{"id":835,"date":"2017-04-01T20:21:00","date_gmt":"2017-04-01T20:21:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=835"},"modified":"2024-11-17T20:34:45","modified_gmt":"2024-11-17T20:34:45","slug":"835","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/835\/","title":{"rendered":"Deploying a Checkpoint Firewall Solution (GAIA-R77.30)"},"content":{"rendered":"

Checkpoint is known\u00a0as being a next generation firewall vendor due to being able to support advanced features up to layer 7 of the OSI model, these include \u201cApplication Filtering\u201d, \u201cDeep Packet Inspection(DPI)\u201d, \u201cIPS\u201d, \u201cSSL Inspection\u201d, \u201cAV scanning\u201d, \u201cIdentity Management\u201d, \u201cURL Filtering\u201d and many more.<\/p>\n

Checkpoint Firewalls are not zone based Firewalls unlike your Cisco or Juniper. These firewalls can either be physical or virtual. the main differences between the two types is that physical devices have the hardware capability to perform at much higher levels compared to the VM instances. However they all have the same software versions available to run either on physical hardware or \u00a0as a virtual machine.<\/p>\n

Checkpoint firewalls are\u00a0managed in a different way in comparison to other vendors, to manage a \u201cSecurity Gateway\u201d you need to use a \u201cManagement Server\u201d, and in order to use the management server you need to use \u201cSmart Tools\u201d, these tools consist of \u201cSmart Dashboard\u201d, Smartview Tracker\u201d, Smartview Monitor\u201d, SmartDomain Manager\u201d and a few others. The tools are normally installed on a workstation which then connects to the management server to create and manage policies. The polices are then installed on the security gateway.<\/p>\n

\"CP\"<\/p>\n

 <\/p>\n

You can run a \u201cManagement Server\u201d from a physical firewall appliance, a windows machine or a virtual appliance running the OS GAIA.<\/p>\n

The management server in most cases is another GAIA appliance with capability for logging, there are options to deploy a gateway and management server in one appliance, this is known as a distributed deployment.<\/p>\n

In this step by step guide we will run through the process of deploying a checkpoint security solution, using R77.30. We will first deploy a \u201cSecurity Management Server\u201d and install the \u201cSmart Tools\u201d on a workstation. Then we will deploy a separate appliance that will be the \u201cSecurity Gateway\u201d and add it into the management server to be able to install security polices. For this Lab we will use VMware ESXI, the same concepts apply to physical firewalls, in most cases they come pre-built with the latest software so its just a matter of assigning a management IP to the device and running through the web GUI configuration.<\/p>\n

The Topology:<\/strong><\/p>\n

\"CP<\/p>\n

 <\/p>\n

 <\/p>\n

Anchor Links:<\/p>\n

Deploy the Management Server<\/strong><\/a><\/p>\n

Install the Smart Tools<\/strong><\/a><\/p>\n

Deploy the Security Gateway<\/strong><\/a><\/p>\n

 <\/p>\n

Lets get started!<\/p>\n

Deploy the Management Server<\/strong>
\n1.<\/strong>\u00a0From vSphere, right click the host and select\u00a0\u201cNew Virtual Machine\u201d<\/p>\n

\"1\"<\/p>\n

2.\u00a0<\/strong>Click Custom and click\u00a0\u201cNext\u201d<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0Give the VM a name and click\u00a0\u201cNext\u201d\u00a0\u2013 as this will be the management server i have called it\u00a0\u201cCheckpoint MGMT\u201d<\/p>\n

\"3\"<\/p>\n

4.<\/strong>\u00a0Select the data store to store the VM and click\u00a0\u201cNext\u201d<\/p>\n

\"4\"<\/p>\n

5.<\/strong>\u00a0Select\u00a0\u201cVirtual Machine Version: 11\u201d\u00a0and click\u00a0\u201cNext\u201d.\u00a0If your ESXI is below version 6 use version 10.<\/p>\n

\"5\"<\/p>\n

6.<\/strong>\u00a0Select\u00a0\u201cLinux\u201d\u00a0as the guest operating system. From the drop down menu select\u00a0\u201cOther Linux (32 bit)\u201d\u00a0as the\u00a0\u201cVersion\u201d<\/p>\n

\"6\"<\/p>\n

7.<\/strong>\u00a0Assign the VM CPU according to the hardware capability of the ESX host. In this case i have assigned\u00a0\u201c2 Virtual sockets\u201d\u00a0and\u00a0\u201c2 Cores per socket\u201d. Click\u00a0\u201cNext\u201d<\/p>\n

\"7\"<\/p>\n

8.<\/strong>\u00a0Give the VM a minimum of 4GB RAM and click\u00a0\u201cNext\u201d<\/p>\n

\"8\"<\/p>\n

9.<\/strong>\u00a0Give the Management server 1 NIC and assign it to the appropriate VLAN on the inside network. In our case this is\u00a0\u201cVLAN60\u201d, we need to be able to reach this management server from the workstation which will also be on VLAN60 and have the smart tools installed. Click\u00a0\u201cNext\u201d<\/p>\n

\"9\"<\/p>\n

10.<\/strong>\u00a0Select\u00a0\u201cLSI Logic Parallel\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"10\"<\/p>\n

11.<\/strong>\u00a0Select\u00a0\u201cCreate a new virtual disk\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"11\"<\/p>\n

12.<\/strong>\u00a0Specify the size of the disk in GB, make sure the size is at least\u00a0\u201c70GB\u201d\u00a0as the logs will be stored on this device and the disk space could fill up quick. Select\u00a0\u201cThick Provision Lazy Zeroed\u201d\u00a0and Click\u00a0\u201cNext\u201d<\/p>\n

\"12\"<\/p>\n

13.<\/strong>\u00a0Select\u00a0\u201cSCSI (0:0)\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"13\"<\/p>\n

14.<\/strong>\u00a0At the summary screen, verify all the details are correct, tick\u00a0\u201cEdit the virtual machine settings before completion\u201d\u00a0and click\u00a0\u201cContinue\u201d<\/p>\n

\"14\"<\/p>\n

15.<\/strong>\u00a0From the \u201cVirtual Machine Properties\u201d\u00a0select\u00a0\u201cNew CD\/DVD (adding)\u201d. Tick\u00a0\u201cConnect at power on\u201d\u00a0, select\u00a0\u201cDatastore ISO File\u201d. Click\u00a0\u201cBrowse\u201d<\/p>\n

\"15\"<\/p>\n

16.<\/strong>\u00a0Browse the datastore and select the Checkpoint ISO image, (This will need to be uploaded prior to creating the VM). Once selected click\u00a0\u201cOK\u201d<\/p>\n

\"16\"<\/p>\n

17.<\/strong>\u00a0The ISO should now be present inside the Datastore ISO File field. Click\u00a0\u201cFinish\u201d<\/p>\n

\"17\"<\/p>\n

18.<\/strong>\u00a0Once the VM has been created, right click the VM and select\u00a0\u201cOpen Console\u201d<\/p>\n

\"18\"<\/p>\n

19.<\/strong>\u00a0Click the green\u00a0\u201cPlay\u201d\u00a0button to power on the virtual machine. As the VM boots, it will load the specified checkpoint ISO, select\u00a0\u201cInstall GAIA on this system\u201d<\/p>\n

\"19\"<\/p>\n

20.<\/strong>\u00a0At the\u00a0\u201cWelcome\u201d\u00a0screen select\u00a0\u201cOK\u201d\u00a0to proceed with the install.<\/p>\n

\"20\"<\/p>\n

21.<\/strong>\u00a0Select\u00a0\u201cUS\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"21\"<\/p>\n

22.<\/strong>\u00a0Allocate 40% of your disk space for \u201cLogs (GB)\u201d and select \u201cOK\u201d in this case 30GB is around 43%.<\/p>\n

