Configuring the Firewall


Next, we want to take you through the configuration of Check Point FireWall-1 on your Nokia and introduce you to the way FireWall-1 protects your Nokia during system bootstrap. Before you can start the firewall (cpstart) for the first time, you need to have the package enabled in Voyager and run through the Check Point Configuration tool (cpconfig). It is during this initial configuration that you determine the type of Check Point installation you want to run on your NSP. You can choose to install a management server and/or enforcement module during this time. This section walks you through each step of the initial configuration screens and gives you some tips for disabling the default and initial policies, which might be problematic when you're doing remote maintenance.

Installing the Package

If you are starting with a fresh Nokia installation and have no previous Check Point packages installed, you need to start by installing the Check Point packages in IPSO. Here we guide you through a package installation of NG FP2 on a Nokia using the newpkg command. If your Nokia was shipped with the appropriate Check Point packages preinstalled, you should skip to the next section. If you want to upgrade a Check Point package, read the section "Upgrading the Firewall."

Begin by downloading the FP2 wrapper file onto your Nokia into the /var/admin directory. You can download it from Check Point or from one of its resellers. The FP2 wrapper package is simply a .tgz file that installs NG FP1 (SVN Foundation and VPN-1/FireWall-1) and then upgrades you to NG FP2. Some other packages will be installed as well, including the version 4.1 Backward Compatibility package, Policy Server, FloodGate-1, and Real Time Monitor. When the install is complete, the NG FP2 SVN and FireWall-1 package will be the only ones enabled.

If you're starting with the NG FP3 wrapper package instead, you won't get the other Feature Packs like the FP2 wrapper—just the FP3 version will be installed. The other packages bundled in with the FP3 wrapper include the 4.1 Backward Compatibility package, Policy Server, FloodGate-1, SmartView Monitor, and UserAuthority Server. Regardless of which wrapper package you choose, follow this procedure for installation:

  1. Place the wrapper file in /var/admin. The filename will be something like CP_FP2_IPSO.tgz or CP_FP3_IPSO.tgz. Ensure that this is the only package in the /var/admin directory. Do not uncompress or untar the package.

  2. From the /var/admin directory, type newpkg -i.

  3. Choose 4 and press Enter at the prompt for installation method. This sequence will install the package from the local file system.

  4. Next you will be prompted for the pathname to the package. Enter a single period (.) and press Enter. A single period or "dot" indicates the current working directory.

  5. Now the install program will find the Check Point NG package and extract the necessary files for installation. You will be prompted with four options—to install, upgrade, skip, or exit. Enter 1 to install. At this time, the packages bundled in the wrapper will be installed. When the process is complete, you will again see the IPSO prompt. You can verify that the packages have been installed by logging in to Voyager and viewing the Manage Installed Packages configuration screen.

  6. Now you need to log out and log back in to your IPSO session. This ensures that you get the new environment variables defined during the package installation. Without having these variables set, you cannot run cpconfig.

  7. Run cpconfig and install a license. You can skip to the section on cpconfig later in this chapter for more help in this configuration tool.

  8. Reboot your Nokia after running cpconfig by typing reboot.

Enabling the Package

Check Point packages are enabled just like any other packages on IPSO. In NG, you will always have at least two Check Point packages enabled at any time through the Manage Installed Packages configuration screen: the SVN Foundation and the VPN-1/FireWall-1 NG package. Only one version of FireWall-1 can be active at any time. If all the Check Point packages are off, you should first enable the SVN Foundation (CPShared) package, then enable the Check Point VPN-1/FireWall-1 package, and finally enable any other Check Point components (such as backward compatibility, Policy Server, FloodGate-1, and so on).

