Checkpoint Fundamentals :
Like every other firewall, Checkpoint is a security device, but it comes with advanced features that are not present on many other vendors' firewalls. Palo Alto is one such firewall, but we are strictly going to discuss Checkpoint in this series of blogs:
Here, I am not going to discuss how a general network security firewall works but will strictly discuss the functioning of a Checkpoint firewall.
Checkpoint uses a 3-tier architecture named SMART (it's actually smart), but the real nomenclature is Security Management Architecture.
SMART Architecture :
Console, Management, & Gateway (FW)
In this course, we are going to call the gateway a firewall.
Management Server, also called: Secure Management Server (SMS) or Smart Center Security Server.
Smart Console: It's the administrator's PC (also called the SMART Dashboard) that actually controls the management server and makes policies on it. It contains some software blades, or we can say tools: SMART View Tracker, Smart Monitor, Smart Log, Smart Event and many more...
It's a 2-way communication between the Admin PC and the Mgmt server, and then from the Mgmt server to the firewall.
Like: the Admin PC makes policies on the Mgmt server and the server pushes those policies to the actual firewall,
and similarly, the gateway sends logs to the management server and we can export those logs to our admin PC.
Also, the Mgmt server can be used to manage hundreds of firewalls centrally, thus providing a central management system.
Traffic Control Mechanism :
- Packet filtering: Works on layer 3/4 of the OSI model, meaning filtering on the basis of IP address and port number.
- Stateful inspection: like in every other firewall, we don't open 2-way access; we always allow 1-way access and the return traffic is allowed automatically based on session parameters (the session gets created when the first packet hits the firewall). In Checkpoint we call it the Inspect Engine.
- Application Awareness: The firewall not only looks at layers 3 and 4 of the TCP/IP model but actually looks at the application, or I would say "content". For example: users are allowed to go to a social network site like Facebook but are denied playing any game on that website. So, it provides granularity up to the application traffic level.
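To make the three mechanisms concrete, here is an added Python example (not Checkpoint code, and not a model of the real Inspect Engine): a toy rule base that filters on IP and port, a session table that lets replies through without needing a rule of their own, and an application label that can be denied inside an otherwise accepted rule, like Facebook allowed but games on Facebook blocked. The addresses, ports and application labels are constructed for the demo.

```python
# Added example: a toy model of packet filtering, stateful inspection and
# application awareness. This is not Checkpoint code and does not model the
# real Inspect Engine; addresses, rules and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    app: str = ""   # application/content label the inspection identified, if any


@dataclass(frozen=True)
class Rule:
    src: str        # source network in CIDR notation
    dst: str        # destination network in CIDR notation
    proto: str
    dport: int
    action: str     # "accept" or "drop"
    app_deny: tuple = ()   # application labels denied even though L3/L4 matches

    def matches(self, pkt):
        # Packet filtering: layer 3/4 fields only
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.proto == self.proto
                and pkt.dport == self.dport)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Session table: 5-tuples of connections that a rule accepted
        self.sessions = set()

    def inspect(self, pkt):
        # Stateful inspection: a reply to a known session needs no rule
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.sessions:
            return "accept (existing session)"
        # Packet filtering: the first matching rule decides
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action != "accept":
                return "drop (rule)"
            # Application awareness: content-level deny inside an accepted rule
            if pkt.app in rule.app_deny:
                return "drop (application control)"
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "accept (rule)"
        # No rule matched: implicit cleanup rule, drop
        return "drop (implicit cleanup)"


def demo():
    """Run constructed packets through a one-rule policy and return the verdicts."""
    fw = StatefulFirewall([
        # The internal LAN may reach any HTTPS server, but the constructed
        # "facebook-games" label is denied even though Facebook itself is allowed
        Rule("10.1.1.0/24", "0.0.0.0/0", "tcp", 443, "accept",
             app_deny=("facebook-games",)),
    ])
    lan_pc, web = "10.1.1.15", "203.0.113.10"   # constructed addresses
    return [
        fw.inspect(Packet(lan_pc, web, "tcp", 51000, 443, "facebook")),      # outbound, allowed
        fw.inspect(Packet(web, lan_pc, "tcp", 443, 51000)),                  # reply to that session
        fw.inspect(Packet(web, lan_pc, "tcp", 443, 51001)),                  # unsolicited inbound
        fw.inspect(Packet(lan_pc, web, "tcp", 51002, 443, "facebook-games")),  # content denied
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the point of stateful inspection: it comes from the same web server on the same port as the legitimate reply, but no session matches it, so it falls through the rule base and is dropped.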
Operating system History :
- IPSO: Based on a FreeBSD-based Linux system
- SPLAT (Secure Platform): Uses the Red Hat Linux platform, optimized for use as a Checkpoint OS
But the above two OSes had certain vulnerabilities, so in 2012 they took the advantages of both legacy platforms and built a new OS named GAIA, which has the best of the last 2 OSes.
- GAIA : Currently in use
Most deployments will have a distributed environment (separate Mgmt and Gateway devices), but it is also possible to use the same device as Mgmt server as well as gateway (standalone deployment) in small environments, though that is very rare.
Installing GAIA :
–First we are going to work on a single HQFW (Headquarter Firewall) and then on a BRFW (Branch Firewall), creating a VPN and managing both firewalls from the same management server. In the end we are going to deploy these firewalls in HA.
For the gateway as well as the management server, the same Checkpoint OS is going to be used. The difference comes at installation time: whether you want to make that particular device a gateway, a MGMT server, or both (Standalone).
I'll be doing this on a vSphere Client virtual machine on ESXi. On booting, the below screen will appear:
–Keep clicking OK (it will show resources) till it asks for the admin password. Give the admin password there.
Then it will ask for the configuration of the network port/IP.
–Give the IP on the interface from which you are going to take SSH access from your admin PC. In our case it is 10.1.1.100 on Eth1. Then click OK; various packages will be installed on the device and eventually it will ask for a reboot.
Then access the GAIA interface from the admin PC through any internet browser and log in with the admin credentials:
Click Next and configure: NTP settings, hostname, domain name, DNS server details, Ethernet IP configuration and default gateway.
Next it will ask what kind of installation you want to make:
Choose with care here :
–Here we mention either gateway mode or management server mode. Also, for HA, which cluster mode you want: XL or VRRP. In most cases we take VRRP cluster mode.
Say no to DAIP (Dynamically Assigned IP) in the next window.
Make sure we remember the activation key which we'll give in the next step:
Then it'll ask for a few more things; just click Finish, it will reboot again and come up as a firewall device.
The same steps need to be performed for the management server.
A few little things need to be kept in mind while creating the management server, like this:
Check the topology: the IP should be 10.1.1.20 with gateway 10.1.1.100, which is configured on the gateway.
Now, once you log into the MGMT server post-reboot, the configuration in the first-time wizard is like the gateway's, but make sure this time you select this image to boot as a MGMT server instead of a gateway, like this: Here you can also mark the MGMT server as primary or secondary.
After this, give the administrator username and password.
Now, we'll define who can access this management server: In our case I have selected only my Admin-PC with IP (10.1.1.15). See below:
And then click Finish to continue.
Once you log into GAIA, you can tell if this is a MGMT server or a gateway device by looking at the system overview. See this:
The gateway is mentioned with its version.
Also in the above snapshot, see the little pen mark; it tells us whether we can make changes in the GUI or not. If it looks like a pen then we can make changes in the GUI and not in the CLI. To make changes through the CLI we first have to use the "lock database override" command.
And if this sign looks like this
then we can't make any changes through the GUI. Simply click on it if you wish to edit anything in the GUI and it will change its shape from a lock to a pen.
Connect the Manager and firewall :
Once the firewall has rebooted and is up and running as a gateway, log into the gateway and configure the interfaces on GAIA:
If you want to edit something (to make any change in port settings like speed/duplex/MTU/disable), just click on the interface and press Edit.
- Configure the default route on the firewall towards router R1. Create a banner if you wish to.
- Also on the main page of GAIA, you'll see the below option to download the SMART Console.
As I mentioned earlier, Smart Console has all the necessary tools to manage, troubleshoot, analyze and audit the different traffic and to do all the activities on the gateway.
Also in the first-time installation, either download the SMART Console as given in the below snapshot, or it will ask you to download Smart Console on the GAIA main page.
Use the Dashboard to add the firewall objects and to link the firewall to the manager.
Once SMART Console is downloaded, install it and include all the blades which you want to use (e.g. Smart Monitor); we can then use tools like SMART Dashboard to manage the Checkpoint infrastructure.
But before installing Smart Console there are some prerequisites (for the virtual lab):
- RAM on the PC should be more than 1 GB.
- Microsoft .NET Framework (v4)
- Adobe Flash Player (v10 minimum)
–Use Message under System Management on GAIA for any banner message.
–Once Smart Console is installed, log into Smart Dashboard:
Use the admin credentials which we gave at the time of installation.
(Here is a cool thing: if you don't have a gateway then you can use it in Demo mode. We can also log in either in write mode or in read mode just by clicking on the read-only icon.)
The very first message will be the fingerprint, like this:
This is to verify that we are logging on to the correct server:
Match this with the pattern on our console:
go to the MGMT console and type: cpconfig
Now, choose option 7
and now match the fingerprint with the one showing on Smart Dashboard; if these two are the same, it means you are logging into the correct server.
Approve the fingerprint and continue...
For test users, a message will pop up that the license will expire in 15 days. Click OK and you'll see the blank dashboard like this:
Now, it's time for our manager to tell us about the gateway (our Checkpoint firewall):
–See the Network Objects; the MGMT server object will be there. We'll see more objects there under Checkpoint.
–Now to discover the gateway, right-click on Checkpoint under Network Objects, click Security Gateway/Management and choose Classic mode. (I'll give you a demo of Wizard mode while discovering another firewall.)
Give the firewall name, IP, any comment and colour. Choose hardware as Open Source as we are on a virtual machine. We are using OS GAIA version 76.
Here, it is not necessary to give the internal IP 10.1.1.100 in our case; you can give the outside interface IP (192.168.10.100) as well to discover the firewall.
Choose the above-given Network Security blades and Management blades, which give different functionality to the box. Licensing of all these features is independent of each other.
Now test the SIC (Secure Internal Communication):
Now give the one-time password we defined during firewall installation. Once we click Initialize, the certificate state will go from Uninitialized to Trust Established.
The MGMT server has a certificate service running on it. It is going to create a certificate for the firewall, install the certificate on the firewall and, from that time forward, use that certificate for authentication of each other.
To check the SIC Status through CLI :
There are 2 modes in the CLI, clish and expert. In expert mode you can run Linux-based commands, and in clish mode normal show commands like on any other vendor. I'll give more insight into this when we discuss the Command Line series on Checkpoint.
For now, go to expert mode (we must set up the expert password for that with the set expert-password command) and fire the below command.
This is a one-time password; if SIC fails then there is a different method to initialize SIC again, which we'll see later in the next parts of this series.
Once we click OK, it'll fetch the whole topology. See below:
Now, if you see the topology, 1 interface would be showing as external and the other as internal. WHY?
It's because, based on the default route, it assumed that interface is external and the other internal.
We can edit the topology here but for now we are just going to click OK.
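The assumption the topology fetch makes can be reproduced in a few lines. Here is an added Python example (not Checkpoint's topology code): given the gateway's interfaces and its routing table, the interface whose subnet contains the default route's next hop is marked External and every other interface Internal with its connected network. The interface names, the outside address 192.168.10.100 and the R1 next-hop address are assumptions for the lab; the example also covers the case of no default route, where nothing can be marked External.

```python
# Added example: reproduces the "default route => External" assumption that
# the topology fetch makes. Not Checkpoint code; interface names, the outside
# address and the R1 next hop are assumptions for the lab.
from ipaddress import ip_address, ip_interface, ip_network

# Constructed gateway interfaces: name -> address/prefix
INTERFACES = {
    "eth0": "192.168.10.100/24",   # assumed outside interface
    "eth1": "10.1.1.100/24",       # inside interface used in the post
}

# Constructed routing table: (destination, next hop); None = directly connected
ROUTES = [
    ("0.0.0.0/0", "192.168.10.1"),   # default route towards R1 (assumed address)
    ("10.1.1.0/24", None),
    ("192.168.10.0/24", None),
]


def interface_for_nexthop(nexthop, interfaces):
    """Return the name of the interface whose subnet contains the next hop."""
    for name, addr in interfaces.items():
        if ip_address(nexthop) in ip_interface(addr).network:
            return name
    return None


def classify_topology(interfaces=INTERFACES, routes=ROUTES):
    """Map each interface to 'External' or 'Internal (<connected network>)'."""
    # The default route is the one with a /0 destination and a real next hop
    default_nexthop = next(
        (nh for dst, nh in routes if ip_network(dst).prefixlen == 0 and nh), None)
    external = interface_for_nexthop(default_nexthop, interfaces) if default_nexthop else None
    topology = {}
    for name, addr in interfaces.items():
        if name == external:
            topology[name] = "External"
        else:
            # Everything else is assumed internal, with its connected network
            topology[name] = "Internal (%s)" % ip_interface(addr).network
    return topology


if __name__ == "__main__":
    for name, role in classify_topology().items():
        print(name, role)
```

With the constructed table, eth0 comes out External and eth1 Internal (10.1.1.0/24), the same split the screenshot above shows; remove the default route and both interfaces come out Internal, which is why the topology should be checked and, if needed, edited rather than taken on trust.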
And now the overview in Smart Dashboard will look like this:
In the above diagram you can see the firewall/gateway is enabled but the policy is still not installed.
Here, we can create objects: host object / network object / group them in a group object.
In our next series, we are going to create some other objects and install the policy on the firewall.
- Checkpoint – Checkpoint Fundamentals and first time configuration Wizard – Part I
- Checkpoint – Pushing Policy, NAT , Policy Packages and database Versions – Part II
- Checkpoint – SMART View Tracker and SMART View monitor – Part III
- Checkpoint – LDAP, identity Awareness, HTTPS inspection, App control and URL Filtering – Part IV
- Checkpoint – Command line Interface and IPSEC VPN – Part V