\"22\"<\/p>\n

23.<\/strong>\u00a0Create the\u00a0\u201cadmin\u201d\u00a0password and click\u00a0\u201cOK\u201d<\/p>\n

\"23\"<\/p>\n

24.<\/strong>\u00a0Give the Management server an IP address, in this case we have used \u2013\u00a0\u201c10.1.1.2\/24\u201d\u00a0and 10.1.1.1 as the default gateway which will be the setup later as the\u00a0\u201cSecurity Gateway\u201d\u00a0Click\u00a0\u201cOK\u201d<\/p>\n

\"25\"<\/p>\n

25.<\/strong>\u00a0At the confirmation screen click\u00a0\u201cOK\u201d,\u00a0the device will reformat the HDD and install the GAIA OS.<\/p>\n

\"26\"<\/p>\n

26.<\/strong>\u00a0Once installation is complete the device will prompt to\u00a0\u201cReboot\u201d\u00a0click\u00a0\u201cReboot\u201d<\/p>\n

\"28\"<\/p>\n

27.<\/strong>\u00a0once the system as rebooted and is ready it will display the logon prompt<\/p>\n

\"29\"<\/p>\n

28.<\/strong>\u00a0From a workstation that is able to reach\u00a0\u201cVLAN60\u201d\u00a0Launch a browser and navigate to\u00a0\u201chttps:\/\/10.1.1.2\u201d\u00a0at the warning prompt, click \u201cadvanced\u201d and click\u00a0\u201cProceed to 10.1.1.2 (unsafe)\u201d<\/p>\n

\"30\"<\/p>\n

29.<\/strong>\u00a0at the login prompt for\u00a0\u201cGAIA\u201d\u00a0use the username\u00a0\u201cadmin\u201d\u00a0and the password that was set at the previous step.<\/p>\n

\"31\"<\/p>\n

30.<\/strong>\u00a0Once logged in, the device will display a\u00a0\u201cFirst Time Configuration Wizard\u201d\u00a0to complete the initial setup. At the prompt click\u00a0\u201cNext\u201d<\/p>\n

\"32\"<\/p>\n

31.<\/strong>\u00a0Select\u00a0\u201cContinue with Gaia R77.30 configuration\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"33\"<\/p>\n

32.<\/strong>\u00a0Verify the IP address details are correct and click\u00a0\u201cNext\u201d<\/p>\n

\"34\"<\/p>\n

33.\u00a0<\/strong>Give the device a\u00a0\u201cHost Name\u201d,\u00a0\u201cDomain Name\u201d\u00a0and\u00a0\u201cDNS server\u201d\u00a0details. Click\u00a0\u201cNext\u201d<\/p>\n

\"36\"<\/p>\n

34.<\/strong>\u00a0Ensure the time setting are correct and click\u00a0\u201cNext\u201d<\/p>\n

\"37\"<\/p>\n

35.<\/strong>\u00a0Select\u00a0\u201cSecurity Gateway or Security Management\u201d\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"38\"<\/p>\n

36.<\/strong> From the checkbox option, select\u00a0\u201cSecurity Management\u201d\u00a0set the device as\u00a0\u201cPrimary\u201d\u00a0and check the\u00a0\u201cAutomatically download Blades Contracts and other important data (highly recommended)\u201d\u00a0box. Click\u00a0\u201cNext\u201d<\/p>\n

\"39\"<\/p>\n

37.<\/strong>\u00a0Create an Administrator user for the\u00a0\u201cManagement Server\u201d\u00a0this account is different to the\u00a0\u201cadmin\u201d\u00a0account. The admin account has privileges for SSH and web GUI access to the device itself, where as the administrator account will be the main account to be used with the\u00a0\u201cSmart Tools\u201d. \u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"40\"<\/p>\n

38.<\/strong>\u00a0At this screen we can define which devices can connect to the\u00a0\u201cManagement Server\u201d\u00a0we can simply allow any IP addresses or a specific subnet. In this case we will only allow the\u00a0\u201c10.1.1.0\/24\u201d\u00a0network. Click\u00a0\u201cNext\u201d<\/p>\n

\"41\"<\/p>\n

39.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d\u00a0at the summary screen to begin configuration.This process will take a few minutes to complete.<\/p>\n

\"42\"<\/p>\n

40.<\/strong>\u00a0Once the configuration is complete click\u00a0\u201cOK\u201d<\/p>\n

\"43\"<\/p>\n

41.<\/strong>\u00a0The device will automatically log in to the web GUI.<\/p>\n

\"44\"<\/p>\n

The \u201cManagement Server\u201d Installation and configuration is now complete. the next step is to install the smart tools on to a workstation.<\/p>\n

 <\/p>\n

Install the Smart Tools<\/strong><\/p>\n

1.<\/strong>\u00a0Navigate to the\u00a0\u201cCheckpoint GAIA ISO\u201d\u00a0on the Workstation that will be used to connect to the\u00a0\u201cManagement Server\u201d\u00a0right click the .ISO image and extract the contents to a new folder.<\/p>\n

\"01\"<\/p>\n

2.<\/strong>\u00a0Once the files have extracted navigate within the extracted folder into\u00a0\u201cLinux-windows\u201d. Right click\u00a0\u201cSmartConsole\u201d\u00a0and again extract the contents into a new folder.<\/p>\n

\"02\"<\/p>\n

3.<\/strong>\u00a0From the extracted contents double click\u00a0\u201cSmartConsole\u201d\u00a0and run the installation wizard. At the Wizard\u00a0\u201cWelcome\u201d\u00a0prompt click\u00a0\u201cNext\u201d<\/p>\n

\"03\"<\/p>\n

4.<\/strong>\u00a0At the UAP Click\u00a0\u201cYes\u201d<\/p>\n

\"04\"<\/p>\n

5.<\/strong>\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"05\"<\/p>\n

6.<\/strong>\u00a0Leave the default settings as is to install\u00a0all<\/strong>\u00a0the smart tools and click\u00a0\u201cNext\u201d<\/p>\n

\"06\"<\/p>\n

7.<\/strong>\u00a0the installation process will begin and take around two mins to complete.<\/p>\n

\"07\"<\/p>\n

8.<\/strong>\u00a0Once the installation is complete, tick the checkbox\u00a0\u201cAdd Smartconsole shortcuts on desktop\u201d\u00a0and click\u00a0\u201cFinish\u201d<\/p>\n

\"08\"<\/p>\n

9.<\/strong>\u00a0The tools should now be visible on the desktop.\u00a0Click and launch\u00a0\u201cSmartDashboard\u201d\u00a0form the desktop. this is the main tool used to connect to the management server.<\/p>\n

\"09\"<\/p>\n

10.<\/strong>\u00a0At the prompt for login, Specify the\u00a0\u201cAdministrator\u201d\u00a0login details. And use the IP address of the management server,\u00a0\u201c10.1.1.2\u201d. Click\u00a0\u201cLogin\u201d<\/p>\n

\"10\"<\/p>\n

11.<\/strong>\u00a0The device will display the fingerprint, verify this is correct to ensure you are connecting to the right device.<\/p>\n

\"11\"<\/p>\n

12.<\/strong>\u00a0Log into the web GUI from a browser at\u00a0\u201chttps:\/\/10.1.1.2\u201d. Navigate to\u00a0\u201cCertificate Authority\u201d\u00a0and verify the fingerprint matches to the one displayed on smart dashboard. \u00a0If this matches (Which it should) click\u00a0\u201cApprove\u201d\u00a0on smart dashboard to connect.<\/p>\n

\"12\"<\/p>\n

13.<\/strong>\u00a0The device will display the trial message. Click\u00a0\u201cOK\u201d<\/p>\n

