Installing Check Point VPN-1FireWall-1 NG AI on Solaris

If you have downloaded the packages to install on Solaris, you must first unzip and untar them to a temporary directory. Once the files are extracted, use pkgadd “d < directory > to install the Check Point VPN-1/FireWall-1 packages one at a time. Problems have been known to occur in previous versions if these temporary directories are several subdirectories away from the root of the file system. It would be best to extract these packages to /opt, /var/tmp, /tmp or directly to / instead of burying them too far down in the file system hierarchy. If you are in the same directory as the package, type pkgadd “d . to begin the installation.

You must install the SVN Foundation package prior to installing any other modules on your system. Make sure you download this package, too, if you want to install VPN-1/FireWall-1. You can install management clients without the SVN Foundation.

The simplest way to install the software, however, is to download the installation wrapper (also called the installation bundle), extract the files, and run the UnixInstallScript as shown below or install from the Check Point Next Generation with Application Intelligence CD.

SecureXL Acceleration

The first configuration option you are asked is in regard to SecureXL Acceleration. If you wish to offload the processing VPN encryption information onto a third-party hardware acceleration device, you can answer this question with y for yes to prepare the module for processing offload. For the installation within this chapter, enter n for no and press Enter .

Licenses

You should have obtained all of your licenses before you get to this step. If you need help getting your license, read the first part of this chapter titled Before you Begin. If you don t have any permanent licenses to install at this time, you can either continue without a license and use the built-in 15-day evaluation license or at any time, request an evaluation license from either Check Point directly or your Check Point reseller.

When installing a primary management module, one will be installing a local license that was registered with the local management station s IP address. Follow this step-by-step procedure for adding your license(s). You can see the license configuration input and output in Illustration 2.3.

1. When prompted to add licenses, enter y for yes and press Enter .

2. Enter m to add the license manually and press Enter . Now you will be prompted for each field of the license. The illustration below shows the following license installed: cplic putlic 192.168.0.1 never aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCZy CPMP-VFE-U-NG CK-af80d80852ad

   • Host The IP address or hostid associated with this license.

   • Date The date that the license expires , which is never for any purchased license.

   • String The license string provided by Check Point to validate the license. This key will be unique for each license and IP Address/Host.

   • Features These are the features that this license will enable (e.g. management and/or 3DES).

   As you can see in Illustration 2.3, you also have the option of choosing f for Fetch from file. If you select this option, the configuration will prompt you to enter the file name of the file received from UserCenter.

3. Enter the values for Host , Date , String , and Features , pressing Enter after each entry.

Illustration 2.3: Configuring Licenses

 Configuring Licenses... ======================= The following licenses are installed on this host: Host             Expiration Features Do you want to add licenses (y/n) [n] ?  y  Do you want to add licenses [M]anually or [F]etch from file?:  M  Host:  192.168.0.1  Date:  never  String:  aoMJFd63k-pLdmKQMwZ-aELBqjeVX-pJxZJJCZy  Features:  CPMP-VFE-U-NG CK-  af80d80852ad 

 

Administrators

If you have installed a management module, you will be prompted to add an administrator as soon as you enter a license into the configuration program.You must define at least one administrator at this time to allow you to log in using the SmartConsole GUI clients. You can always come back later to add, edit, or delete your administrators. Illustration 2.4 depicts the steps involved to add your administrator.

It is best to use individual administrative usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. You will have to complete the following fields:

• Administrator Name Choose a login name for your administrator. This field is case-sensitive.

• Password Choose a good alphanumeric password. It must be at least four characters long and is also case-sensitive.

• Verify Password Repeat the same password entered above.

• Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized)

Illustration 2.4: Adding an Administrator

 Configuring Administrators... ============================= No VPN-1 & FireWall-1 Administrators are currently defined for this SmartCenter Server. Administrator name:  Joe  Password: Verify Password: Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All,  [C]ustomized)  w  Permission to Manage Administrators([Y]es, [N]o)  y  Administrator Joe was added successfully and has Read/Write Permission for all products with Permission to Manage Administrators               Add another one (y/n) [n] ?  n  

 

Use the following steps to add an administrator:

1. Enter the login ID for your Administrator and press Enter . Joe is used in this example.

2. Enter the password for this username and press Enter .

3. Confirm the password entered in step 2 and press Enter .

4. Enter w for Read/Write All to give the administrator full permissions to access and make changes to all SmartConsole GUI clients.

Setting permissions enables you to define the access level that you will require on an individual basis for each administrator. If you select Read/[W]rite All or [R]ead Only All, then your administrator will have access to all the available GUI client features with the ability to either make changes and updates or to view the configuration and logs (perhaps for troubleshooting purposes) respectively. You may also choose to customize their access so that they may be able to update some things and not others. To do this, select Customized and configure each of these options (see Illustration 2.5):

• SmartUpdate This GUI tool enables you to manage licenses and update remote modules.

• Monitoring This option enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients.

