CheckPoint Manage Easy
Friday, September 9, 2011
Creating a basic Route Based VPN between 2 Check Point Firewalls
Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will be used to direct the traffic via the VPN Tunnel Interfaces.
In this example both Firewalls are managed by the same manager. The gateways are :
Site A - External 192.168.1.1 Inside 10.1.1.1
Site B - External 192.168.2.1 Inside 10.1.2.1
In order to build a route based vpn we need to create VPN Tunnel Interfaces. A VPN Tunnel Interface is a virtual interface on a VPN-1 module, which is associated with an existing VPN tunnel, and is used by IP routing as a point to point interface directly connected to a VPN peer gateway.
Virtual Tunnel Interfaces (VTI's)
VTIs can be created only on SPLAT and IPSO (3.9 or above), and only numbered VTIs can be created on SPLAT. A numbered tunnel interface has a unique IP address assigned to it, while an unnumbered tunnel interface does not.
In order to create VTIs you will need to ensure you are running SPLAT Pro with the Dynamic Routing feature enabled. You will also need the necessary license for this feature.
Steps
Create Object
Create a Group Object called Empty containing no objects within SmartDashboard
Site A
Create the VTI by running the command on Site A's CLI:
vpn shell i a n 22.22.22.1 22.22.22.2 SiteB
Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).
Site B
Create the VTI by running the command on Site B's CLI:
vpn shell i a n 22.22.22.2 22.22.22.1 SiteA
Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).
General
Create a new Meshed Site-2-Site Community within the VPN Community Tab.
Under General select Accept All Encrypted Traffic.
Under Participating Gateways add both Site A and Site B.
Push the Policy to both gateways.
Add Static Routes
On Site A add the following command via the CLI. The route points at Site B's inside network (10.1.2.0/24) through the VTI to Site B:
route add -net 10.1.2.0 netmask 255.255.255.0 dev vt-SiteB ; route --save
On Site B add the following command via the CLI. The route points at Site A's inside network (10.1.1.0/24) through the VTI to Site A:
route add -net 10.1.1.0 netmask 255.255.255.0 dev vt-SiteA ; route --save
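The two sides of a VTI pair have to mirror each other exactly, and each static route has to point at the peer's inside network, not the gateway's own. The following added example (not from the original post) models the Site A / Site B topology above, checks those invariants, and emits the vpn shell and route commands in the form the post uses; the dictionary layout and the route_is_sane helper are this example's own assumptions.

```python
import ipaddress

# Constructed topology mirroring the post: two SPLAT gateways joined by a numbered VTI pair.
# (Added example; site names, addresses and the "vt-<peer>" naming follow the post.)
SITES = {
    "SiteA": {"inside": "10.1.1.0/24", "vti_local": "22.22.22.1",
              "vti_remote": "22.22.22.2", "peer": "SiteB"},
    "SiteB": {"inside": "10.1.2.0/24", "vti_local": "22.22.22.2",
              "vti_remote": "22.22.22.1", "peer": "SiteA"},
}


def check_vti_pair(sites):
    """Return a list of inconsistencies in the VTI definitions (empty means consistent)."""
    problems = []
    for name, site in sites.items():
        peer = sites.get(site["peer"])
        if peer is None:
            problems.append(f"{name}: peer {site['peer']} is not defined")
            continue
        # The two ends must mirror each other: my remote address is the peer's local address.
        if site["vti_remote"] != peer["vti_local"]:
            problems.append(f"{name}: vti_remote {site['vti_remote']} is not "
                            f"{site['peer']}'s vti_local {peer['vti_local']}")
        if peer["peer"] != name:
            problems.append(f"{name}: {site['peer']} names {peer['peer']} as its peer, not {name}")
        # A numbered VTI is a point-to-point link; keep both endpoints inside one /30.
        link = ipaddress.ip_network(f"{site['vti_local']}/30", strict=False)
        if ipaddress.ip_address(site["vti_remote"]) not in link:
            problems.append(f"{name}: VTI endpoints {site['vti_local']} and "
                            f"{site['vti_remote']} are not in a common /30")
        # Tunnel addresses must not collide with either site's inside network.
        for other in sites.values():
            if ipaddress.ip_address(site["vti_local"]) in ipaddress.ip_network(other["inside"]):
                problems.append(f"{name}: vti_local {site['vti_local']} overlaps {other['inside']}")
    return problems


def vti_command(name, sites):
    """'vpn shell interface add numbered <local> <remote> <peer>' in the post's short form."""
    s = sites[name]
    return f"vpn shell i a n {s['vti_local']} {s['vti_remote']} {s['peer']}"


def route_command(name, sites):
    """Static route for the PEER's inside network through the VTI named after the peer.
    Routing a site's own inside network into its VTI would send local traffic into the tunnel."""
    s = sites[name]
    remote = ipaddress.ip_network(sites[s["peer"]]["inside"])
    return (f"route add -net {remote.network_address} netmask {remote.netmask} "
            f"dev vt-{s['peer']} ; route --save")


def route_is_sane(name, sites, destination):
    """True if a proposed VTI route on `name` points at the peer's network, not its own."""
    dest = ipaddress.ip_network(destination)
    own = ipaddress.ip_network(sites[name]["inside"])
    peer_net = ipaddress.ip_network(sites[sites[name]["peer"]]["inside"])
    return not dest.overlaps(own) and dest.subnet_of(peer_net)


if __name__ == "__main__":
    for problem in check_vti_pair(SITES):
        print("PROBLEM:", problem)
    for site in SITES:
        print(f"# {site}")
        print(vti_command(site, SITES))
        print(route_command(site, SITES))
```

Run it before touching the gateways; an empty problem list and the printed commands are what you paste into each CLI.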
Labels:
VPN
Tuesday, June 28, 2011
Check Point Authentication Methods
The authentication feature of Check Point ensures that users trying to access resources in your network are actually authorized to do so. With this feature, instead of simply allowing a client to access a device, the administrator can require the client to authenticate first before permitting access.
Checkpoint supports the following three types of authentication methods:
Checkpoint User Authentication:
In this type of authentication, the client user needs to authenticate first for every connection that passes through the firewall. This ensures that only valid, authenticated users are able to access the destination resources. The limitation is that user authentication only supports Telnet, HTTP, FTP and RLOGIN.
Checkpoint Client Authentication:
In this type of authentication, the user needs to first telnet to the firewall on port 259 or use HTTP to port 900; once the user is authenticated, the client IP is then permitted. The advantage of using client authentication over user authentication is that all protocols are permitted. The disadvantage is that it is less secure, since it is based on the client IP.
Checkpoint Session Authentication:
In this type of authentication, a session agent is installed on the client machine; this agent communicates with the firewall on port 261 for user authentication. The advantage of this authentication is that it works for all protocols; the disadvantage over the earlier types is that the session agent needs to be installed on every client, which in turn leads to more support overhead.
The placement of authentication rules is also critical: make sure the authentication rule is placed above the stealth rule, since the client needs to authenticate against the firewall itself.
Labels:
Authentication
Friday, June 24, 2011
XOSL Installation
How to install XOSL.
Installation:
1. Boot the system with the XOSL CD.
2. To create partitions for XOSL and the Windows operating system, use the pqmagic tool.
3. Navigate to the pqmagic folder and run pqmagic.
4. Using the pqmagic GUI screen, create a FAT32 partition and set its status to None, and create another NTFS partition for the server operating system, setting its status to None. Reboot the system.
5. Load the system with the XOSL CD and copy the Xosl folder from the CD to the XOSL partition, i.e. C:\Xosl.
6. Run the XOSL tool from the C:\Xosl folder.
7. Select the "install on DOS partition" option and run the XOSL tool; after installing, copy the system files from A:\ to C:\ using the command A:\sys C:
8. Reboot the PC with the XOSL CD.
9. Open the pqmagic tool and set the XOSL partition to None. Set the server operating system partition to Active, then save and exit.
10. Install the server operating system.
11. Load the PC again with the XOSL CD and restore the XOSL software by selecting the DOS partition as the installation partition, then run A:\sys C:
12. Log in to the server operating system and set the XOSL partition to Active (not compulsory).
Labels:
Help
Thursday, June 16, 2011
Setting up the ICA Management Tool
Setting up the ICA Management Tool
Solution ID: sk30501
Product: Security Gateway, Security Management
Version: NG AI R54, NG AI R55
Last Modified: 25-Dec-2008
SOLUTION
Overview of Procedures:
====================
- Setting up the ICA Management Tool connection (creating a Certificate user)
- Enabling the ICA Management Tool on the SmartCenter Server
- Importing the user Certificate to the Client
- Accessing the ICA Management Tool
PROCEDURES:
===========
Setting up ICA Management Tool Connection:
-----------------------------------------------------
1) Log into SmartDashboard, and select Manage > Users and Administrators.
2) In the Users and Administrators dialog box, select New > User by Template > Default.
3) In the User Properties dialog box > General tab, enter the user login name (e.g., John_Smith) in the Login Name field.
4) Select the Personal tab, and verify the Expiration Date is set to a valid future date (e.g., 31-dec-2008).
5) Select the Certificates tab, and click the Generate and save button.
NOTE:
A dialog box with the following message will be displayed:
Check Point SmartDashboard
The generation of the certificate for the user cannot be undone, unless you click Revoke.
Ok to continue?
6) Click OK.
7) In the Enter Password dialog box, enter the desired user password in the Password field.
8) Confirm the user password.
9) Click OK.
10) In the dialog box Save Certificate File As, select the desired location to save the Certificate file.
11) Verify the user login name (e.g., John_Smith) is displayed in the File name field.
12) Verify that "Certificate Files (*.p12)" is selected in the Save as type drop-down list.
13) Click Save.
14) On the Certificates tab, observe the information in the DN field, which should look something like this:
CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo
15) Click OK in the User Properties dialog box.
16) Click Close in the Users and Administrators dialog box.
17) Select File > Save.
18) Transfer the *.p12 file (e.g., John_Smith.p12) to the Client that is connecting to the ICA Management Tool.
NOTE:
The *.p12 file is in the directory designated in step 10.
Enabling the ICA Management Tool on the SmartCenter Server:
--------------------------------------------------------------------------
1. On the SmartCenter Server, type at prompt:
cpca_client set_mgmt_tool on -a "CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo"
NOTE 1:
The following message will be displayed before the command prompt returns:
Successfully set the management tool.
The authorized administrators:
(
: ("CN=John_Smith,OU=users,O=saturn.detroit.com.k7ekvo")
)
The authorized users:
()
Note 2:
Once the ICA Management Tool is started, the SmartCenter Server will be listening on TCP port 18265 (FW1_ica_mgmt_tools service).
Importing the user Certificate to the Client:
-------------------------------------------------
1) Open Internet Options from the Windows Control Panel.
2) In the Internet Options dialog box, select the Content tab.
3) On the Content tab, click the Certificates button.
4) In the Certificates dialog box, select the Personal tab.
5) Click the Import button.
6) Click Next on the Welcome to the Certificate Import Wizard dialog box.
7) In the File to Import window, browse to the location of the *.p12 (e.g., John_Smith.p12) file.
8) In the Open dialog box, verify that "Personal Information Exchange (*.pfx,*.p12)" is selected in the Files of type drop-down list.
9) Select the file *.p12 in the window.
10) Click the Open button.
11) In the File to Import dialog box, click Next.
12) In the Password dialog box, enter the user Certificate password in the Password field.
NOTE: Clear the following two boxes:
Enable strong private key protection. You will be
prompted every time the private key is used by an
application if you enable this option.
Mark the private key as exportable
13) Click Next.
14) In the Certificate Store dialog box, verify that "Automatically select the certificate store based on the type of certificate" is selected.
15) Click Next.
16) In the Completing the Certificate Import Wizard dialog box, click Finish.
NOTE:
A message similar to the following will be displayed:
Root Certificate Store
Do you want to ADD the following certificate to the Root Store?
Subject: saturn.detroit.com.k7ekvo
Issuer: Self Issued
Time Validity: Saturday, January 15, 2005 through Friday, January 10, 2025
Serial Number: 01
Thumbprint (sha1): A776E94B CC724593 7573BC8D 08622B95 6F384CD0
Thumbprint (md5): 9AE76B7E 16CE87FF 46F2AEF9 BC9FD754
17) Click Yes.
NOTE:
A window with the following message will be displayed:
Certificate Import Wizard
The import was successful.
18) Click OK.
Accessing the ICA Management Tool:
--------------------------------------------
1) Launch Internet Explorer from the Client, enter the appropriate URL, and connect to TCP port 18265 via the HTTPS protocol.
Example: https://192.168.2.100:18265
NOTE:
A dialog box with the following message will be displayed:
Client Authentication
Identification
The Web site you want to view requests identification.
Select the certificate to use when connecting.
2) Select the appropriate Certificate (e.g., John_Smith) for authenticating to the ICA Management Tool.
3) Click OK.
4) In the Security Alert dialog box, click Yes.
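The Root Certificate Store prompt in step 16 asks you to trust a self-issued ICA root, and the only thing that distinguishes the real ICA from any other certificate at that moment is the thumbprint. The following added example (not part of sk30501) renders the SHA-1/MD5 digest of a certificate's DER bytes the way the Windows dialog does and compares it with a value obtained out of band; SAMPLE_DER is a constructed placeholder, and in use you feed it the DER bytes of the ICA root certificate supplied by the SmartCenter administrator.

```python
import hashlib
import re

# Constructed stand-in for the DER-encoded ICA root certificate (not a real certificate).
SAMPLE_DER = b"abc"

# SHA-1 thumbprint as transcribed from the sk30501 dialog above, for comparison.
EXPECTED_SHA1_FROM_SK = "A776E94B CC724593 7573BC8D 08622B95 6F384CD0"


def windows_thumbprint(der_bytes, algorithm="sha1"):
    """Hash the DER bytes and render the digest as the Windows dialog shows it:
    upper-case hex in 8-character groups separated by spaces."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalise(thumbprint):
    """Drop spaces, colons and case so transcriptions in different layouts compare equal."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def thumbprint_matches(der_bytes, expected, algorithm="sha1"):
    """True only when the computed digest equals the out-of-band expected value.
    A length check guards against an expected value that was truncated when copied."""
    want = normalise(expected)
    if len(want) != hashlib.new(algorithm).digest_size * 2:
        return False
    return normalise(windows_thumbprint(der_bytes, algorithm)) == want


if __name__ == "__main__":
    print("SHA-1:", windows_thumbprint(SAMPLE_DER))
    print("MD5:  ", windows_thumbprint(SAMPLE_DER, "md5"))
    print("matches sk30501 value:", thumbprint_matches(SAMPLE_DER, EXPECTED_SHA1_FROM_SK))
```

Click Yes in the dialog only when thumbprint_matches returns True for the expected value you received over a separate channel; MD5 is shown for completeness, the SHA-1 line is the one to compare.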
Labels:
Management portals
Wednesday, June 8, 2011
Enable email alerts for cluster failover
To enable an email alert for a cluster failover, first configure the internal_sendmail alert script and then change the cluster's log tracking to Mail Alert.
1. Open SmartDashboard.
2. Click Policy > Global Properties.
3. Expand Log and Alert, then click on Alert Commands.
4. Configure the sendmail script as follows.
In SmartDashboard:
Select 'Global Properties > Log and Alert > Alert Commands'.
Check 'Send mail alert to SmartView Status'.
Check 'Run mail alert script'.
Enter script:
internal_sendmail [-s] [-t ] [-f ] ...
Example (default):
internal_sendmail -s alert -t mailserver_ip mail_account
In the Rule Base, define a rule that will generate an alert. In the Track field, enter 'Mail'.
Install the Security Policy.
5. Open the properties of the cluster object, click on ClusterXL and change the tracking to Mail Alert. Push the policy.
Labels:
Logs
Creating mail alerts using internal_sendmail indicator
The internal_sendmail indicator is not a script. It is an internal Security Gateway indicator that directs the Check Point alerts daemon to send email, using the specified arguments. It does not require a mail server or mail client to be installed on the SmartCenter Server.
If the subject is longer than one word, it must be written within quotation marks.
The internal_sendmail indicator can be used in any of the script options on the 'Alert Commands' configuration page.
When choosing logging actions in rules or other Gateway logging properties, set the action to correspond to the alert you define on the 'Global Properties > Log and Alert > Alert Commands' property screen.
In SmartDashboard:
Select 'Global Properties > Log and Alert > Alert Commands'.
Check 'Send mail alert to SmartView Status'.
Check 'Run mail alert script'.
Enter script:
internal_sendmail [-s] [-t ] [-f ] ...
Example (default):
internal_sendmail -s alert -t mailserver_ip mail_account
In the Rule Base, define a rule that will generate an alert. In the Track field, enter 'Mail'.
Install the Security Policy.
Labels:
Logs