Follow these instructions to enable Check Point NG FP3 VPN-1/FireWall-1 in Nokia IPSO 3.6:

  1. Log in to Voyager and click Config.

  2. Click Manage Installed Packages under the System Configuration section.

  3. Toggle the Check Point SVN Foundation package to On.

  4. Click Apply.

  5. Now, toggle the Check Point VPN-1/FireWall-1 package to On.

  6. Click Apply and then click Save.

If you need to disable Check Point packages at any time, follow the reverse procedure. Begin by disabling the Check Point VPN-1/FireWall-1 package and then the SVN Foundation. You cannot disable both of these packages simultaneously; you must turn them off one at a time.

Environment and Path

Check Point commands cannot be executed if you do not have the correct environment variables defined in your Nokia login session. Fortunately, during package installation these are configured for you in the file /var/etc/pm_profile. This profile is called from the .profile in your home directory, so whenever you log in you will always have the necessary environment to run Check Point commands for installed packages.

Some of the environment variables that are modified when Check Point packages are installed are CPDIR, FWDIR, and PATH. The CPDIR variable tells you where the base SVN Foundation (CPShared) installation directory is located. FWDIR similarly contains the base VPN-1/FireWall-1 installation directory. An easy way to change directories into the firewall software is to use this FWDIR variable, since the directory names are sometimes quite long and hard to type in without making a mistake. You can display the value of any variable by using the echo command and including a dollar sign in front of the variable name; the dollar sign ($) in front of a variable means "the value of" that variable. For instance, to display the value of the CPDIR variable, type echo $CPDIR. In NG FP3, the variables are defined as follows:

  • CPDIR = /opt/CPshared-50-03

  • FWDIR = /opt/CPfw1-50-03

  • PATH = /bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/etc:/opt/CPshared-50-03/bin:/opt/CPfw1-50-03/bin

VPN-1 and FireWall-1 Directory Structure

Within the VPN-1/FireWall-1 package directories, you have several subdirectories, each with its own purpose. Here we would like to highlight some of the most important directories and explain the types of files that you will find in each of them.

$FWDIR directories:

  • bin Binary files and scripts, such as the fw, fwd, and fwm binaries and fwstop/fwstart scripts, to name a few.

  • boot Boot configuration files are stored here, including the compiled default filter file.

  • conf Configuration files, including your objects, rules, and user database.

  • database Database information.

  • lib Library files.

  • log Log files are stored in this directory. On Nokia devices, this is usually a symbolic link to /var/fw/log.

  • spool SMTP Security Server default spool directory.

  • state FireWall-1 state information.

  • tmp Temporary directory where the daemon pid files are located.

Within the conf directory, you will find the objects_5_0.C file, which holds all your FireWall-1 objects and services. The rulebases_5_0.fws file contains all your rules, and the fwauth.NDB* files contain your user database. You'll also find a gui-clients file here and either a masters or clients file if you have a distributed installation. The $FWDIR/conf directory is always the most important directory to back up.

Occasionally, you might make changes to the files in the database or lib directory, and you should have a good backup of those as well. Whenever you upgrade your Check Point software, these files will need to be modified again with those changes. Sometimes hot fixes that are applied simply replace some files in lib, such as table.def or base.def.

Your FireWall-1 log files should be maintained on a regular basis. Although the configuration in the Policy Editor allows you to schedule log switches in NG, certain log files will not be switched. Even if you are logging to a separate management server, some log files will keep growing in your Nokia's $FWDIR/log directory. The security server logs such as ahttpd.elg, aftpd.elg, and asmtpd.elg will be in there, and some daemons, such as fwd, log there as well (for example, fwd.elg, mdq.elg, and fwm.elg). Most of the files that begin with fw.* are part of the active log files. If your firewalls have stopped logging to the management station and the management box isn't listening for incoming connections on TCP port 257 (verify with the command netstat -an), you might need to run cpstop on the management console, move the $FWDIR/log/fw.* files out of the way, and then run cpstart to get things moving again.

The state directory contains the current FireWall-1 state information, and the files here get updated whenever a policy is installed. At times you might need to clear out the state directory while the firewall is stopped, to clear a persistent setting. The files in here will be recreated on the next policy install.