Illustration 2.5: Setting Customized Permissions

 Permissions for all products  (Read/[W]rite All, [R]ead Only All,  [C]ustomized)  c  Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w         Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w Administrator Doug was added successfully and has Read/Write permission for SmartUpdate Read/Write permission for Monitoring 

 

GUI Clients

The Graphical User Interface clients are the management clients you installed. These clients can be installed on as many desktops as you wish, but before they can connect to the management server, you need to enter their IP addresses into the GUI clients configuration (Illustration 2.6). You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will allow you to connect remotely to manage the security policy and view your logs and system status. You do not need to configure any clients at all during the installation, but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client information will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This file can be edited directly, but should be edited using the GUI clients window at any time in the future by running cpconfig . If you do not add any GUI clients, you will only be able to connect using the X-Motif GUI from this system.

1. Press y to define the GUI clients.

2. Type in a GUI client IP address and press Enter .

3. Repeat step two for each GUI client you want to add to the list.

4. Press Ctrl + D to complete the list.

5. Verify that the list is correct, enter y for yes and press Enter to continue.

Illustration 2.6: Configuring GUI Clients

 Configuring GUI clients... ========================== GUI clients are trusted hosts from which Administrators are allowed to log on to this SmartCenter Server  using Windows/X-Motif GUI. No GUI Clients defined Do you want to add a GUI Client (y/n) [y] ?  y  You can add GUI Clients using any of the following formats: 1. IP address. 2. Machine name. 3. "Any"  Any IP without restriction. 4. A range of addresses, for example 1.2.3.4-1.2.3.40 5. Wild cards  for example 1.2.3.* or *.checkpoint.com Please enter the list of hosts that will be GUI Clients. Enter GUI Client one per line, terminating with CTRL-D or your EOF  character.  192.168.0.10   172.17.3.2   ^D  Is this correct (y/n) [y] ?  y  

 

As you enter GUI clients into this configuration, you type their hostname or IP address, one per line, pressing Enter at the end of each. When you are finished editing the client list, press Ctrl + D to send an end of file (EOF) control character to the program to continue. You are allowed to use wildcards as follows :

• Any If you enter the word Any , this will allow anyone to connect without restriction (not recommended).

• Asterisks You may use asterisks in the hostname. For example, 192.168.0.* means any host from 192.168.0.0 to 192.168.0.255, and *.domainname.com means any hostname within the domainname.com domain.

• Ranges You may use a dash (-) to represent a range of IP addresses. For example, 192.168.0.5-192.168.0.9 means the 5 hosts including 192.168.0.5 and 192.168.0.9 and each one in between.

• DNS or WINS resolvable hostnames

Illustration 2.7 displays an example of the configured GUI clients window with various options that you can use for your GUI client entries. It is recommended that you avoid using hostnames or domain names , however, since this requires DNS to be configured and working on the firewall. Using IP addresses is the best method since it doesn t rely on resolving, and will continue to work even if you cannot reach your name servers from the management station.

Illustration 2.7: GUI Client Wildcards

 Please enter the list hosts that will be GUI clients. Enter hostname or IP address, one per line, terminating with CTRL-D  or your EOF character.  *.mycompany.com   192.168.0.5-192.168.0.9   172.17.3.2   172.17.2.*   noc.mycompany.com  Is this correct (y/n) [y] ?  y  

 

Certificate Authority Initialization

Your management server will be a Certificate Authority for your firewall enforcement modules, and will use certificates for Secure Internal Communication (SIC). This is the step in the installation process where the management server s CA is configured, and a certificate is generated for the server and its components .

You will be presented with the Key Hit Session configuration option, where you will be asked to input random text until you hear a beep. The data you enter will be used to generate the certificate, and it is recommended that you enter the data at a random pace; some keystrokes may be close together and others could have a longer pause between them. The more random the data, the less likely that the input could be duplicated . If the system determines that the keystrokes are not random enough, it will not take them as input, and will display an asterisk to the right of the progression bar.

1. Type random characters at random intervals into the Key Hit Session window until the progress bar is full, and the message Thank you appears at the bottom of the window as seen in Figure 2.56.

   
   Figure 2.56: Random Pool

2. The next step is to initialize the internal Certificate Authority for SIC. It may take a minute for the CA to initialize. Figure 2.57 displays the messages you will receive on the console while configuring the CA. Press Enter to initialize the Certificate Authority.

   
   Figure 2.57: Configuring Certificate Authority

3. Once the CA is initialized successfully, you will be presented with the fingerprint of the management server s certificate. This fingerprint is unique to your CA and the certificate on your management server used for communication with the management server (another certificate would be generated for VPN). The first time your GUI clients connect to the management server, they will receive the fingerprint so that they can match it to the string listed here and verify that they are connecting to the correct manager. After the first connection, every time the clients connect to the management server, the fingerprint is verified . If the fingerprint presented by the management server doesn t match what s known on the workstation, a warning message will be displayed, and the administrator can decide whether or not to continue with the connection. Type y and press Enter to save the fingerprint to a file.

4. Enter the filename and press Enter . The file will be saved in $CPDIR/conf.

Installation Complete

When the configuration program ends, you may see a few messages on the screen, such as generating GUI-clients INSPECT code, as the system finishes up the installation of the VPN-1/FireWall-1 package. Finally, you will receive the following question, Would You like to reboot the machine [y/n]: (shown in Figure 2.58). If you select not to reboot, then you will exit the installation and go back to a shell prompt. If you choose to reboot, then the system will be restarted.

Figure 2.58: Installation Complete

1. Enter n for no and press Enter .

2. Press Enter again to exit the installation script.

   When you exit the installation script, you will see the shell. The last message you received on the console was concerning new environment variables. Let s address these environment variables for a moment. The firewall will create a .profile in root s home directory, which runs the Check Point environment script located at /opt/CPshrd-54/tmp/.CPprofile.sh (for bourne shell) or .CPprofile.csh (for c shell). This script sets your

   Check Point variables such as $FWDIR and $CPDIR among others. See Figure 2.59 for a list of environment variables that are set after installation on a new system. Without setting these variables, various firewall commands will fail. For example, if you log in to the system as your standard user and then type su to root instead of su “ , you will maintain the standard user s environment; then when executing fw unload localhost to unload the InitialPolicy, you will receive the following error message: ld.so.1: /etc/fw/bin/fw: fatal: libkeydb.so: open failed: No such file or directory Killed.

3. When you are ready to restart the server, as a best practice, type sync; sync; reboot and press Enter.

   
   Figure 2.59: Environment Variables

Configuring & Implementing
Unload InitialPolicy Script

If you are performing a remote upgrade or installation, you may run into trouble when you reboot at the end of the installation. Before a security policy is loaded, the system will install a default policy, called InitialPolicy, which will block all access to the VPN-1/FireWall-1 host computer. You can log in to the console and verify that the filter is loaded with the fw stat command:

 # fw stat HOST      POLICY     DATE localhost InitialPolicy  8Nov2003 16:51:48 :  [>hme1] [<hme1] [>qfe0] [<qfe0]  [>qfe1] [<qfe1] [>qfe2] [<qfe2] 

If you have access to the console, then log in as root and unload the filter with the following command:

 # fw unloadlocal Uninstalling Security Policy from all.all@CentralMgmt Done. 

If you do not have access to the console, you can write a shell script to unload the filter and enable it in cron or place it in /etc/rc3.d/S99fwunload. Here s a sample /etc/rc3.d/S99fwunload script that one Check Point user used for his firewalls:

 #!/bin/sh . /.profile/opt/CPfw1-54/bin/fw unloadlocal 

Unfortunately, just running the unload command is not enough. The various environment variables in the $CPDIR/tmp/.CPprofile.sh have to be defined. To do this, copy the contents of the .CPprofile.sh file into the middle of the script before the unload command or source them using the . /.profile command. Even before you reboot, you can test that the script works. To ensure the policy unload is run after reboot, first verify that you have enabled execute permissions on the file:

 chmod +x /etc/rc3.d/S99fwunload 

Now you can safely reboot the system and log back into it after it has booted . Don t forget to remove the file once you are back in the firewall. If you are using a version other than NG with Application Intelligence, the commands in the script may have to be changed because the package name will likely be different.

Getting Back to Configuration

Now that installation is complete, you may need to get back into the configuration screens that you ran through at the end of the installation. You can add, modify, or delete any of the previous configuration settings by running cpconfig .

If you did not log in as root or login and type su “ to gain root access, then your Check Point environment variables may not be set, and you could receive the errors displayed in Illustration 2.8:

Illustration 2.8: Possible cpconfig Execution Errors

 # /opt/CPshrd-54/bin/cpconfig You must setenv CPDIR before running this program # CPDIR=/opt/CPshrd-54/; export CPDIR # /opt/CPshrd-54/bin/cpconfig ld.so.1: /opt/CPshrd-54/bin/cpconfig_ex: fatal: libcpconfca.so: open failed: No such file or directory              Can not execute cpconfig 

 

If this happens, simply login with su “ . The dash is an optional argument to su, which provides you with the environment that you would have, had you logged in directly as root. You can also set your environment by sourcing root s .profile by executing . /.profile if using sh as your shell or source /. cshrc if you are using csh as your shell. See Figure 2.60 for the output of cpconfig on Solaris.

Figure 2.60: cpconfig

There are a few options listed here that did not come up during the initial installation process. Number 5 configures a PKCS#11 Token, which enables you to install an add-on card such as an accelerator card, and number 9 enables you to configure the automatic start of Check Point modules at boot time.

If you installed an enforcement module only, the cpconfig screens will also include the following:

• Secure Internal Communication Enables a one-time password that will be used for authentication between this enforcement module and its management server, as well as any other remote modules that it might communicate with (see Figure 2.61).

  
  Figure 2.61: Secure Internal Communication Configuration

• High Availability Allows you to enable this enforcement module to participate in a High Availability or Load Sharing configuration with one or more other enforcement modules. This tab will not show up in your installation since you cannot have a management module installed on an enforcement module in a cluster.

  Figure 2.62 illustrates the High Availability option available from the cpconfig menu. If you enable high availability here, then you will need to set up state synchronization between the firewalls that will be participating in the cluster. This is covered in detail in Chapter 12.

  
  Figure 2.62: High Availability Configuration