
CHECK POINT SOFTWARE TECHNOLOGIES

Education Services

Check Point Security Master
Lab Setup Guide

Check Point Software Technologies


www.CheckPoint.com
courseware@checkpoint.com
6330 Commerce Dr., Suite 120, Irving, TX 75063

January 12, 2018


C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P G U I D E

Configuring the Lab Environment


The Check Point Security Master course topology was designed as a “sandbox” environment. All student
machines have the same set of IP addresses. The virtual machines do connect to the Internet, NATed
through the host machine. Internet connectivity is required for each host machine used by students attending
the course.

Follow the steps below to configure the virtual machines needed for the students to perform all Security
Administration labs. ATCs may use whatever virtualization software they choose, but Check Point assumes
most Virtual Machines will be created in either a VMware Workstation or an ESX environment. Our tests
were all performed on VMware Workstation 12.

Configuring Virtual Machine Settings


All virtual machines should be configured with the following options:

• Snapshots – Just Power off
• VMware Tools – Installed
• Remove the Floppy from the Hardware Settings
• Time Synchronization – Synchronization between Guest and Host should be active.

Additional Files
Check_Point_R80.10_T421_Fresh_Install_and_Upgrade_from_R7X.tgz – Install on all Virtual
Machines where a Check Point Security Management Server or Security Gateway system is required. The
build number may change but you will need to build the Check Point VMs with the latest “fresh install”
build of R80.10.

LDAP Information
Configure the virtual machines on the Alpha Internal network to be in the alpha.cp domain. All users
should log into the domain and not the local virtual machine.

Beginning Lab Topology


Configure each student machine with the following virtual environment:

Once the setup is complete, all Windows Host and Server machines should be able to reach the Internet and
all machines should be able to ping each other and the Router.


Configuring the Virtual Machines


Configure each of the virtual machines listed below on all student machines. The specifications shown here in
terms of Hard Drive and RAM are considered minimum requirements. For better performance, these
numbers should be increased. All user, OS, and application passwords should be: Chkp!234

A-GUI
Use the information below to configure the GUI Client virtual machine:

Name: A-GUI
OS: Windows Client
Hard Drive: 40GB
RAM: 2GB

Check Point Modules Installed:
• SmartConsole R80.10

Use the following information to configure the interface for the virtual machine:

IP Address: 10.1.1.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Management (LAN 1)

Special instructions for the Alpha GUI Client virtual machine:

1. Install the following applications:

• WinSCP
• PuTTY
• Wireshark

2. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.

3. Install and configure an FTP client and server.

4. Install and configure an updated web browser.



A-SMS
Use the information below to configure the Alpha Management Server virtual machine:

Name: A-SMS
OS: R80.10 Gaia
Hard Drive: 80GB
RAM: 10GB

Check Point Modules Installed:
• Security Management Server

Use the following information to configure the interface for this virtual machine:

IP Address: 10.1.1.101
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)

Special instructions for the Alpha Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: Chkp!234

2. The server should be fully licensed with licenses obtained from the BCK. This server should contain three
Central licenses. Use SmartUpdate launched from SmartConsole on A-GUI to assign licenses to the two
pre-configured Security Gateways in this environment.


A-SMS-02
Use the information below to configure the Alpha Management Server virtual machine:

Name: A-SMS
OS: R80.10 Gaia
Hard Drive: 80GB
RAM: 10GB

Check Point Modules Installed:
• Security Management Server

Use the following information to configure the interface for this virtual machine:

IP Address: 10.1.1.102
Subnet Mask: 255.255.255.0
Default Gateway: 10.1.1.1
Interface: eth0
LAN: Alpha Management (LAN 1)

Special instructions for the secondary Alpha Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: Chkp!234

2. The server should be fully licensed with licenses obtained from the BCK.

3. This server should be fully configured and ready for the student to use for the lab, but should be powered
off until the lab in which it is required, in order to save resources.


