Base:

Figure 139 — Default Rule

7. Name this rule CleanUp by right-clicking in the Name field and selecting Edit, or double-click the Name cell in the rule.

8. Right-click in the Track column and select Log.

Figure 140 — CleanUp Rule

9. Add a new rule above the newly configured CleanUp Rule.

Note: To insert a new rule, right-click on a rule number, and select Add Rule, then Above or Below, or use the Add Rule icons from the toolbar. In addition, you can add any object to a rule base by dragging and dropping from the objects list pane or from another rule.

10. Name the new rule Management.

11. In the Source column, click the + icon, and the system displays the object picker:

Figure 141 — Object Picker

12. Use the Object Picker to add A-GUI and A-SMS to the Source field.

13. Use the information below to complete the configuration of the Management Rule:

   Destination: A-GW
   Service: SSH, HTTPS
   Action: Accept
   Track: Log

Figure 142 — Management Rule

Note: When modifying any of the cells within a rule, right-click in the cell for specific options. For example, in the Service column, selecting Add Objects will bring up a selection box (or click the plus sign in the cell). To locate the service you want, begin typing the name of the service, and the scroll bar will move to that point in the list.

14. Add the Stealth rule to the Rule Base above the Clean-up rule:

   Name: Stealth
   Source: Any
   Destination: A-GW
   Service: Any
   Action: Drop
   Track: Log

Figure 143 — Stealth Rule

15. Add the Internal Traffic rule to the Rule Base above the Clean-up rule:

   Name: Internal Traffic
   Source: Alpha-Internal
   Destination: Any
   Service: Any
   Action: Accept
   Track: Log

Figure 144 — Internal Traffic Rule

16. To allow ICMP traffic so you can ping to test connectivity on your network, click on the Launch Menu icon.

17. Select Policy > Global Properties.

18. In the FireWall Implied Rules page, check Accept ICMP requests and select First from the drop-down box.

19. In the Track section, check Log Implied Rules:

Figure 145 — Global Properties

20. Click OK.

Save the Policy

1. From the Launch Menu, click File > Save As.

2. Type Alpha_Standard in the Name field of the Save Policy Package As window:

Figure 146 — Save Policy Package As

Note: Remember, no spaces in Policy or object names.

3. Click Save. Confirm that the name of the Policy Package is displayed at the top of the screen:

Figure 147 — New Policy Package Name

Install the Policy

1. Push policy by clicking on the Install Policy icon in the toolbar, or click Policy > Install from the Launch Menu. The system displays the following:

Figure 148 — Install Policy

2. Note the A-GW object is selected as a target.

3. Click the down arrow next to Advanced to see more options.

Figure 149 — Install Policy - Advanced Configured

Note: It is best practice to always use database revision control.

5. Name the revision Basic Policy and comment as desired.

6. Click OK, and the system displays the following:

Figure 150 — Check Point SmartDashboard

7. Click OK, and the policy installation begins automatically.

Figure 151 — Basic Policy Revision Creation

8. Click Close when complete.

Test the Corporate Policy

1. Open a browser on the A-GUI, and access the WebUI of the corporate Security Gateway by typing https://10.1.1.1. Verify you have connectivity when the browser displays the login screen:

Figure 152 — Gaia Portal Login

Note: Do NOT log in here! You are simply testing access. If you see the login screen, you have successfully completed this portion of the lab.

Create the Remote Security Gateway Object

In SmartDashboard, define a Security Gateway object for the branch office, Bravo.

1. In the Network Security tab of SmartDashboard, highlight Network Objects in the objects tree pane.

2. Right-click Check Point and select Security Gateway/Management.

3. Use the information below to configure a gateway object for the branch office:

   Name: B-GW
   Color: Firebrick
   IP Address: 172.22.102.1
   Comment: Bravo Security Gateway (Branch Location)
   Check Point Products: Firewall

4. Verify that the Security Gateway object is configured as follows:

Figure 153 — Gateway Properties

Establish SIC with the Remote Office

1. Click the Communication button and enter the Activation Key (abc123).

2. Click Initialize:

Figure 154 — Trusted Communication

3. Once trust is established, click OK. The system displays the interface information retrieved from the newly configured Security Gateway:

Figure 155 — Get Topology Results

4. Click Close.

5. Select Topology from the left-hand pane.

6. To confirm anti-spoofing settings, double-click the external interface.

7. From the Topology tab of the Interface Properties window, verify that this interface is set to External.

8. Confirm that Perform Anti-Spoofing based on interface topology is checked:

Figure 157 — External Anti-Spoofing

9. Click OK.

10. Double-click the internal interface.

11. In the Topology tab, verify that this interface is set to Internal and the option Network defined by the interface IP and Net Mask is selected.

12. Verify that the option Perform Anti-Spoofing based on interface topology is checked:

Figure 158 — Internal Anti-Spoofing

13. Click OK.

14. Click OK again to save the object.

Create a New Policy for the Branch Office

1. Click on the Launch Menu icon.

2. Select File > New, and the system displays the following message:

Figure 159 — Check Point SmartDashboard

3. Click Cancel to clear the message.

4. Click the Save button.

5. Now that the policy is saved, from the Launch Menu, select File > New, and the system displays the New Policy Package window:

Figure 160 — New Policy Package

6. Enter Bravo_Standard as the name of the branch office gateway policy.

7. In the Include the following Policy types section, select the options Firewall, Address Translation and Application & URL Filtering:

Figure 161 — New Policy Package

8. Click OK, and a blank Rule Base displays with the new package name shown at the top of the screen:

Figure 162 — Bravo_Standard

9. Create an object for the Bravo site's internal network, using the information below:

   Name: Bravo-Internal
   Comment: Internal Network at Bravo
   Network Address: 10.2.2.0
   Net Mask: 255.255.255.0
   Broadcast address: Included

Figure 163 — Network Properties

10. Create a similar Rule Base as you did for the corporate Security Gateway:

   Name              Source          Destination   Service      Action   Track
   Management        A-SMS, A-GUI    B-GW          SSH, HTTPS   Accept   Log
   Stealth           Any             B-GW          Any          Drop     Log
   Internal Traffic  Bravo-Internal  Any           Any          Accept   Log
   Cleanup           Any             Any           Any          Drop     Log

Note: One way to quickly create a new policy is to copy and paste previously created rules and modify them as shown above.

11. Verify your Rule Base resembles the following:

Figure 164 — Branch Office Rule Base

Note: The global properties for ICMP are already enforced.

12. From the Launch Menu, select File > Save to save this Policy Package.

13. Click the Install Policy icon in the toolbar, or click Policy > Install from the Launch Menu.

14. Uncheck the A-GW installation target in the Install Policy window, so that this Policy does not install on your corporate Security Gateway.

15. Create a policy revision package for the database.

Figure 165 — Basic Branch Policy

16. Click OK.

17. Once the system indicates successful policy installation, test the Security Policy on the branch office gateway. From A-GUI, open a browser and attempt to connect to 172.22.102.1 with HTTPS.

Combine and Organize Security Policies

1. From SmartDashboard, with the branch office policy (Bravo_Standard) open, select Rule 1, then hold down the Shift key and click Rule 4 to highlight all the rules in the Policy.

2. From the Launch Menu, click Edit > Copy, then switch to your corporate gateway Policy (File > Open > Alpha_Standard).

3. With the corporate Policy open, highlight the last rule.

4. Click the Launch Menu icon, then select Edit > Paste Rule > Below:

Figure 166 — Copy/Paste Rules

Note: You can also right-click on the last rule and click Paste > Below.

5. Note that you have duplicate rules in the Rule Base:

Figure 167 — Duplicate Rules

6. Delete the duplicate CleanUp rule:

Figure 168 — CleanUp Rules

Note: Which duplicate rule should you eliminate? Well, think about where the rules appear. You should not have a CleanUp rule in the middle of the Rule Base.

7. Now make sure that the Stealth rule at the top has both Security Gateway objects.

8. Delete the second Stealth rule.

9. Edit the Management rule at the top of the Rule Base and add the missing gateway object to the Destination field.

10. Delete the second Management rule.

11. Rename the Internal Traffic rule for each gateway to Alpha Outgoing and Bravo Outgoing.

12. In the Install On column of the Rule Base, designate A-GW as the target for the Alpha Outgoing rule and B-GW as the target for the Bravo Outgoing rule.

Figure 169 — Outgoing Rules

13. Add a new rule to the Rule Base above the Cleanup rule as follows:

   Name: Alpha Incoming
   Source: Any
   Destination: Alpha-Internal
   Service: FTP
   Action: Accept
   Track: Log
   Install On: A-GW

Figure 170 — Alpha Incoming Traffic

14. Add a new rule to the Rule Base above the Cleanup rule as follows:

   Name: Bravo Incoming
   Source: Any
   Destination: Bravo-Internal
   Service: HTTP
   Action: Accept
   Track: Log
   Install On: B-GW

Figure 171 — Bravo Incoming Traffic

Note: Remember, you can drag objects between rules, and even re-order rules by dragging the rules themselves. Click the rule number to drag a rule to another location.

15. Add the following rule above the Management Rule:

   Name: NetBIOS
   Source: Any
   Destination: Any
   Service: udp-high-ports, bootp, NBT, rip
   Action: Drop
   Track: None
   Install On: Policy Targets

Figure 172 — NetBIOS Rule

16. Right-click rule 1, and select Add Section Title > Above.

17. In the Header box, type the name Management Rules.

18. Click OK.
19. Create another section title called Site Traffic Rules above the incoming and outgoing traffic rules.
20. Create another section title called Check Point Best Practice above the CleanUp rule.
21. Save your Policy and create a policy called Comprehensive Standard.
22. Install the Security Policy on both Security Gateways:
Figure 175 — Install Policy
23. Click OK to begin installation of the policy on both gateways.
24. When warned that a gateway has a different policy installed and will be overwritten, click Yes to continue with the installation.
25. Click Close.
26. Test your Policy by opening an FTP session and transferring a file in Binary mode from the B-GUI virtual machine to A-GUI (10.1.1.201).
Note: Before proceeding, it is recommended that you save this package version of the Security Policy. Consider doing this whenever committing any change in the Policy, even if not explicitly instructed. You can always go back to this policy version at a later time.
27. Now, verify the status of the installed policies on both gateways. Locate the Policy Installation Status link at the bottom of the page:
Figure 177 — Policy Installation Status
28. Click the link, and the system displays the following:
Figure 178 — Policy Installation Status
29. Review the targets listed and identify the following information:
   * Policy Package
   * Policy Status
   * Status Details
30. Click Close.
END OF LAB

Lab 5: Configure the DMZ
Scenario: In this exercise, you will build a DMZ network and set up a rule to allow traffic to a server on the DMZ. Configure access to the DMZ on the Security Gateway and configure the Security Policy to permit traffic to DMZ resources.
Topics:
   * Creating DMZ Objects in SmartDashboard
   * Creating DMZ Access Rule
   * Testing the Policy

Create DMZ Objects in SmartDashboard
31. From SmartDashboard, right-click Nodes, then select Node > Host.
32. Use the following information to configure the Host Node object:
   Name:        A-DMZ
   IP Address:  192.0.2.10
   Comment:     Web, Mail, and FTP Server
33. Click OK.
34. Right-click Networks, and select Network.
35. Enter the following information for the internal DMZ network:
   Name:             Alpha-DMZ
   Network Address:  192.0.2.0
   Net Mask:         255.255.255.0
   Comment:          De-militarized Zone Network
Figure 180 — DMZ Network Object
36. Click OK.

Create DMZ Access Rule
1. Right-click the Alpha Incoming Traffic Rule, and select Add Rule > Below.
2. Use the following information to modify the rule:
   Name:         Web Traffic - DMZ
   Source:       Any
   Destination:  Alpha-DMZ
   Service:      HTTP, HTTP_and_HTTPS_Proxy
   Action:       Accept
   Track:        Log
   Install On:   A-GW
Figure 181 — Web Rule
4. Install the Policy.
5. Start the A-DMZ virtual machine.

Test the Policy
From B-GUI, open a browser to the following location: http://192.0.2.10
Verify that a Web page displays with the Web server's background image.
Figure 182 — Alpha DMZ Web Server
END OF LAB

Lab 6: Monitoring with SmartView Tracker
Scenario: In this lab, you will track the connections from the previous labs using SmartView Tracker and look at different ways of querying data. In addition, you will learn how to configure SmartView Monitor to view historical traffic; these steps are easily applied to viewing real-time traffic.
Topics
   * Launching SmartView Tracker
   * Tracking by Source and Destination
   * Modifying the Gateway to Activate SmartView Monitor
   * Viewing Traffic Using SmartView Monitor

Launch SmartView Tracker
1. Launch SmartView Tracker by clicking on the SmartView Tracker icon on your desktop.
2. Enter the SmartConsole user name and password.
Note: This is the same login used for SmartDashboard.
3. View the columns displayed in the log.

Track by Source and Destination
1. To track a packet by source, put the mouse over the Source column and right-click.
2. Choose Edit Filter, and the system displays the following:
Figure 184 — Custom Filter
3. On the Source filter screen, choose the A-GW icon and add it to the query:
Figure 185 — Source Filter Applied in SmartView Tracker
Note: Try using this same filter, substituting B-GW. It should result in more logs to view.
4. Click OK, and the system will display all packets sourced from the corporate gateway:
Figure 186 — Source Filter Displays Packet Data from Corporate Gateway
Note: You can also run this filter with the destination.
5. With the source filter in place, add a destination filter for 10.2.2.201:
Figure 187 — Destination Filter Applied in SmartView Tracker
6. Click OK, and the FTP packets from the corporate gateway to the A-GUI are displayed:
Figure 188 — Destination Filter Displays Packet Data to A-GUI
7. To clear this filter, right-click the source and destination columns and choose Clear Filter.
Modify the Gateway to Activate SmartView Monitor
1. From SmartDashboard, double-click the A-GW object.
2. In the Software Blades section of the General Properties page, verify that the Monitoring software blade is selected:
Figure 189 — Logging & Status Software Blade Selection
3. The product Monitoring Software Blade appears in the list on the left.
4. Select the Monitoring Software Blade branch in the options list.
5. In the SmartView Monitor page, select the options Traffic Connections and Traffic Throughput (Bytes per second):
Figure 190 — SmartView Monitor Page
6. Click OK.
7. Repeat this procedure for B-GW, and be sure to select Monitoring as a product on the object's General Properties page.
8. Install the Security Policy.

View Traffic Using SmartView Monitor
1. From the SmartDashboard toolbar, select SmartConsole > SmartView Monitor:
Figure 191 — SmartView Monitor
2. From the list on the left, right-click Custom.
3. Select New Traffic View, and the system displays the following:
Figure 192 — Query Properties
4. In the Type section of the page, select Real Time.
5. In the Target section of the page, select Specific Target.
6. From the Specific Target selection, click the Select button, and the system displays a list of available targets:
Figure 193 — Select Gateway
7. In the Select Gateway box, select A-GW.
8. Expand the A-GW object to view the interface information:
Figure 194 — Select Gateway/Interface - Item Expanded
9. Click OK to add the target.
10. Click Save in the Query Properties window.
11. In the details pane, select the Line View icon. A line graph will appear displaying the services along the x-axis and the amount of traffic along the y-axis in kbytes/sec.
Figure 196 — Line Graph Displaying Common Traffic on A-GW
Note: In the test environment, it may be necessary to generate traffic before seeing the chart populate with data.
12. Close SmartView Monitor.
END OF LAB

Lab 7: Configuring NAT
Scenario: This exercise focuses on understanding the behavior of Network Address Translation in a network. You will first configure both static and hide NAT, then observe their behavior using packet captures.
Topics:
   * Configuring Hide NAT on the Corporate Network
   * Testing the Hide NAT Address
   * Configuring Static NAT on the DMZ Server
   * Testing the Static NAT Address
   * Observing Hide NAT Traffic Using fw monitor
   * Observing Static NAT Traffic Using fw monitor

Configure Static NAT on the DMZ Server
1. In SmartDashboard, double-click to open the DMZ object (A-DMZ).
2. Select NAT from the left-hand pane, check Add Automatic Address Translation rules, and choose Static.
3. Enter the static address of your corporate city's DMZ machine as: 172.21.101.10
4. In the Install on Gateway drop-down box, select the corporate gateway (A-GW):
Figure 197 — Host Node - NAT
5. Click OK.
6. In the navigation pane, click NAT and confirm the rule changes:
Figure 198 — NAT Rules
7. In the navigation pane, click Policy.
8. Modify the Web Traffic - DMZ
rule (Rule 7) to include the DMZ server object (A-DMZ) in the Destination field:
Figure 199 — Web Traffic - DMZ Rule Configured
9. Edit the Alpha Outgoing rule, and add the Alpha-DMZ object to the Source field:
Figure 200 — Alpha Outgoing Rule Configured
10. Save and install the Policy.

Test the Static NAT Address
1. From B-GUI, open a browser and navigate to the following address: http://172.21.101.10
2. Verify the browser displays the Alpha DMZ homepage.
3. Open SmartView Tracker. Click the down-arrow on the toolbar to view the last entries in the log base.
4. Locate the HTTP log entries from your B-GUI to the DMZ machine where the originating gateway is A-GW. Double-click to open.
5. Note the entry's XlateDst information.
Figure 201 — Static NAT Log Entry

Configure Hide NAT on the Corporate Network
1. From SmartDashboard on A-GUI, double-click the Security Management Server object (A-SMS).
2. Select the NAT option from the left-hand pane:
Figure 202 — Check Point Host - NAT
3. Click the option Add Automatic Address Translation rules.
4. Select Static as the Translation method.
5. Type IP address 172.21.101.125 (NAT'd address for the Security Management Server) in the Translate to IP Address field.
6. Install on the corporate gateway (A-GW) and check the box Apply for Security Gateway control connections.
Note: This option must be checked to allow control connections to the remote site, including policy installation.
7. Click OK.
8. Double-click the corporate network object (Alpha-Internal) and select the NAT tab.
9. Check Add Automatic Address Translation rules, and select Hide.
10. Choose Hide Behind IP Address.
11. In the IPv4 Address field, enter the following: 172.21.101.77
12. In the Install on Gateway field, select A-GW:
Figure 204 — Hide NAT Configured
13. Click OK.
14. Select NAT in the navigation pane of SmartDashboard.
15. Review the automatic NAT rules created when you configured Static NAT for the Security Management Server and Hide NAT:
Figure 205 — NAT Tab Displays Hide and Static NAT Rules
16. Save and install the Policy.

Test the Hide NAT Address
1. If your Policy pushed successfully, your Security Management Server static NAT configuration is working.
2. Test your Hide NAT settings by pinging 172.22.102.1 from A-SMS (10.1.1.101).
3. From A-GUI, launch SmartView Tracker from within the SmartDashboard application. Click the SmartConsole icon in the toolbar and select SmartView Tracker from the drop-down list.
4. Click the blue down-arrow icon on the toolbar to view the last entries in the log base.
5. Locate the ICMP log entries from B-GUI where the origin gateway is A-GW:
Figure 206 — ICMP Connection from NAT'd Address
6. Note the XlateSrc and XlateDst information in the log entries generated by A-GW. These indicate the source address has been NAT'd to the 172.21.101.125 address (i.e., the corporate Security Management Server).
Figure 207 — Record Details of Hide NAT
7. Next, view the log from the Bravo Security Gateway. Which IP address does B-GW see?
Figure 208 — Record Details
Note: We will discuss how to analyze NAT later in this lab.

Observe Hide NAT Traffic Using fw monitor
In this section, you will use the fw monitor packet filter and the Wireshark Network Protocol Analyzer on the corporate Security Gateway to view the Hide NAT configuration.
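The analysis this section works toward (which inspection point rewrote which address or port) can also be done directly on the fw monitor text output. The following Python script is an added example and is not part of the lab manual or Check Point's tooling: it parses fw monitor lines into inspection-point hops and reports every source or destination change. Both captures are constructed samples (addresses follow the lab; ports, interface names and the exact fw monitor line layout are assumptions, and the layout may differ slightly in your version), so compare the result with the real capture you take below.

```python
"""Added example (not from the Check Point lab manual): parse fw monitor text
output and report at which inspection point (i, I, o, O) the gateway rewrote
a packet's source or destination. The captures below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header line of one inspection point, for example
#   eth1:i[60]: 10.1.1.201 -> 172.22.102.1 (TCP) len=60 id=4711
# search() instead of match() tolerates a version-specific prefix before
# the "interface:point" token.
HEADER_RE = re.compile(
    r"(?P<iface>[A-Za-z0-9._-]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+\((?P<proto>\w+)\)"
)
# Transport line printed under a TCP/UDP header, e.g. "TCP: 49152 -> 80 .S...."
PORTS_RE = re.compile(r"^(?:TCP|UDP):\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)")

# Order in which a forwarded packet passes the four inspection points.
POINT_ORDER = "iIoO"


@dataclass
class Hop:
    iface: str
    point: str
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def endpoints(self):
        """Return ("src[:sport]", "dst[:dport]") for easy comparison."""
        src = self.src if self.sport is None else f"{self.src}:{self.sport}"
        dst = self.dst if self.dport is None else f"{self.dst}:{self.dport}"
        return src, dst


def parse_fw_monitor(text: str) -> List[Hop]:
    """Turn fw monitor text into one Hop per inspection point, in capture order."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            hops.append(Hop(m["iface"], m["point"], m["src"], m["dst"], m["proto"]))
            continue
        m = PORTS_RE.match(line.strip())
        if m and hops and hops[-1].sport is None:
            hops[-1].sport, hops[-1].dport = int(m["sport"]), int(m["dport"])
    return hops


def find_translations(hops: List[Hop]) -> List[dict]:
    """Compare each hop with the previous inspection point of the same packet and
    record every source/destination change with the chain position (e.g. "o->O")."""
    changes = []
    for prev, cur in zip(hops, hops[1:]):
        # The chain restarts at 'i' for the next packet: never compare across packets.
        if POINT_ORDER.index(cur.point) <= POINT_ORDER.index(prev.point):
            continue
        (psrc, pdst), (csrc, cdst) = prev.endpoints(), cur.endpoints()
        where = f"{prev.point}->{cur.point}"
        if psrc != csrc:
            changes.append({"between": where, "field": "source", "before": psrc, "after": csrc})
        if pdst != cdst:
            changes.append({"between": where, "field": "destination", "before": pdst, "after": cdst})
    return changes


# Constructed sample: the SYN of an HTTP connection from A-GUI (10.1.1.201) through
# A-GW, hidden behind 172.21.101.77. The sample places the rewrite at o->O; check
# that against the hide_nat.out capture you take in this section.
SAMPLE_HIDE_NAT = """\
eth1:i[60]: 10.1.1.201 -> 172.22.102.1 (TCP) len=60 id=4711
TCP: 49152 -> 80 .S.... seq=000003e8 ack=00000000
eth1:I[60]: 10.1.1.201 -> 172.22.102.1 (TCP) len=60 id=4711
TCP: 49152 -> 80 .S.... seq=000003e8 ack=00000000
eth0:o[60]: 10.1.1.201 -> 172.22.102.1 (TCP) len=60 id=4711
TCP: 49152 -> 80 .S.... seq=000003e8 ack=00000000
eth0:O[60]: 172.21.101.77 -> 172.22.102.1 (TCP) len=60 id=4711
TCP: 10001 -> 80 .S.... seq=000003e8 ack=00000000
"""

# Constructed sample: an FTP SYN from a branch client (source address assumed) to the
# DMZ server's Static NAT address 172.21.101.10, rewritten to 192.0.2.10 at i->I
# (client-side NAT). Compare with your static_nat.out capture.
SAMPLE_STATIC_NAT = """\
eth0:i[60]: 10.2.2.201 -> 172.21.101.10 (TCP) len=60 id=99
TCP: 51000 -> 21 .S.... seq=00000001 ack=00000000
eth0:I[60]: 10.2.2.201 -> 192.0.2.10 (TCP) len=60 id=99
TCP: 51000 -> 21 .S.... seq=00000001 ack=00000000
eth2:o[60]: 10.2.2.201 -> 192.0.2.10 (TCP) len=60 id=99
TCP: 51000 -> 21 .S.... seq=00000001 ack=00000000
eth2:O[60]: 10.2.2.201 -> 192.0.2.10 (TCP) len=60 id=99
TCP: 51000 -> 21 .S.... seq=00000001 ack=00000000
"""

if __name__ == "__main__":
    for label, capture in (("Hide NAT", SAMPLE_HIDE_NAT), ("Static NAT", SAMPLE_STATIC_NAT)):
        print(label)
        for c in find_translations(parse_fw_monitor(capture)):
            print(f"  {c['field']} rewritten between {c['between']}: {c['before']} -> {c['after']}")
```

To run it against a real capture, read the text produced by fw monitor into a string and pass it to parse_fw_monitor.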
1. Log in to the corporate Security Gateway (A-GW) in expert mode.
2. Type the following command at the prompt, and press Enter: fwaccel off
3. Type the following command at the prompt, and press Enter: fw monitor -o hide_nat.out
Figure 209 — Start fw monitor Packet Capture
4. From a browser on A-GUI, connect to B-GUI using HTTP.
5. After you have connected to the website, type CTRL-C on the Security Gateway to stop the packet capture.
Note: The number at the bottom left-hand corner of the screen is the number of packets collected from the capture.
Figure 211 — fw monitor Packet Captures
6. FTP the fw monitor output file to the A-GUI machine. Use the username anonymous, and press Enter for the password.
Figure 212 — FTP Procedure to Transfer Packet Capture File
Note: Use binary mode when transferring files in FTP.

Configure Wireshark
Next, configure Wireshark and open the hide_nat.out file from A-GUI.
1. On A-GUI, open Wireshark.
2. Click Edit > Preferences:
Figure 213 — Wireshark Preferences
3. Choose Protocols > Ethernet and check Attempt to interpret as Firewall-1 monitor file.
4. Click Apply. While still in the Preferences window, go to User Interface > Columns.
5. Click the Add button at the bottom of the view.
6. In the New Column field, enter FW Chain.
7. From the drop-down menu, select FW-1 monitor if/direction.
Note: These instructions are for Wireshark 1.2.4. The method for adding the column may differ in the version you are using.
8. Drag FW Chain up one level in the formatting window:
Figure 214 — Configure Wireshark Columns
Note: This lets you view the new column you created between the Protocol and Info columns. It may be necessary to restart Wireshark for the column change to take effect.
9. Click OK.

Observe the Traffic
1. Open the output file in Wireshark.
2. Expand the FW Data column (New Column) to see more information:
Figure 215 — Wireshark Display of Packet Capture
3. Observe the firewall inspection points i, I, o, O as the SYN packet leaves the gateway.
Note: On what inspection point does the Hide NAT translate? What is the source port prior to translation? What is the source port when translation occurs?

Observe Static NAT Traffic Using fw monitor (optional)
1. In SmartDashboard, reconfigure the Alpha Incoming Traffic rule (Rule 6) by adding the Management Server object (A-SMS) to the Destination field. Also, add FTP to the Alpha Web Traffic rule:
Figure 216 — Reconfigured Rule
2. Install the Security Policy.
3. From the corporate Security Gateway (A-GW), log in to expert mode.
4. Run the following command at the prompt: fw monitor -o static_nat.out
Figure 217 — fw monitor
5. From B-GUI, FTP to the Static NAT address for the DMZ server. You may FTP via the command line, or use an FTP client of your choice.
6. Type CTRL-C on A-GW to stop the packet capture and FTP the file static_nat.out to the A-GUI.
7. Enter Expert Mode and locate the newly created file:
Figure 218 — ls
8. At the prompt, type the following and press Enter: fwaccel on
9. Transfer the file to A-GUI.
10. From the A-GUI, open the file static_nat.out in Wireshark.
Figure 219 — Wireshark Static NAT Packet Captures
11. Analyze the inspection points i, I, o, O on the corporate gateway.
Note: On what inspection point does NAT take place? Does the source port change? This static NAT exercise was an example of client-side NAT. This means that translation occurs closest to the client, which you observed in Wireshark. Client-side NAT is the default setting in R77.10. This setting can be found under Policy > Global Properties > NAT.
12. From SmartView Tracker, click Launch Menu > View.
13. Click on Query Properties.
Note: There are many other columns that can be added to help troubleshoot packets going through the Security Gateway. Two that are very helpful are the NAT columns, which show when the source and destination are translated.
14. Go down to the bottom of the query properties list and check XlateSrc and XlateDst.
Figure 221 — Add XlateSrc
15. Click on Query Properties from Launch Menu > View > Query Properties.
16. From the Launch Menu, click Query > Save As.
17. In the Save To Tree box, type All Records with NAT as the name for this query:
Figure 222 — Save Query Dialog Box
18. Click Save, and notice that this creates a query under Custom in the list pane on the left:
Figure 223 — Custom Query Results Displayed
19. Identify translated traffic.
20. Close SmartView Tracker before continuing with the next lab.
END OF LAB

Lab 8: Configuring User Directory
Scenario: You have decided to connect your Security Management system to your existing LDAP server. By doing so, you'll have access to the LDAP user database and can use this information for the purposes of authenticating users.
Topics
   * Connect User Directory to Security Management Server
   * Verifying SmartDashboard Integration

Connect User Directory to Security Management Server
Connect your site's existing LDAP server to the Check Point Security deployment so that it can provide authentication for your users needing secure access to the network from a remote location.
1. From SmartDashboard, click the Launch Menu button.
2. Select Policy > Global Properties, and select User Directory.
3. Check Use User Directory (LDAP) for Security Gateways.
Figure 224 — Global Properties - User Directory (LDAP)
4. Click OK.
5. From the left-hand pane, select Nodes > Node > Host.
6. Use the information below to create a host object for the LDAP server:
   Name:        Enterprise_Server
   IP Address:  10.1.1.201
   Comment:     Active Directory Server
Figure 225 — Host Node
7. Click OK to close, and the system displays the following warning:
Figure 226 — Check Point SmartDashboard
Note: In our lab, we are using the GUI Client machine (A-WIN) as our LDAP and DNS server. In the real world, this is not likely to be done.
8. Click Yes to clear the message.
9. From the Launch Menu, choose Manage > Servers and OPSEC Applications. The system displays the following:
Figure 227 — Server and OPSEC Applications
10. Click New > LDAP Account Unit, and use the following information to create the object:
   Name:                ActiveDirAU
   Profile:             Microsoft_AD
   Domain:              alpha.cp
   Account Unit Usage:  CRL retrieval, User management, Active Directory Query
Figure 228 — LDAP Account Unit Properties - General
11. Select the Servers tab.
Note: In a real-world environment, the Active Directory (or LDAP) team will create a separate login for the Active Directory server, specifically to allow Check Point User Directory access.
12. Click Add, and the system displays the LDAP Server Properties window.
13. In the LDAP Server Properties > General tab, add the following information:
   Host:              Enterprise_Server
   Port:              389 (636 if configuring the Encryption screen)
   Username:          Administrator's username for the Active Directory Server
   Login DN:          cn=Administrator,cn=users,DC=alpha,DC=cp
   Password:          Administrator's password for the Active Directory server
   Default Priority:  1
   Check Point Gateways are allowed to:  Select both options
Figure 230 — LDAP Server Properties - General
Note: Negotiating LDAP access can be a challenge. Don't tab between fields. Select each field before manipulating it.
14. Select the Encryption tab:
Figure 231 — LDAP Server Properties - Encryption
15. Use the following information to configure the Encryption tab:
   Use Encryption (SSL):  Enable
   Min/Max:               Strong (both)
Note: If your AD Server is not set up for encryption, skip this step.
16. Click OK to close the LDAP Server Properties and return to the Servers tab:
Figure 232 — LDAP Account Unit Properties - Servers
17. Select the Objects Management tab, and click Fetch Branches to retrieve the branches on the LDAP server.
18. On the Authentication tab, uncheck all options in the Allowed Authentication Schemes section.
19. Check only the option Check Point Password.
20. In the Users' Default Value section, select the Default Authentication Scheme and select Check Point Password.
Figure 234 — Authentication Tab
Note: If you have configured a pre-shared secret key on your LDAP server, the encryption section of this page is where you will put it.
21. Click OK to close the LDAP Account Unit Properties and add the object to the list of servers:
Figure 235 — Server and OPSEC Applications
22. Close the Servers and OPSEC Applications window.

Verify SmartDashboard Integration
1. In SmartDashboard, select the Users tab in the Objects Tree pane.
2. Double-click the ActiveDirAU object. This expands the LDAP server's Active Directory tree.
3. A list of users displays under the Users list in the Active Directory tree:
Figure 236 — Active Directory Tree
4. Double-click Alpha to view user information displayed in a separate pane below the Rule Base.
Figure 237 — ActiveDirAU User Information
Note: When working in VMware Workstation, you may need to pull the frame up from the bottom of the screen to see the users displayed.
5. From the objects tree, right-click LDAP Groups, and select New LDAP Group.
6. Name the group LDAPAccess, and select the ActiveDirAU object from the Account Unit drop-down box.
Figure 238 — LDAP Group Properties - LDAP Access
7. Click OK. The new group is added to the objects tree.

Test LDAP Integration
1. In SmartDashboard, add a rule above the Stealth Rule.
2. Name the new rule LDAP Rule.
3. In the Source field, add the following User Access group: LDAPAccess@Any
4. In the Destination field, add the Alpha-DMZ object.
5. In the Action field, select Legacy > Client Auth > Partial Automatic.
6. In the Track field, select Log.
7. Disable Rule 8 (Web Traffic - DMZ).
8. Install the Security Policy.
9. From B-GUI, open a Web browser and use HTTP to connect to the Alpha DMZ server's NATed address (172.21.101.10).
Note: The system should prompt you to authenticate.
10. Use the following information to log in:
   Username:  pondt
   Password:  P@ssw0rd
11. Delete the LDAP Rule.
12. Enable Rule 8 (Web Traffic - DMZ).
13. Install the Security Policy.
END OF LAB

Lab 9: Identity Awareness
Scenario: In this lab, you will provide restricted access to resources in the DMZ. Using the Client Auth group configured in a previous lab, restrict access to the Web server on the DMZ to users of this group.
Topics
   * Configuring the Security Gateway
   * Defining the User Access Role
   * Applying User Access Roles to the Rule Base
   * Testing Identity Awareness Connection

Configuring the Security Gateway
1. In SmartDashboard, open the corporate Security Gateway:
Figure 239 — Check Point Gateway - General Properties
2. Below the Network Security tab of the General Properties page, select the Identity Awareness option, and the system displays the configuration wizard.
3. De-select AD Query and select Browser-Based Authentication:
Figure 240 — Methods for Acquiring Identity Configured
4. Click Next.
5. Select the option I do not wish to configure an Active Directory at this time:
Figure 241 — Integration with Active Directory Configured
6.
Click Next and the system displays the following: [ermine |B ay eae ts a | Mepotn aes chsh tena ties | Se Note: The system selects the extemal interface of the gateway by default Click the Edit button, and the system displays the following: Fetched ents Pea nc © haesatte emit cee | Figure 243 — Accessiblity 8. Select the option Through all interfaces. Lab Manual Lab 9: Identity Awareness 9. Click OK, and notice the text above the Edit button now reads as follows: The portal is accessible through all interfaces. reputation i tran andere Nanune FRI 3 ‘hepa wcetheghel tan, Figure 244 — Identity Awareness Configuration 226 ‘Check Point Security Administration Configuring the Security Gateway 10. Click Next and the system displays the following: Identity Awareness is Now Active! tty omen enteen pinay BS Stat ontentcensto dete ont Bend en atte Rae est ey 1 hy votre vege ed B wwe Figure 245 — Identity Awareness Configuration LL. Click the Finish button. 12, Click OK. 227 Lab Manual Lab 9: Identity Awareness Defining the User Access Role 1. From the Users and Administrators tree in SmartDashboard, right-click Access Roles. 2, Select New Access Role, and the system displays the following: Figure 246 — Access Role 3. Use the following information to configure the Access Role: Name: DMZ_HTTP Color: Orange Comment: Restrict access to the Web server in the DMZ. 4, In the Networks tab, select the option Specific Networks. 228 Check Point Security Administration Defining the User Access Role 5. Click the green + icon to add a network to the role: Figure 247 — Access Roles - Object Selection Options Lab Manual 29 Lab 9: Identity Awareness 6. Select Alpha-Internal from the list of available options. Figure 248 — Access Role - Networks 230 ‘Check Point Security Administration Defining the User Access Role 7. Select the Users tab, 8. Select the Specific user/groups option. 9. Click the Plus icon and filter for LDAP groups. 10. 
Add the LDAPAccess group to the list: Figure 249 — Access Role - Users Note: You must select a user group, 11. Click OK to create the new Access Role, Lab Manual Lab 9: Identity Awareness, Applying User Access Roles to the Rule Base 1, Adda new mule above the Alpha Incoming Rule. 2. Use the following information to configure the Restricted Access Rule: Name: _Restrieted Access Source: DMZ_HTTP Destination: A-DMZ Service: HTTP Action: ‘Track: Log Install On: A-GW Selo Be eee Jom mtetnes | a Figure 250 — Restricted Access Rule 232 Check Point Security Administration Applying User Access Roles to the Rule Base 3. From the Action column of the new rule, Right-click the Accept icon. Select Edit Properties, and the system displays the Action properties window: | Reece exacts nn tetcer | 1 eteteiecina ennitesnreley acces es ae Figure 251 — Action Properties 5. Select the Captive Portal option and click OK. 6. Disable the Web Traffic rule (Rule 8): i sorome ‘3 towetent Ban im Game om ow {bom Figure 252 — Web Traffic Rule Disabled Lab 9: Identity Awareness 7. Locate the Alpha Outgoing rule. 8. Modify this rule by adding A-DMZ to the Destination column. 9, Negate the A-DMZ object: Fame momen ASE est be fam mem ow | jou Figure 253 — Object Negated in Corporate Intemal Trafic Rule 10, Install the Security Policy. 234 Check Point Security Administration Testing Identity Based Awareness ing identity Based Awareness 1. From A-GUL, attempt an HTT? connection to A-DMZ (192.00. 10). The system displays the following login page: eso cess tga Figure 254 — Network Access Login 2. Use the following information to enter the login information: Username: pondt Password: — P@ssw0rd Note: Check with your instructor if you are unable to authenticate. The LDAP server in your classroom may have differently configured users. Lab Manual 235 Awareness 3. 
Click OK, and the system allows the authenticated user to continue to the DMZ web server.

Figure 255 — Network Access Granted

4. In SmartView Tracker, view the Authentication logs.

Prepare Rule Base for Next Lab

1. Remove the negated object from the Alpha Outgoing rule.

2. Enable the Web Traffic - DMZ rule.

3. Delete the Restricted Access rule.

4. Verify your Rule Base appears as follows:

Figure 256 — Rule Base - Identity Based Awareness Removed

END OF LAB

Lab 10: Site-to-Site VPN Between Corporate and Branch Office

Scenario: In this lab, you will be defining a site-to-site VPN between the corporate and branch office Gateways. This is an example of a certificate VPN based on the SmartCenter Internal Certificate Authority (ICA).

Topics
» Defining the VPN Domain
» Creating the VPN Community
» Creating the VPN Rule and Modifying the Rule Base
» Testing VPN Connection
» Troubleshooting a VPN

Define the VPN Domain

1. In SmartDashboard, open the corporate Security Gateway (A-GW).

2. In the Network Security tab of the General Properties page, select the IPSec VPN blade option:

Figure 257 — Check Point Gateway - General Properties

3. Click on the Topology tab. In the VPN Domain section, choose Manually defined and choose your Alpha internal network object (Alpha-Internal):

Figure 258 — Check Point Gateway - Topology Configured

4. Click OK.

5.
Repeat the above steps for the branch office Security Gateway object, but select the Bravo internal network (Bravo-Internal) on the Topology page:

Figure 259 — Branch VPN Domain

Note: Take a moment to save this policy package under a name that identifies it as a VPN Policy. Be sure to save it again before pushing Policy later in this lab.

Create the VPN Community

1. From SmartDashboard, select the IPSec VPN tab:

Figure 260 — SmartDashboard - IPSec VPN - Overview

2. In the My Organization section, click the New button.

3. Choose Star Community, and the system displays the following:

4. In the Star Community Properties screen, type Alpha-Bravo-Star as the name for this community.

5. Click Center Gateways from the left-hand pane:

Figure 262 — Star Community Properties - Center Gateways

6. Click Add and the system displays the following:

Figure 263 — Add Center Gateways

7. Select A-GW as the center gateway.

8. Click OK, and the system displays the following:

Figure 264 — Star Community Properties - Center Gateways

9. Select Satellite Gateways and add B-GW as the satellite:

Figure 265 — Choose Satellite Gateway

10. From the left-hand pane, click Advanced Settings > Advanced VPN Properties.

11. Select Disable NAT inside the VPN community. This is very important if you have objects that are set to Static NAT.
Figure 266 — Advanced VPN Properties

Note: Review the default settings for VPN Properties and Tunnel Management. What is the default setting for Tunnel Management? What are the default encryption methods and data integrity of Phase 1 and Phase 2? Review the properties of the Advanced Settings. What is the default VPN routing method? Why don't you need to define a pre-shared secret for this VPN?

12. Click OK to exit the Star Community Properties screen. Notice a new star community object is created in the IPSec VPN tab.

Figure 267 — Star Community Members

Create the VPN Rule and Modify the Rule Base

1. Click the Firewall tab to return to the Rule Base.

2. Add a new rule below the Stealth Rule using the following information to begin configuration:
   Name: VPN Traffic
   Source: Bravo-Internal, Alpha-Internal
   Destination: Alpha-Internal, Bravo-Internal
   Service: Any
   Action: Accept
   Track: Log
   Install On: Policy Targets

3. For the VPN column, right-click the VPN cell in the rule.

4. Select Edit Cell and the VPN Match Conditions window appears:

Figure 268 — VPN Match Conditions

5. In the VPN Match Conditions box, select the option Only connections encrypted in specific VPN Communities.

6. Click Add and the Add Community window appears:

Figure 269 — Add Community to Rule

7. Select the Alpha-Bravo-Star object you created earlier, and click OK. The system adds the selected community to the conditions window:

Figure 270 — VPN Match Conditions

8. Click OK again to return to the Rule Base.

Note: Since you are creating only one rule for both gateways, you will leave the Install On cell set to Policy Targets.
9. Add a new Section title called VPN Rules above the newly configured VPN Traffic rule.

10. Verify your Rule Base resembles the following:

Figure 271 — Added VPN Rule

11. Save and install the Security Policy on both Security Gateways.

Note: Ensure the time and date settings on your gateways and Security Management Server are synchronized. If time settings are not synchronized, Phase 1 of the encryption process cannot take place. See the troubleshooting section later in this lab.

Test VPN Connection

Use PuTTY to conduct a VPN test. Verify that it is available on your machine.

1. Open a PuTTY session from the branch office client (B-GUI) to the IP of A-SMS, and the following appears:

Figure 272 — PuTTY Configuration

Note: You can launch PuTTY either from the command line, or on the Windows desktop. From Windows, double-click putty.exe.

2. Click Open.

3. Click Yes, if prompted to accept the security fingerprint, and a CLI window appears.

4. Log into your Security Management Server using your login credentials:

Figure 273 — PuTTY Session from Branch Office to SM Server

5. Open SmartView Tracker to view the VPN communication.

Note: From the left-hand pane in SmartView Tracker, expand Network Security Blades > IPSec VPN Blade, then select VPN. This will filter out all traffic other than VPN traffic.

6. In SmartView Tracker, use the predefined VPN filter to identify encryption traffic.

7.
Locate the logs with keys representing phase 1 and phase 2 completed, and the accepted SSH session with a lock indicating that encryption and decryption is occurring.

Figure 274 — VPN Logs in SmartView Tracker

8. Double-click an SSH log to view the details:

9. Using the slide bar, move to the far right to the Information column.

10. Locate the messages that phase 1 and phase 2 completed.

Figure 276 — Information Column

Note: This can be very helpful in troubleshooting a VPN problem.

VPN Troubleshooting

There are several tools available for troubleshooting a VPN connection. The first is the vpn tu utility. This is a CLI tool on the Security Gateway.

1. Log in to the CLI on the corporate Security Gateway.

2. Type the following command at the prompt:
   vpn tu

3. Press Enter, and the system displays the following:

Figure 277 — vpn tu

4. Type 1 to see a list of all IKE SAs.

5. Press Enter, and the system displays the following:

Figure 278 — VPN tu Option 1

Note: This option shows all SAs for all peer Gateways.

6. Press Enter to return to the menu.

7. Type 2 and press Enter. The system displays the IPSec SAs for all peers:

Figure 279 — VPN tu Option 2

Note: When troubleshooting a VPN problem, you can delete phase 1 and/or phase 2 keys for a given peer to reset the VPN and force a new key exchange.

8. Press Enter to return to the menu.

9.
Type 7 and press Enter, to delete both IKE and IPSec SAs for the branch office:

Figure 280 — Clear SAs

10. Type 172.22.102.1 and press Enter.

11. Next, try the PuTTY test again between the Security Management Server and the branch office client. (It will take some time for phase 1 and phase 2 to re-establish.)

Note: Re-installing the Policy will also re-establish phase 1 and 2.

12. Check the logs and there will be new keys exchanged.

13. Return to the CLI on the Security Gateway.

14. Type Q and press Enter, to exit the function.

END OF LAB
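Added example for Lab 9 above (this is not code from the lab manual or from Check Point): a small Python model of how the Restricted Access rule, the DMZ_HTTP access role and the negated A-DMZ destination in the Alpha Outgoing rule resolve a connection under first-match evaluation. The object names come from the lab; the sample addresses, the implicit cleanup rule, the content and position of the Web Traffic - DMZ rule, and the simplified Captive Portal semantics (an unidentified user whose address is in the role's network is redirected to the portal; an identified user outside LDAPAccess simply does not match the rule) are assumptions made for the example.

```python
"""Simplified first-match model of the Lab 9 rule base with an Access Role.

Added example (not Check Point code). Object names come from the lab;
the addresses, the cleanup rule and the content/position of the
Web Traffic - DMZ rule are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the classroom topology is not reproduced.
NETWORKS = {
    "Alpha-Internal": ip_network("10.1.1.0/24"),
    "A-DMZ": ip_network("10.1.2.0/24"),
}


@dataclass(frozen=True)
class AccessRole:
    name: str
    networks: tuple   # network object names the role applies to
    groups: tuple     # user groups (LDAP groups in the lab)


@dataclass(frozen=True)
class Rule:
    name: str
    source: object    # network name, "Any", or an AccessRole
    destination: str  # network name or "Any"
    service: str      # "HTTP", "SSH", ... or "Any"
    action: str       # "Accept" or "Drop"
    negate_destination: bool = False
    captive_portal: bool = False   # Accept + redirect unidentified users
    enabled: bool = True


def in_object(ip, name):
    return name == "Any" or ip_address(ip) in NETWORKS[name]


def source_result(rule, src_ip, identity):
    """'match', 'portal' (network matches but the user is unknown) or None."""
    if not isinstance(rule.source, AccessRole):
        return "match" if in_object(src_ip, rule.source) else None
    role = rule.source
    if not any(in_object(src_ip, n) for n in role.networks):
        return None
    if identity is None:
        return "portal" if rule.captive_portal else None
    return "match" if set(identity["groups"]) & set(role.groups) else None


def evaluate(rulebase, src_ip, dst_ip, service, identity=None):
    """First matching enabled rule wins; returns (rule name, decision)."""
    for rule in rulebase:
        if not rule.enabled:
            continue
        dst_ok = in_object(dst_ip, rule.destination)
        if rule.negate_destination:
            dst_ok = not dst_ok
        if not dst_ok or rule.service not in ("Any", service):
            continue
        src = source_result(rule, src_ip, identity)
        if src == "portal":
            return rule.name, "Redirect to Captive Portal"
        if src == "match":
            return rule.name, rule.action
    return "Cleanup", "Drop"   # assumed implicit cleanup rule


def set_enabled(rulebase, name, enabled):
    """Copy of the rule base with one rule enabled/disabled (lab step 6)."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rulebase]


DMZ_HTTP = AccessRole("DMZ_HTTP", ("Alpha-Internal",), ("LDAPAccess",))

# Rule order and the Web Traffic - DMZ rule's content are assumptions.
LAB9_RULEBASE = [
    Rule("Web Traffic - DMZ", "Any", "A-DMZ", "HTTP", "Accept", enabled=False),
    Rule("Restricted Access", DMZ_HTTP, "A-DMZ", "HTTP", "Accept",
         captive_portal=True),
    Rule("Alpha Outgoing", "Alpha-Internal", "A-DMZ", "Any", "Accept",
         negate_destination=True),   # step 9: A-DMZ negated in Destination
]

if __name__ == "__main__":
    pondt = {"user": "pondt", "groups": ["LDAPAccess"]}
    print(evaluate(LAB9_RULEBASE, "10.1.1.50", "10.1.2.10", "HTTP"))
    print(evaluate(LAB9_RULEBASE, "10.1.1.50", "10.1.2.10", "HTTP", pondt))
```

Running the model with the Web Traffic - DMZ rule re-enabled shows why step 6 disables it: a rule that does not look at identity and sits above the Restricted Access rule accepts the connection before the portal is ever reached. Likewise, without the negated A-DMZ object in Alpha Outgoing, an identified user outside LDAPAccess (or any non-HTTP service) would reach the DMZ through the general outgoing rule.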
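Added example for the Test VPN Connection and VPN Troubleshooting sections of Lab 10 (not code from the lab manual or from Check Point): a Python script that reads a constructed, semicolon-separated export resembling SmartView Tracker records and checks, per peer, whether phase 1 and phase 2 completed and whether traffic between the two VPN domains was actually encrypted rather than merely accepted. The field names, the Information text, the VPN domain prefixes and every address except the branch peer 172.22.102.1 (entered in vpn tu at step 10) are constructed assumptions; a real export uses different column names and message strings, so adapt the parser before using it on one.

```python
"""Check a SmartView-Tracker-style VPN export for a healthy tunnel.

Added example, not Check Point code. Record layout, Information text and
all addresses except the branch peer are constructed for this example.
"""
import csv
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed VPN domains (lab names, sample prefixes, not classroom addressing).
VPN_DOMAINS = {
    "Alpha-Internal": ip_network("10.1.1.0/24"),
    "Bravo-Internal": ip_network("10.2.1.0/24"),
}
BRANCH_PEER = "172.22.102.1"   # branch gateway address used in the lab

# Constructed sample export: two IKE peers, one healthy, one stuck after
# phase 1, plus one session between the domains that was never encrypted.
SAMPLE_LOG = """\
time;action;src;dst;service;peer;information
10:01:02;Key Install;{p};10.1.0.1;IKE;{p};phase 1 completed
10:01:03;Key Install;{p};10.1.0.1;IKE;{p};phase 2 completed
10:01:05;Encrypt;10.2.1.20;10.1.1.10;ssh;{p};community Alpha-Bravo-Star
10:01:05;Decrypt;10.2.1.20;10.1.1.10;ssh;{p};community Alpha-Bravo-Star
10:05:00;Key Install;198.51.100.7;10.1.0.1;IKE;198.51.100.7;phase 1 completed
10:05:10;Accept;10.2.1.30;10.1.1.10;ssh;;
""".format(p=BRANCH_PEER)


def parse_records(text):
    return list(csv.DictReader(StringIO(text), delimiter=";"))


def domain_of(ip):
    """Name of the VPN domain containing ip, or None."""
    for name, net in VPN_DOMAINS.items():
        if ip_address(ip) in net:
            return name
    return None


def summarize(records):
    """Per-peer phase completions plus encrypted and cleartext session counts."""
    peers, encrypted, cleartext = {}, 0, []
    for r in records:
        action, info = r["action"], r["information"].lower()
        if action == "Key Install":
            state = peers.setdefault(r["peer"], {"phase1": False, "phase2": False})
            if "phase 1" in info:
                state["phase1"] = True
            if "phase 2" in info:
                state["phase2"] = True
        elif action in ("Encrypt", "Decrypt"):
            encrypted += 1   # the "lock" entries the lab has you look for
        else:
            src_dom, dst_dom = domain_of(r["src"]), domain_of(r["dst"])
            if src_dom and dst_dom and src_dom != dst_dom:
                # accepted between two VPN domains without Encrypt/Decrypt
                cleartext.append((r["src"], r["dst"], r["service"]))
    return {"peers": peers, "encrypted": encrypted, "cleartext": cleartext}


def diagnose(summary, expected_peers=()):
    """Human-readable findings; empty list means the tunnel looks healthy."""
    findings = []
    for peer in expected_peers:
        if peer not in summary["peers"]:
            findings.append(f"{peer}: no IKE key exchange logged; verify the clocks "
                            "of both gateways and the Security Management Server "
                            "are synchronized (phase 1 cannot complete otherwise) "
                            "and that the peer is a member of the community")
    for peer, st in sorted(summary["peers"].items()):
        if not st["phase1"]:
            findings.append(f"{peer}: phase 1 never completed; check time "
                            "synchronization and the gateway certificates")
        elif not st["phase2"]:
            findings.append(f"{peer}: phase 1 completed but phase 2 did not; "
                            "clear the peer's SAs with vpn tu to force a new key exchange")
    for src, dst, svc in summary["cleartext"]:
        findings.append(f"{src} -> {dst} ({svc}): traffic between two VPN domains "
                        "was accepted without encryption; check the VPN Traffic "
                        "rule's VPN match condition and both VPN domains")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(parse_records(SAMPLE_LOG)),
                         expected_peers=(BRANCH_PEER,)):
        print(line)
```

The cleartext check is the one most easily missed when reading the tracker by eye: a session between the two internal networks that shows as a plain Accept rather than Encrypt/Decrypt means the VPN Traffic rule's match condition or a VPN domain definition is not doing what the lab intends, even though the connection succeeded.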
