Installing Check Point VPN-1FireWall-1 NG AI on Windows

Licenses

You should have obtained all of your licenses before you get to this step. If you didn t, don t worry. There is a link to the Check Point User Center, where you can get your licenses, right in the Licenses window. If you need help with your license, read the first part of this chapter titled Before you Begin. If you don t have any permanent licenses to install at this time, you can use the built-in 15-day evaluation license that will be created at the end of the configuration. And, of course, you can always request an evaluation license from either Check Point or your Check Point reseller.

Since you have installed a primary management module, you should be installing a local license that was registered with the local management station s IP address. Follow this step-by-step procedure for adding your license(s).

1. Click Add in the Licenses configuration window (Figure 2.19).

   
   Figure 2.19: Licenses

2. A window similar to the one in Figure 2.20 will be displayed. In this window you can either select Paste License or enter the license details into the appropriate fields. The figure below shows the following license installed: cplic putlic 192.168.0.1 never aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCAy CPMP-EVAL-1-3DES-NG CK-CP. In addition, you will see the following fields:

   
   Figure 2.20: Adding a License

   • IP Address The IP address associated with this license or eval if you are utilizing an evaluation license.

   • Expiration Date The date that the license expires , which is never for purchased products.

   • SKU/Features These are the features that this license will enable (e.g. Management or 3DES).

   • Signature Key The license string provided by Check Point to validate the license. This key will be unique for each license and IP Address.

     Enter your license details in the Add License window, and click Calculate to verify that the information you entered is correct. Match the Validation Code that you receive in this cell to the Validation Code on the license obtained from the Check Point User Center. You can also copy the entire cplic putlic command into your clipboard, and then click the Paste License button at the top of the screen to fill in all the fields. Click OK to continue, and if you entered everything correctly you should see the license entered into the main Licenses window (Figure 2.21).

     
     Figure 2.21: License Added Successfully

     Note

     The license configuration window will be displayed whether you are installing just the management or the enforcement module in a distributed installation. If you are utilizing centralized licensing for your remote enforcement modules, continue without a license and use SmartUpdate to license the module through the GUI.

3. Click Next to continue. The next screen deals with the Check Point configuration of the Management module.

Administrators

After installing your licenses, you will be presented with another configuration window (see Figure 2.22) in which you need to configure your firewall administrators. You will need to define at least one administrator during this time. You can always come back to this window later to add, edit, or delete your administrative logins. If you utilize the management of administrative logins inside the SmartDashboard GUI, you should remove the administrative users defined here after they have been defined and applied.

Figure 2.22: Configuring Administrators

Installing & Configuring
Fetching Licenses

If you have saved your license(s) to a file with a .lic extension (e.g. licenses.lic), then you could alternatively use the Fetch from File button, which would enable you to browse your file system for the license file. Once you ve located the *.lic file, select Open , and the license details will be imported into the Licenses configuration window.

1. The first step to configuring your administrators is to click Add

2. You will be presented with a window similar to the one in Figure 2.23 where you can define the attributes for one administrator. It is best to use individual administrator usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. The fields that you need to fill in are listed below. Enter the required fields in the Add Administrator Window and select Read/Write All for the permissions. Click OK to finish adding the administrator.

   • Administrator Name Choose a login name for your administrator. This field is case-sensitive.

   • Password Choose a good alphanumeric password. It must be at least four characters long and is also case-sensitive.

   • Confirm Password Repeat the same password entered above.

     
     Figure 2.23: Adding an Administrator

   The section labeled Permissions enables you to define the access level that you will require on an individual basis for each administrator. If you select Read/Write All or Read Only All , then your administrator will have access to all the available GUI client features with the ability to either make changes and updates or view the configuration and logs (perhaps for troubleshooting purposes), respectively. Notice that only Read/Write All administrators have the ability to manage administrative user accounts through the GUI. Any user with administrative privileges to the operating system of the management server can manage the Check Point administrators. You may also choose to customize their access so that they may be able to update some things and not others. To do this, select Customized and configure each of these options:

   • SmartUpdate This GUI tool enables you to manage licenses and update remote modules.

