CP R70 Internet Installation and UpgradeGuide


Installation and Upgrade Guide
Internet Security Product Suite

Version R70

701313 March 2, 2009

© 2003-2009 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

    For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Contents

Installation Section

Chapter 1 Introduction
Welcome ... 15
Who Should Use This Guide ... 16
R70 Documentation ... 16
New Terms ... 17
Related Documentation ... 18
For New Check Point Customers ... 19
Endpoint Security Integration ... 20
More Information ... 20
Feedback ... 20

Chapter 2 Getting Started
Terminology ... 22
  Provider-1/SiteManager-1 Terminology ... 23
Hardware and Software Requirements ... 24
Compatibility Tables ... 25
  Product Notes ... 25
  Platform Notes ... 26
Supported Upgrade Paths and Interoperability ... 27
  Upgrade Paths and Interoperability ... 27
  Upgrading Security Management Servers ... 27
  Backward Compatibility For Gateways ... 27
  IPS-1 Upgrade Paths and Interoperability ... 28
Licensing R70 ... 29
  Licensing R70 ... 29
  Licensing Provider-1/SiteManager-1 ... 30
  Licensing IPS-1 ... 31
  Licensing Eventia Suite ... 31

Chapter 3 Setup and Installation
Overview ... 34
Installing on SecurePlatform ... 35
  Installing SecurePlatform Using the CD ... 35
  Installing SecurePlatform from the Network ... 37
  Initially Configuring SecurePlatform ... 41
  Installing R70 Products on SecurePlatform ... 42
  Configuring SecurePlatform Using WebUI ... 43
Installing on Windows ... 44
Installing on Solaris or Linux ... 46
Installing on Nokia ... 48
  Enabling Native IPSO Security Servers ... 50
Initially Configuring Products ... 51
  Configuration Tool Overview ... 51
  Using the Configuration Tool on Windows Systems ... 52
  Using the Configuration Tool on Unix Systems ... 54
  Logging In for the First Time ... 55
Where To From Here? ... 58

Chapter 4 Installing Provider-1
Overview ... 60
Creating the Provider-1 Environment ... 61
  Setting Up Provider-1 Networking ... 61
  Install the Gateways ... 62
  Installing and Configuring the Primary MDS ... 62
  Installing SmartConsole and MDG Clients ... 70
Using the MDG for the First Time ... 71
  Launching the MDG ... 71
  Adding Licenses using the MDG ... 72
Where To From Here? ... 75

Chapter 5 IPS-1 Setup and Installation
Overview ... 78
  IPS-1 System Architecture ... 78
  Platforms ... 79
IPS-1 Deployment ... 80
  IPS-1 Sensor Deployment ... 80
  IPS-1 Management Deployment ... 81
IPS-1 Management Installation and Setup ... 84
  Installation of IPS-1 Management Servers ... 84
IPS-1 Sensor Appliances ... 89
  Introduction ... 89
  IPS-1 Sensor Appliance Models ... 89
IPS-1 Sensor Installation ... 94
  Connecting to IPS-1 Sensors ... 94
  Installing SecurePlatform and IPS-1 Sensors ... 94
  Initial Configuration of IPS-1 Sensors ... 95
  Initial Configuration of IPS-1 Power Sensor ... 97
  IPS-1 Management Dashboard Installation ... 99
Post-Installation Steps ... 100
  Configuring NTP on SecurePlatform ... 100
  Completing IPS-1 Management Setup ... 101
  Completing IPS-1 Sensor Setup ... 105
Where To From Here? ... 108

Chapter 6 Installing Eventia Suite
Eventia Suite Installation ... 110
Standalone Installation vs. Distributed Installation ... 111
  Installing Eventia Suite on Multiple Versions of Security Management Server Management ... 111
Standalone Installation ... 112
  Windows Platform ... 112
  Solaris & Linux Platforms ... 113
  SecurePlatform ... 113
Distributed Installation ... 114
  Windows Platform ... 114
  Solaris and Linux and SecurePlatform ... 115
Enabling Connectivity Through a Firewall ... 116
Preparing Eventia Suite in Security Management server ... 117
Preparing Eventia Suite on Provider-1 MDS ... 118
  For Provider-1/SiteManager-1 Version R55 ... 118
  For Provider-1/SiteManager-1 Version R60 ... 120
  For Provider-1/SiteManager-1 Version R61 and Up ... 121

    Upgrade Section

Chapter 7 Introduction to the Upgrade Process
Documentation ... 126
Contract Verification ... 126
Supported Upgrade Paths and Interoperability ... 127
  Upgrading Management Servers ... 127
  Backward Compatibility For Gateways ... 128
Obtaining Software Installation Packages ... 129
Terminology ... 130
Upgrade Tools ... 132
Upgrading Successfully ... 132

Chapter 8 Service Contract Files
Introduction ... 133
Working with Contract Files ... 134
Installing a Contract File on Security Management server ... 134
  On a Windows Platform ... 135
  On SecurePlatform, Linux, and Solaris ... 139
  On IPSO ... 142
Installing a Contract File on a Gateway ... 143
  On a Windows Platform ... 143
  On SecurePlatform, and Linux ... 150
  On IPSO ... 154
Managing Contracts with SmartUpdate ... 155
  Managing Contracts ... 155
  Updating Contracts ... 158

Chapter 9 Upgrading a Distributed Deployment
Introduction ... 160
Pre-Upgrade Considerations ... 161
  Pre-upgrade Verification ... 161
  Web Intelligence License Enforcement ... 161
  Upgrading Products on a SecurePlatform Operating System ... 162
  UTM-1 Edge Gateways Prior to Firmware Version 7.5 ... 162
Upgrading the Security Management Server ... 163
  Using the Pre-Upgrade Verification Tool ... 163
  Security Management Server Upgrade on a Windows Platform ... 165
  Security Management Server Upgrade on SecurePlatform ... 166
  Gateway Upgrade on a UTM-1/Power-1 Appliance ... 168
  Security Management Server Upgrade on a Solaris Platform ... 169
  Security Management Server Upgrade on a Linux Platform ... 171
  Security Management Server Upgrade on an IPSO Platform ... 173
Upgrading the Gateway ... 175
  Upgrading a Clustered Deployment ... 175
  Upgrading the Gateway Using SmartUpdate ... 176
  Gateway Upgrade Process on a Windows Platform ... 180
  Gateway Upgrade on SecurePlatform ... 182
  Gateway Upgrade on an IPSO Platform ... 183

Chapter 10 Backup and Revert for Security Gateways
Introduction ... 186
Backing Up Your Current Deployment ... 187
Restoring a Deployment ... 188
SecurePlatform Backup and Restore Commands ... 189
  Backup ... 189
  Restore ... 191
SecurePlatform Snapshot Image Management ... 192
  Snapshot ... 193
  Revert ... 194
Reverting to Your Previous Deployment ... 195

Chapter 11 Upgrading a Standalone Deployment
Introduction ... 200
Pre-Upgrade Considerations ... 201
  Upgrading Products on a SecurePlatform Operating System ... 201
  Reverting to Your Previous Software Version ... 201
  Using the Pre-Upgrade Verification Tool ... 202
Standalone Security Gateway Upgrade on a Windows Platform ... 203
Standalone Security Gateway Upgrade on SecurePlatform ... 204
  Uninstalling Packages ... 205
Standalone Upgrade on a UTM-1/Power-1 Appliance ... 206
  Uninstalling Packages ... 206
Standalone Gateway Upgrade on an IPSO Platform ... 207
  Enabling Native IPSO Security Servers ... 209
  Uninstalling Previous Software Packages ... 209

Chapter 12 Advanced Upgrade of Security Management servers & Standalone Gateways
Introduction ... 212
Migrate Your Current Server Configuration and Upgrade ... 213
  Introduction ... 213
  Advanced Upgrade on a Windows Platform ... 214
  Advanced Upgrade on a Linux Platform ... 215
  Advanced Upgrade on SecurePlatform ... 219
  Advanced Upgrade on an IPSO Platform ... 221
  Advanced Upgrade on a Solaris Platform ... 223
  Migration to a New Machine with a Different IP Address ... 226
Migrate Your Current Security Gateway Configuration & Upgrade ... 228
  Advanced Upgrade on a Windows Platform ... 228
  Advanced Upgrade on a Linux Platform ... 230
  Advanced Upgrade on SecurePlatform ... 233
  Advanced Upgrade on an IPSO Platform ... 235

Chapter 13 Upgrading ClusterXL Deployments
Tools for Gateway Upgrades ... 237
Planning a Cluster Upgrade ... 238
  Permanent Kernel Global Variables ... 238
  Ready State During Cluster Upgrade/Rollback Operations ... 239
  Upgrading OPSEC Certified Third-Party Cluster Products ... 239
Minimal Effort Upgrade on a ClusterXL Cluster ... 240
Zero Downtime Upgrade on a ClusterXL Cluster ... 240
  Supported Modes ... 240
Full Connectivity Upgrade on a ClusterXL Cluster ... 243
  Understanding a Full Connectivity Upgrade ... 243
  Supported Modes ... 244
  Performing a Full Connectivity Upgrade ... 245

Chapter 14 Upgrading Provider-1
Introduction ... 250
  Supported Versions and Platforms ... 250
  Before You Begin ... 250
Provider-1 Upgrade Tools ... 251
  Pre-Upgrade Verifiers and Fixing Utilities ... 251
  Installation Script ... 252
  export_database ... 253
  merge_plugin_tables ... 255
  migrate_assist ... 256
  cma_migrate ... 257
  migrate_global_policies ... 262
  Backup and Restore ... 262
Provider-1 Upgrade Practices ... 264
  In-Place Upgrade ... 264
  Replicate and Upgrade ... 266
  Gradual Upgrade to Another Machine ... 267
  Migrating from Security Management to a CMA ... 269
Upgrading in a Multi-MDS Environment ... 272
  Pre-Upgrade Verification and Tools ... 272
  Upgrading a Multi-MDS System ... 273
Restarting CMAs ... 276
Restoring Your Original Environment ... 277
  Before the Upgrade ... 277
  Restoring Your Original Environment ... 277
Renaming Customers ... 278
  Identifying Non-Compliant Customer Names ... 278
  High Availability Environment ... 278
  Automatic Division of Non-Compliant Names ... 278
  Resolving Non-Compliance ... 279
  Advanced Usage ... 280
Changing the MDS IP Address and External Interface ... 282
  IP Address Change ... 282
  Interface Change ... 282
IPS in Provider-1 ... 283

Chapter 15 Upgrading SmartLSM ROBO Gateways
Planning the ROBO Gateway Upgrade ... 286
ROBO Gateway Upgrade Package to SmartUpdate Repository ... 287
License Upgrade for a VPN-1 Power/UTM ROBO Gateway ... 287
  Using SmartProvisioning to Attach the Upgraded Licenses ... 287
  License Upgrade on Multiple ROBO Gateways ... 288
Upgrading a ROBO Gateway Using SmartProvisioning ... 289
  Upgrading a VPN-1 Power/UTM ROBO Gateway ... 289
  Upgrading a UTM-1 Edge ROBO Gateway ... 291
  Upgrading a VPN-1 Power/UTM ROBO Gateway In Place ... 292
Using the Command Line Interface ... 293
  SmartLSM Upgrade Tools ... 293
  Upgrading a VPN-1 Power/UTM ROBO Gateway Using LSMcli ... 295
  Upgrading a UTM-1 Edge ROBO Gateway Using LSMcli ... 296
  Using the LSMcli in Scripts ... 297

Chapter 16 Upgrading Eventia
Overview ... 300
Upgrading Eventia Reporter ... 300
  For Standalone Deployments ... 300
  For Distributed Deployments ... 301
  Advanced Eventia Reporter Upgrade ... 303
  Enabling Eventia Analyzer after Upgrading Reporter ... 305
Upgrading Eventia Analyzer ... 306
  Upgrading Eventia Analyzer to R70 ... 306
  Verifying the Events Database Has Been Moved ... 308
  Enabling Eventia Reporter ... 308

Chapter 17 Upgrading IPS-1
IPS-1 Upgrade Paths ... 310
  Upgrading from R65.1 to R65.2 ... 310
  Upgrading IPS-1 Management Servers ... 310
Upgrading IPS-1 Sensors ... 311
Upgrading IPS-1 Power Sensors ... 311
  Remotely Upgrading an IPS-1 Power Sensor ... 311
  Reinstalling an IPS-1 Power Sensor ... 312
Upgrading Legacy Sensor Appliances ... 313
  100C and 200C ... 314
  200F ... 314
  310C ... 314
  320C ... 314
  320F ... 314
  500C (pre-Jan 2006) ... 314
  500C (post-Jan 2006) ... 315
  500F (pre-Jan 2006) ... 315
  500F (post-Jan 2006) ... 315

Installation Section

This section covers installing the current version.

Chapter 1 Introduction

In This Chapter

Welcome page 15

Who Should Use This Guide page 16

R70 Documentation page 16

Related Documentation page 18

For New Check Point Customers page 19

Endpoint Security Integration page 20

More Information page 20

Feedback page 20

Welcome

Thank you for choosing Check Point's Internet Security Product Suite. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.

Check Point also delivers worldwide technical services, including educational, professional, and support services, through a network of Authorized Training Centers, Certified Support Partners, and Check Point technical support personnel to ensure that you get the most out of your security investment.


To extend your organization's growing security infrastructure and meet its requirements, we recommend that you consider adopting the OPSEC platform (Open Platform for Security). OPSEC is the industry's open, multi-vendor security framework, which has over 350 partners and the largest selection of best-of-breed integrated applications and deployment platforms.

For additional information on the Internet Security Product Suite and other security solutions, go to http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, go to http://support.checkpoint.com.

For more information about the current release, see the latest version of the Release Notes at http://support.checkpoint.com.

    Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.

Who Should Use This Guide

This guide is intended for administrators responsible for installing and upgrading Check Point security products on the corporate network.

R70 Documentation

Technical documentation is available on your CD-ROM at CD3\Docs\CheckPoint_Suite. These documents can also be found at http://support.checkpoint.com.

    To find out about what's new in R70, read the R70 Getting Started Guide.

    For upgrading Endpoint Security, refer to the Endpoint Security Installation Guide.


New Terms

The following product and technology names have been changed for this version.

Table 1: Product and Technology Names

Versions NG and NGX Products and Technologies -> Version R70 Products and Technologies

Firewall-1 -> Firewall
Integrity -> Endpoint Security
Integrity Clientless Security -> Endpoint Security On Demand
ROBO Gateway -> Check Point SmartLSM Security Gateway
SmartCenter server -> Security Management server
SmartDefense -> IPS
SmartLSM management -> SmartProvisioning
SmartPortal -> Management Portal
VPN-1 (Power/UTM) Gateway -> Check Point Security Gateway
VPN-1 UTM Edge -> UTM-1 Edge
Web Filtering -> URL Filtering
Web Intelligence -> IPS Web Intelligence

Table 2: SmartDashboard Tab Titles

Versions NG and NGX SmartDashboard Tabs -> Version R70 SmartDashboard Tabs

Address Translation -> NAT
Connectra -> SSL VPN
Content Inspection -> Anti-Virus and URL Filtering
Messaging Security -> Anti-Spam and Mail
Security -> Firewall
VPN -> IPSec VPN

    Related Documentation

    The current release includes the following documentation.

    TABLE P-1 Check Point Documentation

    Title / Description

    Internet Security Installation and Upgrade Guide
        Contains detailed installation instructions for Check Point network security products. Explains the available upgrade paths from versions R60 to the current version.

    High-End Installation and Upgrade Guide
        Contains detailed installation instructions for the Provider-1 and VSX products, including hardware and software requirements and licensing requirements. Explains all upgrade paths for Check Point products specifically geared towards upgrading to the current version.

    Security Management Administration Guide
        Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments.

    Firewall Administration Guide
        Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications and URL Filtering (UFP) applications.

    IPS Administration Guide
        Describes how to use IPS to protect against attacks.

    VPN Administration Guide
        Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

    Eventia Reporter Administration Guide
        Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS.

    SecurePlatform/SecurePlatform Pro Administration Guide
        Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.

    Provider-1/SiteManager-1 Administration Guide
        Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

    For New Check Point Customers

    New Check Point customers can access the Check Point User Center in order to:

    Manage users and accounts

    Activate products

    Get support offers

    Open service requests

    Search the Technical Knowledge Base

    To access the Check Point User Center, go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html.

    Endpoint Security Integration

    For in-depth documentation of Provider-1/Security Management server integration with Check Point Endpoint Security products, refer to:

    Endpoint Security Installation Guide

    R70 Security Management Server Administration Guide

    More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com.

    To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

    [email protected]

    Chapter 2 Getting Started

    In This Chapter

    This chapter contains information and terminology related to installing R70.

    Terminology page 22

    Provider-1/SiteManager-1 Terminology page 23

    Hardware and Software Requirements page 24

    Compatibility Tables page 25

    Supported Upgrade Paths and Interoperability page 27

    Licensing R70 page 29

    Terminology

    The following terms are used throughout this chapter:

    Distributed Deployment: When the gateway and the Security Management server are installed on separate machines.

    Gateway: The software component that enforces the organization's security policy and acts as a security enforcement point.

    Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.

    Security Management server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the Security Management server and downloaded to the gateway.

    SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.

    SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.

    Standalone Deployment: When Check Point components responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.

    Provider-1/SiteManager-1 Terminology

    The following Provider-1/SiteManager-1 terms are used throughout this chapter.

    Customer: A business entity or subdivision of a business entity whose networks are protected by security gateways, UTM-1 Edge appliances or other Check Point compatible firewalls. The Customer's security policies and network access are managed using Provider-1/SiteManager-1.

    Customer Log Module (CLM): A log server for a single Customer.

    Customer Management Add-on (CMA): The Provider-1 equivalent of the Security Management server for a single Customer. Using the CMA, an administrator creates security policies and manages customer gateways.

    GUI Client: A computer running Check Point GUI interfaces, such as the Provider-1 MDG, and other SmartConsole applications.

    Internal Certificate Authority (ICA): In addition to authenticating administrators and users, the ICA creates and manages X.509 compliant certificates for Secure Internal Communication (SIC) between security gateways. The MDS has an ICA that secures the Provider-1 management domain. Each CMA has its own ICA to secure its Customer's management domain.

    Multi-Domain Log Module (MLM): An MDS Container dedicated to collecting and storing logs. An MLM is a Container of Customer Log Modules (CLMs).

    Multi-Domain Server (MDS): A server that houses Provider-1 system information. The MDS contains information on Provider-1 deployment, administrators, and customer management. The MDS has two modes:

    Manager: Runs the Provider-1 deployment and is the administrator's entry point into the Provider-1 environment.

    Container: Holds the Customer Management Add-ons (CMAs).

    An MDS can be a Manager, a Container or both.

    Provider-1 Administrator: A security administrator, assigned with granular permissions, that manages specific parts of the Provider-1 system. Administrators can be assigned one of the following four permission levels:

    Provider-1 Superuser: Manages the entire Provider-1 system, which includes all MDS servers, administrators (with all permission levels), Customers and customer networks.

    Customer Superuser: Manages all administrators (with lower permission levels), Customers and customer networks.


    Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.

    Customer Manager: Manages customer networks for specific Customers. Administrators with this permission level can use the MDG application, but they can only view and manage their assigned customers.

    None: Manages customer networks for specific Customers, but cannot access the MDG application.

    Hardware and Software Requirements

    For all hardware and software requirements for each product and platform, see the latest version of the relevant Release Notes at:

    http://support.checkpoint.com

    Compatibility Tables

    If the existing Check Point implementation contains products that are not supported by R70, the R70 installation process terminates. Table 2-1 and Table 2-2 list the supported Check Point products and VPN clients by platform.

    Table 2-1 Supported Products by Platform

    Platform and Operating System (columns): Windows Server 2003 (SP1-2); Windows Server 2008; Check Point SecurePlatform; RHEL 5.0 (kernel 2.6.18); Nokia IPSO 6.0.7; Crossbeam X-Series; Solaris Ultra-SPARC 8, 9, 10. Each X marks one supported platform.

    Product / Management Blade
    Check Point Security Gateway                     X X X X X
    Security Management                              X X X X X X
    Provider-1/SiteManager-1 Server (MDS)            X X X
    Performance Pack                                 X X X
    Advanced Routing                                 X X X
    Management Portal                                X X X X X
    Eventia Suite                                    X X X X X
    ClusterXL                                        X X X X X
    CoreXL                                           X X X
    SmartProvisioning - Enabled SmartLSM Gateways    X X X X
    SmartProvisioning - Enabled Management           X X X X X
    SSL Network Extender Server                      X X X X
    Endpoint Security Server                         X X X X
    VSX Security Gateway                             X (IPSO 5) X

    OSE Supported Routers: Cisco OS Versions: 9.x, 10.x, 11.x, 12.x

    Product Notes

    1. Anti-Virus and Web Filtering are included on SecurePlatform.

    2. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer Server, and Eventia Analyzer Correlation Unit.

    3. ClusterXL is supported only in third party mode with VRRP or IP Clustering. The maximum number of cluster members is eight.

    4. Management Portal is supported on the following Web browsers: Internet Explorer 6 and 7, and Mozilla Firefox 1.5-2.0.

    Platform Notes

    1. UTM-1 Edge devices cannot be managed from a Security Management running on a Nokia IPSO platform.

    2. UserAuthority is not supported on Nokia flash-based platforms.

    3. HA Legacy mode is not supported on Windows Server 2003.

    4. Only UltraSPARC 64-bit is supported; for Security Management only (not for gateways).

    Table 2-2 Supported Clients by Platform

    Platform and Operating System (columns): Windows 2000 Server / Advanced Server (SP1-4); Windows 2000 Pro (SP1-4) / XP Home & Pro (SP3); Windows Mobile 2003, 2003SE, 5.0, 6.0, 6.1; Windows Server 2003 (SP1-2); Windows Vista (SP1); Windows Server 2008; Mac OS 10.4; Mac OS 10.5; Linux. Each X marks one supported platform.

    Check Point Product
    SmartConsole                      X X X X X
    Provider-1/SiteManager-1 MDG      X X X X X
    SecuRemote                        X X X
    SecureClient                      X X X X X X
    SecureClient Mobile               X
    SSL Network Extender              X X X X X
    Endpoint Security Client          X X
    Endpoint Connect Client           X X

    Notes to Supported by Platform Table

    1. To run SmartConsole applications on Windows 2000, you must have Microsoft Installer 3.0 installed.

    2. Microsoft Installer support is required for installation of Endpoint Security clients.

    Supported Upgrade Paths and Interoperability

    In This Section:

    Upgrade Paths and Interoperability page 27

    Upgrading Security Management Servers page 27

    Backward Compatibility For Gateways page 27

    IPS-1 Upgrade Paths and Interoperability page 28

    Upgrade Paths and Interoperability

    Security Management servers and security gateways exist in a wide variety of deployments. Consult Table 2-3 and Table 2-4 to determine which versions of your management server and gateways can be upgraded to R70.

    Upgrading Security Management Servers

    The following Security Management server versions can be upgraded to R70:

    Table 2-3 Security Management server Upgrade Paths

    Release    Version
    NGX        R60, R60A, R61, R62, R65
               R65 with HFA 30 with the Connectra NGX R66 Plug-in
               R65 with Messaging Security
               R65 with the VPN-1 Power VSX NGX R65 Management Plug-in
               R65 with the SmartProvisioning Plug-in
               R65 UTM-1
               R65 Power-1

    Backward Compatibility For Gateways

    R70 Security Management server supports the following gateway versions:

    Table 2-4 Backward Compatibility for Gateways

    Release              Version
    NGX                  R60, R60A, R61, R62, R65
    InterSpect           NGX R60
    Connectra            NGX R61, R62, R62CM, R66
    UTM-1 Edge           7.5.x and above
    Endpoint Security

    Note - R70 cannot manage gateway versions NG, NG FP1, or NG FP2.

    IPS-1 Upgrade Paths and Interoperability

    Upgrade Paths

    Non-Power Sensors installed on SecurePlatform cannot be upgraded to the current version. A new installation is required.

    Alerts Concentrators and IPS-1 Management Servers, including NFR Sentivist Servers and Enterprise Servers, and IPS-1 Power 1000 and 2000 Sensors, of versions 5.x, can be upgraded to the current version. From earlier versions, completely reinstall.

    Interoperability

    Management components of the current release, such as IPS-1 Management Server, Alerts Concentrators and Management Dashboard, are compatible with Sensors of versions 4.1 onwards.

    The different management components (IPS-1 Management Server, Alerts Concentrators and Management Dashboard) must always be of the same version.

    Licensing R70

    Most of the software on this CD is automatically enabled for a 15-day evaluation period. To obtain a permanent license, or to extend the evaluation period, go to the Check Point User Center at:

    https://usercenter.checkpoint.com

    Customers new to the Check Point User Center should go to:

    https://usercenter.checkpoint.com/pub/usercenter/get_started.html

    For further licensing assistance, contact Account Services at: [email protected], or US +1 972-444-6600, option 5.

    Licensing R70

    Licenses are required for the Security Management server and security gateways. No license is required for SmartConsole management clients.

    Check Point gateways enforce the license installed on the gateway by counting the number of users that have crossed the gateway. If the maximum number of users is reached, warning messages are sent to the console.

    The Check Point software is activated using a certificate key, which is located on the back of the software media pack. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.

    Obtaining a License Key

    To obtain a license key from the Check Point User Center:

    1. Add the required Check Point products/evaluations to your User Center account by selecting Accounts & Products > Add Products.

    2. Generate a license key for your products/evaluations by selecting Accounts & Products > Products.

    Select your product(s) and click Activate License. The selected product(s) evaluations have been assigned license keys.

    3. Complete the installation and configuration process by doing the following:

    a. Read and accept the End Users License Agreement.


    b. Import the product license key. Licenses are imported using the Check Point Configuration Tool or SmartUpdate. SmartUpdate allows you to centrally upgrade and manage Check Point software and licenses. The certificate keys associate the product license with the Security Management server, which means that:

    The new license remains valid even if the IP address of the Check Point gateway changes.

    Only one IP address is needed for all licenses.

    A license can be detached from one Check Point gateway and assigned to another.

    Upgrading Licenses

    The upgrade procedure is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).

    The license upgrade procedure runs the license_upgrade command, which makes it easy to automatically upgrade licenses.

    Licensing Provider-1/SiteManager-1

    Provider-1/SiteManager-1 licenses are associated with the IP address of the licensed entity. The Provider-1 Multi-Domain Server (MDS) license is based on the server type: Manager, Container, Combined Manager and Container, or Multi-Domain Log Manager (MLM).

    Manager: A license for the administrator's entry point into the Provider-1/SiteManager-1 environment. The Multi-Domain GUI (MDG) and the Global SmartDashboard tools can connect only to MDS servers with this license.

    Container: A license that defines the maximum number of CMAs running on the MDS machine. With the exception of Provider-1 Enterprise Edition licenses, multiple container licenses can be added together on one container to enable the container to hold up to a maximum of 250 CMAs. In addition, each CMA requires its own CMA license. CMA Pro Add-on licenses, allowing additional management features at the CMA level, can be purchased in bulk. These purchase packages are called Pro Add-ons for MDS.

    Combined Manager and Container: These licenses combine a Manager license with a Container license for a specific number of CMAs. In the case of SiteManager-1 licenses, there are no separate Manager and Container versions available, only the Combined Manager and Container license.


    MLM: A comprehensive license that includes the Customer Log Modules (CLMs) it hosts. There is no need for a separate CLM license if CLMs are hosted on an MLM. A CLM hosted on an MDS server requires its own CLM license.

    Each gateway requires its own license. Licenses are determined according to the number of computing devices (nodes) protected by the gateway. Provider-1 licenses can be imported using the Check Point command-line licensing tool or Provider-1's MDG. For additional information, refer to the Provider-1/SiteManager-1 Administration Guide.

    Licensing IPS-1

    The IPS-1 Management Server requires a license, defined with the ability to manage a fixed maximum number of Sensors. In a Combined installation, where the Alerts Concentrator is installed together with the IPS-1 Management Server, the Alerts Concentrator shares the IPS-1 Management Server's license.

    For any separate Alerts Concentrators and for all Sensors, obtain and add licenses. Licenses are added using IPS-1's Management Dashboard.

    The IPS-1 Management Dashboard does not require a license. However, without a licensed IPS-1 Management Server, the IPS-1 Dashboard will function only in Demo mode.

    All licenses are stored on the IPS-1 Management Server and must have been generated according to the IPS-1 Management Server's IP address.

    Licensing Eventia Suite

    All Eventia Suite licenses are installed on the Eventia Suite Server (not on the Security Management server).

    Correlation Units are licensed by the number of units that are attached to the Eventia Analyzer Server.

    Chapter 3 Setup and Installation

    In This Chapter

    Overview page 34

    Installing on SecurePlatform page 35

    Installing on Windows page 44

    Installing on Solaris or Linux page 46

    Installing on Nokia page 48

    Initially Configuring Products page 51

    Where To From Here? page 58

    Overview

    Check Point software is designed to work across multiple platforms and pre-configured appliances. Each installation differs depending on the product and the platform.

    For upgrading an existing installation, see the upgrade section.

    Check Point products can be installed in the following two types of deployments:

    Standalone Deployment: Check Point components that are responsible for the management of the security policy (the Security Management server and the gateway) are installed on the same machine.

    Distributed Deployment: The Security gateway and the Security Management server are installed on different machines.

    In both deployments, SmartConsole can be installed on any machine. Installation consists of the following steps:

    Install the components that manage or enforce the security policy (for example, the Security Management server, the security gateway, and the log server).

    Install one or more SmartConsole clients to manage different aspects of the deployment. For example, SmartDashboard is used by the system administrator to create and manage the security policy. Any number of SmartConsole GUI applications can be installed on the same machine.

    Note - The TCP/IP network protocol must be installed, properly configured, and operational before you begin the installation process.

    Installing on SecurePlatform

    In This Section:

    Installing SecurePlatform Using the CD page 35

    Installing SecurePlatform from the Network page 37

    Initially Configuring SecurePlatform page 41

    Installing R70 Products on SecurePlatform page 42

    Configuring SecurePlatform Using WebUI page 43

    Installing SecurePlatform Using the CD

    To install SecurePlatform using the CD:

    1. Insert CD1 from the media pack into the CD drive, and boot the computer from the CD. After booting, the Welcome message appears. If you do not press Enter within 90 seconds, the computer boots from the hard drive.

    The installation program is loaded.

    2. The following options are displayed:

    Device List: When selected, the Hardware Scan Details menu displays.

    Add Driver: When selected, the Devices menu opens. Sometimes updated hardware is incompatible with the previous version's driver and you receive an error message during installation because the operating system could not find the appropriate hard disk driver. Alternatively, the installation may be complete, but the hardware does not function properly. The Add Driver option enables you to add the missing driver during the installation process. To continue, select OK.

    3. A list of software blades is displayed:

    Security Gateway

    Security Management server

    Eventia Suite

    Endpoint Security (CD2)

    Performance Pack

    Management Portal


    4. Use the space bar to select the appropriate products and select OK.

    5. Select the type of system to install:

    SecurePlatform

    SecurePlatform Pro (which includes the advanced dynamic routing suite)

    6. The Keyboard Selection menu opens.

    7. Select a keyboard type.

    8. From the Network Interface Configuration menu, define the:

    IP address of the management interface

    Netmask and Default gateway for the first network interface (eth0 on most systems).

    9. From the HTTPS Server Configuration menu, enable or disable web-based configuration using SecurePlatform's WebUI.

    Note - If you intend to deploy remote access or Endpoint Security software, select a port other than 443.

    10. Select OK.

    A message confirms that you are about to format your hard drive.

    Warning - The formatting procedure erases all information located on your hard drive.

    11. Select OK to:

    Format your hard drive

    Extract, copy files, and install SecurePlatform software blades.

    Perform post install configuration

    Install the boot loader

    The installation process can take several minutes to complete.

    12. When the Installation Complete message appears, remove the installation CD from the drive, and select OK to reboot the system.

    Continue to Initially Configuring SecurePlatform on page 41.

    Installing SecurePlatform from the Network

    In This Section

    General Workflow page 37

    Client Setup page 38

    Server Setup page 38

    General Workflow

    The client's requirements are minimal. Only PXE is required. On the server, you must install:

    A DHCP daemon

    A TFTP daemon

    The PXE boot loader

    The kernel

    The ramdisk

    Then:

    1. The client boots from the network, using the PXE network loader.

    2. The client sends a broadcast request, using the BOOTP protocol.

    3. The server responds to the client, by providing the client's assigned IP address and a filename (pxelinux.0 by default), from which to download the PXE boot loader.

    4. The client downloads the PXE Boot Loader, using TFTP, and executes it.

    5. The PXE boot loader downloads a PXE configuration file from the server, containing the names of the kernel and the ramdisk that the client requires.

    6. The PXE boot loader downloads the kernel and the ramdisk.

    7. The kernel is run, using the ramdisk as its environment.

    8. The Installer is executed.

    9. At this point the installation can be configured to load files from the FTP server.

    Client Setup

    On the client machine, enable the network boot, using PXE, from the BIOS setup. (It sometimes appears as DHCP.)

    Server Setup

    In This Section

    Required Packages page 38

    DHCP Daemon Setup page 39

    TFTP and FTP Daemon Setup page 40

    Hosting Installation Files page 41

    Required Packages

    The following packages are required for server setup:

    DHCP daemon (located on the Check Point CDROM and installed, by default, on SecurePlatform)

    Xinetd (/SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm on the Check Point CDROM)

    TFTP daemon (/SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm)

    FTP server (/SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm)

    TCP-Wrappers package (/SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm)

    Kernel (can be found on the SecurePlatform CD at /SecurePlatform/kernel)

    Ramdisk (can be found on the SecurePlatform CD at /SecurePlatform/ramdisk-pxe)

    Note - To access files on the Check Point CDROM, insert the CDROM into the CDROM drive and enter the command: # mount /mnt/cdrom


    PXELINUX Configuration Files

    /SecurePlatform/RPMS/tftp-server-0.32-4cp.i386.rpm includes a default configuration file (located under /tftpboot/pxelinux.cfg) that will serve the kernel and ramdisk to any host. Because more than one system may be booted from the same server, the configuration file name depends on the IP address of the booting machine.

    PXELINUX will search for its config file on the boot server in the following way:

    1. PXELINUX will search for its config file, using its own IP address, in upper case hexadecimal, e.g. 192.0.2.91 -> C000025B.

    2. If that file is not found, PXELINUX will remove one hex digit and try again. Ultimately, PXELINUX will try looking for a file named default (in lower case).

    As an example, for 192.0.2.91, PXELINUX will try C000025B, C000025, C00002, C0000, C000, C00, C0, C, and default, in that order.
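    The search order above, worked through in Python as an added example (this is not code from the Check Point guide): the client's IPv4 address becomes eight upper-case hex digits, one trailing digit is dropped per step, and "default" comes last. Beyond what the guide describes, the optional MAC argument adds the "01-<mac>" name that PXELINUX tries before the IP-based names; the function names and the set of files used in the demo are assumptions of this example.

```python
"""PXELINUX configuration file lookup order for a network-booting client.

Added example (not from the Check Point guide) for the search performed
under /tftpboot/pxelinux.cfg: the client's IPv4 address as upper-case
hexadecimal, then that name shortened by one hex digit at a time, then
'default'.
"""
import ipaddress


def client_ip_hex(client_ip):
    """Encode a dotted-quad IPv4 address as 8 upper-case hex digits.

    192.0.2.91 -> C000025B (each octet becomes two hex digits).
    """
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on a bad address
    return "%08X" % int(ip)


def pxelinux_config_candidates(client_ip, mac=None):
    """Return the file names PXELINUX tries, in order, for one client.

    If a MAC address is given, the '01-<mac>' name (lower case, dashes) is
    placed first; PXELINUX tries that before the IP-based names, although
    the guide only describes the IP-based part of the search.
    """
    names = []
    if mac is not None:
        names.append("01-" + mac.lower().replace(":", "-"))
    hex_name = client_ip_hex(client_ip)
    # Full 8-digit name first, then drop one trailing hex digit per step.
    names.extend(hex_name[:length] for length in range(8, 0, -1))
    names.append("default")
    return names


def select_config(client_ip, available, mac=None):
    """Pick the config file PXELINUX would load for this client.

    `available` is the set of file names present under pxelinux.cfg on the
    boot server (constructed by the caller; this example does not read the
    file system). Returns None when no candidate, not even 'default', exists.
    """
    for name in pxelinux_config_candidates(client_ip, mac):
        if name in available:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a file keyed on the first six hex digits of
    # 192.92.93.32 (the host from the dhcpd.conf sample) plus 'default'.
    # A six-digit name such as C05C5D matches every host in 192.92.93.0/24,
    # because the dropped digits encode the last octet.
    present = {"C05C5D", "default"}
    print(pxelinux_config_candidates("192.0.2.91"))
    print(select_config("192.92.93.32", present))   # C05C5D
    print(select_config("192.92.93.33", present))   # C05C5D (same /24)
    print(select_config("10.0.0.5", present))       # default
```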

    Assuming the kernel and ramdisk files are named kernel and ramdisk, respectively, a default configuration file, which will serve these to all clients, will look like this:

    default bootnet
    label bootnet
        kernel kernel
        append initrd=ramdisk lang= devfs=nomount \
            ramdisk_size=80024 console=tty0

    DHCP Daemon Setup

    To set up the DHCP Daemon, perform the following procedure:

    1. Enter the sysconfig utility and enable the DHCP server.

    2. Edit the daemon's configuration file, found at /etc/dhcpd.conf. The configuration file should include a subnet declaration for each subnet the DHCP server is connected to. In addition, the configuration should include a host declaration for each host that will use this server for remote installation. A sample configuration file follows:

    subnet 192.92.93.0 netmask 255.255.255.0 {
    }
    host foo {
        # The client's MAC address
        hardware ethernet xx:xx:xx:xx:xx:xx;
        # The IP address that will be assigned to the
        # client by this server
        fixed-address 192.92.93.32;
        # The file to upload
        filename "/pxelinux.0";
    }

    TFTP and FTP Daemon Setup

    To set up the TFTP and FTP Daemons, perform the following procedure:

    1. Install /SecurePlatform/RPMS/tcp_wrappers-7.6-34.4cp.i386.rpm (the TCP wrappers package).

    2. Install /SecurePlatform/RPMS/xinetd-2.3.11-4cp.i386.rpm. (The xinetd package is a prerequisite for the tftp-server and ftpd.)

    3. Install the TFTP Daemon RPM:

    # rpm -i /SecurePlatform/RPMS/tftp-server-0.32-5cp.i386.rpm

    4. Install the FTP Daemon RPM:

    # rpm -i /SecurePlatform/RPMS/ftpd-0.3.3-118.4cp.i386.rpm

    5. Force xinetd to reread its configuration:

    # service xinetd restart


    Hosting Installation Files

    An FTP server installed on SecurePlatform will be used to host the installation files. During the installation process, you will be asked to supply the IP of the installation server, the credentials on that server, and the path to the installation packages. Supply the IP of the SecurePlatform installation server, the Administrator's credentials, and the path to the SecurePlatform packages.

    You can also use different FTP servers, or HTTP servers, to host SecurePlatform installation files.

    Initially Configuring SecurePlatform

    After the operating system installation is complete and the computer has rebooted:

    1. From the SecurePlatform boot menu, Start in normal mode.

    2. Log in using admin as your username and password.

    3. When prompted, change the default username and password. Ensure that the new password contains more than six characters and has a combination of upper- and lowercase letters and numbers.

    4. On the command line, run: cpconfig.

    5. A first-time configuration wizard for the SecurePlatform device opens, and displays a Welcome message.

    6. Press n to proceed to the next menu.

    The following Network Configuration menu options are displayed:

    Option                  Purpose
    Host Name               Sets and displays the host name
    Domain Name             Sets and displays the domain name
    Domain Name Servers     Adds, removes, displays domain name servers
    Network Connections     Adds, configures, removes, displays network connections
    Routing                 Sets and shows a default gateway

    7. Use the menu options to configure:

    The host name

    The domain name and at least one DNS server

    The computer's network interfaces

    The default gateway (if required)

    8. Once Network Configuration is complete, select the Time and Date Configuration menu option and configure the following:

    Time zone

    Date

    Local time

    Show date and time settings

    9. Press n.

    The Import Check Point Products Configuration window opens and displays the Fetch Import file from TFTP Server option. If you exported the configuration of another SecurePlatform installation, you can now import that configuration.

    For additional information, see: Advanced Upgrade on SecurePlatform on page 219.

    10. Press n to continue to products installation.

    Installing R70 Products on SecurePlatform

    The Check Point product installation wizard continues from SecurePlatform's first-time system configuration (sysconfig) wizard.

    1. The welcome message appears, beginning the installation wizard. Press n.

    2. Read and accept the End User License agreement.

    3. Select either:

    New Installation

    Installation Using Imported Configuration

    4. A product list is displayed:

    Security Gateway

    User Authority

    Security Management

    Eventia Suite

    Endpoint Security (CD2 required)

    Performance Pack

    Management Portal

    5. Select the appropriate products and press n.

    6. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.

    7. If you selected Eventia Suite, select which Eventia product should be installed: Reporter, Correlation Unit, or Analyzer.

    8. A message validates your choice of products. Press n.

    The required installation files are extracted and the products are installed. If you chose to install Security Management server, the Check Point Configuration program opens and guides you through the configuration of:

    a. Licenses

    b. Administrators (name and password)

    c. GUI clients

    d. A random pool of data for cryptographic operations

    e. A Certificate Authority and saving the fingerprint

    See: Using the Configuration Tool on Unix Systems on page 54.

    9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.

    Configuring SecurePlatform Using WebUI

    You can also use the WebUI to configure network settings, apply a license, and install and configure products. After system reboot, use your browser to connect to the IP address specified in step 8 on page 36.


    Installing on Windows

    The installation on a Windows platform is GUI based. The windows displayed during installation differ depending on the installed Check Point components.

    To perform a new installation on a Windows platform:

    1. Log on as Administrator and insert the CD. The installation wizard automatically starts and a Congratulations message displays.

    2. Review the Evaluation Options then click Forward.

    3. Accept the terms of the End Users License Agreement.

    4. Select one of the following installation options:

    Demo installation (SmartConsole only)

    New installation

    Installation using an imported configuration (for additional information, see: Advanced Upgrade on a Windows Platform on page 228).

    5. Click Forward.

    If you selected Installation Using Imported Configuration, you are prompted to provide the location of the imported configuration file.

    A list of products is displayed:

    6. Select the products you wish to install and click Forward.

    7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server and whether a Log server should also be installed.

    8. Confirm installation of selected products. Click Forward.

    The selected products are installed. For first time installations, the Check Point Configuration Tool runs automatically and prompts you to (for Security Management server):


    a. Add licenses

    b. Add administrators

    c. Specify remote clients from which an administrator can log into Security Management server

    d. Initialize the Internal Certificate Authority

    e. Export the Security Management server fingerprint to a text file

    For additional information, refer to the Configuration Tool Overview on page 51.

    9. Reboot the machine. IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections, for example, install policy operations. This policy remains in place until you have installed the first Security Policy.


    Installing on Solaris or Linux

    Installation on Linux and Solaris platforms is run from a command line, with a wizard that guides you through installation. For SecurePlatform there is a separate installation procedure, which is described in Installing on SecurePlatform on page 35.

    To perform a new installation on a Linux or Solaris platform:

    1. Mount the CD on the appropriate subdirectory.

    2. From the root directory of the CD, run:

    ./UnixInstallScript

    The wrapper welcome message appears, beginning the installation wizard. Press n.

    3. Read and accept the terms of the End User License Agreement.

    4. Select New Installation and press n.

    5. A product list is displayed:

    Security Gateway

    User Authority

    Security Management

    Eventia Suite

    Endpoint Security

    Performance Pack

    Management Portal

    6. Select the products you wish to install and press n.

    7. If you selected Security Management server, decide whether it should be installed as a primary or secondary Security Management server, and whether a Log server should also be installed.

    8. Confirm the selected products by pressing n.

    9. Once product installation is complete, the Check Point Configuration tool prompts for various configuration options. For a Security Management server, the stages are:

    a. Add licenses. The Check Point Configuration program only manages local licenses on this machine. The recommended way to manage licenses is using SmartUpdate.

    b. Configure GUI clients (a list of hosts that are able to connect to the Security Management server using SmartConsole).

    c. Configure group permissions by specifying a group name.

    d. Configure the Certificate Authority, and save the CA's Fingerprint to a file.

    10. Reboot the machine.

    IP forwarding is automatically disabled and a default security policy is applied to the gateway. The default Security Policy forbids all inbound connections, except for control connections such as install policy operations. This policy remains in place until you have installed the first security policy.


    Installing on Nokia

    Installation on Nokia platforms is performed from a console or Nokia Network Voyager (a secure web-based network element management application). Use a console to perform the initial configuration.

    You can also use Nokia Horizon Manager to install and configure Check Point components on multiple Nokia appliances simultaneously. For additional information, refer to Nokia Horizon Manager documentation on the Nokia Support website:

    http://support.nokia.com

    A software package for Nokia IPSO 6.07 is available from the Check Point download center at:

    http://www.checkpoint.com/techsupport/downloads.jsp.

    If you have a Nokia gateway with IPSO 4.2 already installed, then skip to step 13 on page 49.

    If you are performing a new installation on an older IPSO gateway, then start here:

    Before Installing:

    From the Check Point website, download: IPSO_Wrapper_R70.tgz.

    From Nokia, download: UTM-Base Build 004

    To install with UTM functionality:

    1. Enter the Network Voyager and open a CLI console.

    2. Click System Configuration > Install New IPSO Image.

    The New Image Installation Upgrade window opens.

    3. Enter the following information (for IPSO 4.2):

    Enter URL to the image location

    Enter HTTP Realm (for HTTP URLs only)

    Enter Username (if applicable)

    Enter Password (if applicable)

    Note - Verify from Nokia that you have IPSO 4.2 with UTM compatibility (IPSO 4.2 Build 041)


    4. Click Apply.

    You are informed that the file download and image installation may take some time.

    5. Click Apply.

    A message is displayed indicating that the new image installation process has started.

    6. When you receive a Success message, click UP > UP > Manage IPSO Images.

    The IPSO Image Management window opens.

    7. Under the title Select an image for next boot, select the last downloaded image: IPSO 4.2

    8. Click Test Boot.

    9. Access the CLI console to see when the Reboot is complete. Once the Reboot is complete, go back to the Network Voyager to verify that the image was set properly.

    10. In the Network Voyager, click Refresh and log in.

    11. If you are not returned to the last window you were in, click System Configuration > Manage IPSO Images.

    You should be able to see that the relevant IPSO Image is selected.

    12. Select Commit testboot and click Apply.

    13. Access the CLI console, and log in.

    14. Type newpkg, and press Enter.

    15. Use the FTP menu option to transfer the UTM-Base package.

    16. Install the UTM-Base package.

    Wait until a message informs you that the process is complete.

    17. Activate the UTM-Base package.

    18. In Voyager, verify that the UTM Base package is turned ON.

    19. On the CLI, type newpkg, and press Enter.

    20. Use the FTP menu option to transfer the IPSO_Wrapper_.tgz package.

    21. Install the IPSO_Wrapper_R70 package.

    Wait until a message informs you that the process is complete.


    22. Type Reboot and press Enter.

    23. From a console connection, run cpconfig.

    24. Select an installation type, Stand Alone or Distributed.

    25. Select Security Management server from the selection list.

    26. Specify the Security Management server type as Primary or Secondary. Note - Only relevant for a distributed deployment.

    27. Add Licenses.

    28. Configure an administrator name and password.

    29. Configure the GUI clients and hosts which can access the Security Management server using SmartConsole.

    30. Configure Group Permissions.

    31. Configure a pool of characters for use in cryptographic operations. Type randomly until the progress bar is full.

    32. Configure the Certificate Authority, and save the CA's Fingerprint to a file.

    33. Start the installed products.

    If you opt not to start the installed products at this time, they can be started later by running cpstart.

    34. Reboot.

    Enabling Native IPSO Security Servers

    Once Anti-virus and Web filtering are enabled, the relevant traffic is blocked from passing through the gateway. If the relevant traffic is not blocked, run the fwlinux2ipso command on the gateway to manually activate the native IPSO security servers. (When the UTM-Base package was installed and activated, the native IPSO security servers should have been activated as well.)


    Initially Configuring Products

    In This Section:

    Configuration Tool Overview page 51

    Using the Configuration Tool on Windows Systems page 52

    Using the Configuration Tool on Unix Systems page 54

    Logging In for the First Time page 55

    Configuration Tool Overview

    The Configuration Tool runs automatically once the installation process is complete. The Configuration Tool can also be run manually by running the cpconfig command. The configuration options vary according to the installed product. The examples in this chapter are for a Security Management server.

    The Configuration Tool is used to configure:

    Licenses: Generates a license for the Security Management server and the gateway.

    Administrators: Creates an administrator with Security Management server access permissions. The administrator must have Read/Write permissions in order to create the first security policy.

    GUI Clients: Creates a list of names or IP addresses for machines that can connect to the Security Management server using SmartConsole.

    Key Hit Session: Creates a random seed for use in various cryptographic operations.

    Certificate Authority: Provides definitions that are used to initiate the Internal Certificate Authority, which enables secure communication between the Security Management server and its gateways. For some operating systems, such as Windows, you must specify the name of the host where the ICA resides. You may use the default name or provide your own. The ICA name should be in the hostname.domain format, for example, ica.checkpoint.com.

    Fingerprint: Verifies the identity of the Security Management server the first time you log in to SmartConsole. Upon SmartConsole login, a Fingerprint is displayed. This Fingerprint must match the Fingerprint shown in the Configuration Tool window in order for authentication to succeed. You may want to export this Fingerprint for verification purposes when you log in to SmartConsole for the first time.

    Using the Configuration Tool on Windows Systems

    To configure using the Configuration Tool on Windows systems:

    1. Open the Configuration Tool by selecting Start > Run > cpconfig.

    2. In the Licenses tab, perform one or both of the following procedures:

    a. Fetch one or more licenses from a file.

    i. Click Fetch from File.

    ii. Browse to the license file, select it and click Open. The license(s) that belong to this host are added.

    b. Add a license manually.

    i. Click Add. The Add License window opens.

    ii. Configure the appropriate options in the Add License window.

    iii. Click OK to add the newly configured license.

    3. Click Next.

    4. In the Administrators tab, click Add. Add an administrator that uses SmartConsole to connect to the Security Management server. From NGX version R60, only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.

    5. From the Add Administrator window, configure the required parameters and click OK.

    6. Click Next.

    7. On the GUI Clients tab, add a GUI client.

    8. Type the GUI client's name in the Remote hostname field.

    9. Click Add. You can add a GUI client using any of the following formats:

    IP address: For example, 1.2.3.4.

    IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.

    Machine name: For example, Alice, or Alice.checkpoint.com.

    Any: Any IP address.

    IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.

    Wild cards: For example, 192.168.10.

    Note - If you do not define at least one GUI client, you can only manage the Security Management server from a GUI client that runs on the same machine as the Security Management server.

    10. Click Next.

    11. In the Certificate Authority tab, add a name in the hostname.domain format, for example, ica.checkpoint.com. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.

    12. Click Next. The Fingerprint window opens and displays the Fingerprint of the Security Management server. The Fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole.

    13. From the Fingerprint window, click Export to file and save the file. The Fingerprint is exported to a text file that can be accessed from the SmartConsole client machine(s) and used to confirm the Fingerprint of the Security Management server.

    14. Once configuration using the Configuration Tool is complete, do the following:

    a. From SmartConsole, perform a first time connection to the Security Management server. The Fingerprint of the Security Management server displays.

    b. Ensure that the Security Management server Fingerprint matches the Fingerprint displayed in SmartConsole.

    Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.

    Note - Do not perform a first time connection to the Security Management server from SmartConsole unless the Security Management server Fingerprint is accessible and you can confirm that it matches the Fingerprint displayed in SmartConsole.


    15. Close the Configuration Tool.

    Using the Configuration Tool on Unix Systems

    To complete the installation process, use the Check Point Configuration Tool to configure the Security Management server or security gateway.

    To configure using the Configuration Tool on Unix systems:

    Access the Configuration Tool, then:

    1. Add licenses. A license can be added manually or fetched from a file.

    2. Add administrators. Add an administrator that uses SmartConsole to connect to the Security Management server. Only one administrator can be added using the Configuration Tool. Additional administrators can be added using SmartDashboard.

    3. Define GUI clients. You can add GUI clients using any of the following formats:

    IP address: For example, 1.2.3.4.

    IP/netmask: A range of IP addresses, for example, 192.168.10.0/255.255.255.0.

    Machine name: For example, Alice, or Alice.checkpoint.com.

    Any: Any IP address.

    IP1-IP2: A range of IP addresses, for example, 192.168.10.8 - 192.168.10.16.

    Wild cards: For example, 192.168.10.

    4. Initialize the Internal Certificate Authority. This option enables you to initialize an Internal Certificate Authority (ICA) on the Security Management server and a Secure Internal Communication (SIC) certificate for the Security Management server. SIC certificates authenticate communication between Check Point communicating components, or between Check Point communicating components and OPSEC applications.

    5. Export the Security Management server's fingerprint to a text file. The fingerprint, a text string derived from the Security Management server certificate, is used to verify the identity of the Security Management server that is being accessed through SmartConsole. The first time SmartConsole connects to the Security Management server, compare this string to the string displayed in SmartDashboard.

    6. Start the installed products.

    Note - For first time installations, the Configuration Tool runs automatically. The Configuration Tool can also be run after installation is complete using the cpconfig command.
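    The GUI client entry formats listed in this procedure (and the identical list in the Windows procedure) form an allow-list that decides which hosts may open a SmartConsole session to the Security Management server. The following Python is an added example, not Check Point code, that parses each of those formats and tests whether a connecting address is permitted. It assumes the wildcard form uses an asterisk for the free octet (192.168.10.*), resolves machine names through a caller-supplied lookup so it can be exercised offline, and approximates the "no GUI clients defined means local machine only" rule from the Windows note as "loopback only". The sample allow-list at the bottom is constructed.

```python
"""GUI client allow-list matcher (added example; not Check Point code).

Parses the entry formats accepted on the Configuration Tool's GUI Clients page
(IP address, IP/netmask, machine name, Any, IP1-IP2, wildcard) and decides
whether a connecting SmartConsole address is permitted.
"""
import ipaddress
import re
import socket

# RFC 1123-style host name, a single label or a dotted name (Alice, Alice.checkpoint.com)
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _ip(text):
    """IPv4Address for text, or None if it is not a literal address."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ValueError:
        return None


def parse_gui_client(entry):
    """Classify one GUI client entry as (kind, value); raise ValueError if malformed."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty GUI client entry")
    if entry.lower() == "any":
        return ("any", None)
    if "/" in entry:  # IP/netmask, e.g. 192.168.10.0/255.255.255.0 (dotted mask accepted)
        return ("net", ipaddress.IPv4Network(entry, strict=False))
    if "-" in entry:  # IP1-IP2, e.g. 192.168.10.8 - 192.168.10.16 (inclusive)
        lo, hi = (_ip(part) for part in entry.split("-", 1))
        if lo is not None and hi is not None:
            if lo > hi:
                raise ValueError(f"reversed address range: {entry}")
            return ("range", (lo, hi))
        # a '-' inside a host name such as alice-pc falls through to the name check
    if "*" in entry:  # wildcard octets; using '*' for the free octet is an assumption here
        octets = entry.split(".")
        if len(octets) != 4 or any(
            o != "*" and not (o.isdigit() and int(o) <= 255) for o in octets
        ):
            raise ValueError(f"malformed wildcard entry: {entry}")
        return ("wild", octets)
    ip = _ip(entry)
    if ip is not None:
        return ("ip", ip)
    if HOSTNAME_RE.match(entry):
        return ("host", entry.lower())
    raise ValueError(f"unrecognised GUI client entry: {entry!r}")


def _dns_resolve(name):
    """Default resolver: every IPv4 address the name resolves to (empty on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def _matches(client_ip, parsed, resolve):
    kind, value = parsed
    if kind == "any":
        return True
    if kind == "ip":
        return client_ip == value
    if kind == "net":
        return client_ip in value
    if kind == "range":
        return value[0] <= client_ip <= value[1]
    if kind == "wild":  # compare each fixed octet against the packed address bytes
        return all(o == "*" or int(o) == b for o, b in zip(value, client_ip.packed))
    if kind == "host":
        return any(client_ip == _ip(addr) for addr in resolve(value))
    return False


def is_allowed(client, entries, resolve=_dns_resolve):
    """True if `client` (IPv4 text) matches any entry in `entries`.

    With no entries defined only the local machine may connect; this example
    approximates that as the loopback address.
    """
    client_ip = ipaddress.IPv4Address(client)
    if not entries:
        return client_ip.is_loopback
    return any(_matches(client_ip, parse_gui_client(e), resolve) for e in entries)


# Constructed sample allow-list, not taken from any real configuration.
SAMPLE_GUI_CLIENTS = [
    "192.168.10.0/255.255.255.0",
    "192.168.10.8 - 192.168.10.16",
    "Alice.checkpoint.com",
]

if __name__ == "__main__":
    for addr in ("192.168.10.77", "10.0.0.5", "127.0.0.1"):
        verdict = is_allowed(addr, SAMPLE_GUI_CLIENTS, resolve=lambda n: [])
        print(f"{addr:>15}: {'allowed' if verdict else 'denied'}")
```

    Machine-name entries are only as trustworthy as the name resolution behind them, which is why the resolver is injectable: in production it would be the host's DNS, and a name that resolves to nothing denies rather than allows. A malformed entry raises instead of silently matching nothing, so a typo in the allow-list is noticed at configuration time.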

    Logging In for the First Time

    The Login Process

    Administrators connect to the Security Management server through SmartDashboard using the same process as SmartConsole clients. The administrator and the Security Management server are first authenticated (to create a secure channel of communication) and then the selected SmartConsole starts.

    After the first login, the administrator can create a certificate for subsequent logins. For additional information on how to create a certificate, refer to the R70 Security Management server Administration Guide.

    Authenticating the Administrator

    To authenticate the administrator:

    Note - Components can communicate with each other only once the Certificate Authority is initialized and each component has received a SIC certificate.


    1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole > SmartDashboard.

    2. Log in using the User Name and Password defined in the Configuration Tool's Administrators page during the Security Management server installation.

    If you are using a locally stored certificate to authenticate your connection, browse to its location and enter the certificate's password. The certificate's password can be changed by expanding the More Options link and clicking Change Password.

    3. Specify the name or IP address of the target Security Management server and click OK.

    4. Decide whether to connect in Read Only mode. This mode enables you to view the current configuration without accidentally changing it. It also gives access to Security Management server when another designated administrator is already connected.

    5. More Options. Clicking the More Options link enables you to fine tune how SmartDashboard connects to Security Management server.

    The Change Password button in the Certificate Management area of the dialog enables you to change the password that protects the certificate.


    Session Description. Descriptive information entered here populates the Session ID field available in SmartView Tracker's Audit Mode. The field can be used to explain why a particular administrator is connecting to Security Management server.

    Use compressed connection. This option optimizes the connection to Security Management server. By default, the connection to Security Management server is compressed. For a very large configuration database, disabling the compression may help reduce load on the Security Management server.

    Do not save recent connections information. By default, SmartDashboard remembers the last user ID and Security Management server to which a connection was made. Select this option to prevent SmartDashboard from displaying the last administrator and Security Management server to which the administrator successfully connected.

    Plug-in Demo Mode. This option enables SmartDashboard demo mode to display windows and options specific to a particular Plug-in. Select the Plug-in from the Versions drop-down box.

    6. Manually authenticate the Security Management server using the Fingerprint provided during the configuration process.

    Note - This step is only necessary the first time you log in from a given client computer, since once the Security Management server is authenticated, the Fingerprint is saved in the SmartConsole computer's registry.
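    Steps 12 and 13 of the Windows Configuration Tool procedure, step 5 of the Unix procedure, and step 6 above all come down to one check: the fingerprint SmartConsole shows must equal the one the Configuration Tool exported, and after that first verified login the client caches it. The Python below is an added example, not Check Point's code, that performs that comparison in constant time and keeps a per-server record of verified fingerprints so that a later login presenting a different fingerprint is refused rather than silently accepted. The server name and fingerprint words are constructed, the JSON store stands in for the registry entry the guide describes, and the exported file is assumed to contain only the fingerprint text.

```python
"""Fingerprint check for the first SmartConsole login (added example; not Check Point code).

The Configuration Tool exports the Security Management server fingerprint to a
text file; SmartConsole shows a fingerprint on the first connection. This helper
compares the two and keeps a per-server record of verified fingerprints, so a
later login that presents a different fingerprint is refused instead of trusted.
"""
import hmac
import json
import pathlib


class FingerprintMismatch(Exception):
    """The fingerprint shown at login differs from the trusted one."""


class UnverifiedFirstConnection(Exception):
    """First connection to a server with no exported fingerprint to check against."""


def normalise(fingerprint):
    """Collapse whitespace and case so only the fingerprint words are compared."""
    return " ".join(fingerprint.split()).upper()


def read_exported_fingerprint(path):
    """Read the file written by 'Export to file'; assumed to hold only the fingerprint text."""
    return normalise(pathlib.Path(path).read_text(encoding="utf-8"))


def _same(a, b):
    # Constant-time comparison: does not leak how many leading characters matched.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class FingerprintStore:
    """Trusted fingerprint per server, persisted to a JSON file when `path` is given.

    Stands in for the registry entry SmartConsole writes after the first verified
    login; kept in memory when path is None.
    """

    def __init__(self, path=None):
        self.path = pathlib.Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text(encoding="utf-8"))

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2), encoding="utf-8")

    def check(self, server, shown, exported=None):
        """Decide whether the login to `server` may proceed.

        shown    -- fingerprint displayed by SmartConsole for this connection
        exported -- fingerprint from the Configuration Tool export (first login only)
        Returns "verified" on a successful first login and "known" on later ones;
        raises on a mismatch, or on a first login with no exported fingerprint.
        """
        shown = normalise(shown)
        trusted = self.known.get(server)
        if trusted is not None:
            # Later logins: the server must present the fingerprint verified earlier.
            if not _same(trusted, shown):
                raise FingerprintMismatch(
                    f"{server}: fingerprint changed since it was verified; do not log in"
                )
            return "known"
        if exported is None:
            # The guide's rule: no first connection without the export in hand.
            raise UnverifiedFirstConnection(
                f"{server}: first connection, but no exported fingerprint to compare"
            )
        if not _same(normalise(exported), shown):
            raise FingerprintMismatch(f"{server}: shown fingerprint does not match the export")
        self.known[server] = shown
        self._save()
        return "verified"


# Constructed sample values; the real fingerprint text is whatever the tool exports.
SAMPLE_SERVER = "mgmt.example.net"
SAMPLE_EXPORT = "ABLE BAKER CHARLIE DOG EASY FOX"

if __name__ == "__main__":
    store = FingerprintStore()
    print(store.check(SAMPLE_SERVER, "able  baker charlie dog easy fox", exported=SAMPLE_EXPORT))
    print(store.check(SAMPLE_SERVER, SAMPLE_EXPORT))
```

    The two failure modes are deliberately distinct exceptions: a first connection without the export is a procedural gap that the administrator fixes by fetching the file, whereas a changed fingerprint on a server that was verified before is the signal a defender actually wants to see, and the login should not continue until it is explained.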


    Where To From Here?

    You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.

    Check Point documentation is available in PDF format on the Check Point CD and the Technical Support download site at: http://support.checkpoint.com

    Be sure to also use the Check Point Online Help when you are working with the Check Point SmartConsole clients.

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at: http://support.checkpoint.com


    Chapter 4 Installing Provider-1

    In This Chapter:

    Overview page 60

    Creating the Provider-1 Environment page 61

    Where To From Here? page 75


    Overview

    A typical Management Service Provider (MSP) manages and protects many customer networks. Provider-1 ensures compatibility with a wide range of security schemes and product deployments.

    Figure 4-1 Sample Provider-1 Deployment

    The components of a basic Provider-1 deployment are:

    MDS: Each Provider-1 network must have at least one Manager and one Container. They can be installed on the same server or separately.

    MDG and SmartConsole Applications: Installed on a GUI client (a computer running Check Point GUI) and support centralized system management.

    CMAs: Installed on a Container MDS. Each CMA manages the network of a single customer domain.

    Customer Gateways: Protect the customers' networks.

    NOC Gateways: Protect the MSP headquarters and network/security operations centers: