Installation and Upgrade Guide
Internet Security Product Suite
Version R70
701313 March 2, 2009

© 2003-2009 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.
For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents

Installation Section

Chapter 1 Introduction
  Welcome 15
  Who Should Use This Guide 16
  R70 Documentation 16
  New Terms 17
  Related Documentation 18
  For New Check Point Customers 19
  Endpoint Security Integration 20
  More Information 20
  Feedback 20

Chapter 2 Getting Started
  Terminology 22
  Provider-1/SiteManager-1 Terminology 23
  Hardware and Software Requirements 24
  Compatibility Tables 25
    Product Notes 25
    Platform Notes 26
  Supported Upgrade Paths and Interoperability 27
    Upgrade Paths and Interoperability 27
    Upgrading Security Management Servers 27
    Backward Compatibility For Gateways 27
    IPS-1 Upgrade Paths and Interoperability 28
  Licensing R70 29
    Licensing R70 29
    Licensing Provider-1/SiteManager-1 30
    Licensing IPS-1 31
    Licensing Eventia Suite 31

Chapter 3 Setup and Installation
  Overview 34
  Installing on SecurePlatform 35
    Installing SecurePlatform Using the CD 35
    Installing SecurePlatform from the Network 37
    Initially Configuring SecurePlatform 41
    Installing R70 Products on SecurePlatform 42
    Configuring SecurePlatform Using WebUI 43
  Installing on Windows 44
  Installing on Solaris or Linux 46
  Installing on Nokia 48
    Enabling Native IPSO Security Servers 50
  Initially Configuring Products 51
    Configuration Tool Overview 51
    Using the Configuration Tool on Windows Systems 52
    Using the Configuration Tool on Unix Systems 54
    Logging In for the First Time 55
  Where To From Here? 58

Chapter 4 Installing Provider-1
  Overview 60
  Creating the Provider-1 Environment 61
    Setting Up Provider-1 Networking 61
    Install the Gateways 62
    Installing and Configuring the Primary MDS 62
    Installing SmartConsole and MDG Clients 70
  Using the MDG for the First Time 71
    Launching the MDG 71
    Adding Licenses using the MDG 72
  Where To From Here? 75

Chapter 5 IPS-1 Setup and Installation
  Overview 78
    IPS-1 System Architecture 78
    Platforms 79
  IPS-1 Deployment 80
    IPS-1 Sensor Deployment 80
    IPS-1 Management Deployment 81
  IPS-1 Management Installation and Setup 84
    Installation of IPS-1 Management Servers 84
  IPS-1 Sensor Appliances 89
    Introduction 89
    IPS-1 Sensor Appliance Models 89
  IPS-1 Sensor Installation 94
    Connecting to IPS-1 Sensors 94
    Installing SecurePlatform and IPS-1 Sensors 94
    Initial Configuration of IPS-1 Sensors 95
    Initial Configuration of IPS-1 Power Sensor 97
    IPS-1 Management Dashboard Installation 99
  Post-Installation Steps 100
    Configuring NTP on SecurePlatform 100
    Completing IPS-1 Management Setup 101
    Completing IPS-1 Sensor Setup 105
  Where To From Here? 108

Chapter 6 Installing Eventia Suite
  Eventia Suite Installation 110
  Standalone Installation vs. Distributed Installation 111
    Installing Eventia Suite on Multiple Versions of Security Management Server Management 111
  Standalone Installation 112
    Windows Platform 112
    Solaris & Linux Platforms 113
    SecurePlatform 113
  Distributed Installation 114
    Windows Platform 114
    Solaris and Linux and SecurePlatform 115
  Enabling Connectivity Through a Firewall 116
  Preparing Eventia Suite in Security Management server 117
  Preparing Eventia Suite on Provider-1 MDS 118
    For Provider-1/SiteManager-1 Version R55 118
    For Provider-1/SiteManager-1 Version R60 120
    For Provider-1/SiteManager-1 Version R61 and Up 121

Upgrade Section

Chapter 7 Introduction to the Upgrade Process
  Documentation 126
  Contract Verification 126
  Supported Upgrade Paths and Interoperability 127
    Upgrading Management Servers 127
    Backward Compatibility For Gateways 128
  Obtaining Software Installation Packages 129
  Terminology 130
  Upgrade Tools 132
  Upgrading Successfully 132

Chapter 8 Service Contract Files
  Introduction 133
  Working with Contract Files 134
  Installing a Contract File on Security Management server 134
    On a Windows Platform 135
    On SecurePlatform, Linux, and Solaris 139
    On IPSO 142
  Installing a Contract File on a Gateway 143
    On a Windows Platform 143
    On SecurePlatform, and Linux 150
    On IPSO 154
  Managing Contracts with SmartUpdate 155
    Managing Contracts 155
    Updating Contracts 158

Chapter 9 Upgrading a Distributed Deployment
  Introduction 160
  Pre-Upgrade Considerations 161
    Pre-upgrade Verification 161
    Web Intelligence License Enforcement 161
    Upgrading Products on a SecurePlatform Operating System 162
    UTM-1 Edge Gateways Prior to Firmware Version 7.5 162
  Upgrading the Security Management Server 163
    Using the Pre-Upgrade Verification Tool 163
    Security Management Server Upgrade on a Windows Platform 165
    Security Management Server Upgrade on SecurePlatform 166
    Gateway Upgrade on a UTM-1/Power-1 Appliance 168
    Security Management Server Upgrade on a Solaris Platform 169
    Security Management Server Upgrade on a Linux Platform 171
    Security Management Server Upgrade on an IPSO Platform 173
  Upgrading the Gateway 175
    Upgrading a Clustered Deployment 175
    Upgrading the Gateway Using SmartUpdate 176
    Gateway Upgrade Process on a Windows Platform 180
    Gateway Upgrade on SecurePlatform 182
    Gateway Upgrade on an IPSO Platform 183

Chapter 10 Backup and Revert for Security Gateways
  Introduction 186
  Backing Up Your Current Deployment 187
  Restoring a Deployment 188
  SecurePlatform Backup and Restore Commands 189
    Backup 189
    Restore 191
  SecurePlatform Snapshot Image Management 192
    Snapshot 193
    Revert 194
  Reverting to Your Previous Deployment 195

Chapter 11 Upgrading a Standalone Deployment
  Introduction 200
  Pre-Upgrade Considerations 201
    Upgrading Products on a SecurePlatform Operating System 201
    Reverting to Your Previous Software Version 201
    Using the Pre-Upgrade Verification Tool 202
  Standalone Security Gateway Upgrade on a Windows Platform 203
  Standalone Security Gateway Upgrade on SecurePlatform 204
    Uninstalling Packages 205
  Standalone Upgrade on a UTM-1/Power-1 Appliance 206
    Uninstalling Packages 206
  Standalone Gateway Upgrade on an IPSO Platform 207
    Enabling Native IPSO Security Servers 209
    Uninstalling Previous Software Packages 209

Chapter 12 Advanced Upgrade of Security Management servers & Standalone Gateways
  Introduction 212
  Migrate Your Current Server Configuration and Upgrade 213
    Introduction 213
    Advanced Upgrade on a Windows Platform 214
    Advanced Upgrade on a Linux Platform 215
    Advanced Upgrade on SecurePlatform 219
    Advanced Upgrade on an IPSO Platform 221
    Advanced Upgrade on a Solaris Platform 223
    Migration to a New Machine with a Different IP Address 226
  Migrate Your Current Security Gateway Configuration & Upgrade 228
    Advanced Upgrade on a Windows Platform 228
    Advanced Upgrade on a Linux Platform 230
    Advanced Upgrade on SecurePlatform 233
    Advanced Upgrade on an IPSO Platform 235

Chapter 13 Upgrading ClusterXL Deployments
  Tools for Gateway Upgrades 237
  Planning a Cluster Upgrade 238
    Permanent Kernel Global Variables 238
    Ready State During Cluster Upgrade/Rollback Operations 239
    Upgrading OPSEC Certified Third-Party Cluster Products 239
  Minimal Effort Upgrade on a ClusterXL Cluster 240
  Zero Downtime Upgrade on a ClusterXL Cluster 240
    Supported Modes 240
  Full Connectivity Upgrade on a ClusterXL Cluster 243
    Understanding a Full Connectivity Upgrade 243
    Supported Modes 244
    Performing a Full Connectivity Upgrade 245

Chapter 14 Upgrading Provider-1
  Introduction 250
    Supported Versions and Platforms 250
    Before You Begin 250
  Provider-1 Upgrade Tools 251
    Pre-Upgrade Verifiers and Fixing Utilities 251
    Installation Script 252
    export_database 253
    merge_plugin_tables 255
    migrate_assist 256
    cma_migrate 257
    migrate_global_policies 262
    Backup and Restore 262
  Provider-1 Upgrade Practices 264
    In-Place Upgrade 264
    Replicate and Upgrade 266
    Gradual Upgrade to Another Machine 267
    Migrating from Security Management to a CMA 269
  Upgrading in a Multi-MDS Environment 272
    Pre-Upgrade Verification and Tools 272
    Upgrading a Multi-MDS System 273
  Restarting CMAs 276
  Restoring Your Original Environment 277
    Before the Upgrade 277
    Restoring Your Original Environment 277
  Renaming Customers 278
    Identifying Non-Compliant Customer Names 278
    High Availability Environment 278
    Automatic Division of Non-Compliant Names 278
    Resolving Non-Compliance 279
    Advanced Usage 280
  Changing the MDS IP Address and External Interface 282
    IP Address Change 282
    Interface Change 282
  IPS in Provider-1 283

Chapter 15 Upgrading SmartLSM ROBO Gateways
  Planning the ROBO Gateway Upgrade 286
  ROBO Gateway Upgrade Package to SmartUpdate Repository 287
  License Upgrade for a VPN-1 Power/UTM ROBO Gateway 287
    Using SmartProvisioning to Attach the Upgraded Licenses 287
    License Upgrade on Multiple ROBO Gateways 288
  Upgrading a ROBO Gateway Using SmartProvisioning 289
    Upgrading a VPN-1 Power/UTM ROBO Gateway 289
    Upgrading a UTM-1 Edge ROBO Gateway 291
    Upgrading a VPN-1 Power/UTM ROBO Gateway In Place 292
  Using the Command Line Interface 293
    SmartLSM Upgrade Tools 293
    Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli 295
    Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli 296
    Using the LSMcli in Scripts 297

Chapter 16 Upgrading Eventia
  Overview 300
  Upgrading Eventia Reporter 300
    For Standalone Deployments 300
    For Distributed Deployments 301
    Advanced Eventia Reporter Upgrade 303
    Enabling Eventia Analyzer after Upgrading Reporter 305
  Upgrading Eventia Analyzer 306
    Upgrading Eventia Analyzer to R70 306
    Verifying the Events Database Has Been Moved 308
    Enabling Eventia Reporter 308

Chapter 17 Upgrading IPS-1
  IPS-1 Upgrade Paths 310
    Upgrading from R65.1 to R65.2 310
    Upgrading IPS-1 Management Servers 310
  Upgrading IPS-1 Sensors 311
  Upgrading IPS-1 Power Sensors 311
    Remotely Upgrading an IPS-1 Power Sensor 311
    Reinstalling an IPS-1 Power Sensor 312
  Upgrading Legacy Sensor Appliances 313
    100C and 200C 314
    200F 314
    310C 314
    320C 314
    320F 314
    500C (pre-Jan 2006) 314
    500C (post-Jan 2006) 315
    500F (pre-Jan 2006) 315
    500F (post-Jan 2006) 315
Installation Section
This section covers installing the current version
Chapter 1 Introduction

In This Chapter
  Welcome page 15
  Who Should Use This Guide page 16
  R70 Documentation page 16
  Related Documentation page 18
  For New Check Point Customers page 19
  Endpoint Security Integration page 20
  More Information page 20
  Feedback page 20

Welcome
Thank you for choosing Check Point's Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.
Check Point also delivers worldwide technical services, including educational, professional, and support services, through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.
To extend your organization's growing security infrastructure and requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.
For additional information on the Internet Security Product Suite and other security solutions, go to http://www.checkpoint.com or call Check Point at 1 (800) 429-4391. For additional technical information, go to http://support.checkpoint.com.
For more information about the current release, see the latest version of the Release Notes at http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.
Who Should Use This Guide
This guide is intended for administrators responsible for installing and upgrading Check Point security products on the corporate network.

R70 Documentation
Technical documentation is available on your CD-ROM at CD3\Docs\CheckPoint_Suite. These documents can also be found at http://support.checkpoint.com.
To find out about what's new in R70, read the R70 Getting Started Guide.
For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.
New Terms
The following product and technology names have been changed for this version.

Table 1: Product and Technology Names

  Versions NG and NGX Products and Technologies    Version R70 Products and Technologies
  Firewall-1                                       Firewall
  Integrity                                        Endpoint Security
  Integrity Clientless Security                    Endpoint Security On Demand
  ROBO Gateway                                     Check Point SmartLSM Security Gateway
  SmartCenter server                               Security Management server
  SmartDefense                                     IPS
  SmartLSM management                              SmartProvisioning
  SmartPortal                                      Management Portal
  VPN-1 (Power/UTM) Gateway                        Check Point Security Gateway
  VPN-1 UTM Edge                                   UTM-1 Edge
  Web Filtering                                    URL Filtering
  Web Intelligence                                 IPS Web Intelligence

Table 2: SmartDashboard Tab Titles

  Versions NG and NGX SmartDashboard Tabs          Version R70 SmartDashboard Tabs
  Address Translation                              NAT
  Connectra                                        SSL VPN
  Content Inspection                               Anti-Virus and URL Filtering
  Messaging Security                               Anti-Spam and Mail
  Security                                         Firewall
  VPN                                              IPSec VPN
-
Related Documentation
18
Related Documentation
The current release includes the following documentation.
Table P-1 Check Point Documentation
Title | Description
Internet Security Installation and Upgrade Guide | Contains detailed installation instructions for Check Point network security products. Explains the available upgrade paths from versions R60 to the current version.
High-End Installation and Upgrade Guide | Contains detailed installation instructions for the Provider-1 and VSX products, including hardware and software requirements and licensing requirements. Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version.
Security Management Administration Guide | Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments.
Firewall Administration Guide | Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications and URL Filtering (UFP) applications.
IPS Administration Guide | Describes how to use IPS to protect against attacks.
VPN Administration Guide | Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
Table P-1 Check Point Documentation (continued)
Title | Description
Eventia Reporter Administration Guide | Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS.
SecurePlatform/SecurePlatform Pro Administration Guide | Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
Provider-1/SiteManager-1 Administration Guide | Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.
For New Check Point Customers
New Check Point customers can access the Check Point User Center in order to:
Manage users and accounts
Activate products
Get support offers
Open service requests
Search the Technical Knowledge Base
To access the Check Point User Center, go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html.
Endpoint Security Integration
For in-depth documentation of Provider-1/Security Management server integration with Check Point Endpoint Security products, refer to:
Endpoint Security Installation Guide
R70 Security Management Server Administration Guide
More Information
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com.
To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
Chapter 2 Getting Started
In This Chapter
This chapter contains information and terminology related to installing R70.
Terminology page 22
Provider-1/SiteManager-1 Terminology page 23
Hardware and Software Requirements page 24
Compatibility Tables page 25
Supported Upgrade Paths and Interoperability page 27
Licensing R70 page 29
Terminology
The following terms are used throughout this chapter:
Distributed Deployment: When the gateway and the Security Management server are installed on separate machines.
Gateway: The software component that enforces the organization's security policy and acts as a security enforcement point.
Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway.
SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
Standalone Deployment: When Check Point components responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
Provider-1/SiteManager-1 Terminology
The following Provider-1/SiteManager-1 terms are used throughout this chapter.
Customer: A business entity or subdivision of a business entity whose networks are protected by security gateways, UTM-1 Edge appliances or other Check Point compatible firewalls. The Customer's security policies and network access are managed using Provider-1/SiteManager-1.
Customer Log Module (CLM): A log server for a single Customer.
Customer Management Add-on (CMA): The Provider-1 equivalent of the Security Management server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways.
GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.
Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between security gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its customer's management domain.
Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).
Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:
Manager: Runs the Provider-1 deployment and is the administrator's entry point into the Provider-1 environment.
Container: Holds the Customer Management Add-ons (CMAs).
An MDS can be a Manager, a Container or both.
Provider-1 Administrator: A security administrator, assigned with granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:
Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.
Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.
Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.
Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.
None: Manages customer networks for specific Customers, but cannot access the MDG application.
Hardware and Software Requirements
For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at: http://support.checkpoint.com
Compatibility Tables
If the existing Check Point implementation contains products that are not supported by R70, the R70 installation process terminates. Table 2-1 and Table 2-2 list supported Check Point products and VPN clients by platform.
Table 2-1 Supported Products by Platform
Platforms (columns): Check Point SecurePlatform (kernel 2.6.18); Windows Server 2003 (SP1-2); Windows Server 2008; RHEL 5.0; Nokia IPSO 6.0.7; Crossbeam X-Series; Solaris UltraSPARC 8, 9, 10.
Products / Management Blades (rows): Check Point Security Gateway; Security Management; Provider-1/SiteManager-1 Server (MDS); Performance Pack; Advanced Routing; Management Portal; Eventia Suite; ClusterXL; CoreXL; SmartProvisioning - Enabled SmartLSM Gateways; SmartProvisioning - Enabled Management; SSL Network Extender Server; Endpoint Security Server; VSX Security Gateway (IPSO 5).
[Table 2-1 support matrix: the per-platform marks are not reproduced in this copy; see the Release Notes for each product and platform.]
OSE Supported Routers
Platform and Operating System: Cisco OS Versions 9.x, 10.x, 11.x, 12.x
Product Notes
1. Anti-Virus and Web Filtering are included on SecurePlatform.
2. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and Eventia Analyzer Correlation Unit.
3. ClusterXL is supported only in third party mode with VRRP or IP Clustering. The maximum number of cluster members is eight.
4. Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5-2.0.
Platform Notes
1. UTM-1 Edge devices cannot be managed from a Security Management running on a Nokia IPSO platform.
2. UserAuthority is not supported on Nokia flash-based platforms.
3. HA Legacy mode is not supported on Windows Server 2003.
4. Only UltraSPARC 64-bit is supported; for Security Management only (not for gateways).
Table 2-2 Supported Clients by Platform
Platforms (columns): Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Pro (SP1-4) / XP Home & Pro (SP3); Windows Mobile 2003, 2003SE, 5.0, 6.0, 6.1; Windows Server 2003 (SP1-2); Windows Vista (SP1); Windows Server 2008; Mac OS 10.4; Mac OS 10.5; Linux.
Check Point Products (rows): SmartConsole; Provider-1/SiteManager-1 MDG; SecuRemote; SecureClient; SecureClient Mobile; SSL Network Extender; Endpoint Security Client; Endpoint Connect Client.
[Table 2-2 support matrix: the per-platform marks are not reproduced in this copy; see the Release Notes for each product and platform.]
Notes to Supported by Platform Table
1. To run SmartConsole applications on Windows 2000, you must have Microsoft Installer 3.0 installed.
2. Microsoft Installer support is required for installation of Endpoint Security clients.
Supported Upgrade Paths and Interoperability
In This Section:
Upgrade Paths and Interoperability page 27
Upgrading Security Management Servers page 27
Backward Compatibility For Gateways page 27
IPS-1 Upgrade Paths and Interoperability page 28
Upgrade Paths and Interoperability
Security Management servers and security gateways exist in a wide variety of deployments. Consult Table 2-3 and Table 2-4 to determine which versions of your management server and gateways can be upgraded to R70.
Upgrading Security Management Servers
The following Security Management server versions can be upgraded to R70:
Table 2-3 Security Management server Upgrade Paths
Release | Version
NGX | R60, R60A, R61, R62, R65
    | R65 with HFA 30 with the Connectra NGX R66 Plug-in
    | R65 with Messaging Security
    | R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
    | R65 with the SmartProvisioning Plug-in
    | R65 UTM-1
    | R65 Power-1
Backward Compatibility For Gateways
R70 Security Management server supports the following gateway versions:
Table 2-4 Backward Compatibility for Gateways
Release | Version
NGX | R60, R60A, R61, R62, R65
InterSpect NGX | R60
Connectra NGX | R61, R62, R62CM, R66
UTM-1 Edge | 7.5.x and above
Endpoint Security |
Note - R70 cannot manage gateway versions NG, NG FP1, or NG FP2
IPS-1 Upgrade Paths and Interoperability
Upgrade Paths
Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required.
Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.x, can be upgraded to the current version. From earlier versions, completely reinstall.
Interoperability
Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.1 onwards.
The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.
Licensing R70
Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at:
https://usercenter.checkpoint.com
Customers new to the Check Point User Center should go to:
https://usercenter.checkpoint.com/pub/usercenter/get_started.html
For further licensing assistance, contact Account Services at: [email protected], or US +1 972-444-6600, option 5.
Licensing R70
Licenses are required for the Security Management server and security gateways. No license is required for SmartConsole management clients.
Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.
The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.
Obtaining a License Key
To obtain a license key from the Check Point User Center:
1. Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.
2. Generate a license key for your products/evaluations by selecting Accounts & Products > Products. Select your product(s) and click Activate License. The selected product(s)/evaluations are then assigned license keys.
3. Complete the installation and configuration process by doing the following:
a. Read and accept the End User License Agreement.
b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The certificate keys associate the product license with the Security Management server, which means that:
The new license remains valid even if the IP address of the Check Point gateway changes.
Only one IP address is needed for all licenses.
A license can be detached from one Check Point gateway and assigned to another.
Upgrading Licenses
The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).
The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.
Licensing Provider-1/SiteManager-1
Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).
Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.
Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.
Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.
MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.
Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway. Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.
Licensing IPS-1
The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. In a Combined installation, where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server's license.
For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. Licenses are added using IPS-1's Management Dashboard.
The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode.
All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server's IP address.
Licensing Eventia Suite
All Eventia Suite licenses are installed on the Eventia Suite Server (not on the Security Management server).
Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.
Chapter 3 Setup and Installation
In This Chapter
Overview page 34
Installing on SecurePlatform page 35
Installing on Windows page 44
Installing on Solaris or Linux page 46
Installing on Nokia page 48
Initially Configuring Products page 51
Where To From Here? page 58
Overview
Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform.
For upgrading an existing installation, see the upgrade section.
Check Point products can be installed in the following two types of deployments:
Standalone Deployment: Check Point components that are responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.
Distributed Deployment: The Security gateway and the Security Management server are installed on different machines.
In both deployments, SmartConsole can be installed on any machine by performing the following steps:
Install the components that manage or enforce the security policy (for example, the Security Management server, the security gateway, and the log server).
Install one or more SmartConsole clients to manage different aspects of the deployment. For example, SmartDashboard is used by the system administrator to manage and create the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.
Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.
Installing on SecurePlatform
In This Section:
Installing SecurePlatform Using the CD page 35
Installing SecurePlatform from the Network page 37
Initially Configuring SecurePlatform page 41
Installing R70 Products on SecurePlatform page 42
Configuring SecurePlatform Using WebUI page 43
Installing SecurePlatform Using the CD
To install SecurePlatform using the CD:
1. Insert CD1 from the media pack into the CD drive, and boot the computer from the CD. After booting, the Welcome message appears. If you do not press Enter within 90 seconds, the computer boots from the hard drive.
The installation program is loaded.
2. The following options are displayed:
Device List: When selected, the Hardware Scan Details menu displays.
Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version's driver, and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process. To continue, select OK.
3. A list of software blades is displayed:
Security Gateway
Security Management server
Eventia Suite
Endpoint Security (CD2)
Performance Pack
Management Portal
4. Use the space bar to select the appropriate products and select OK.
5. Select the type of system to install:
SecurePlatform
SecurePlatform Pro (which includes the advanced dynamic routing suite)
6. The Keyboard Selection menu opens.
7. Select a keyboard type.
8. From the Network Interface Configuration menu, define the:
IP address of the management interface
Netmask and Default gateway for the first network interface (eth0 on most systems).
9. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform's WebUI.
Note - If you intend to deploy remote access or Endpoint Security software, select a port other than 443.
10. Select OK.
A message confirms that you are about to format your hard drive.
Warning - The formatting procedure erases all information located on your hard drive.
11. Select OK to:
Format your hard drive
Extract, copy files, and install SecurePlatform software blades.
Perform post install configuration
Install the boot loader
The installation process can take several minutes to complete.
12. When the Installation Complete message appears, remove the installation CD from the drive, and select OK to reboot the system.
Continue to Initially Configuring SecurePlatform on page 41.
Installing SecurePlatform from the Network
In This Section
General Workflow page 37
Client Setup page 38
Server Setup page 38
General Workflow
The client's requirements are minimal. Only PXE is required. On the server, you must install:
A DHCP daemon
A TFTP daemon
The PXE boot loader
The kernel
The ramdisk
Then:
1. The client boots from the network, using the PXE network loader.
2. The client sends a broadcast request, using the BOOTP protocol.
3. The server responds to the client, by providing the client's assigned IP address and a filename (pxelinux.0 by default) from which to download the PXE boot loader.
4. The client downloads the PXE Boot Loader, using TFTP, and executes it.
5. The PXE boot loader downloads a PXE configuration file from the server, containing the names of the kernel and the ramdisk that the client requires.
6. The PXE boot loader downloads the kernel and the ramdisk.
7. The kernel is run, using the ramdisk as its environment.
8. The Installer is executed.
9. At this point the installation can be configured to load files from the FTP server.
Client Setup
On the client machine, enable the network boot, using PXE, from the BIOS setup. (It sometimes appears as DHCP.)
Server Setup
In This Section
Required Packages page 38
DHCP Daemon Setup page 39
TFTP and FTP Daemon Setup page 40
Hosting Installation Files page 41
Required Packages
The following packages are required for server setup:
DHCP daemon (located on the Check Point CDROM and installed, by default, on SecurePlatform)
Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Check Point CDROM)
TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)
FTP server (/SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm)
TCP-Wrappers package (/SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm)
Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)
Ramdisk (can be found on the SecurePlatform CD at /SecurePlatform/ramdisk-pxe)
Note - To access files on the Check Point CDROM, insert the CDROM into the CDROM drive and enter the command: # mount /mnt/cdrom
PXELINUX Configuration Files
/SecurePlatform/RPMS/tftp-server-0.32-4cp.i386.rpm includes a default configuration file (located under /tftpboot/pxelinux.cfg) that will serve the kernel and ramdisk to any host. Because more than one system may be booted from the same server, the configuration file name depends on the IP address of the booting machine.
PXELINUX will search for its config file on the boot server in the following way:
1. PXELINUX will search for its config file, using its own IP address, in upper case hexadecimal, e.g. 192.0.2.91 -> C000025B.
2. If that file is not found, PXELINUX will remove one hex digit and try again. Ultimately, PXELINUX will try looking for a file named default (in lower case).
As an example, for 192.0.2.91, PXELINUX will try C000025B, C000025, C00002, C0000, C000, C00, C0, C, and default, in that order.
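The lookup order just described, as an added example that is not part of the Check Point guide: a POSIX shell function that prints the configuration file names PXELINUX requests for a given client IPv4 address, in the order it tries them, plus a helper that reports which file under a pxelinux.cfg directory the client will actually receive. Both function names and the directory argument are assumptions for this example; only printf and POSIX sh are required.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: reproduce the PXELINUX
# configuration-file search order for a client IPv4 address, so an operator can
# verify which file under /tftpboot/pxelinux.cfg a given host will pick up.

# Print the candidate file names, one per line, most specific first.
pxelinux_config_candidates() {
    ip="$1"
    # Split the dotted quad into $1..$4 (temporarily sets IFS, then restores it).
    oldifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$oldifs"
    if [ "$#" -ne 4 ]; then
        echo "pxelinux_config_candidates: expected a dotted-quad IPv4 address, got '$ip'" >&2
        return 1
    fi
    # Eight upper-case hex digits, e.g. 192.0.2.91 -> C000025B.
    # printf reads the octets as decimal; dotted quads carry no leading zeros.
    hex=$(printf '%02X%02X%02X%02X' "$1" "$2" "$3" "$4")
    # PXELINUX drops one trailing hex digit per retry, then falls back to "default".
    while [ -n "$hex" ]; do
        echo "$hex"
        hex="${hex%?}"
    done
    echo default
}

# Name of the first candidate that exists in the given pxelinux.cfg directory,
# i.e. the file PXELINUX will serve to this client; returns 1 if none exists.
pxelinux_config_match() {
    cfgdir="$1"
    ip="$2"
    for name in $(pxelinux_config_candidates "$ip"); do
        if [ -f "$cfgdir/$name" ]; then
            echo "$name"
            return 0
        fi
    done
    return 1
}
```

Running `pxelinux_config_match /tftpboot/pxelinux.cfg 192.0.2.91` on the boot server shows whether a host-specific file (C000025B) or the shared default file will be served, which is the quickest way to confirm that a per-host configuration is actually being picked up rather than silently ignored because of a mistyped hex name.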
Assuming the kernel and ramdisk files are named kernel and ramdisk, respectively, a default configuration file, which will serve these to all clients, will look like this:
default bootnet
label bootnet
  kernel kernel
  append initrd=ramdisk lang= devfs=nomount ramdisk_size=80024 console=tty0
DHCP Daemon Setup
To set up the DHCP Daemon, perform the following procedure:
1. Enter the sysconfig utility and enable the DHCP server.
2. Edit the daemon's configuration file, found at /etc/dhcpd.conf. The configuration file should include a subnet declaration for each subnet the DHCP server is connected to. In addition, the configuration should include a host declaration for each host that will use this server for remote installation. A sample configuration file follows:
subnet 192.92.93.0 netmask 255.255.255.0 {
}
host foo {
    # The client's MAC address
    hardware ethernet xx:xx:xx:xx:xx:xx;
    # The IP address that will be assigned to the client by this server
    fixed-address 192.92.93.32;
    # The file to upload
    filename "/pxelinux.0";
}
TFTP and FTP Daemon Setup
To set up the TFTP and FTP Daemons, perform the following procedure:
1. Install /SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm (the TCP wrappers package).
2. Install /SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm (the xinetd package is a prerequisite for the tftp-server and ftpd).
3. Install the TFTP Daemon RPM:
# rpm -i /SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm
4. Install the FTP Daemon RPM:
# rpm -i /SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm
5. Force xinetd to reread its configuration:
# service xinetd restart
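Step 2 of the DHCP daemon setup above requires a subnet declaration for every segment the server is attached to and a host declaration for every PXE client. A fixed-address that lies outside every declared subnet is a common mistake, and that client then never receives its installation lease. The following POSIX shell script is an added check, not part of the Check Point guide: it parses subnet and host declarations written in the style of the sample above and flags any fixed-address that does not fall inside a declared subnet. The embedded configuration is constructed for this example (host bar is deliberately wrong), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point guide: sanity-check a dhcpd.conf written
# in the style of the sample above by verifying that every host "fixed-address"
# lies inside one of the declared subnets.

# Constructed sample for this example. Host "bar" is deliberately wrong.
SAMPLE_DHCPD_CONF='
subnet 192.92.93.0 netmask 255.255.255.0 {
}
host foo {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.92.93.32;
    filename "/pxelinux.0";
}
host bar {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 10.0.0.9;
    filename "/pxelinux.0";
}
'

# Dotted quad -> 32-bit unsigned integer (POSIX shell arithmetic is wide enough).
ip2int() {
    oldifs="$IFS"; IFS=.; set -- $1; IFS="$oldifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print one line per host declaration: "<host> <address> OK|OUTSIDE".
# Returns 1 if any fixed-address is outside every declared subnet.
check_fixed_addresses() {
    conf="$1"
    # "network/netmask" pairs taken from "subnet A netmask B {" lines
    subnets=$(printf '%s\n' "$conf" | awk '$1=="subnet" && $3=="netmask" {print $2 "/" $4}')
    # "host:address" pairs; the host name is the most recent "host NAME {" line
    hosts=$(printf '%s\n' "$conf" | awk '
        $1=="host" {name=$2}
        $1=="fixed-address" {sub(/;$/, "", $2); print name ":" $2}')
    rc=0
    for entry in $hosts; do
        name=${entry%%:*}
        addr=${entry#*:}
        a=$(ip2int "$addr")
        inside=0
        for s in $subnets; do
            net=$(ip2int "${s%/*}")
            mask=$(ip2int "${s#*/}")
            # Same network if the masked address equals the masked network number.
            if [ $(( a & mask )) -eq $(( net & mask )) ]; then
                inside=1
            fi
        done
        if [ "$inside" -eq 1 ]; then
            echo "$name $addr OK"
        else
            echo "$name $addr OUTSIDE"
            rc=1
        fi
    done
    return $rc
}

# Report on the constructed sample when the script is run directly.
check_fixed_addresses "$SAMPLE_DHCPD_CONF" \
    || echo "dhcpd.conf: at least one fixed-address is outside the declared subnets" >&2
```

To check a real file, pass its contents with `check_fixed_addresses "$(cat /etc/dhcpd.conf)"`; a non-zero return is the signal to fix the offending host declaration before restarting the DHCP server.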
Hosting Installation Files
An FTP server installed on SecurePlatform will be used to host the installation files. During the installation process, you will be asked to supply the IP of the installation server, the credentials on that server, and the path to the installation packages. Supply the IP of the SecurePlatform installation server, the Administrator's credentials, and the path to the SecurePlatform packages.
You can also use different FTP servers, or HTTP servers, to host SecurePlatform installation files.
Initially Configuring SecurePlatform
After the operating system installation is complete and the computer has rebooted:
1. From the SecurePlatform boot menu, Start in normal mode.
2. Log in using admin as your username and password.
3. When prompted, change the default username and password. Ensure that the new password contains more than six characters and has a combination of upper- and lowercase letters and numbers.
4. On the command line, run: cpconfig.
5. A first-time configuration wizard for the SecurePlatform device opens, and displays a Welcome message.
6. Press n to proceed to the next menu.
The following Network Configuration menu options are displayed:
Option | Purpose
Host Name | Sets and displays the host name
Domain Name | Sets and displays the Domain name
Domain Name Servers | Adds, removes, displays Domain name servers
Network Connections | Adds, configures, removes, displays network connections.
Routing | Sets and shows a default gateway
7. Use the menu options to configure:
The host name
The domain name and at least one DNS server
The computer's network interfaces
The default gateway (if required)
8. Once Network Configuration is complete, select the Time and Date Configuration menu option and configure the following:
Time zone
Date
Local time
Show date and time settings
9. Press n.
The Import Check Point Products Configuration window opens and displays the Fetch Import file from TFTP Server option. If you exported the configuration of another SecurePlatform installation, you can now import that configuration.
For additional information, see: Advanced Upgrade on SecurePlatform on page 219.
10. Press n to continue to products installation.
Installing R70 Products on SecurePlatform
The Check Point product installation wizard continues from SecurePlatform's first-time system configuration (sysconfig) wizard.
1. The welcome message appears, beginning the installation wizard. Press n.
2. Read and accept the End User License Agreement.
3. Select either:
New Installation
Installation Using Imported Configuration
4. A product list is displayed:
Security Gateway
User Authority
Security Management
Eventia Suite
Endpoint Security (CD2 required)
Performance Pack
Management Portal
5. Select the appropriate products and press n.
6. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.
7. If you selected Eventia Suite, select which Eventia product should be installed: Reporter, Correlation Unit, or Analyzer.
8. A message validates your choice of products. Press n.
The required installation files are extracted and the products are installed. If you chose to install Security Management server, the Check Point Configuration program opens and guides you through the configuration of:
a. Licenses
b. Administrators (name and password)
c. GUI clients
d. A random pool of data for cryptographic operations
e. A Certificate authority and saving the fingerprint
See: Using the Configuration Tool on Unix Systems on page 54.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
Configuring SecurePlatform Using WebUI
You can also use the WebUI to configure network settings, apply a license, and install and configure products. After system reboot, use your browser to connect to the IP address specified in step 8 on page 36.
Installing on Windows
The installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components.
To perform a new installation on a Windows platform:
1. Log on as Administrator and insert the CD. The installation wizard automatically starts and a Congratulations message displays.
2. Review the Evaluation Options then click Forward.
3. Accept the terms of the End Users License Agreement.
4. Select one of the following installation options:
Demo installation (SmartConsole only)
New installation
Installation using an imported configuration (for additional information, see: Advanced Upgrade on a Windows Platform on page 228).
5. Click Forward.
If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file.
A list of products is displayed:
6. Select the products you wish to install and click Forward.
7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.
8. Confirm installation of selected products. Click Forward.
The selected products are installed. For first time installations, the Check Point Configuration Tool runs automatically and prompts you to (for Security Management server):
a. Add licenses
b. Add administrators
c. Specify remote clients from which an administrator can log into Security Management server
d. Initialize the Internal Certificate Authority
e. Export the Security Management server fingerprint to a text file
For additional information, refer to the Configuration Tool Overview on page 51.
9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.
Installing on Solaris or Linux
Installation on Linux and Solaris platforms is run from a command line, with a wizard that guides you through installation. For SecurePlatform there is a separate installation procedure which is described in Installing on SecurePlatform on page 35.
To perform a new installation on a Linux or Solaris platform:
1. Mount the CD on the appropriate subdirectory.
2. From the root directory of the CD, run:
./UnixInstallScript
The wrapper welcome message appears, beginning the installation wizard. Press n.
3. Read and accept the terms of the End User License Agreement.
4. Select New Installation and press n.
5. A product list is displayed:
Security Gateway
User Authority
Security Management
Eventia Suite
Endpoint Security
Performance Pack
Management Portal
6. Select the products you wish to install and press n.
7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server, and whether a Log server should also be installed.
8. Confirm the selected products by pressing n.
9. Once product installation is complete, the Check Point Configuration tool will prompt for various configuration options. For a Security Management server, the stages are:
a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.
b. Configure GUI clients (a list of hosts that are able to connect to the Security Management server using SmartConsole).
c. Configure group permissions by specifying a group name.
d. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
10. Reboot the machine.
IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.
Installing on Nokia
Installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application). Use a console to perform the initial configuration.
You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For additional information, refer to Nokia Horizon Manager documentation on the Nokia Support website:
http://support.nokia.com
A software package for Nokia IPSO 6.07 is available from the Check Point download center at:
http://www.checkpoint.com/techsupport/downloads.jsp.
If you have a Nokia gateway with IPSO 4.2 already installed, then skip to step 13 on page 49.
If you are performing a new installation on an older IPSO gateway, then start here:
Before Installing:
From the Check Point website, download: IPSO_Wrapper_R70.tgz.
From Nokia, download: UTM-Base Build 004
To install with UTM functionality:
1. Enter the Network Voyager and open a CLI console.
2. Click System Configuration > Install New IPSO Image.
The New Image Installation Upgrade window opens.
3. Enter the following information (for IPSO 4.2):
Enter URL to the image location
Enter HTTP Realm (for HTTP URLs only)
Enter Username (if applicable)
Enter Password (if applicable)
Note - Verify from Nokia that you have IPSO 4.2 with UTM compatibility (IPSO 4.2 Build 041)
4. Click Apply.
You are informed that the file download and image installation may take some time.
5. Click Apply.
A message is displayed indicating that the new image installation process has started.
6. When you receive a Success message, click UP > UP > Manage IPSO Images.
The IPSO Image Management window opens.
7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.2
8. Click Test Boot.
9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.
10. In the Network Voyager, click Refresh and log in.
11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images.
You should be able to see that the relevant IPSO Image is selected.
12. Select Commit testboot and click Apply.
13. Access the CLI console, and log in.
14. Type newpkg, and press Enter.
15. Use the FTP menu option to transfer the UTM-Base package.
16. Install the UTM-Base package.
Wait until a message informs you that the process is complete.
17. Activate the UTM-Base package.
18. In Voyager, verify that the UTM Base package is turned ON.
19. On the CLI, type newpkg, and press Enter.
20. Use the FTP menu option to transfer the IPSO_Wrapper_.tgz package.
21. Install the IPSO_Wrapper_R70 package.
Wait until a message informs you that the process is complete.
22. Type Reboot and press Enter.
23. From a console connection, run cpconfig.
24. Select an installation type, Stand Alone or Distributed.
25. Select Security Management server from the selection list.
26. Specify the Security Management server type as Primary or Secondary. Note - Only relevant for a distributed deployment.
27. Add Licenses.
28. Configure an administrator name and password.
29. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.
30. Configure Group Permissions.
31. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.
32. Configure the Certificate Authority, and save the CA's Fingerprint to a file.
33. Start the installed products.
If you opt not to start the installed products at this time, they can be started later by running cpstart.
34. Reboot.
Enabling Native IPSO Security Servers
Once Anti-virus and Web filtering are enabled, the relevant traffic is blocked from passing through the gateway. If the relevant traffic is not blocked, run the fwlinux2ipso command on the gateway to manually activate the native IPSO security servers. (When the UTM-Base package was installed and activated, the native IPSO security servers should have been activated as well.)
Initially Configuring Products
In This Section:
Configuration Tool Overview page 51
Using the Configuration Tool on Windows Systems page 52
Using the Configuration Tool on Unix Systems page 54
Logging In for the First Time page 55
Configuration Tool Overview
The Configuration Tool runs automatically once the installation process is complete. The Configuration Tool can also be run manually by running the cpconfig command. The configuration options vary according to installed product. The examples in this chapter are for a Security Management server.
The Configuration Tool is used to configure:
Licenses: Generates a license for the Security Management server and the gateway.
Administrators: Creates an administrator with Security Management server access permissions. The administrator must have Read/Write permissions in order to create the first security policy.
GUI Clients: Creates a list of names or IP addresses for machines that can connect to the Security Management server using SmartConsole.
Key Hit Session: Creates a random seed for use in various cryptographic operations.
Certificate Authority: Provides definitions that are used to initiate the Internal Certificate Authority, which enables secure communication between the Security Management server and its gateways. For some operating systems, such as Windows, you must specify the name of the host where the ICA resides. You may use the default name or provide your own. The ICA name should be in the hostname.domain format, for example, ica.checkpoint.com.
Fingerprint: Verifies the identity of the Security Management server the first time you log in to SmartConsole. Upon SmartConsole login, a Fingerprint is displayed. This Fingerprint must match the Fingerprint shown in the Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.
Using the Configuration Tool on Windows Systems
To configure using the Configuration Tool on Windows systems:
1. Open the Configuration Tool by selecting Start > Run > cpconfig.
2. In the Licenses tab, perform one or both of the following procedures:
a. Fetch one or more licenses from a file.
i. Click Fetch from File.
ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.
b. Add a license manually.
i. Click Add. The Add License window opens.
ii. Configure the appropriate options in the Add License window.
iii. Click OK to add the newly configured license.
3. Click Next.
4. In the Administrators tab, click Add. Add an administrator that uses SmartConsole to connect to the Security Management server. From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
5. From the Add Administrator window, configure the required parameters and click OK.
6. Click Next.
7. On the GUI Clients tab, add a GUI client.
8. Type the GUI client's name in the Remote hostname field.
9. Click Add. You can add a GUI client using any of the following formats:
IP address: For example, 1.2.3.4.
IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
Machine name: For example, Alice, or Alice.checkpoint.com.
Any: Any IP address.
IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.
Wild cards: For example, 192.168.10.
Note - If you do not define at least one GUI client, you can only manage the Security Management server from a GUI client that runs on the same machine as the Security Management server.
10. Click Next.
11. In the Certificate Authority tab, add a name in the hostname.domain format, for example, ica.checkpoint.com. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
12. Click Next. The Fingerprint window opens and displays the Fingerprint of the Security Management server. The Fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole.
13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the Security Management server.
14. Once configuration using the Configuration Tool is complete, do the following:
a. From SmartConsole, perform a first time connection to the Security Management server. The Fingerprint of the Security Management server displays.
b. Ensure that the Security Management server Fingerprint matches the Fingerprint displayed in SmartConsole.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
Note - Do not perform a first time connection to the Security Management server from SmartConsole unless the Security Management server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.
15. Close the Configuration Tool.
Using the Configuration Tool on Unix Systems
To complete the installation process, use the Check Point Configuration Tool to configure the Security Management server or security gateway.
To configure using the Configuration Tool on Unix systems:
1. Access the Configuration Tool.
2. Add licenses. A license can be added manually or fetched from a file.
3. Add administrators. Add an administrator that uses SmartConsole to connect to the Security Management server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.
4. Define GUI clients. You can add GUI clients using any of the following formats:
IP address: For example, 1.2.3.4.
IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.
Machine name: For example, Alice, or Alice.checkpoint.com.
Any: Any IP address.
IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.
Wild cards: For example, 192.168.10.
5. Initialize the Internal Certificate Authority. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.
6. Export the Security Management server's fingerprint to a text file. The fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole. The first time SmartConsole connects to the Security Management server, compare this string to the string displayed in SmartDashboard.
7. Start the installed products.
Note - For first time installations, the Configuration Tool runs automatically. The Configuration Tool can also be run after installation is complete using the cpconfig command.
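The GUI client entry formats listed for both the Windows and Unix Configuration Tool (IP address, IP/netmask, machine name, Any, IP1-IP2, wild cards) decide which hosts may reach the Security Management server with SmartConsole, and an entry is easily broader than intended. The following Python, an added example rather than Check Point code, evaluates such entries against a connecting client and flags entries that admit more than a single host; the wild-card syntax (a trailing "." or "*" octets) and exact hostname matching without DNS are assumptions.

```python
# Added example (not Check Point code): evaluate Configuration Tool GUI client
# entries against a connecting client and audit how broad each entry is.
# Assumptions: wild cards are written as a trailing "." or "*" octets; machine
# names are matched case-insensitively against a supplied hostname (no DNS).
import ipaddress
from typing import List, Optional, Tuple


def _is_wildcard(entry: str) -> bool:
    return entry.endswith(".") or "*" in entry


def _parse_range(entry: str):
    """IP1-IP2 -> (lo, hi); None if not a range (e.g. a hostname containing '-')."""
    if "-" not in entry:
        return None
    try:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
    except ValueError:
        return None
    return lo, hi


def entry_matches(entry: str, client_ip: str, client_name: str = "") -> bool:
    """Return True if one GUI client entry permits the given client."""
    e = entry.strip()
    ip = ipaddress.IPv4Address(client_ip)

    if e.lower() == "any":                          # Any: any IP address
        return True
    rng = _parse_range(e)                           # IP1-IP2: inclusive range
    if rng:
        return rng[0] <= ip <= rng[1]
    if "/" in e:                                    # IP/netmask, dotted mask allowed
        return ip in ipaddress.IPv4Network(e, strict=False)
    if _is_wildcard(e):                             # wild cards, e.g. 192.168.10.
        pattern = e.rstrip(".").split(".")
        actual = client_ip.split(".")
        return len(pattern) <= 4 and all(
            p == "*" or p == a for p, a in zip(pattern, actual))
    try:                                            # plain IP address
        return ipaddress.IPv4Address(e) == ip
    except ValueError:
        pass
    # Machine name: exact hostname match (Alice or Alice.checkpoint.com)
    return bool(client_name) and e.lower() == client_name.lower()


def permitted_by(entries: List[str], client_ip: str,
                 client_name: str = "") -> Optional[str]:
    """First entry that permits the client, or None if SmartConsole access is denied."""
    for entry in entries:
        if entry_matches(entry, client_ip, client_name):
            return entry
    return None


def audit_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Flag entries that admit more than a single management host."""
    findings = []
    for entry in entries:
        e = entry.strip()
        if e.lower() == "any":
            findings.append((e, "permits every IP address"))
        elif _is_wildcard(e):
            fixed = [o for o in e.rstrip(".").split(".") if o != "*"]
            if len(fixed) < 3:
                findings.append((e, "wild card leaves more than one octet open"))
        elif "/" in e or _parse_range(e):
            findings.append((e, "covers a range of hosts, not a single client"))
    return findings
```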
Logging In for the First Time
The Login Process
Administrators connect to the Security Management server through SmartDashboard using the same process as SmartConsole clients. The administrator and the Security Management server are first authenticated (to create a secure channel of communication) and then the selected SmartConsole starts.
After the first login, the administrator can create a certificate for subsequent logins. For additional information on how to create a certificate, refer to the R70 Security Management server Administration Guide.
Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.
Authenticating the Administrator
To authenticate the administrator:
1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole > SmartDashboard.
2. Log in using the User Name and Password defined in the Configuration Tool's Administrators page during the Security Management server installation.
If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate's password. The certificate's password can be changed by expanding the More Options link and clicking Change Password.
3. Specify the name or IP address of the target Security Management server and click OK.
4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to Security Management server when another designated administrator is already connected.
5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to Security Management server.
The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.
Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker's Audit Mode. The field can be used to explain why a particular administrator is connecting to Security Management server.
Use compressed connection. This option optimizes the connection to Security Management server. By default, the connection to Security Management server is compressed. For a very large configuration database, disabling the compression may help reduce load on the Security Management server.
Do not save recent connections information. By default, SmartDashboard server remembers the last user ID and Security Management server to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and Security Management server to which the administrator successfully connected.
Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular Plug-in. Select the Plug-in from the Versions drop-down box.
6. Manually authenticate the Security Management server using the Fingerprint provided during the configuration process.
Note - This step is only necessary the first time you log in from a given client computer, since once the Security Management server is authenticated, the Fingerprint is saved in the SmartConsole computer's registry.
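The first-login trust check described in this section, as an added example that is not part of the original guide: the SmartConsole side refuses a first connection unless the fingerprint shown by the server matches the one exported from the Configuration Tool, then pins it for later logins (the guide says it is saved in the registry) and alerts if the server's certificate changes. The derivation (SHA-1 over constructed certificate bytes, rendered as colon-separated hex) and the in-memory pin store are assumptions; Check Point's actual fingerprint format is not reproduced.

```python
# Added example (not Check Point code): model the SmartConsole first-login
# fingerprint check. Assumptions: the fingerprint is SHA-1 over the server
# certificate's DER bytes as colon-separated hex, and the registry entry that
# remembers a verified server is modelled by a dict.
import hashlib
import hmac
from typing import Dict, Optional


def fingerprint_of(cert_der: bytes) -> str:
    """Derive a fingerprint string from certificate bytes (assumed format)."""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so an exported or hand-typed string compares reliably."""
    return "".join(ch for ch in fp.upper() if ch.isalnum())


def fingerprints_match(shown: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprint strings."""
    return hmac.compare_digest(normalize(shown), normalize(expected))


class ConsoleClient:
    """The SmartConsole machine: verifies once out of band, then trusts the pinned value."""

    def __init__(self) -> None:
        self.pinned: Dict[str, str] = {}   # stands in for the registry entry per server

    def connect(self, server: str, cert_der: bytes,
                exported_fp: Optional[str] = None) -> str:
        shown = fingerprint_of(cert_der)   # what the login dialog displays
        if server not in self.pinned:
            # First login: the exported fingerprint file must be at hand and match.
            if exported_fp is None:
                return "refuse: no exported fingerprint to compare against"
            if not fingerprints_match(shown, exported_fp):
                return "refuse: fingerprint mismatch on first login"
            self.pinned[server] = normalize(shown)
            return "accept: first login verified, fingerprint pinned"
        # Later logins: the displayed fingerprint must equal the pinned one.
        if not hmac.compare_digest(self.pinned[server], normalize(shown)):
            return "refuse: server certificate changed since first login"
        return "accept: matches pinned fingerprint"


# Constructed sample input: two stand-in certificates, not real DER data.
SMS_CERT = b"constructed-der-bytes-for-security-management-server-A"
OTHER_CERT = b"constructed-der-bytes-for-some-other-host-B"
```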
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com
Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.
For additional technical information about Check Point products, consult Check Point's SecureKnowledge at: http://support.checkpoint.com
Chapter 4 Installing Provider-1
In This Chapter:
Overview page 60
Creating the Provider-1 Environment page 61
Where To From Here? page 75
Overview
A typical Management Service Provider (MSP) manages and protects many customer networks. Provider-1 ensures compatibility with a wide range of security schemes and product deployments.
Figure 4-1 Sample Provider-1 Deployment
The components of a basic Provider-1 deployment are:
MDS: Each Provider-1 network must have at least one Manager and one Container. They can be installed on the same server or separately.
MDG and SmartConsole Applications: Installed on a GUI client (a computer running Check Point GUI) and support centralized system management.
CMAs: Installed on a Container MDS. Each CMA manages the network of a single customer domain.
Customer Gateways: Protect the customers' networks.
NOC Gateways: Protect the MSP headquarters and network/security operations centers: