Summary


This chapter began by preparing you to install the Check Point VPN-1/FW-1 NG product on a computer. There are several steps you can take to prepare your host computer prior to turning it into a firewall. First, make sure that your hardware meets or exceeds the minimum system requirements provided by Check Point. You will then need to install a base operating system, apply OS patches, configure and test your network interface cards and DNS, enable IP forwarding, disable any unnecessary services, and populate your hosts file with at least the external IP address of your firewall, which is configured on the first interface card in your computer.
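A pre-install check for the hosts file step above, as an added example that is not from the book or from Check Point: it reads a hosts file and reports whether the firewall's hostname maps to the expected external IP address. The function name `check_hosts_entry`, the hostnames, and the addresses are all constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, constructed sample data).
# check_hosts_entry FILE HOSTNAME EXPECTED_IP
# Prints "ok", "mismatch <ip>" or "missing"; returns 0, 1 or 2.
# The first line naming the host wins, as it does when the file is read in order.
check_hosts_entry() {
    awk -v host="$2" -v want="$3" '
        { sub(/#.*/, "") }              # strip trailing comments
        NF < 2 { next }                 # skip blank or address-only lines
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(host)) {
                    found = 1
                    rc = ($1 == want) ? 0 : 1
                    print (rc == 0 ? "ok" : "mismatch " $1)
                    exit
                }
        }
        END { if (!found) { print "missing"; rc = 2 }; exit rc }
    ' "$1"
}

# Constructed hosts files: one correct, one where the name is bound to loopback.
demo_hosts=$(mktemp)
bad_hosts=$(mktemp)
trap 'rm -f "$demo_hosts" "$bad_hosts"' EXIT

cat > "$demo_hosts" <<'EOF'
# constructed sample
127.0.0.1   localhost
192.0.2.10  fw1.example.com fw1   # external interface (first NIC)
10.0.0.1    fw1-int
EOF

cat > "$bad_hosts" <<'EOF'
127.0.0.1   localhost fw1
192.0.2.10  fw1.example.com
EOF

check_hosts_entry "$demo_hosts" fw1 192.0.2.10 || true
check_hosts_entry "$bad_hosts"  fw1 192.0.2.10 || true
check_hosts_entry "$bad_hosts"  gw9 192.0.2.10 || true
```

On a real host, pass `/etc/hosts`, the machine's own hostname, and the address configured on its first interface.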

Next, you will need to prepare for the various Check Point installation screens. You should know in advance which server/gateway components to choose, and you should be prepared for the initial configuration options by obtaining a license in advance, deciding on administrator usernames, passwords, and privileges, and statically assigning IP addresses to your administrators' workstations so that you can add them as GUI clients.

If you are installing the VPN-1/FW-1 NG software on a Windows server, you can start the installation wizard by inserting the CD or running windows\wrapper\demo32.exe. The SVN Foundation will be installed before any other Check Point components. After the installation wizard has finished copying files, it will run through the initial configuration screens of Licenses, Administrators, GUI Clients, and the CA initialization screens. Once the configuration is complete, you will need to reboot your firewall. To run the Configuration tool again, go to Start | Programs | Check Point Management Clients | Check Point Configuration NG.

To uninstall the VPN-1/FW-1 NG software from a Windows system, you must uninstall the SVN Foundation last. As the name suggests, this is the base of the VPN-1/FW-1 install, and it cannot be removed prior to removing any components that depend on it. After uninstalling VPN-1/FW-1, you must reboot.

If you are installing the VPN-1/FW-1 NG software on Solaris 2.7 or 2.8, make sure you have the correct patches applied and that you are in either 32- or 64-bit mode according to the system requirements in Table 12.1 at the beginning of the chapter. If you are installing from files, then you should unzip and untar the package, and then run pkgadd -d . from the directory where the package is located. The SVN Foundation package must be installed prior to installing VPN-1/FW-1; the UnixInstallScript will take care of this for you. After the installation program has finished copying files, you will go through the initial configuration screens, which are Licenses, Administrators, GUI Clients, SNMP Extension, Group Permissions, and CA initialization. You can configure the firewall again at any time by running the cpconfig command. After installing VPN-1/FW-1, you must reboot.

After rebooting your firewall, a defaultfilter policy will be installed that prohibits all connections to the firewall server. You can unload the defaultfilter with the command fw unload localhost. Keep in mind that you must su to root with the dash (su -) in order to obtain the right environment variables to run the fw unload and most other FW-1 commands, including cpconfig.

To uninstall VPN-1/FW-1 on Solaris, use the pkgrm command. The first time you try to remove a Primary Management Server, the uninstall will fail. Simply run pkgrm a second time to successfully remove the package. Reboot your computer after uninstalling the VPN-1/FW-1 NG package.

If you are installing the VPN-1/FW-1 NG package on a Nokia appliance, make sure that you are using IPSO 3.4.2 before you begin. Like all the other platforms, you must install the SVN Foundation prior to installing the VPN-1/FW-1 package. Also, you should reboot after each new package you install. You can toggle between installed packages in the Voyager GUI under the Manage Installed Packages link. Be sure to click Apply and Save after making any changes in Voyager. After the Check Point VPN-1/FW-1 package is installed, you must run cpconfig in order to finish the installation procedure.




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240
