
Customize Checkpoint. Part 1. Installation and initial configuration

Good day to everyone. Today I want to start a series of articles about configuring and operating Checkpoint firewalls.

Checkpoint is a company that has been developing network security solutions since 1993. The company positions itself as the developer of its own management and interaction architecture, SMART (Security Management Architecture). Building on this concept, the Gaia operating system was eventually created by merging IPSO OS (Nokia) and SPLAT OS (Check Point's own early development based on Unix-oriented systems). This software implements a number of technologies related to securing data exchange (for example, packet filtering and IPS), as well as proprietary Stateful Inspection, whose main task is to track specific connections in real time (Wikipedia).

Alas, there are not that many articles on Habr devoted to this vendor, although in my opinion it deserves more attention.

Experienced security engineers will most likely not find anything new in this and future articles. But for newcomers, I hope they will be useful. We will try to understand the operating principles of the main modules and of the system as a whole, and we will look at configuration examples from "best practice".

Today on the agenda is the installation and initial configuration of the device. Details below the cut.

Habr already has an article on how to install two firewall nodes and join them into a cluster. I will try to cover the issues that were not considered in that article.

Stage 0. Preparation

So, let's begin.

First of all we need to choose the hardware. There are, in fact, only two options: either buy a device lovingly covered with Checkpoint labels and placed in a case specially prepared for it, or assemble the platform yourself. In either case, the choice of device depends on a very large number of parameters. We can rely only on our own experience and on the documentation the vendor provides. The list of supported servers can be viewed at the link. You can also roughly estimate the load for which a specific Checkpoint device is rated (careful, PDF). Unfortunately, Checkpoint does not publish information about the hardware installed in the device, only the amount of RAM and the number of interfaces, but some information about the CPU can be found on the Internet.

Stage 1. Installing the Gaia operating system

Once we have chosen the platform, we proceed to install the operating system. By the way, about the operating system: Gaia (the latest of Checkpoint's operating systems) is based on the RedHat 5.2 distribution. So if you have worked with Linux-based operating systems before, you will be pleased to see many familiar utilities and commands.

We will be looking at Gaia R77.10 in a virtual environment. Installing earlier and later versions of this operating system is no different. At the time of writing, the latest is Gaia R77.30.

Checkpoint does not provide distributions of its operating systems without registration and SMS on its site, so I leave it entirely to you to find the image. If you have an account, you can download the necessary distribution by the link.

Now we are armed with everything necessary and can go directly to the installation.

Most of the following screenshots need no explanation: Next, Next, Finish. No one offers to install Mail.Agent or any other application unrelated to the subject.

The only thing I want to draw your attention to is the disk layout. The installer will report an error and stop if the hard disk is smaller than 8 GB. If it is between 8 and 15 GB, the system splits the disk into the partitions it needs on its own. If the disk is larger than 15 GB, we are allowed to influence this process slightly, namely to change the size of the partitions for system-root (/) and logs (/var/logs/). This information can be useful to those who are going to put Checkpoint on a virtual machine. Everyone else only needs to know the basic rule: the size of the "Backup and upgrade" partition should be no less than the sum of system-root and logs, since snapshots of the operating system are placed exactly there.

Now a few recommendations on disk layout for the management server and firewall nodes.
Management server:

Firewall:


Screenshots

Figure 1.1. Select the item "Install Gaia on this system".

Figure 1.2. Here we can see information about the installed hardware.

Figure 1.3. Choose a language.

Figure 1.4. Partition the drive.

Figure 1.5. Set a password.

Figure 1.6. Here we select and configure the interface that we will later use to connect to the device via HTTPS and SSH.

Figure 1.7. The configuration itself.

After that, you will have to wait a little while the system is installed on the selected server.

Stage 2.1. Preparing for configuration

After we have installed the operating system, it would be logical to go straight to setting up policies and the other joys of a firewall. But it turns out that we first need to choose what role our server will perform: a firewall or a management server. Thus, the initial configuration includes the following items:


The initial configuration of Checkpoint for further work with it is covered in the article mentioned above. We are now going to do the same, but using the command line; for this we do not need a separate computer, a network connection to the firewall, or even a monitor, if you appreciate doing things the hard way and are not afraid of difficulties.

To configure the firewall via the CLI there is a special utility, config_system; more precisely, it is a regular bash script whose contents you can view and edit. It lives in /bin/config_system.

This script edits the Gaia OS database file /config/db/initial.

Let's analyze how it works using the function that changes the IP address as an example:

    DBSET=/bin/dbset
    DBGET=/bin/dbget
    ...........
    # configure new ip for interface
    # $1 - interface name
    # $2 - ip
    # $3 - mask
    set_ip() {
        local cip
        # get current ip
        cip=$(dbget -c interface:$1:ipaddr)
        # if interface configured, delete old ip first
        if [[ ! -z $cip ]]; then
            log "Configure IPv4 - remove old ip:$cip from $1"
            $DBSET interface:$1:ipaddr:$cip
            $DBSET interface:$1:ipaddr:$cip:mask
        fi
        # now configure new ip/mask
        log "Configure IPv4 - interface:$1, new ip:$2, mask:$3"
        $DBSET interface:$1:state on
        $DBSET interface:$1:ipaddr:$2 t
        $DBSET interface:$1:ipaddr:$2:mask $3
    }
    ........
    $DBSET :save

The current settings are retrieved from the database with the /bin/dbget utility, and the /bin/dbset command changes the configuration. Here is the piece of the file that describes the eth0 interface settings:

    [Expert@Gaia_R77.10_test:0]# cat /config/db/initial | grep eth0
    management:interface eth0
    interface:eth0 t
    interface:eth0:link_speed 1000M/full
    interface:eth0:state on
    interface:eth0:ipaddr:192.168.1.2 t
    interface:eth0:ipaddr:192.168.1.2:mask 24
    interface:eth0:duplicity full
    interface:eth0:speed 1000M
    interface:eth0:auto_negotiation on

The parameter is separated from the value by a space. Now we can try to get some values using dbget.

    [Expert@Gaia_R77.10_test:0]# dbget -c interface:eth0:ipaddr
    192.168.1.2

The -c switch is required to display the name of the child parameter that has a non-zero value. To additionally show the value of this parameter, there is the -v option.

    [Expert@Gaia_R77.10_test:0]# dbget -cv interface:eth0:ipaddr
    192.168.1.2 t

We get the value t, that is, true. Essentially, this only means that the interface has the IP address 192.168.1.2.

And now let's change the IP address on the interface. For this we need:


    [Expert@Gaia_R77.10_test:0]# dbset interface:eth0:ipaddr:192.168.1.2
    [Expert@Gaia_R77.10_test:0]# dbset interface:eth0:ipaddr:192.168.1.2:mask

    [Expert@Gaia_R77.10_test:0]# dbset interface:eth0:ipaddr:192.168.1.1 t

    [Expert@Gaia_R77.10_test:0]# dbset interface:eth0:ipaddr:192.168.1.1:mask 24

    [Expert@Gaia_R77.10_test:0]# dbset :save
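To make the key-value mechanics tangible, here is an added example (not Check Point code) that models the /config/db/initial store, the dbget -c and dbset calls, and the set_ip() steps from the script above; SAMPLE_DB is a constructed copy of the eth0 lines shown earlier.

```python
# Added example, not Check Point code: a small model of the /config/db/initial key-value store,
# the dbget -c / dbset calls used by config_system, and the set_ip() steps quoted above.
SAMPLE_DB = """\
management:interface eth0
interface:eth0 t
interface:eth0:link_speed 1000M/full
interface:eth0:state on
interface:eth0:ipaddr:192.168.1.2 t
interface:eth0:ipaddr:192.168.1.2:mask 24
interface:eth0:duplicity full
interface:eth0:speed 1000M
interface:eth0:auto_negotiation on
"""

def parse_db(text):
    """One 'key value' pair per line; the first space separates the key from the value."""
    db = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            db[key] = value
    return db

def dump_db(db):
    """The text form that ':save' would write back: 'key value' per line."""
    return "".join(f"{k} {v}\n" for k, v in db.items())

def dbget_c(db, parent):
    """Like 'dbget -c parent': names of direct children of parent that hold a non-zero value."""
    prefix = parent + ":"
    return [k[len(prefix):] for k, v in db.items()
            if k.startswith(prefix) and ":" not in k[len(prefix):] and v not in ("", "0")]

def dbset(db, key, value=None):
    """Like dbset: with no value the key is deleted, otherwise the value is stored."""
    if value is None:
        db.pop(key, None)
    else:
        db[key] = value

def set_ip(db, iface, ip, mask):
    """The same sequence as set_ip() in /bin/config_system: drop the old address, store the new one."""
    for cip in dbget_c(db, f"interface:{iface}:ipaddr"):
        dbset(db, f"interface:{iface}:ipaddr:{cip}")
        dbset(db, f"interface:{iface}:ipaddr:{cip}:mask")
    dbset(db, f"interface:{iface}:state", "on")
    dbset(db, f"interface:{iface}:ipaddr:{ip}", "t")
    dbset(db, f"interface:{iface}:ipaddr:{ip}:mask", str(mask))
    return db
```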

Stage 2.2. Initial configuration

config_system accepts either a file or a string of the necessary parameters separated by an ampersand (&). The command syntax with a string as the parameter looks like this:

    Gaia_R77.10_test> config_system "hostname=myhost&domainname=somedomain.com&timezone='UTC-3'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=true&install_security_managment=false"

We will go through the meaning of each of these parameters below. Now let's deal with the configuration file. It contains the same values, each on a separate line.

First of all, we create a template for the configuration file, which we will edit later:

    [Expert@Gaia_R77.10_test:0]# config_system -t /home/admin/initial.conf

initial.conf

    #########################################################################
    #                                                                       #
    #                        Products configuration                         #
    #                                                                       #
    # For keys below set "true"/"false" after '=' within the quotes         #
    #########################################################################

    # Install Security Gateway.
    install_security_gw=

    # Install Acceleration Blade (aka Performance Pack).
    install_ppak=

    # Enable DAIP (dynamic ip) gateway.
    # Should be "false" if CXL or Security Management enabled
    gateway_daip="false"

    # Enable/Disable CXL.
    gateway_cluster_member=

    # Install Security Management.
    install_security_managment=

    # Optional parameters, only one of the parameters below can be "true".
    # If no primary of secondary specified, log server will be installed.
    # Requires Security Management to be installed.
    install_mgmt_primary=
    install_mgmt_secondary=

    # Provider-1 paramters
    # eg: install_mds_primary=true
    #     install_mds_secondary=false
    #     install_mlm=false
    #     install_mds_interface=eth0
    install_mds_primary=
    install_mds_secondary=
    install_mlm=
    install_mds_interface=

    # Automatically download Blade Contracts and other important data (highly recommended)
    # It is highly recommended to keep this setting enabled, to ensure smooth operation of Check Point products.
    # for more info see sk94508
    #
    # possible values: "true" / "false"
    download_info="true"

    # Improve product experience by sending data to Check Point
    # If you enable this setting, the Security Management Server and Security Gateways may upload data that will
    # help Check Point provide you with optimal services.
    # for more info see sk94509
    #
    # possible values: "true" / "false"
    upload_info="false"

    # In case of Smart1 SmartEvent appliance, choose
    # Security Management only, log server will be installed automatically

    #########################################################################
    #                                                                       #
    #                          Products Parameters                          #
    #                                                                       #
    # For keys below set value after '='                                    #
    #########################################################################

    # Management administrator name
    # Must be provided, if Security Management installed
    mgmt_admin_name=

    # Management administrator password
    # Must be provided, if Security Management installed
    mgmt_admin_passwd=

    # Management GUI client allowed eg any, 1.2.3.4, 192.168.0.0/24
    # Set to "any" if any host allowed to connect to managment
    # Set to "range" if range of IPs allowed to connect to management
    # Set to "network" if IPs from specific network allowed to connect
    # to management
    # Set to "this" if it' a single IP
    # Must be provided if Security Management installed
    mgmt_gui_clients_radio=
    #
    # In case of "range", provide the first and last IPs in dotted format
    mgmt_gui_clients_first_ip_field=
    mgmt_gui_clients_last_ip_field=
    #
    # In case of "network", provide IP in dotted format and netmask length
    # in range 0-32
    mgmt_gui_clients_ip_field=
    mgmt_gui_clients_subnet_field=
    #
    # In case of a single IP
    mgmt_gui_clients_hostname=

    # Secure Internal Communication key, eg "aaaa"
    # Must be provided, if primary Security Management not installed
    ftw_sic_key=

    #########################################################################
    #                                                                       #
    #            Operating System configuration - optional section          #
    #                                                                       #
    # For keys below set value after '='                                    #
    #########################################################################

    # Password (hash) of user admin.
    # To get hash of admin password from configured system:
    #         dbget passwd:admin:passwd
    #       OR
    #         grep admin /etc/shadow | cut -d: -f2
    #
    # IMPORTANT! In order to preserve the literal value of each character
    # in hash, inclose hash string within the quotes.
    # eg admin_hash='put_here_your_hash_string'
    #
    # Optional parameter
    admin_hash=''

    # Interface name, optional parameter
    iface=

    # Management interface IP in dotted format (eg 1.2.3.4),
    # management interface mask length (in range 0-32, e,g 24 ) and
    # default gateway.
    # Pay attention, that if you run first time configuration remotely
    # and you change IP, in order to maintain the connection,
    # an old IP address will be retained as a secondary IP address.
    # This secondary IP address can be delete later.
    # Your session will be disconnected after first time condiguration
    # process.
    # Optional prameter, requires "iface" to be specified
    # IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
    # ipstat_v4 manually/off
    ipstat_v4=
    ipaddr_v4=
    masklen_v4=
    default_gw_v4=
    ipstat_v6=
    ipaddr_v6=
    masklen_v6=
    default_gw_v6=

    # Host Name eg host123, optional parameter
    hostname=

    # Domain Name eg checkpoint.com, optional parameter
    domainname=

    # Time Zone in format Area/Region (eg America/New_York or Etc/GMT-5)
    # Pay attention that GMT offset should be in classic UTC notation:
    # GMT-5 is 5 hours behind UTC (ie west to Greenwich)
    # Inclose time zone string within the quotes.
    # Optional parameter
    timezone=''

    # NTP servers
    # NTP parameters are optional
    ntp_primary=
    ntp_primary_version=
    ntp_secondary=
    ntp_secondary_version=

    # DNS - IP address of primary, secondary, tertiary DNS servers
    # DNS parameters are optional.
    primary=
    secondary=
    tertiary=


In the template itself, each parameter is described in some detail. Therefore, I will simply give an example configuration for a management server:

    install_security_managment="true"
    mgmt_admin_name=admin
    mgmt_admin_passwd=password
    mgmt_gui_clients_radio="network"
    mgmt_gui_clients_ip_field=192.168.1.0
    mgmt_gui_clients_subnet_field=24
    admin_hash='HASH_OF_ADMIN_PASSWORD'
    install_mgmt_primary="true"
    iface=eth0
    ipstat_v4=manual
    ipaddr_v4=192.168.1.1
    masklen_v4=24
    default_gw_v4=192.168.1.254
    ipstat_v6=off
    hostname=Gaia_R77.10_MGMT
    timezone='Etc/GMT+3'
    primary=8.8.8.8

And for a firewall:

    install_security_gw="true"
    admin_hash='HASH_OF_ADMIN_PASSWORD'
    iface=eth0
    ipstat_v4=manual
    ipaddr_v4=192.168.1.2
    masklen_v4=24
    default_gw_v4=192.168.1.254
    ipstat_v6=off
    hostname=Gaia_R77.10_FW1
    timezone='Etc/GMT+3'
    ftw_sic_key='onetimepassword'
    primary=8.8.8.8

The only thing worth dwelling on is the ftw_sic_key parameter. SIC, the Secure Internal Communication key, is a one-time password that is needed so that the firewall can be managed from the management server (which is why we set it only on the firewall). We will need it once, when adding the firewall to the management server's control panel.
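Before handing a file to config_system it is worth checking it against the dependencies the template comments state (DAIP vs. CXL or Security Management, the mgmt_gui_clients_radio modes, when ftw_sic_key is mandatory, IP settings needing iface). The following is an added example, not part of config_system; it accepts both the file form and the &-separated string form, and FW_STRING is the page's own string example.

```python
# Added example, not part of config_system: parse a config_system input in either the file form
# (one key=value per line) or the "&"-separated string form, and check the dependencies that the
# initial.conf template comments state. FW_STRING is the page's own string example.
FW_STRING = ("hostname=myhost&domainname=somedomain.com&timezone='UTC-3'&ftw_sic_key=aaaa"
             "&install_security_gw=true&gateway_daip=false&install_ppak=true"
             "&gateway_cluster_member=true&install_security_managment=false")

def parse_config(text):
    """Split on '&' (string form) or newlines (file form), skip comments, strip surrounding quotes."""
    cfg = {}
    for raw in text.replace("&", "\n").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def is_true(cfg, key):
    return cfg.get(key, "").lower() == "true"

def check_config(cfg):
    """Return the list of violated template rules; an empty list means the input is consistent."""
    problems = []
    mgmt = is_true(cfg, "install_security_managment")
    if not mgmt and not is_true(cfg, "install_security_gw"):
        problems.append("neither install_security_gw nor install_security_managment is true")
    if is_true(cfg, "gateway_daip") and (mgmt or is_true(cfg, "gateway_cluster_member")):
        problems.append("gateway_daip must be false when CXL or Security Management is enabled")
    if is_true(cfg, "install_mgmt_primary") and is_true(cfg, "install_mgmt_secondary"):
        problems.append("only one of install_mgmt_primary / install_mgmt_secondary may be true")
    if mgmt:
        for key in ("mgmt_admin_name", "mgmt_admin_passwd", "mgmt_gui_clients_radio"):
            if not cfg.get(key):
                problems.append(f"{key} must be provided when Security Management is installed")
        # Extra fields each mgmt_gui_clients_radio mode requires, per the template comments.
        needs = {"any": (), "this": ("mgmt_gui_clients_hostname",),
                 "range": ("mgmt_gui_clients_first_ip_field", "mgmt_gui_clients_last_ip_field"),
                 "network": ("mgmt_gui_clients_ip_field", "mgmt_gui_clients_subnet_field")}
        radio = cfg.get("mgmt_gui_clients_radio", "")
        if radio not in needs:
            problems.append("mgmt_gui_clients_radio must be any, range, network or this")
        else:
            problems += [f"{k} is required when mgmt_gui_clients_radio={radio}"
                         for k in needs[radio] if not cfg.get(k)]
    if not is_true(cfg, "install_mgmt_primary") and not cfg.get("ftw_sic_key"):
        problems.append("ftw_sic_key must be provided when a primary Security Management is not installed")
    if any(cfg.get(k) for k in ("ipaddr_v4", "masklen_v4", "default_gw_v4")) and not cfg.get("iface"):
        problems.append("ipaddr_v4 / masklen_v4 / default_gw_v4 require iface")
    return problems
```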

The last step is to hand the resulting file to the script and wait for the configuration to complete:

    [Expert@Gaia_R77.10_test:0]# config_system -f /home/admin/initial.conf

Now we reboot the server and everything is ready.

Stage 3. Summing up

Now we have one management server and one firewall. They are ready for further configuration.

In the next article we will learn how to add firewalls to a single management server for management, how to organize them into a cluster if we were not initially prepared for that, and we will consider the cluster options and their principles of operation. We will also go over the methods of setting up NAT and the simplest firewall policies.

Thank you for your attention. I will be glad to answer your questions.

Source: https://habr.com/ru/post/259821/


All Articles