Scribd
Upload
93 views

Check Point Security Master: Lab Setup Procedures

This document provides instructions for configuring a virtual lab environment for a Check Point Security Master class. It includes details on configuring virtual machines for Alpha and Bravo sites, including Security Management Servers, Security Gateways, and GUI clients. It also lists required files and outlines the beginning lab topology diagram. Configuration steps are provided for each virtual machine as well as recommendations for security policy objects to configure.

Uploaded by

Rakesh Rakee
Copyright
© © All Rights Reserved
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
93 views

Check Point Security Master: Lab Setup Procedures

This document provides instructions for configuring a virtual lab environment for a Check Point Security Master class. It includes details on configuring virtual machines for Alpha and Bravo sites, including Security Management Servers, Security Gateways, and GUI clients. It also lists required files and outlines the beginning lab topology diagram. Configuration steps are provided for each virtual machine as well as recommendations for security policy objects to configure.

Uploaded by

Rakesh Rakee
Copyright
© © All Rights Reserved
Available Formats
Download as DOC, PDF, TXT or read online on Scribd
You are on page 1/ 20

CHECK POINT SOFTWARE TECHNOLOGIES

Education Services

Check Point
Security Master
Lab Setup Procedures
E D U C AT I O N S E RV I C E S

Check Point Security Master


Lab Setup Procedures

ã Check Point Software Technologies


www.CheckPoint.com
[email protected]
8333 Ridgepoint Dr., Suite 150, Irving, TX 75063
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configuring the Lab Environment


The Check Point Applied Technology class topology was designed as a “sandbox” environment. All
virtual machines at the student sites have the same set of IP addresses. No connection to the Internet or
classroom router is required.

Follow the steps below to configure the virtual machines for each student site. This configuration was
tested using VMware Workstation. Additional steps or a different configuration may be required when
working with VMware ESX.

Configuring Virtual Machine Settings


All virtual machines should be configured with the following options:

 Snapshots – Just Power off


 VMware Tools – Installed
 Time Synchronization – Synchronization between Guest and Host should be active.

Additional Files
Alpha.zip – Import these objects and rules into A-SMS.
Bravo.zip – Import these objects and rules into B-SMS
Check_Point_R77.10_T157_Install_and_Install_and_Upgrade.Gaia.iso – Install on all Virtual
Machines where a Check Point Security Management Server or Security Gateway system is required.
DSL.zip – Use this Linux distribution as clients to demonstrate Route based VPNs.

You will need to deploy an internal router for both the IPv6 and VPN Routing portions of this class. It is
possible to use a Check Point SecurePlatform image in VMWare and configure it accordingly. If you
want to use a more real world router, we recommend that you download and deploy a Vyatta router.
http://www.vyatta.org/
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Beginning Lab Topology


Configure each student machine with the following virtual environment:

Once the setup is complete, you will need to have all of the machines in this diagram running and test the
configuration by running traffic to and from the Alpha and Bravo sites.

4
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configuring the Virtual Machines


Configure each of the virtual machines listed below on all student machines.

Alpha GUI Client


Use the information below to configure the GUI Client virtual machine:

Name: A-GUI Check Point Modules Installed:


OS: Windows 2008 Server R2
Hard Drive: 40GB  SmartConsole
RAM: 2GB

Use the following information to configure the interface for the GUI Client virtual machine:

IP Address: 10.1.1.201

Subnet Mask: 255.255.255.0


Default Gateway: 10.1.1.1
Interface: eth0
LAN: LAN 1

Special instructions for the GUI Client virtual machine:

1. Install WinSCP.

2. Configure A-GUI as the DNS, NTP, FTP, and Web Server for the alpha.cp domain.
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Alpha Management Server


Use the information below to configure the Alpha Management Server virtual machine:

Name: A-SMS Check Point Modules Installed:


OS: R77.10 Gaia
Hard Drive: 20GB  Security Management Server
RAM: 2GB

Use the following information to configure the interface for the A-SMS virtual machine:

IP Address: 10.1.1.101

Subnet Mask: 255.255.255.0


Default Gateway: 10.1.1.1
Interface: eth0
LAN: LAN 1

Special instructions for the Alpha Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: vpn123

6
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Alpha Security Gateway


Use the information below to configure the Security Gateway virtual machine:

Name: A-GW Check Point Products Installed:


OS: Gaia R77.10  Security Gateway
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interfaces for the Security Gateway virtual machine:

IP Address: 172.21.101.1 IP Address: 10.1.1.1


Subnet Mask: 255.0.0.0 Subnet Mask: 255.255.255.0
Default Gateway: 172.22.102.1 Interface: eth1
Interface: eth0 LAN: LAN 1
LAN: LAN 0

Special instructions for the Security Gateway virtual machine:

1. Install the Security Gateway in a distributed configuration.

2. Confirm policy install and policy enforcement, including VPN.

3. Configure the system administrator credentials to be as follows:

Username: admin

Password: vpn123

Configure the Alpha Security Policy Objects


The following objects should be configured prior to beginning the labs:

 A-GW (Check Point Security Gateway)

 A-GUI (Host Node)

 B-GW (Externally Managed VPN Gateway)

 net-alpha (Network)

 net-bravo (Network)

7
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Bravo GUI Client


Use the information below to configure the GUI Client virtual machine:

Name: B-GUI Check Point Modules Installed:


OS: Windows 7
Hard Drive: 20GB  SmartConsole
RAM: 2GB

Use the following information to configure the interface for the GUI Client virtual machine:

IP Address: 10.2.2.201

Subnet Mask: 255.255.255.0


Default Gateway: 10.2.2.1
Interface: eth0
LAN: LAN 3

Special instructions for the GUI Client virtual machine:

1. Install SmartConsole R77.10.

2. Install and configure the FTP and NTP server for Bravo.

3. Install WinSCP and Putty.

8
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Bravo Management Server


Use the information below to configure the Bravo Management Server virtual machine:

Name: B-SMS Check Point Modules Installed:


OS: R77.10 Gaia
Hard Drive: 20GB  Security Management Server
RAM: 2GB

Use the following information to configure the interface for the B-SMS virtual machine:

IP Address: 10.2.2.101

Subnet Mask: 255.255.255.0


Default Gateway: 10.2.2.1
Interface: eth0
LAN: LAN 3

Special instructions for the Bravo Management Server virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: vpn123

9
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

First Bravo Security Gateway Cluster Member


Use the information below to configure the Security Gateway virtual machine:

Name: B-GW-01 Check Point Products Installed:


OS: Gaia R77.10  Security Gateway
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interfaces for the Security Gateway virtual machine:

IP Address: 172.22.102.2 IP Address: 10.2.2.2


Subnet Mask: 255.0.0.0 Subnet Mask: 255.255.255.0
Default Gateway: 172.21.101.1 Interface: eth1
Interface: eth0 LAN: LAN 3
LAN: LAN 0

IP Address: 192.168.102.2
Subnet Mask: 255.255.255.0
Interface: eth2
LAN: LAN2

Special instructions for the Bravo Security Gateway Cluster Member virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: vpn123

10
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Second Bravo Security Gateway Cluster Member


Use the information below to configure the Security Gateway virtual machine:

Name: B-GW-02 Check Point Products Installed:


OS: Gaia R77.10  Security Gateway
Hard Drive: 20GB
RAM: 2GB

Use the following information to configure the interfaces for the Security Gateway virtual machine:

IP Address: 172.22.102.3 IP Address: 10.2.2.3


Subnet Mask: 255.0.0.0 Subnet Mask: 255.255.255.0
Default Gateway: 172.21.101.1 Interface: eth1
Interface: eth0 LAN: LAN 3
LAN: LAN 0

IP Address: 192.168.102.3
Subnet Mask: 255.255.255.0
Interface: eth2
LAN: LAN 2

Special instructions for the Bravo Security Gateway Cluster Member virtual machine:

1. Configure the system administrator credentials to be as follows:

Username: admin

Password: vpn123

11
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configure the Bravo Security Policy Objects


The following objects should be configured prior to beginning the labs:

 A-GW (Externally Managed VPN Gateway)

 A-GUI (Host Node)

 B-GUI (Host Node)

 B-GW (Check Point Security Gateway Cluster)

 B-GW-01 (Check Point Security Gateway)

 B-GW-02 (Check Point Security Gateway)

 net-alpha (Network)

 net-bravo (Network)

12
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configure the Alpha/Bravo VPN


Configure a Meshed VPN between Alpha and Bravo for all traffic on the management networks:

1. At each site, edit the MyIntranet object and select both site’s gateways as participants:

13
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

2. Define the Encryption settings as follows:

 Encryption Method: IKEv1 only

 Encryption Suite: VPN B

14
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

3. Select the option Use only Shared Secret for all External members.

4. Define the peer name and set the Shared Secret as follows:

vpn123

15
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configure the Alpha Rule Base


Configure the following rules in the Alpha Rule Base:

 NetBIOS: Any | Any | Any Traffic |udp-high-ports, bootp, NBT, rip | drop | None

 Management: net-alpha | A-GW | Any Traffic | https, ssh | accept | Log

 Stealth: Any | A-GW | Any Traffic | Any | drop | Log

 VPN: net-alpha, net-bravo | net-bravo, net-alpha | MyIntranet | Any | accept | Log

 Outbound: net-alpha | Any | Any Traffic | ftp | accept | Log

 Incoming: Any | net-alpha | Any Traffic | http | accept | Log

 Cleanup: Any | Any | Any Traffic | Any | drop | Log

16
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

Configure the Bravo Rule Base


Configure the following rules in the Bravo Rule Base:

 NetBIOS: Any | Any | Any Traffic |udp-high-ports, bootp NBT, rip | drop | None

 Management: net-bravo | B-GW | Any Traffic | https, ssh | accept | Log

 Stealth: Any | B-GW | Any Traffic | Any | drop | Log

 VPN: net-bravo, net-alpha | net-alpha, net-bravo | MyIntranet | Any | accept | Log

 Incoming: Any | net-bravo | Any Traffic | ftp | accept | Log

 Outbound: net-bravo | Any | Any Traffic | http | accept | Log

 Cleanup: Any | Any | Any Traffic | Any | drop | Log

17
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

1. In both Security Policies, configure the Global Properties to allow ICPM Before Last and log
implied rules.

2. Install the Security Policy at both sites.

Configure the Bravo Rule Base


1. From B-GUI, use HTTP to connect to A-WIN (10.1.1.201). The connection should succeed and
be encrypted.
2. From A-GUI, use FTP to connect to B-GUI (10.2.2.201). The connection should succeed and be
encrypted.

18
C H E C K P O I N T S E C U R I T Y M A S T E R - L A B S E T U P P R O C E D U R E S

19

You might also like