• Training Queries: +91 8383 961 646
  • Business Queries: +91 9818 239 009
  • Mail Us: info@uninets.com

Check Point Initial Setup – First Time Configuration Wizard

Check Point Initial Setup – First Time Configuration Wizard

Platform: https://racks.uninets.com

Lab Name: Check Point

Access full Checkpoint lab guide here:

CCSA Lab Guide

CCSE Lab Guide

 

This post will give your detailed overview of how to setup “Initial Configuration of Check Point”

 

Task

  • Configure Security Management Server (SMS) With hostname firewall-server give IP-address to management interface  172.11.1.1/24 and took GUI from management interface with default  credential and did remaining configuration
  • Basic understanding of  the SMART Architecture of Checkpoint
  • Configure Security Gateway (SG) With hostname firewall-Gateway and  give  IP-address to management interface 172.11.2.1/24 and took GUI from management interface with default  credential and did remaining configuration
  • Configure IP- address for internal network  and external network on firewall – firewall-Gateway  for internal-NW  interface eth1 172.11.3.1 and for external-NW eth2 172.11.4.1  through  on CMD
  • Identify the operating system versions on SM and SG  and whether  it’s a SM or SG

 

Explanation

The checkpoint Security Management Architecture (SMART) is the core component of checkpoint’s unified security architecture. SMART enables administrators to centrally configure, manage, monitor and report on all security devices including endpoints from a single console (the Smart Dashboard)

The Checkpoint core system has the following components

  • Smart Console
  • Security Management Server
  • Security Gateway

Checkpoint Three Tier System

 

Smart Console

Smart Console is comprised of several clients used to manage the checkpoint security environment. One of these Smart Console clients is Smart Dashboard, which provides a single GUI interface for defining and managing multiple elements such as firewall security, VPNs, NAT, QoS and VPN clients. and monitoring

Security Management Server

Security Management Server stores and distribute security policies to multiple security gateways. These security policies are defined using Smart Dashboard and saved on Security Management Server. The Security Management server maintains the Checkpoint database. When policies are created or modified they are distributed to Security Gateways. Security is efficiently improved because of security policies are always updated on all Security Gateways.

Security Gateway

Security Gateway is the firewall where firewall software is installed and do State full Inspectio. Security policies are defined using Smart Dashboard and saved in Security Management Server then inspection scripts are generated from policies and inspection code is compiled from inspection script then inspection code distributes to Security Gateways where it is installed which protects the network.

Configuration

 Get the console access of firewall-server, open putty

and put username – admin and password-uninets@123

This system is for authorized use only.

login: admin

Password:

In order to configure your system, please access the Web UI and finish the First Time Wizard.

gw-0e6046>

The default shell of the CLI is called clish so now we are in clish mode here we can use

Now we have give hostname- firewall-server  IP-address to interface eth0 172.11.1.1/24

firewall-server> show interface eth0

state on

mac-addr 50:13:00:04:00:00 gw-0e6046>

gw-0e6046> set hostname firewall-server

255.0all-server> set interface eth0 ipv4-address 172.11.1.1 subnet-mask 255.255.255.0

firewall-server> save config

 

firewall-server> show interface eth0

type ethernet

link-state link up

mtu 1500

ipv4-address 172.11.1.1/24

Now we have take GUI of SM from management interface ip-address  with username-admin and uninets@123 and open  any browser and type https://172.11.1.1 and put credential

 

2.2

and click on login and now we have click on next

Checkpoint First Time Configuration Wizard

here we we have to select ios installation method

Deployment Options

and we will choose first option and click on next here if we want change IP-address of interface and we can also provide default -gateway and click to next

Management Connection

here if we want configure another interface we can configure from here but its optional and we will configure it later on according to need

Connection to user-center

Here we can change the hostname and give domain-name and primary DNS and secondary DNS all details are optional so we not configuring it now we will configure it according to need

Device Information

here we to configure time zone and time for device we have two methods one is manual and another is through NTP but here we don’t have any NTP server so we selected manual method and click on next  

Date and Time Setting

Here we are configuring our IOS working we two options one is for act as a security gateway or security management and one is multi-domain server and its use for manage multiple security managements but we have one security management we will choose first and click on next

Installation Type

Deployment modes:

1- Standalone Deployment – In this Security Management Server and the Security Gateway are installed on the same computer or appliance

2- Distributed Deployment – In this Security Gateway and the Security Management Server are installed on different computers or appliances

3- Standalone Full HA – In this Security Management server and Security Gateway are each installed on one appliance, and two appliances work in High Availability mode.