A-GW-01
Use the information below to configure the first Security Gateway virtual machine:

Name: A-GW-01
OS: Gaia R80.10
Hard Drive: 60GB
RAM: 1GB

The following Check Point modules should be installed and configured:
• Security Gateway

Use the following information to configure the interfaces for this virtual machine:

IP Address: 10.1.1.2
Subnet Mask: 255.255.255.0
Interface: eth0
Network: Alpha Management (LAN 1)

IP Address: 192.168.11.2
Subnet Mask: 255.255.255.0
Interface: eth1
Network: Alpha Internal (LAN 11)

IP Address: 192.168.10.2
Subnet Mask: 255.255.255.0
Interface: eth2
Network: Alpha Synchronization (LAN 10)

IP Address: 203.0.113.2
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Interface: eth3
Network: External (vmnet8 - NAT)

IP Address: 192.168.12.2
Subnet Mask: 255.255.255.0
Interface: eth4
Network: Alpha DMZ (LAN 12)

Special instructions for the Alpha Security Gateway cluster member virtual machine:

1. Configure the server with four cores, each assigned a single processor. Multi-threading will impact
performance in the virtual environment and should be avoided.

2. Create a snapshot with the virtual machine configured with only two cores for the purposes of one of the
labs.


A-GW-02
Use the information below to configure the second Security Gateway virtual machine:

Name: A-GW-02
OS: Gaia R80.10
Hard Drive: 60GB
RAM: 1GB

The following Check Point modules should be installed and configured:
• Security Gateway

Use the following information to configure the interfaces for this virtual machine:

IP Address: 10.1.1.3
Subnet Mask: 255.255.255.0
Interface: eth0
Network: Alpha Management (LAN 1)

IP Address: 192.168.11.3
Subnet Mask: 255.255.255.0
Interface: eth1
Network: Alpha Internal (LAN 11)

IP Address: 192.168.10.3
Subnet Mask: 255.255.255.0
Interface: eth2
Network: Alpha Synchronization (LAN 10)

IP Address: 203.0.113.3
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Interface: eth3
Network: External (vmnet8 - NAT)

IP Address: 192.168.12.3
Subnet Mask: 255.255.255.0
Interface: eth4
Network: Alpha DMZ (LAN 12)

Special instructions for the Alpha Security Gateway cluster member virtual machine:

1. Configure the server with four cores, each assigned a single processor. Multi-threading will impact
performance in the virtual environment and should be avoided.

2. Create a snapshot with the virtual machine configured with only two cores for the purposes of one of the
labs.


A-Host
Use the information below to configure a protected host virtual machine:

Name: A-Host
OS: Windows Client
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.11.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)

Special instructions for the Alpha host virtual machine:

1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.

2. Install and configure an FTP client and server.

3. Install and configure an updated web browser.

4. A-Host must be part of the alpha.cp domain.

5. Install and configure a mail client. (optional)

Note: The Mail server is not currently used in the CCSM class but will be used in other courses and may
be used at a later date.


A-LDAP
Use the information below to configure the Alpha LDAP server virtual machine:

Name: A-LDAP
OS: Windows Server
Hard Drive: 40GB
RAM: 2GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.11.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.11.1
Interface: eth0
Network: Alpha Internal (LAN 11)

Special instructions for the Alpha Active Directory virtual machine:

1. Configure the following roles in the Manage Your Server applet:

• Active Directory Server (LDAP)

1. The domain for this site is: alpha.cp

2. The following are the required users. Each should be configured with Chkp!234 as their password.

• User1
• User2
• User3
• User4
• Guest

3. The following are the required groups.

• Odd (include all odd numbered users)
• Even (include all even numbered users)

Note: The Guest user is not part of any user group.