\"13\"<\/p>\n

14.<\/strong>\u00a0Once the user is logged in,\u00a0\u201cSmartDashboard\u201d\u00a0will display the the management interface. We can see that there are no\u00a0\u201cSecurity Gateways\u201d\u00a0to manage.<\/p>\n

\"14\"<\/p>\n

The installation of the \u201cSmartTools\u201d is now complete, using the smartdashboard we are able to access the management server. we use the management server to create policies and configuration we then push these out to \u201cSecurity Gateways\u201d we now need a Security Gateway to manage.<\/p>\n

 <\/p>\n

Deploy the Security Gateway<\/strong><\/p>\n

1.<\/strong>\u00a0From vSphere, right click the host and select\u00a0\u201cNew Virtual Machine\u201d<\/p>\n

\"1\"<\/p>\n

2.<\/strong>\u00a0\u00a0Select\u00a0\u201cCustom\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"2\"<\/p>\n

3.<\/strong>\u00a0Give the VM a name, In this instance its called\u00a0\u201cCheckpoint-GW-01\u201d<\/p>\n

\"3\"<\/p>\n

4.\u00a0<\/strong>Select the data store to store the VM and click\u00a0\u201cNext\u201d<\/p>\n

\"4\"<\/p>\n

5.<\/strong>\u00a0 Select\u00a0\u201cVirtual Machine Version: 11\u201d\u00a0and click\u00a0\u201cNext\u201d.<\/p>\n

\"5\"<\/p>\n

6.\u00a0<\/strong>\u00a0Select\u00a0\u201cLinux\u201d\u00a0as the guest operating system. From the drop down menu select\u00a0\u201cOther Linux (32 bit)\u201d\u00a0as the\u00a0\u201cVersion\u201d<\/p>\n

\"6\"<\/p>\n

7.\u00a0<\/strong>Assign the VM CPU according to the hardware capability of the ESX host. In this case i have assigned\u00a0\u201c2 Virtual sockets\u201d\u00a0and\u00a0\u201c2 Cores per socket\u201d. Click \u201cNext\u201d<\/p>\n

\"7\"<\/p>\n

8.<\/strong>\u00a0Give the VM a minimum of 4GB RAM and click\u00a0\u201cNext\u201d<\/p>\n

\"8\"<\/p>\n

9.<\/strong>\u00a0Give the\u00a0\u201cSecurity Gateway\u201d\u00a03 NIC\u2019s and assign it to the appropriate VLANs. In our case\u00a0\u201cVLAN2\u201d\u00a0will be for the outside network,\u00a0\u201cVLAN60\u201d\u00a0will be for the inside network and\u00a0\u201cVLAN30\u201d\u00a0will be for the DMZ. Click\u00a0\u201cNext\u201d<\/p>\n

\"9\"<\/p>\n

10.\u00a0<\/strong>Select\u00a0\u201cLSI Logic Parallel\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"10\"<\/p>\n

11.\u00a0<\/strong>Select\u00a0\u201cCreate a new virtual disk\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"11\"<\/p>\n

12.<\/strong>\u00a0Specify the size of the disk in GB, make sure the size is at least\u00a0\u201c30GB\u201d\u00a0Select\u00a0\u201cThick Provision Lazy Zeroed\u201d\u00a0and select\u00a0\u201cStore with virtual machine\u201dClick\u00a0\u201cNext\u201d<\/p>\n

\"12\"<\/p>\n

13.\u00a0<\/strong>Select\u00a0\u201cSCSI (0:0)\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"13\"<\/p>\n

14.\u00a0<\/strong>\u00a0At the summary screen, verify all the details are correct, tick\u00a0\u201cEdit the virtual machine settings before completion\u201d\u00a0and click\u00a0\u201cContinue\u201d<\/p>\n

\"14\"<\/p>\n

15.<\/strong>\u00a0From the\u00a0\u201cVirtual Machine Properties\u201d\u00a0select\u00a0\u201cNew CD\/DVD (adding)\u201d. Tick\u00a0\u201cConnect at power on\u201d\u00a0, select\u00a0\u201cDatastore ISO File\u201d. Click\u00a0\u201cBrowse\u201d<\/p>\n