4- Bridge Mode – In this mode Add a Security Gateway to an existing environment without changing IP Routing.

so here we are operating devices in distributed mode so we will select Security management and click on next

Products

IF we want change our username & password from that tab and click on next

Security Management Administrator

Here we select from which ip address.an admin can take gui of our device for security concerns or can took from any ip-address of device but as of now we are selecting any option and click on next

Security management GUI Clients

Now we just have to click on finish

First time configuration wizard

This is final view of sm-installation once we finished correctly

14.14

SG -installation &configuration: –

Get the console access of firewall-Gateway, open putty

and put username – admin and password-uninets@123

This system is for authorized use only.

login: admin

Password:

In order to configure your system, please access the Web UI and finish the First Time Wizard.

login: admin

Password:

In order to configure your system, please access the Web UI and finish the First    Time Wizard.

gw-0e6046>  set hostname firewall-Gateway

firewall-Gateway>  set interface eth0 ipv4-address 172.11.2.1 subnet-mask 255.255.255.0

firewall-Gateway>  save config

firewall-Gateway>  show interface eth0

state on

mac-addr 50:13:00:03:00:00

type ethernet

link-state link up

mtu 1500

ipv4-address 172.11.2.1/24

firewall-Gateway>

 

Now we have taken GUI of SG from management interface ip-address with username-admin and uninets@123 and open any browser and type https://172.11.2.1 and put credential

15.15

and click on login

16.16

and we have click on next

17.17

and we will choose first option and click on next

18.18

here if we want change IP-address of interface and we can also provide default -gateway and click to next

19.19

Here we can change the hostname and give domain-name and primary DNS and secondary DNS all details are optional so we not configuring it now we will configure it according to need

20.20

here we to configure time zone and time for device we have two methods one is manual and another is through NTP but here we don’t have any NTP server so we selected manual method and click on next

21.21

Here we are configuring our IOS working we two options one is for act as a security gateway or security management and one is multi-domain server and its use for manage multiple security managements but we have one security management we will choose first and click on next

22.22

so here we are operating devices in distributed mode (As we discussed earlier) so we will select Security-Gateway and click on next

23.23

Here is asking for ip-gateway assignment to firewall from Dhcp but already give manual so we selecting here no and click on next

24.24

SIC is based on certificates. When our Security Management Server (SMS) is initially state, this is the initialization of the Internal Certificate The goal of initializing SIC/trust between an SMS and Security Gateway is to have the ICA create a certificate for the Security Gateway (FW-Cert) and assign it to the Security Gateway. Once that is accomplished, all communication between the SMS and Security Gateway is authenticated and encrypted using a certificate exchange.

Now-click on to finish

25.25

IF configured properly then it’s our final view

26.26

Now we have assign ip address on internal and external interfaces

firewall-Gateway> set interface eth1 state on

firewall-Gateway set interface eth1 ipv4-address 172.11.3.1 subnet-mask 255.255.255.0

firewall-Gateway> show interface eth1

state on

mac-addr 50:13:00:03:00:01

type ethernet

link-state link up

mtu 1500

ipv4-address 172.11.3.1/24

firewall-Gateway>

Now we have to configure for external-NW eth2 172.11.4.1

firewall-Gateway> set interface eth1 state on

firewall-Gateway>  set interface eth1 ipv4-address 172.11.4.1  subnet-mask 255.255.255.0

firewall-Gateway> show interface eth1

state on

mac-addr 50:13:00:03:00:01

type ethernet

link-state link up

mtu 1500

ipv4-address 172.11.4.1/24

 

Task-4

We have to verify operating system versions on SM and SG andwhether it’s a SM or SG

firewall-Gateway> show version all

Product version Check Point Gaia R77.30

OS build 204

OS kernel version 2.6.18-92cp

OS edition 32-bit

Here we are checking that which module is running its SM OR SG

firewall-Gateway> fw stat

HOST      POLICY     DATE

localhost InitialPolicy 21Mar2017 18:26:22 :  [<eth0]< strong=”” style=”box-sizing: border-box;”></eth0]<>

firewall-Gateway>

Its have firewall module because in firewall module we have local host initial policy file in firewall only not in sm (security-manager)

now login into Security-manager

firewall-server> fw stat

Local host is not a FireWall-1 module

So it’s a SM security-manager) because local host found in SG or firewall module only

About the author

jitender administrator

Leave a Reply