4. Configure A-LDAP to be the DNS server for the Alpha site.

5. Install and configure the NTP server for the Alpha site.


A-DMZ
Use the information below to configure the FTP, SMTP, and Web Server virtual machine:

Name: A-DMZ
OS: Windows Server
Hard Drive: 40GB
RAM: 2GB

Use the following information to configure the interface for the FTP and Web Server virtual machine:

IP Address: 192.168.12.101
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.12.1
Interface: eth0
Network: Alpha DMZ (LAN 12)

Special instructions for the Alpha DMZ virtual machine:

1. Configure a Web Server to run at startup.

2. Install and configure an FTP server.

3. Install and configure a Web server.

4. Install and configure a Mail server. (optional)

Note: The Mail server is not currently used in the CCSM class but will be used in other courses and may
be used at a later date.


Configure Gaia on Alpha Check Point Modules


Configure an SCP user on the following Alpha virtual machines:

• A-SMS
• A-SMS-02
• A-GW-01
• A-GW-02

Configure each user with the following settings:

Name: scpAdmin

Password: Chkp!234

Shell: scponly

Roles: adminRole

Define the interfaces for each module, based on the CCSM Classroom Topology.

Define the Message for each module.


Define the following static routes on both Security Gateways in the Alpha site:

• Default Gateway: 203.0.113.254
• 10.2.2.0/24 203.0.113.100 “Bravo Management”
• 192.168.21.0/24 203.0.113.100 “Bravo Internal”


Configure the Alpha Security Policy


The following objects should be configured prior to beginning the labs:

• A-GW-Cluster (Security Gateway Cluster – 203.0.113.1)
• A-GW-01 (Security Gateway – 10.1.1.2)
• A-GW-02 (Security Gateway – 10.1.1.3)
• A-GUI (Host – 10.1.1.201)
• A-Host (Host – 192.168.11.201)
• A-LDAP (Host – 192.168.11.101)
• A-DMZ (Host – 192.168.12.101)
• B-GW (Externally Managed VPN Gateway – 203.0.113.100)
• A-MGMT-NET (Network – 10.1.1.0)
• A-INT-NET (Network – 192.168.11.0)
• A-DMZ-NET (Network – 192.168.12.0)
• Alpha-Nets (Group)
• B-MGMT-NET (Network – 10.2.2.0)
• B-INT-NET (Network – 192.168.21.0)


Configure the following rules in the Alpha_Standard Policy:

• Do Not Log
• Management
• Stealth
• DNS
• DMZ
• Outgoing
• LDAP
• Cleanup


Configure Hide NAT for all internal Alpha networks. Then, configure the Static NAT objects:

Object        NAT      IP Address
A-SMS         Static   203.0.113.151
A-LDAP        Static   203.0.113.161
A-DMZ         Static   203.0.113.171
A-MGMT-NET    Hide     Gateway IP Address (203.0.113.1)
A-INT-NET     Hide     Gateway IP Address (203.0.113.1)
A-DMZ-NET     Hide     Gateway IP Address (203.0.113.1)


Next, complete the Alpha Security Policy by configuring the following Global Policy settings:

• Accept ICMP Requests – First
• Log Implied Rules


Router
The router may be either a specific virtual machine or you may use the virtualization software’s router
function. In our testing, we use VMware’s Network Editor to configure a NAT address on the
203.0.113.0/24 network that NATs “guest” VM traffic out through the “host” machine’s physical address.

All external interfaces of gateways in the topology should point to 203.0.113.254 (router) as their default
gateway. Network routes for all internal networks should be placed on both the Alpha and Bravo gateways.
This allows traffic to pass between the two sites and also to exit the environment and reach the Internet.

Attacker
Use the information below to configure the Attacker virtual machine:

Name: Attacker
OS: IPS Demo Toolkit
Hard Drive: 20GB
RAM: 1GB

Use the following information to configure the interface for this virtual machine:

IP Address: 203.0.113.37
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Interface: eth3
Network: External (vmnet8 - NAT)

This information is just for your reference. The actual interface configuration is completed as part of the lab
which uses the Attacker machine.