\"15\"<\/p>\n

16.<\/strong>\u00a0Browse the datastore and select the Checkpoint ISO image. Once selected click\u00a0\u201cOK\u201d<\/p>\n

\"16\"<\/p>\n

17.\u00a0<\/strong>\u00a0The ISO should now be present inside the Datastore ISO File field. Click\u00a0\u201cFinish\u201d<\/p>\n

\"17\"<\/p>\n

18.<\/strong>\u00a0Once the VM has been created, right click the VM and select\u00a0\u201cOpen Console\u201d<\/p>\n

\"18\"<\/p>\n

19.\u00a0\u00a0<\/strong>Click the green \u201cPlay\u201d button to power on the virtual machine. As the VM boots, it will load the specified checkpoint ISO, select\u00a0\u201cInstall GAIA on this system\u201d<\/p>\n

\"19\"<\/p>\n

20.<\/strong>\u00a0At the\u00a0\u201cWelcome\u201d\u00a0screen select\u00a0\u201cOK\u201d\u00a0to proceed with the install.<\/p>\n

\"20\"<\/p>\n

21.\u00a0<\/strong>Select\u00a0\u201cUS\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

\"21\"<\/p>\n

22.<\/strong>\u00a0Allocate the defaults and select\u00a0\u201cOK\u201d<\/p>\n

\"22\"<\/p>\n

23.\u00a0<\/strong>Create the\u00a0\u201cadmin\u201d\u00a0password and click\u00a0\u201cOK\u201d<\/p>\n

\"23\"<\/p>\n

24.<\/strong>\u00a0From the menu select\u00a0\u201ceth1\u201d,\u00a0so that this can be configured as the management IP.<\/p>\n

\"24\"<\/p>\n

25.<\/strong>\u00a0The inside network will be\u00a0\u201c10.1.1.0\/24\u201d\u00a0we will use\u00a0\u201c10.1.1.1\/24\u201d\u00a0as the IP. We wont specify a default gateway as its not required- later we can add a static default route via the web GUI as the next hop.<\/p>\n

\"25\"<\/p>\n

26.<\/strong>\u00a0\u00a0At the confirmation screen click\u00a0\u201cOK\u201d, the device will reformat the HDD and install the GAIA OS.<\/p>\n

\"26\"<\/p>\n

27.\u00a0<\/strong>Once installation is complete the device will prompt to\u00a0\u201cReboot\u201d\u00a0click\u00a0\u201cReboot\u201d<\/p>\n

\"28\"<\/p>\n

28.<\/strong>\u00a0Once the system as rebooted and is ready it will display the logon prompt<\/p>\n

\"29\"<\/p>\n

29.<\/strong>\u00a0From the workstation launch a browser and navigate to\u00a0\u201chttps:\/\/10.1.1.1\u201d\u00a0at the warning prompt, click\u00a0\u201ccontinue to this webpage (not recommended)\u201d<\/p>\n

\"45.1\"<\/p>\n

30.<\/strong>\u00a0At the login prompt for \u201cGAIA\u201d use the username\u00a0\u201cadmin\u201d\u00a0and the password that was set at the previous step.<\/p>\n

\"45.2\"<\/p>\n

31.\u00a0<\/strong>Once logged in, the device will display a\u00a0\u201cFirst Time Configuration Wizard\u201d\u00a0to complete the initial setup. At the prompt click\u00a0\u201cNext\u201d<\/p>\n

\"32\"<\/p>\n

32.\u00a0<\/strong>Select\u00a0\u201cContinue with Gaia R77.30 configuration\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

\"33\"<\/p>\n

33.\u00a0<\/strong>Verify the IP address details are correct and click\u00a0\u201cNext\u201d<\/p>\n

\"34\"<\/p>\n

34.<\/strong>\u00a0leave the settings for \u201ceth0\u201d as default, as we will configure this later via the web GUI. Click\u00a0\u201cNext\u201d<\/p>\n

