Monday, January 12, 2015

Checkpoint Lab - 5 (Manager & Firewall hookup) Tutorial

Additional Manager and Firewall configuration - 

At this point, anyone following the lab setup should be able to reach both the Manager and the Firewall gateway VMs from a browser (the Gaia WebUI). Take some time to go over the options presented in the GUI and get familiar with them. If you need any information, post it and I will try to answer the best I can, time permitting. One thing you can do right away after logging in is raise the inactivity timeout from its 10 minute default to something like 680 minutes, so the WebUI stops logging you out while you work. Make this change on both the Manager and the Firewall. Please don't make a similar change in your production environment: a long-lived idle session on a management interface is exactly what you do not want left open. Left-hand side: System Management --> Session

Start exploring the different options under "Network Management" and validate the IP address, the DNS settings and the routes that were added by default.

Since we plan to administer multiple gateway devices centrally from the Manager (a distributed deployment), the hookup between the Manager and the Firewall needs to happen before we can continue further. As mentioned in the previous labs, communication between the different Check Point components uses SIC (Secure Internal Communication). Establishing it involves entering a one-time passphrase (the SIC activation key) on both sides for each device/component/blade you add; the Manager's Internal Certificate Authority then issues the gateway a certificate, and the passphrase is never used again. My preference is to go through the housekeeping tasks below first.

Assign the network IP addresses to the firewall/gateway
We already assigned eth1 (10.1.1.222) in the previous installation section. Now, per the lab scenario, we need to configure eth0 and eth2 with the Net0 and Net2 addresses respectively. Open the "Network Interfaces" page, double-click the interface to set it up, enter the IP address and subnet mask, and check the "Enable" field. You can add a comment as shown; a short label per interface (external, internal, DMZ) pays off later when you define the gateway topology in SmartDashboard.

It should look something like the screenshot below once the configuration is done.

Now we need to add a default route on the firewall for traffic destined to networks other than the three directly connected ones.
To do this, select "IPv4 Static Routes" and add a default route pointing at the ISP's gateway. Since this lab runs in a home environment, that is the gateway IP of your cable modem or home router. Select "Add Gateway" and then "IP Address". The next hop has to sit on one of the firewall's directly connected subnets (the external one), otherwise Gaia cannot resolve it and the route never becomes active.

For the Manager we already specified the firewall as its gateway during installation, so if you look at the routes in the Manager's WebUI the default gateway should be the firewall's internal IP.
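The interface and route steps above are all done by clicking, which makes it easy to end up with a next hop that is not on any connected subnet or with two interfaces in overlapping networks. The script below is an added example for this tutorial, not Check Point code: it checks those invariants for the lab plan and prints the Gaia clish commands equivalent to the WebUI steps. Only eth1 (10.1.1.222/24), the Manager (10.1.1.150) and the Manager's gateway (10.1.1.222) come from the lab text; the Net0/Net2 addresses and the home-router address are assumed placeholders, as marked in the code.

```python
"""Sanity-check the lab addressing plan and emit the equivalent Gaia clish commands.

Added example for this tutorial, not Check Point code. Only eth1 (10.1.1.222/24), the
Manager (10.1.1.150) and the Manager's default gateway (10.1.1.222) come from the lab
text; the Net0/Net2 addresses and the home-router address are assumed placeholders.
"""
import ipaddress

# Constructed lab plan: interface -> (address/prefix, Gaia interface comment)
LAB_INTERFACES = {
    "eth0": ("192.168.1.222/24", "Net0 external, ISP side (assumed address)"),
    "eth1": ("10.1.1.222/24", "Net1 internal, Manager and ClientA live here"),
    "eth2": ("172.16.1.222/24", "Net2 (assumed address)"),
}
DEFAULT_GATEWAY = "192.168.1.1"   # assumed cable modem / home router address
MANAGER_IP = "10.1.1.150"
MANAGER_GATEWAY = "10.1.1.222"    # the Manager's default route points at eth1


def validate_plan(interfaces, default_gw, manager_ip, manager_gw):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    nets = {name: ipaddress.ip_interface(cidr) for name, (cidr, _) in interfaces.items()}

    for name, iface in nets.items():
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")

    # Overlapping subnets make the routing table ambiguous and break anti-spoofing later.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].network.overlaps(nets[b].network):
                problems.append(f"{a} {nets[a].network} overlaps {b} {nets[b].network}")

    # Gaia only accepts a next hop that is on a directly connected network.
    gw = ipaddress.ip_address(default_gw)
    on_link = [name for name, iface in nets.items() if gw in iface.network]
    if not on_link:
        problems.append(f"default gateway {gw} is not on any connected network")
    elif any(nets[name].ip == gw for name in on_link):
        problems.append(f"default gateway {gw} is the firewall's own address")

    # The Manager's default route must point at a firewall interface on its own subnet.
    mgr = ipaddress.ip_address(manager_ip)
    mgw = ipaddress.ip_address(manager_gw)
    fw_side = [iface for iface in nets.values() if iface.ip == mgw]
    if not fw_side:
        problems.append(f"manager gateway {mgw} is not a firewall interface address")
    elif mgr not in fw_side[0].network:
        problems.append(f"manager {mgr} is not on the same subnet as {mgw}")
    return problems


def gaia_clish(interfaces, default_gw):
    """Return clish lines equivalent to the WebUI steps (Network Interfaces, IPv4 Static Routes)."""
    lines = []
    for name, (cidr, comment) in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        lines.append(f"set interface {name} ipv4-address {iface.ip} "
                     f"mask-length {iface.network.prefixlen}")
        lines.append(f'set interface {name} comments "{comment}"')
        lines.append(f"set interface {name} state on")
    lines.append(f"set static-route default nexthop gateway address {default_gw} on")
    lines.append("save config")   # without this the change is lost on reboot
    return lines


if __name__ == "__main__":
    issues = validate_plan(LAB_INTERFACES, DEFAULT_GATEWAY, MANAGER_IP, MANAGER_GATEWAY)
    if issues:
        print("plan is inconsistent:")
        for issue in issues:
            print("  -", issue)
    else:
        print("# paste into clish on the gateway:")
        print("\n".join(gaia_clish(LAB_INTERFACES, DEFAULT_GATEWAY)))
```

Swap in your own Net0/Net2 addresses and router IP before using the output; the same clish lines can also be used to recover a gateway whose WebUI is unreachable from the console.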
In addition you will need to download the SmartConsole executable and install it on the ClientA machine at the Main Office. SmartConsole provides the clients used to manage and maintain the different aspects of Check Point devices: you will create rules and policies, view logs, initiate backups, update licenses and much more. The components you will use in your day-to-day work include SmartDashboard, SmartView Tracker, SmartView Monitor, SmartLog, SmartReporter and SmartUpdate. The Manager's WebUI provides the link to download the exe that installs these clients, highlighted below in the Overview section. Also note that Platform Info shows VMware, since I am using VMware for this lab. I will cover the components in more detail later, but right now the focus is to finish the prerequisites and get a working model.

Download the exe and install it on the ClientA machine (double-click and accept the defaults). When asked which components to install, choose "Select All".

This concludes the installation of the SmartConsole components on the ClientA machine. Using these components you connect to the Manager, which in turn manages the firewall: the distributed deployment.

SmartDashboard is the client you will use the most. For now, open it and connect to the Manager at 10.1.1.150 with the Manager's administrator credentials.

Once you are logged in, the last task remaining is to connect the Manager and the Firewall. When SmartDashboard first connects to the Manager you should see something like the screenshot below: plain vanilla, nothing set up, no gateway or firewall object.

If you look at the "Network Objects" tab as shown, under "Check Point" you will see the Manager already added. To add the firewall, right-click "Check Point" and select the "Security Gateway/Management" option.

You will be asked which mode to use to define the firewall object. I like Classic Mode; you can also choose Wizard Mode, which achieves the same goal.

Once you click Classic Mode you will see the screen below. Fill in the information as per the lab setup.

Enter the name MainOffice_Firewall (no spaces). For the IPv4 address you can give the external ISP-facing interface, which the Manager can reach because its default route points at the firewall, or you can select the internal interface IP 10.1.1.222. In this lab the Manager sits on the 10.1.1.0/24 network directly behind eth1, so 10.1.1.222 is the simpler choice: it is reachable without the default route and does not depend on the home router being up. Click the "Communication" button and enter the same one-time passphrase you set on the gateway; the Manager uses it once to establish SIC trust with the firewall.

Click "Initialize" and you should see the successful result below (the trust state changes to "Trust established"). If it fails instead, the two usual causes are a mismatched passphrase and the Manager not being able to reach the gateway on the SIC ports.
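When SIC initialization or a later policy install fails with a TCP connectivity error, the useful first question is whether the Manager can open the control ports on the gateway at all. The script below is an added example for this tutorial, not Check Point code: it probes the Manager-to-gateway TCP ports that the hookup depends on and classifies each one as open, refused, timed out or unreachable, which separates "cpd is not listening" from "something on the path is dropping the connection". The port numbers and their roles are standard Check Point control connections; the target address given on the command line and the timeout are assumptions, and a throwaway loopback listener stands in for the gateway so the script can be exercised offline.

```python
"""Probe the TCP ports the Manager must reach on a gateway for SIC and policy installation.

Added example for this tutorial, not Check Point code. The port numbers and their roles
are standard Check Point control connections; the gateway address passed on the command
line and the timeout are assumptions. A local throwaway listener stands in for the
gateway so the script can be exercised offline.
"""
import socket
import sys
from contextlib import closing

# Manager -> gateway control ports (all TCP) that the hookup in this lab depends on.
GATEWAY_PORTS = {
    18211: "CPD: SIC initialisation, the Manager pushes the certificate to the gateway",
    18191: "CPD: SIC after trust is established, including policy installation",
    18192: "CPD_amon: status queries from SmartView Monitor",
}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt as open, refused, timeout or unreachable."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"      # host answers but nothing listens: cpd down or wrong IP
        except socket.timeout:
            return "timeout"      # silently dropped: bad route, NAT, or a rule blocking it
        except OSError:
            return "unreachable"  # this host has no route at all to the target


def check_gateway_ports(host, ports=None, timeout=2.0):
    """Return {port: status} for every control port in `ports` (default GATEWAY_PORTS)."""
    ports = GATEWAY_PORTS if ports is None else ports
    return {port: probe_tcp(host, port, timeout) for port in ports}


def sic_prerequisites_ok(results):
    """Initial trust needs 18211; everything afterwards (policy push) needs 18191."""
    return results.get(18211) == "open" and results.get(18191) == "open"


def explain(results, ports=None):
    """Human-readable report lines, one per probed port."""
    ports = GATEWAY_PORTS if ports is None else ports
    return [f"{port:>5}/tcp {status:<11} {ports.get(port, '')}"
            for port, status in results.items()]


def open_local_listener():
    """Bind a throwaway listener on 127.0.0.1. The kernel completes the handshake
    from the backlog even before accept(), so a connect() to it reports 'open'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv   # srv.getsockname()[1] is the port; the caller closes it


def closed_local_port():
    """Return a loopback port that was just released, so a connect() to it is refused."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: run on the Manager, e.g. `python sic_ports.py 10.1.1.222`.
        results = check_gateway_ports(sys.argv[1])
        print("\n".join(explain(results)))
        print("SIC prerequisites:", "ok" if sic_prerequisites_ok(results) else "NOT met")
    else:
        # Offline demonstration with a constructed "gateway" on loopback: one port
        # with a listener (reports open) and one just-released port (reports refused).
        srv = open_local_listener()
        fake = {srv.getsockname()[1]: "constructed listener (stands in for cpd)",
                closed_local_port(): "constructed closed port"}
        results = check_gateway_ports("127.0.0.1", fake, 1.0)
        print("\n".join(explain(results, fake)))
        srv.close()
```

Run it from the Manager against the gateway's address (10.1.1.222 in this lab). A "timeout" on 18191 with "open" on 18211 is the classic signature of trust having been established once and a later policy or routing change cutting the Manager off; "refused" on all three usually means the wrong address or cpd not running on the gateway.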

Now in SmartDashboard you should be able to see your first Main Office gateway. Open the "Topology" page and check that all the interfaces on the gateway are listed; there should be three. Use the "Get" option to fetch them from the gateway and populate the topology. Check that each interface ends up classified the right way (external for the ISP side, internal for the others), because the gateway's anti-spoofing is enforced from this topology and a wrong classification silently drops legitimate traffic.

Hopefully you will see the screenshot below. If you want to change the properties or the topology later, just double-click the gateway object (HQ_Firewall) to get back to these options.

2 comments:

Unknown said...

Dear,

I have a problem and I was wondering if you could help me.
I'm new to Checkpoint and I'm learning it through an online course.
I have deployed Checkpoint on an HQ site with a management and firewall server and everything works well. I created a branch site with one firewall, connected the management server of the HQ site to the branch firewall and created a separate policy for the branch firewall, but when I want to push the policy to the branch firewall I get the error: Installation failed. Reason: TCP connectivity failure ( port = 18191 )( IP = )[ error no. 10 ].
I have been fighting with this for more than a week now. Your help would be so much appreciated.

Regards

GlobalITLinks said...

Hello Pape... Port 18191 is an implied-rule defined port on the CP gateway. Did you disable those rules? Also, is SIC working from the Manager to the Br Firewall? (I am assuming it is.) Can you recheck real quick and let me know?