   • Objects Database This tool is used to create new objects to be used in the Security Policy rulebases . Objects will be covered in the next chapter.

   • Check Point Users Database This tool is used to manage users for firewall authentication purposes.

   • LDAP Users Database This tool is used to manage LDAP users.

   • Security Policy This tool is used to create and manage rulebases using the SmartDashboard GUI.

   • QoS Policy This tool is used to create and manage the bandwidth management rulebases.

   • Log Consolidator This tool is used to create and manage rulebases regarding which logs will be consolidated from the log server into the SmartView Reporter database to run reports on.

   • SmartView Reporter This tool is used to create reports based on information consolidated into its internal database from the logs stored on the management server.

   • Monitoring This option enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients.

3. When you finish adding your administrator, you will be brought back to the main Administrators configuration window. Your administrator should now be listed in the Administrator s Permissions window. From here you may choose to Add , Edit , or Delete administrators from this list (see Figure 2.24). When you are finished adding your administrators, click Next to continue with the configuration of the Check Point Management Module.

   
   Figure 2.24: Administrators

GUI Clients

The GUI clients are the SmartConsole programs we installed earlier. These clients could also be installed on as many desktops as you wish, but before they can connect to the management server, you need to enter their IP addresses into the GUI clients configuration window shown in Figure 2.25. You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will enable you to connect remotely to manage the Security Policy and view your logs and system status. You do not need to configure any clients at all during the installation (localhost is always allowed), but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client information will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This file can be edited directly, or you can bring up this GUI Clients window at any time in the future. It is recommended, however, that you use the GUI to make all changes.

Figure 2.25: Adding GUI Clients

1. For the example installation in this chapter, we are not going to enter any GUI clients. Select Next to continue on with the Check Point Management Module installation and read the next section. When you enter GUI clients, you type their hostname or IP address into the Remote hostname: field, and click Add to insert the clients to the window on the right. You are allowed to use wildcards as follows :

   • Any If you enter the word Any , this will allow anyone to connect without restriction (not recommended).

   • Asterisks You may use asterisks in the hostname. For example, 10.10.20.* means any host in the 10.10.20.0/24 network, or *.domainname.com means any hostname within the domainname.com domain.

   • Ranges You may use a dash (-) to represent a range of IP addresses. For example, 1.1.1.3-1.1.1.7 means the 5 hosts including 1.1.1.3 and 1.1.1.7 and every one in between.

   • DNS or WINS resolvable hostnames

   Figure 2.26 displays an example of the configured GUI cClients window with various options that you can use for your GUI client entries. It is recommended that you avoid using hostnames or domain names, however, since that requires DNS to be configured and working on the firewall. Using IP addresses are the best method since it doesn t rely on resolving, and will continue to work even if you cannot reach your name servers from the firewall. If, however, you have a very dynamic network with system names staying the same but addresses changing, or if you have many systems to add, hostnames may be the easiest solution.

   
   Figure 2.26: GUI Clients Added

Certificate Authority Initialization

Check Point provides the highest level of security between its components using a PKI implementation. Your management server will be a Certificate Authority for your firewall enforcement modules, and will use certificates for Secure Internal Communication (SIC). This is the step in the installation process where the management server s certificate authority (CA) is configured, and a certificate is generated for the server itself.

You will be presented with a Key Hit Session window where you will be asked to input random text until you hear a beep. The data you enter will be used to generate the certificate, and it is recommended that you also enter the data at a random pace; some keystrokes may be close together and others could have a longer pause between them. The more random the data, the less likely that the input could be duplicated . If the system determines that the keystrokes are not random enough, it will not take them as input, and will display a bomb icon under Random Characters. If the input is good, the system will display a yellow light bulb. This is always a fun exercise in the classroom because of the sounds that are created when you frantically tap away at the keyboard.

1. Type random characters at random intervals into the Key Hit Session window until the progress bar is full, and the message Thank you! appears at the bottom of the window as seen in Figure 2.27. Click Next to continue with the CA configuration.