\"35\"<\/p>\n

35.\u00a0<\/strong>Give the device a\u00a0\u201cHost Name\u201d,\u00a0\u201cDomain Name\u201d\u00a0and\u00a0\u201cDNS server\u201d\u00a0details. Click\u00a0\u201cNext\u201d<\/p>\n

\"36\"<\/p>\n

36.<\/strong>\u00a0Ensure the time setting are correct and click\u00a0\u201cNext\u201d<\/p>\n

\"37\"<\/p>\n

37.<\/strong>\u00a0Select\u00a0\u201cSecurity Gateway or Security Management\u201d\u00a0Click\u00a0\u201cNext\u201d<\/p>\n

\"38\"<\/p>\n

38.<\/strong>\u00a0From the checkbox option, select\u00a0\u201cSecurity Gateway\u201d\u00a0and check the\u00a0\u201cAutomatically download Blades Contracts and other important data (highly recommened)\u201d\u00a0box. Click\u00a0\u201cNext\u201d<\/p>\n

\"39\"<\/p>\n

39.<\/strong>\u00a0Select\u00a0\u201cNo\u201d\u00a0and click click\u00a0\u201cNext\u201d<\/p>\n

\"40\"<\/p>\n

40.<\/strong>\u00a0Enter a one time password for\u00a0\u201cSIC\u201d\u00a0(Secure Internal Communication). This password will be used later when we add the gateway into the \u201cManagement Server\u201d.<\/p>\n

\"41\"<\/p>\n

41.<\/strong>\u00a0Click\u00a0\u201cFinish\u201d\u00a0at the summary screen to begin configuration. This process will take a few minutes to complete.<\/p>\n

\"42\"<\/p>\n

42.<\/strong>\u00a0Click\u00a0\u201cYes\u201d\u00a0at the prompt.<\/p>\n

\"43\"<\/p>\n

43.<\/strong>\u00a0Once the configuration is complete, click\u00a0\u201cOK\u201d\u00a0to allow the device to reboot.<\/p>\n

\"44\"<\/p>\n

44.<\/strong>\u00a0The device will reboot, which will take around 2 minutes to complete.<\/p>\n

\"45\"<\/p>\n

45.<\/strong>\u00a0Once the device comes back up, from a workstation launch a browser and navigate to\u00a0\u00a0\u201chttps:\/\/10.1.1.1\u201d. Click\u00a0\u201cContinue to this webpage (not recommended)\u201d<\/p>\n

\"45.1\"<\/p>\n

46.<\/strong>\u00a0At the login prompt for\u00a0\u201cGAIA\u201d\u00a0use the username\u00a0\u201cadmin\u201d\u00a0and the password that was set at the previous step.<\/p>\n

\"45.2\"<\/p>\n

47.<\/strong>\u00a0Navigate to\u00a0\u201cNetwork Interfaces\u201d, highlight\u00a0\u201cEth0\u201d\u00a0and click\u00a0\u201cEdit\u201d,\u00a0the status of the interface should be down.<\/p>\n

\"45.3\"<\/p>\n

48.<\/strong>\u00a0Tick\u00a0\u201cEnable\u201d\u00a0give the interface the name\u00a0\u201cOutside Interface\u201d\u00a0and specify the IP address that will be used on the outside. in this case we will use\u00a0\u201c192.168.0.245\/24\u201d. Click\u00a0\u201cOK\u201d<\/p>\n

\"45.4\"<\/p>\n

49.<\/strong>\u00a0Select\u00a0\u201cEth2\u201d\u00a0and click\u00a0\u201cEdit\u201d.<\/p>\n

\"45.5\"<\/p>\n

50.<\/strong>\u00a0Tick\u00a0\u201cEnable\u201d\u00a0and give the interface a name. In this instance we will use this as the\u00a0\u201cDMZ interface\u201d. the IP address will be\u00a0\u201c172.16.1.1\/24\u201d. Click\u00a0\u201cOK\u201d.<\/p>\n

\"45.6\"<\/p>\n

51.<\/strong>\u00a0The status of all 3 interfaces should now be up. the device will automatically save any changes made in the web GUI.<\/p>\n

\"45.7\"<\/p>\n

52.<\/strong>\u00a0Back on the workstation, from\u00a0\u201cSmartDashboard\u201d\u00a0right click\u00a0\u201cCheckpoint\u201d\u00a0scroll right to\u00a0\u201cCheckpoint\u201d\u00a0and click\u00a0\u201cSecurity Gateway\/Management\u201d<\/p>\n

\"46\"<\/p>\n

53.<\/strong>\u00a0From the menu select\u00a0\u201cClassic Mode\u201d<\/p>\n

\"47\"<\/p>\n

54.<\/strong>\u00a0The gateway properties window will appear, insert the host name in the\u00a0\u201cName\u201d\u00a0field, and insert the IP address inside\u00a0\u201cIPv4 Address\u201d. Finally click\u00a0\u201cCommunication\u201d<\/p>\n

\"48\"<\/p>\n

55.<\/strong>\u00a0Insert the one time password created earlier and click on\u00a0\u201cInitialize\u201d<\/p>\n

\"49\"<\/p>\n

56.<\/strong>\u00a0Once initialization is complete the page will become grey and a small notice will be displayed as\u00a0\u201cTrust established\u201d. If you encounter any issues at this stage \u2013 the password may need to be reset, use the the following step outlined in this article to complete this. Click\u00a0\u201cOK\u201d<\/p>\n

\"50\"<\/p>\n

57.<\/strong>\u00a0A window will appear with all the interfaces of the security gateway to indicate this is what has been discovered when the gateway was added and secure communication was established. Click\u00a0\u201cAccept\u201d<\/p>\n

\"51\"<\/p>\n

58.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0to close the gateway properties.<\/p>\n

\"52\"<\/p>\n

59.<\/strong>\u00a0From \u201cSmartDashboard\u201d on the top left select \u201cPolicy\u201d and click the add new rule icon located at the top center.<\/p>\n

\"53\"<\/p>\n

60.<\/strong>\u00a0An empty rule will appear as shown below, for the time being we don\u2019t need to start creating policies, but we can test the installation of the policy by simply using a blank rule and clicking\u00a0\u201cInstall Policy\u201d\u00a0to ensure it completes successfully. Click\u00a0\u201cInstall Policy\u201d<\/p>\n

\"54\"<\/p>\n

61.<\/strong>\u00a0At the\u00a0\u201cInstall Policy\u201d\u00a0window click\u00a0\u201cOK\u201d<\/p>\n

\"55\"<\/p>\n

62.<\/strong>\u00a0the installation of the policy may take a few minutes to complete, and once done it will display a\u00a0\u201cInstallation completed successfully\u201d\u00a0message. Click\u00a0\u201cOK\u201d\u00a0to close the window.<\/p>\n

\"56\"<\/p>\n

All aspects of the solution is now complete, we have the basics in place from here we can start creating our rule base and NAT policies. The first policy installation has validated that our\u00a0\u201cSmart Tools\u201d,\u00a0\u201cManagement Server\u201d\u00a0and\u00a0\u201cSecurity Gateway\u201d\u00a0are all working and have been setup correctly.<\/p>\n","protected":false},"excerpt":{"rendered":"

Checkpoint is known\u00a0as being a next generation firewall vendor due to being able to support advanced features up to layer 7 of the OSI model,<\/p>\n","protected":false},"author":1,"featured_media":870,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,6],"tags":[39,54,42,96,98,97],"class_list":["post-835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-checkpoint-firewall","category-security","tag-checkpoint","tag-gaia","tag-management-server","tag-security-gateway","tag-smart-dashboard","tag-smart-tools"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=835"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/835\/revisions"}],"predecessor-version":[{"id":957,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/835\/revisions\/957"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/870"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}