10 April 2012

How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO

© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=15361

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date        Description
4/10/2012   First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO ).

Contents

Important Information ... 3
How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO ... 5
    Objective ... 5
        Supported Versions ... 5
        Supported Operating Systems ... 5
        Supported Appliances ... 5
    Before You Start ... 5
        Related Documents and Assumed Knowledge ... 5
        Impact on Environment and Warnings ... 6
    Setting up a Bridge Mode Firewall on an IP Appliance with IPSO ... 6
        Setting up a Bridge Mode Group ... 6
        Configuring the bridge Mode Group on an IP appliance with IPSO 6.2 ... 19
        Configuring a High Availability Bridge Mode Firewall ... 29
Index ... 35


How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO

Objective

This document explains the configurations that you can use to set up a Bridge Mode firewall or an IPSO Transparent Mode firewall, both as a single gateway and in a clustered gateway configuration.

Supported Versions

NGX R65 HFA 70 and later

R70, R70.10, R70.20, R70.30

R71

Supported Operating Systems

IPSO 4.2

IPSO 6.2

Supported Appliances

Any IP and Power series appliances that support IPSO.

Before You Start

Related Documents and Assumed Knowledge

Network Voyager for IPSO 6.2 Reference Guide (http://downloads.checkpoint.com/dc/download.htm?ID=10293)

OR

Nokia Network Voyager Reference Guide for IPSO 4.2 (N450000359 Rev 003) (http://downloads.checkpoint.com/dc/download.htm?ID=9844)

R70 Firewall Administration Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8738) (Chapter 6: Bridge Mode).

This guide does not cover the installation of IPSO and the Security Application on an IP appliance, or the initial configuration of system time, interfaces, and static routes.

The reader is assumed to be familiar with advanced IP routing and IP bridge functionality.

Why are my BPDU packets being dropped by Transparent Mode interfaces? - sk38927 (http://supportcontent.checkpoint.com/solutions?id=38927).

What is "Neighbor Control Block" in Transparent Mode? - sk39630 (http://supportcontent.checkpoint.com/solutions?id=39630).

Default filter doesn't block traffic traversing transparent mode interfaces - sk39766 (http://supportcontent.checkpoint.com/solutions?id=39766).


VSX cluster in transparent mode failover failure - sk40320 (http://supportcontent.checkpoint.com/solutions?id=40320).

Unknown ARP opcode (0x0032), (0x0033), (0x0034), (0x0036) to DST: 01:00:5E:00:00:12 in a Transparent Mode VRRP Config - sk41140 (http://supportcontent.checkpoint.com/solutions?id=41140).

What are some limitations of transparent mode? - sk41241.

Transparent Mode FAQ - sk41320 (http://supportcontent.checkpoint.com/solutions?id=41320).

What is the age time-out for Neighbor Control Block in Transparent mode? - sk41330 (http://supportcontent.checkpoint.com/solutions?id=41330).

Does NMDS support VLAN translation in Transparent Mode (Bridging)? - sk41436 (http://supportcontent.checkpoint.com/solutions?id=41436).

Anti-spoofing in IPSO Transparent mode - sk41442 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk41442&js_peid=P-114a7ba5fd7-10001&partition=General&product=Security).

Will the ADP subsystem accelerate Transparent Mode connections with SecureXL? - sk42716 (http://supportcontent.checkpoint.com/solutions?id=42716).

Is transparent mode supported with Fiber network interfaces on IP series platforms? - sk44772 (http://supportcontent.checkpoint.com/solutions?id=44772).

Impact on Environment and Warnings

The firewall is a bridge. It forwards the traffic that the rulebase allows.

By default, transparent mode interfaces forward only IP or ARP packets. Traffic for all other protocols is discarded automatically. Transparent mode is not supported with IPv6.

Transparent Mode supports only Ethernet interfaces (10/100/1000/10000 Mbps).

Setting up a Bridge Mode Firewall on an IP Appliance with IPSO

Setting up a Bridge Mode Group

This procedure uses a sample topology to show a Transparent Mode group (XMG) and its interfaces.

Group XMG 101: interfaces eth2c0 and eth3c0, IP address 172.16.1.29, destination 172.16.1.0/24.

Group XMG 104: interfaces eth4c0 and eth5c0, IP address 192.168.10.29, destination 192.168.10.0/24.

Interface eth1c0, between the firewall and the Check Point Gateway: IP address 172.26.144.129, destination 172.26.144.0/24.

To Create a Transparent Mode group (XMG), and Add Interfaces to it:

1. Make sure the IP appliance has IPSO 6.2 installed (not the Check Point VPN-1 Security application).


2. Configure interfaces (in this example, three interfaces, eth1c0, eth2c0, and eth3c0) with IP addresses and enable them. The firewall requires one interface in a Bridge/Transparent Mode group to have an IP address. To the firewall, all interfaces in the group share this address.

3. From the Voyager tree view, select Configuration > Interface Configuration > Transparent Mode. The Transparent Mode Configuration window opens.

4. In the Create New Transparent Mode Group field, enter an integer greater than 0 (in this example, 101), and click Apply.


5. Click the link of the new transparent mode group. The link reads XMG followed by the number entered in step 4 (XMG 101 in this example). The Transparent Mode Configuration for Group 101 window opens.

6. In the Add Interface drop down list, select an interface to associate with the transparent mode group. In this case, select the logical interface associated with IP address 172.16.1.29/24, and click Apply.


7. In the Add Interface drop down list, select the second interface connected to the same LAN, and click Apply.

This allows the system to bridge between the two interfaces in the group.


8. In the tree view, click Transparent Mode. The Transparent Mode Configuration window opens.

9. In the Transparent Mode Groups table, in the Enable column, select the check box associated with XMG 101, and click Apply > Save.


10. Create a second Transparent Mode group (in this example, 104).

11. Add interfaces (in this example, eth4c0, eth5c0, with IP Address 192.168.10.29/24) to XMG 104.

12. In the tree view, select Transparent Mode. The Transparent Mode Configuration window opens.


13. In the Transparent Mode Groups table, in the Enable column, select the check box associated with XMG 104, and click Apply > Save.

The Interface Configuration window now shows the Transparent Mode group interfaces.

To Create a Transparent Mode Group from Clish (if you prefer):

Run:

NokiaIP290:37> add xmode id 104
NokiaIP290:38> add xmode id 104 interface eth4c0
NokiaIP290:39> add xmode id 104 interface eth5c0
NokiaIP290:40> set xmode id 104 state 1
NokiaIP290:41> save config

To Delete a Transparent Mode Group:

1. From the Voyager tree view, select Configuration > Interface Configuration > Transparent Mode. In the Transparent Mode Groups table, in the Delete column, select the check box associated with the group you want to delete (in this example, XMG 104), and click Apply > Save.

2. Restart the Firewall Service with cpstop and cpstart after any change to the Transparent Mode group configuration.

To Delete a Transparent Group from Clish:

Run:

NokiaIP290:53> delete xmode id 104
NokiaIP290:54> save config

To Remove an Interface from the Transparent Mode Group from Clish:

Run:

NokiaIP290:60> delete xmode id 104 interface eth5c0
NokiaIP290:61> save config

To Monitor a Transparent Mode Group:

From Voyager: from the tree view, select Monitor > Transparent Mode Monitor.

From Clish: you can monitor the transparent mode group with these commands:

NokiaIP290:44> show xmode id 101 info
XMODE ID 101
State : 1
vrrp_enabled : Not Configured
Interfaces :
1 : eth2c0
2 : eth3c0

NokiaIP290:45> show xmode id 104 info
XMODE ID 104
State : 1
vrrp_enabled : Not Configured
Interfaces :
1 : eth4c0
2 : eth5c0

NokiaIP290:46> show xmode id 101 stat
XMODE ID 101
Number of times transparent mode group creation succeeded : 2
Number of times transparent mode group creation failed : 0
Number of times transparent mode group deletion succeeded : 0
Number of times transparent mode group deletion failed : 0
Number of times adding an interface to a transparent mode group succeeded : 4
Number of times adding an interface to a transparent mode group failed : 0
Number of times removing an interface from a transparent mode group succeeded : 0
Number of times removing an interface from a transparent mode group failed : 0
Number of known neighbors : 0
Number of add IPv4 Family success : 4
Number of add IPv4 Family failed : 0
Number of remove IPv4 Family success : 0
Number of remove IPv4 Family failed : 0
Stats : ARP
Number of packets originated locally : 6
Number of outgoing packets dropped due to interface down : 0
Number of no buffer errors : 0
Number of no destination errors : 0
Number of send errors : 0
Number of packets received : 27
Number of incoming packets dropped due to interface down : 0
Number of packets delivered locally : 23
Number of packets forwarded : 21
Stats : IPv4
Number of IP packets originated locally : 784
Number of outgoing packets dropped due to interface down : 7
Number of no buffer errors : 0
Number of no destination errors : 0
Number of send errors : 0
Number of packets delivered to firewall on egress : 1352
Number of packets returned from firewall on egress : 1352
Number of packets received : 39479
Number of incoming packets dropped due to interface down : 0
Number of packets delivered locally : 67
Number of packets forwarded : 39399
Number of packets dropped on VRRP standby : 0
Number of packet header errors : 0
Number of packets delivered locally due to NAT : 0
Stats : IPv6

NokiaIP290:46> show xmode id 104 stat
XMODE ID 104
Number of times transparent mode group creation succeeded : 5
Number of times transparent mode group creation failed : 0
Number of times transparent mode group deletion succeeded : 3
Number of times transparent mode group deletion failed : 0
Number of times adding an interface to a transparent mode group succeeded : 8
Number of times adding an interface to a transparent mode group failed : 0
Number of times removing an interface from a transparent mode group succeeded : 4
Number of times removing an interface from a transparent mode group failed : 0
Number of known neighbors : 0
Number of add IPv4 Family success : 8
Number of add IPv4 Family failed : 4
Number of remove IPv4 Family success : 4
Number of remove IPv4 Family failed : 0
Stats : ARP
Number of packets originated locally : 0
Number of outgoing packets dropped due to interface down : 0
Number of no buffer errors : 0
Number of no destination errors : 0
Number of send errors : 0
Number of packets received : 0
Number of incoming packets dropped due to interface down : 0
Number of packets delivered locally : 0
Number of packets forwarded : 0
Stats : IPv4
Number of IP packets originated locally : 0
Number of outgoing packets dropped due to interface down : 0
Number of no buffer errors : 0
Number of no destination errors : 0
Number of send errors : 0
Number of packets delivered to firewall on egress : 0
Number of packets returned from firewall on egress : 0
Number of packets received : 0
Number of incoming packets dropped due to interface down : 0
Number of packets delivered locally : 0
Number of packets forwarded : 0
Number of packets dropped on VRRP standby : 0
Number of packet header errors : 0
Number of packets delivered locally due to NAT : 0
Stats : IPv6

To Verify Connectivity and Test Traffic through Transparent Mode Group Interfaces:

1. Make sure the Transparent Mode group interfaces are Active (a link is available) and UP (the status is green in Voyager).


2. Send traffic through the interfaces (in this example, eth2c0 and eth3c0).

3. Run tcpdump on the eth2c0 and eth3c0 interfaces, and observe that the traffic is seen in both directions (in this example, 172.16.1.99 pings 172.16.1.80).

IP290A[admin]# tcpdump -i eth2c0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
07:17:38.363721 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32513, length 40
07:17:38.363849 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32513, length 40
07:17:39.361713 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32769, length 40
07:17:39.361867 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32769, length 40
07:17:40.363015 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33025, length 40
07:17:40.363176 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33025, length 40
07:17:41.364616 IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33281, length 40
07:17:41.364778 O IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33281, length 40
^C
8 packets captured
10 packets received by filter
0 packets dropped by kernel

IP290A[admin]# tcpdump -i eth3c0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
07:17:38.363724 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32513, length 40
07:17:38.363848 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32513, length 40
07:17:39.361721 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 32769, length 40
07:17:39.361865 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 32769, length 40
07:17:40.363022 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33025, length 40
07:17:40.363174 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33025, length 40
07:17:41.364625 O IP 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 33281, length 40
07:17:41.364776 IP 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 33281, length 40
^C
8 packets captured
15 packets received by filter
0 packets dropped by kernel

4. Run tcpdump with the -e switch to observe the MAC/Ethernet addresses involved in this communication.

Since the firewall acts as a Layer 2 bridge, you see the MAC/Ethernet addresses of the host that originates the traffic and of the host that receives it. If there are routers on either side of the transparent mode group interfaces, you see only the source and destination MAC/Ethernet addresses of the respective routers.

IP290A[admin]# tcpdump -e -i eth2c0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278854 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279042 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
06:38:45.276895 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
06:38:45.277024 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31233, length 40
06:38:46.278043 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31489, length 40
06:38:46.278206 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31489, length 40
06:38:47.279505 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31745, length 40
06:38:47.279644 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31745, length 40
^C
8 packets captured
18 packets received by filter
0 packets dropped by kernel
IP290A[admin]#

IP290A[admin]# tcpdump -e -i eth3c0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278857 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279040 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
06:38:45.276898 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
06:38:45.277022 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31233, length 40
06:38:46.278048 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31489, length 40
06:38:46.278205 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31489, length 40
06:38:47.279506 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31745, length 40
06:38:47.279643 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 31745, length 40
^C
8 packets captured
20 packets received by filter
0 packets dropped by kernel
IP290A[admin]#
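The verification in steps 3 and 4 can be automated. The following Python script is an added example, not part of the original document: it parses two tcpdump -e captures taken on the two ports of one XMG and checks what the text above describes, namely that every ICMP echo seen on one port appears on the other with its MAC and IP addresses untouched, received on one side and transmitted (the "O" marker) on the other, and that the reply carries the request's MAC addresses reversed. The sample captures are constructed to resemble the output above and include one request that never reaches the second port.

```python
import re
from collections import namedtuple

# One tcpdump -e line as IPSO prints it in the captures above. A leading "O"
# marks a frame the appliance transmitted rather than received.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<out>O\s+)?"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \(oui [^)]*\))? > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \(oui [^)]*\))?, "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>[\d.]+) > (?P<dip>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

Frame = namedtuple("Frame", "ts out smac dmac sip dip kind id seq")


def parse_capture(text):
    """Return the ICMP echo frames in a tcpdump -e capture; banner lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append(Frame(m["ts"], bool(m["out"]), m["smac"], m["dmac"],
                                m["sip"], m["dip"], m["kind"], int(m["id"]), int(m["seq"])))
    return frames


def check_bridge(frames_a, frames_b):
    """Compare the captures from the two ports of one XMG.

    Returns (matched, problems): matched is the number of frames seen on port A
    that crossed to port B unchanged; problems is empty for a healthy bridge.
    """
    on_b = {(f.kind, f.id, f.seq): f for f in frames_b}
    problems, matched = [], 0
    for a in frames_a:
        label = f"ICMP echo {a.kind} id {a.id} seq {a.seq}"
        b = on_b.get((a.kind, a.id, a.seq))
        if b is None:
            # Not bridged: dropped by the rulebase, or the ports are not in the same group.
            problems.append(f"{label}: seen on port A only")
            continue
        ok = True
        if (a.smac, a.dmac, a.sip, a.dip) != (b.smac, b.dmac, b.sip, b.dip):
            # A transparent bridge never rewrites Layer 2 or Layer 3 addresses.
            problems.append(f"{label}: addresses differ between the two ports")
            ok = False
        if a.out == b.out:
            # A bridged frame is received on one port and transmitted on the other.
            problems.append(f"{label}: same direction marker on both ports")
            ok = False
        if ok:
            matched += 1
    # The reply must carry the request's MAC addresses reversed: the end hosts
    # address each other directly, never the appliance's own MAC.
    requests = {(f.id, f.seq): f for f in frames_a if f.kind == "request"}
    for r in (f for f in frames_a if f.kind == "reply"):
        q = requests.get((r.id, r.seq))
        if q and (r.smac, r.dmac) != (q.dmac, q.smac):
            problems.append(f"ICMP echo reply id {r.id} seq {r.seq}: MACs are not the request's reversed")
    return matched, problems


# Constructed captures modelled on the output above (not copied from it):
# the request with seq 31233 is seen on eth2c0 but never appears on eth3c0.
CAP_ETH2C0 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278854 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279042 O 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
06:38:45.276895 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 31233, length 40
"""
CAP_ETH3C0 = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3c0, link-type EN10MB (Ethernet), capture size 96 bytes
06:38:44.278857 O 00:02:b3:06:58:39 (oui Intel Corporation) > 00:0d:60:48:f9:10 (oui IBM Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.99 > 172.16.1.80: ICMP echo request, id 512, seq 30977, length 40
06:38:44.279040 00:0d:60:48:f9:10 (oui IBM Corporation) > 00:02:b3:06:58:39 (oui Intel Corporation), ethertype IPv4 (0x0800), length 74: 172.16.1.80 > 172.16.1.99: ICMP echo reply, id 512, seq 30977, length 40
"""

if __name__ == "__main__":
    matched, problems = check_bridge(parse_capture(CAP_ETH2C0), parse_capture(CAP_ETH3C0))
    print(f"{matched} frame(s) bridged cleanly")
    for p in problems:
        print("PROBLEM:", p)
```

Run it against the two real captures (saved to files and read in place of the constructed strings) after step 4; a non-empty problem list points at the rulebase or at the group membership of the two interfaces.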

Configuring the bridge Mode Group on an IP appliance with IPSO 6.2

To Configure an R70 Bridge Mode Firewall on an IP appliance:

For this section, routers are added on either side of the Bridge Mode interfaces in the sample topology. This requires a different IP address for the XMG 101 interfaces.

Group XMG 101: interfaces eth2c0 and eth3c0, IP address 10.207.188.29, destination 10.207.188.0/24.


Default Gateway for eth2c0 is 10.207.188.126. Default Gateway for eth3c0 is 10.207.188.226.

Group XMG 104: interfaces eth4c0 and eth5c0, IP address 10.188.69.129, destination 10.188.69.0/24.

Interface eth1c0, between the firewall and the Check Point Gateway: IP address 172.26.144.129, destination 172.26.144.0/24.

Router R1 connects to eth3c0; router R2 connects to eth2c0.

1. Re-install NGX R70 VPN-1 Power Security Application.


2. Make sure the updated Interface Configuration window looks as in the image below.

3. From the SmartDashboard tree view, select the gateway. The General Properties window opens.

4. Configure the gateway properties as shown below:

In the IP Address field, the IP of the Check Point Gateway.

In the Comment field, Transparent Mode Firewall-1.

In Platform, select Other for Hardware, the appropriate version for Version, and IPSO for OS.

In the Network Security tab, select the IPSec VPN and Monitoring check boxes.


5. To establish SIC between the SmartCenter Server and the gateway, click Communication. The Trusted Communication window opens. Enter a one-time password, confirm the password, and click Initialize.


6. Select Topology, and click Get > Interfaces with Topology. The Get Topology Results window opens.


7. Click Accept to confirm the interface topology. Notice that the interfaces that belong to the same XMG share the same IP addresses.


8. Select the Transparent Mode group interface that does not have an IP address configured in Voyager, and click Remove.


9. The sample gateway topology no longer shows the interfaces without IP addresses.

10. Double-click each interface. The Interface Properties window opens.

11. In the Topology tab, select External, and click OK. A warning message opens.

Note - To configure Anti-spoofing on a bridge mode firewall, refer to sk41442 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk41442&js_peid=P-114a7ba5fd7-10001&partition=General&product=Security).


12. Click Yes.


13. From the SmartDashboard menu bar, select Rules > Add Rule > Above, and configure a simple Any-Any-Accept rulebase that enables logging, to verify that the test traffic is inspected by the Bridge Mode Firewall.

14. From the menu bar, select Policy > Install. The Install Policy window opens.

15. Select the Bridge Mode Firewall.

To Verify Connectivity and Test Traffic through Transparent Mode Group Interfaces:

1. Send test traffic through the Bridge Mode Firewall.


2. Open the SmartView Tracker, and from the tree view, select the firewall to check its logs.

Configuring a High Availability Bridge Mode Firewall

To Configure a High Availability Transparent/Bridge Mode firewall:

This sample topology shows High Availability Transparent Mode group (XMG) firewalls in a VRRP cluster.

Group XMG 101: interfaces eth2c0 and eth3c0, IP address 10.207.188.29, destination 10.207.188.0/24.

Default Gateway for Sw3 is 10.207.188.126. Default Gateway for Sw2 is 10.207.188.226.

Group XMG 104: interfaces eth4c0 and eth5c0, IP address 10.188.69.129, destination 10.188.69.0/24.

Interface eth1c0, between the firewall and the Check Point Gateway: IP address 172.26.144.129, destination 172.26.144.0/24.

Router R1 connects to Sw2; router R2 connects to Sw3.


Sw1 Virtual IP is 172.26.144.130. Sw3 Virtual IP is 10.207.188.30.

1. Set up the Transparent Mode group interfaces for this second firewall node as on the first one. Assign IPs as in the sample High Availability topology above (as with the routers before).

2. To enable VRRP on a Transparent Mode group interface:

a) In the Voyager tree view, select Interface Configuration > Transparent Mode, and click the link of the transparent mode group just created (in this example, XMG 101).

b) Select the Enable VRRP check box, and click Apply.

c) In the tree view, select Configuration > High Availability > VRRP. The VRRP Configuration window opens.


d) In the Create New Monitored-Circuit Virtual Router field, enter an ID number (in this example 120).

e) Make sure the Monitor Firewall State check box is not selected, and click Apply.

f) In Monitored-Circuit Virtual Routers, configure appropriate values in the Priority and the Delta Priority fields, and enter 10.207.188.30 (in this example) in the New Backup Address field.

g) Click Apply > Save.

h) Click VRRP Monitor. The VRRP Monitor window opens.


i) Make sure VRRP State is Master or Backup (depending on the Priority and Delta Priority values).

j) To verify that the Virtual IP address is assigned to the VRRP Master, run:

Note - It is normal for all the Transparent Mode group interfaces to be in Promiscuous mode, as this is required for Bridge Mode operation.

IP290A[admin]# ifconfig eth2c0
eth2c0: lname eth2c0 flags=10e7<UP,PHYS_AVAIL,LINK_AVAIL,BROADCAST,MULTICAST,AUTOLINK,XMODE>
        inet mtu 1500
        inet 10.207.188.29/24 broadcast 10.207.188.255
        inet 10.207.188.30/24 broadcast 10.207.188.255
        vrrpmac 0:0:5e:0:1:78
        phys eth2 flags=c173<UP,LINK,BROADCAST,MULTICAST,PROMISC,PRESENT>
        ether 00:a0:8e:71:df:92 speed 100M full duplex

k) To verify that the VRRP advertisements are sent to the VRRP multicast address on the VRRP Master node (correspondingly on the VRRP Backup node, eth2c0 should show that it receives the VRRP advertisements from the VRRP Master), run:

IP290A[admin]# tcpdump -i eth2c0 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
23:07:53.150664 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:54.151510 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:55.152343 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:56.153181 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:57.154030 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:58.154866 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
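The check in step k) can also be scripted. The following Python script is an added example, not part of the original document: it parses a "tcpdump -i eth2c0 vrrp" capture like the one above and verifies that every advertisement carries the expected VRID (120 here), that the node's role matches what VRRP Monitor showed in step i) (a Master transmits advertisements, a Backup only receives them), that a single node advertises the VRID, and that no gap between advertisements exceeds the master-down interval of roughly three times the advertisement interval (RFC 3768). The sample captures are constructed to resemble the output above; the second node address 10.207.188.28 in the split-brain sample is hypothetical.

```python
import re
from collections import defaultdict

# One VRRPv2 advertisement as tcpdump prints it in the capture above. IPSO
# prefixes frames the appliance itself transmitted with "O".
VRRP_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d\.\d+)\s+(?P<out>O\s+)?"
    r"IP (?P<src>[\d.]+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
    r"vrid (?P<vrid>\d+), prio (?P<prio>\d+), authtype (?P<auth>\w+), intvl (?P<intvl>\d+)s"
)


def parse_vrrp(text):
    """Return the advertisements in a 'tcpdump -i <if> vrrp' capture as dicts."""
    adverts = []
    for line in text.splitlines():
        m = VRRP_RE.match(line.strip())
        if m:
            # Seconds since midnight; a capture that spans midnight is not handled.
            t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
            adverts.append({"t": t, "out": bool(m["out"]), "src": m["src"],
                            "vrid": int(m["vrid"]), "prio": int(m["prio"]),
                            "auth": m["auth"], "intvl": int(m["intvl"])})
    return adverts


def check_vrrp(adverts, expected_vrid, role):
    """role is 'master' or 'backup', the VRRP State shown in step i).

    Returns a list of findings; an empty list means the capture is consistent
    with that role and with a single Master for expected_vrid.
    """
    findings = []
    if not adverts:
        return ["no VRRP advertisements captured"]
    by_src = defaultdict(list)
    for a in adverts:
        if a["vrid"] != expected_vrid:
            findings.append(f"advertisement for unexpected vrid {a['vrid']} from {a['src']}")
        else:
            by_src[a["src"]].append(a)
    if len(by_src) > 1:
        # Two nodes advertising the same VRID means two Masters: check Priority
        # and Delta Priority, and that each node sees the other's advertisements.
        findings.append(f"vrid {expected_vrid} advertised by more than one node: "
                        + ", ".join(sorted(by_src)))
    for src, lst in by_src.items():
        outs = {a["out"] for a in lst}
        if role == "master" and outs != {True}:
            findings.append(f"{src}: a Master should only transmit advertisements, some were received")
        if role == "backup" and outs != {False}:
            findings.append(f"{src}: a Backup should only receive advertisements, some were transmitted")
        if len({a["prio"] for a in lst}) > 1:
            findings.append(f"{src}: priority changed during the capture")
        # RFC 3768: a Backup declares the Master down after about 3 x intvl
        # without an advertisement, so a larger gap means a failover happened.
        for prev, cur in zip(lst, lst[1:]):
            gap = cur["t"] - prev["t"]
            if gap > 3 * prev["intvl"]:
                findings.append(f"{src}: {gap:.3f}s gap exceeds the master-down interval")
    return findings


# Constructed capture modelled on the Master's output above (not copied from it).
MASTER_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2c0, link-type EN10MB (Ethernet), capture size 96 bytes
23:07:53.150664 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:54.151510 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
23:07:55.152343 O IP 10.207.188.29 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
"""
# Constructed: a second node (hypothetical address 10.207.188.28) also claims vrid 120.
SPLIT_CAPTURE = MASTER_CAPTURE + """\
23:07:55.650000 IP 10.207.188.28 > 224.0.0.18: VRRPv2, Advertisement, vrid 120, prio 100, authtype none, intvl 1s, length 20
"""

if __name__ == "__main__":
    for name, cap in (("master", MASTER_CAPTURE), ("split", SPLIT_CAPTURE)):
        print(name, check_vrrp(parse_vrrp(cap), 120, "master") or "OK")
```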

To Add Transparent Mode Nodes to the Gateway Cluster Object in SmartDashboard:

1. Create a gateway object for each VRRP node.

2. Define the topology for each gateway object. Make sure that Transparent Mode is properly configured with the address ranges to the external and internal networks.

3. Create the cluster object.

4. To add each gateway to the cluster object, select the gateway, and click Add > Add Existing Gateway.

If you click Add > New Cluster Member to add a VRRP member that uses Transparent Mode to a cluster, you cannot configure the topology correctly.

5. Finish the configuration in the same way as for a High Availability Cluster of regular routed firewalls.

Index

B

Before You Start • 5

C

Configuring a High Availability Bridge Mode Firewall • 29

Configuring the bridge Mode Group on an IP appliance with IPSO 6.2 • 19

H

How To Setup a Bridge Mode Firewall on an IP Appliance with IPSO • 5

I

Impact on Environment and Warnings • 6

Important Information • 3

O

Objective • 5

R

Related Documents and Assumed Knowledge • 5

S

Setting up a Bridge Mode Firewall on an IP Appliance with IPSO • 6

Setting up a Bridge Mode Group • 6

Supported Appliances • 5

Supported Operating Systems • 5

Supported Versions • 5