   
   Figure 2.27: Key Hit Session

2. You will be presented with a window titled Certificate Authority (Figure 2.28). This window simply informs you that the CA is not yet configured and that it will be initialized when you select Next . Click Next to initialize the management module s Certificate Authority. The system will also prompt you for a name for the Internal Certificate Authority. This should be a Fully Qualified Domain Name (FQDN) due to the fact that it will be resolved by other devices to check the Certificate Revocation Lists (CRLs) for expired certificates, so this means it should be resolvable inside and outside your organization. If you did not install a license, you will be notified that your trial period will expire in 15 day. You should then receive a message that the initialization completed successfully, as shown in Figure 2.29.

   
   Figure 2.28: Certificate Authority Initialization

   
   Figure 2.29: CA Initialized Successfully

3. Click OK .

4. Click Finish from the Fingerprint window (shown in Figure 2.30) to exit the configuration. This window will be the last one in the set of configuration screens during the installation process. This window displays the fingerprint of the management server s CA. You will be able to bring this window up again after the installation through the Check Point Configuration Tool, which is shown in the section titled Getting Back to Configuration. When GUI clients first connect to the management server, they will be asked to verify the cryptographic fingerprint to ensure that they are connecting to the right machine. After that, the client software will compare the management server s fingerprints at each connect. If the fingerprints do not match, the client will be warned and asked if they wish to continue. The fingerprint could be exported to a file also, which the GUI clients would have access to.

   
   Figure 2.30: Management Server Fingerprint

5. If installing a firewall module, you will also receive a notice stating that a default firewalling policy will be installed when the Check Point services start. This will protect the system from attack until the first policy is applied to it.

Installation Complete

Congratulations. You have now successfully installed and configured a Check Point VPN-1/FireWall-1 firewall on a Windows system. All you need to do now is navigate your way out of the Check Point Installation program and reboot your system. Check Point will thank you for installing Check Point Software (see Figure 2.31) and ask you if you wish to reboot now or reboot later (Figure 2.32).

Figure 2.31: NG AI Configuration Complete

1. To finish the installation process, click OK .

2. From the InstallShield Wizard dialog box illustrated in Figure 2.32, choose Yes, I want to restart my computer now and click Finish . Your computer will be shut down and restarted.

   
   Figure 2.32: Reboot Computer

Getting Back to Configuration

Now that installation is complete, you may need to get back into the Configuration screens that you ran through at the end of the installation. You can add, modify, or delete any of the previous configuration settings by running the Check Point Configuration application.

1. Select Start Programs Check Point SmartConsole R54 Check Point Configuration . This will bring up the Configuration Tool displayed in Figure 2.33. As you can see, all of the configuration options that we went through during the initial installation are available through the various tabs at the top of the Configuration Tool window. The tabs you can configure from this tool are listed below.

   • Licenses

   • Administrators

   • GUI Clients

   • PKCS#11 Token ”Used to configure an add-on card, like a VPN accelerator card, for example.

   • Key Hit Session

   • Fingerprint

     
     Figure 2.33: Check Point Configuration Tool

   Each of the options in Figure 2.33 is described previously in the chapter. If you are just starting to read the chapter at this point, jump to the top of this section Configuring the Management Module to get a walk-through of each of these screens and your options.

2. When satisfied with your firewall configuration, click on OK to exit the tool.

   Note	If you had installed the primary management module only, then the tabs on the Configuration Tool NG will be exactly the same as in Figure 2.33 without the tab for PKCS#11 Token.

If you installed an enforcement module only, the Configuration Tool screens will be a little different (see Figure 2.34). The two new tabs are as follows:

Figure 2.34: Enforcement Module Configuration Tool

• Secure Internal Communication Enables you to initialize an enforcement module for communication. You must enter the same password here as you enter in the SmartDashboard GUI (Figure 2.35).

  
  Figure 2.35: Secure Internal Communication

• High Availability Enables this enforcement module to participate in a Check Point high availability (CPHA) or load sharing (CPLS) configuration with one or more other enforcement modules. This tab, illustrated in Figure 2.36, will not show up in your installation. The management module installed on an enforcement module participating in a cluster is not a supported configuration. State Synchronization is used to synchronize multiple firewalls together when using a 3 ^rd party High Availability or Load Sharing solution.

  
  Figure 2.36: High Availability