B-GW
Use the information below to configure the Bravo Security Gateway virtual machine:

Name: B-GW
OS: Gaia R80.10
Hard Drive: 80GB
RAM: 10GB

Install and configure the following Check Point modules:
• Security Gateway
• Security Management Server

Use the following information to configure the interfaces for the Bravo Security Gateway virtual machine:

IP Address: 10.2.2.1
Subnet Mask: 255.255.255.0
Interface: eth0
Network: Bravo Management (LAN 2)

IP Address: 192.168.21.1
Subnet Mask: 255.255.255.0
Interface: eth1
Network: Bravo Internal (LAN 21)

IP Address: Disabled
Subnet Mask: Disabled
Interface: eth2
Network: Bravo Sync (LAN 20)

IP Address: 203.0.113.100
Subnet Mask: 255.255.255.0
Default Gateway: 203.0.113.254
Interface: eth3
Network: External (vmnet8 - NAT)

Note: The eth2 interface for B-GW is not used in this class. B-GW should be configured so that the eth1
interface connects to the internal network and the eth3 interface connects to the external network. The other
interface (eth2) should not be powered on.


Bravo GUI Client


Use the information below to configure the GUI Client virtual machine:

Name: B-GUI
OS: Windows Client
Hard Drive: 20GB
RAM: 2GB

Check Point Modules Installed:
• SmartConsole

Use the following information to configure the interface for the GUI Client virtual machine:

IP Address: 10.2.2.201
Subnet Mask: 255.255.255.0
Default Gateway: 10.2.2.1
Interface: eth0
Network: Bravo Management (LAN 2)

Special instructions for the GUI Client virtual machine:

1. Install SmartConsole R80.10.

2. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.

3. Install and configure an FTP client and server.

4. Install and configure an updated web browser.

5. Install and configure an NTP server for Bravo.

6. Install WinSCP and PuTTY.


Bravo Host
Use the information below to configure the B-Host virtual machine:

Name: B-Host
OS: Windows Client
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interface for this virtual machine:

IP Address: 192.168.21.201
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.21.1
Interface: eth0
Network: Bravo Internal (LAN 21)

Special instructions for the B-Host virtual machine:

1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users.
This will be used to transfer files through FTP.

2. Install and configure an FTP client and server.

3. Install and configure an updated web browser.


Configure Gaia on Bravo Check Point Modules


Configure an SCP user on the Bravo Security Gateway, using the following settings:

Name: scpAdmin

Password: Chkp!234

Shell: scponly

Roles: adminRole

Define the interfaces for B-GW, based on the CCSM Classroom Topology.

Define the Message for B-GW.


Define the following static routes on the Bravo Security Gateway:

• Default Gateway: 203.0.113.254
• 10.1.1.0/24 203.0.113.1 “Alpha Management”
• 192.168.11.0/24 203.0.113.1 “Alpha Internal”
• 192.168.12.0/24 203.0.113.1 “Alpha DMZ”


Configure the Bravo Security Policy


The following objects should be configured prior to beginning the labs:

• A-GW (Externally Managed VPN Gateway – 203.0.113.1)
• A-GUI (Host – 10.1.1.201)
• A-Host (Host – 192.168.11.201)
• A-DMZ (Host – 203.0.113.171)
• B-GUI (Host Node – 10.2.2.201)
• B-Host (Host Node – 192.168.21.201)
• B-GW (Security Gateway – 203.0.113.100)
• A-MGMT-NET (Network – 10.1.1.0)
• A-INT-NET (Network – 192.168.11.0)
• B-MGMT-NET (Network – 10.2.2.0)
• B-INT-NET (Network – 192.168.21.0)
• Bravo-Nets (Group)


Configure the following rules in the Bravo_Standard Policy:

• Noise
• Management
• Stealth
• DNS
• Outgoing
• Incoming
• Cleanup