IP Forwarding and Firewall Policies

During the Nokia's boot cycle, IP forwarding is disabled. Check Point FireWall-1 will control IP forwarding by enabling it once its services are started. During the boot process, the firewall loads a default filter, which blocks all inbound access to the Nokia but allows all outgoing and broadcast packets. This filter is loaded into the kernel before the interfaces of the Nokia are configured. This ensures that there is never a time during the boot process that the machine is unprotected.

When FireWall-1 services start for the first time, a policy cannot be loaded, because the firewall has no saved state. When this happens, it will load an initial policy, which allows a GUI client connection but blocks all other communication. You cannot even ping the device while the initial policy is loaded. If at any other time the system reboots and the firewall cannot fetch a policy either from a management console or from its locally saved state, it will load the initial policy filter. To remove either a default or initial filter, type fw unloadlocal (or fw unload localhost if you have a version of FireWall-1 prior to NG FP2). Use the command fw stat to display the currently loaded policy:

    gatekeeper[admin]# fw stat
    HOST      POLICY        DATE
    localhost InitialPolicy 25Sep2002 23:02:21 :  [>eth-s3p1c0]

When FireWall-1 is stopped via cpstop, IP forwarding is disabled as well. Run ipsofwd list to see the current state of IP forwarding. The value of net:ip:forwarding will be 0 if forwarding is disabled and 1 if it is enabled. A filter is not loaded if the firewall services are stopped, so your system could be at risk. Here are some commands you can use to control these settings, with brief descriptions:

  • fwstop -default Kills all firewall processes and loads the default filter.

  • fwstop -proc Stops all firewall processes but allows the policy to remain in the kernel for simple accept, drop, and reject inspection.

  • fwstart -f Starts FireWall-1 services.

  • control_bootsec -r Removes boot security.

  • control_bootsec -g Enables boot security.

  • fwboot bootconf Sets IP forwarding and configures the default filter.

  • comp_init_policy -u Disables the initial policy.

  • comp_init_policy -g Enables the initial policy.

The default filter is defined in the $FWDIR/lib directory. In NG FP3, the default filters listed in Table 18.2 are available to choose from in that directory on Nokia. The default default filter (pun intended) is the defaultfilter.boot file.

Table 18.2: Default Filters in $FWDIR/lib

  • defaultfilter.boot Allows outbound communication (originating from the firewall) and broadcast traffic only.

  • defaultfilter.dag Allows outbound communication (originating from the firewall), broadcast traffic, and DHCP.

  • defaultfilter.drop Drops everything.

  • defaultfilter.ipso Allows SSH, SSL (port 443), and ping inbound and all outbound communication originating from the firewall.

  • defaultfilter.ipso_ssh Allows SSH and ping inbound and all outbound communication originating from the firewall.

  • defaultfilter.ipso_ssl Allows SSL (port 443) and ping inbound and all outbound communication originating from the firewall.

We personally like the way that the defaultfilter.ipso looks, since it allows SSH and SSL connections to the Nokia while the filter is loaded. Follow this procedure to change the default filter to the defaultfilter.ipso file instead:

  1. Log in to your Nokia and change directories to $FWDIR/lib. From here, copy the defaultfilter.ipso file to $FWDIR/conf/defaultfilter.pf.

  2. Run fw defaultgen to compile the defaultfilter.pf file. The output file will be $FWDIR/state/default.bin. The output of this command is as follows:

    gatekeeper[admin]# fw defaultgen
    Generating default filter
    defaultfilter:
    Compiled OK.
    Backing up default.bin as default.bin.bak

  3. Copy the $FWDIR/state/default.bin file to the $FWDIR/boot directory. You can verify that the $FWDIR/boot directory is where the file belongs by printing the file path with the command $FWDIR/boot/fwboot bootconf get_def.

Unload InitialPolicy Script

If you are doing a remote upgrade or install, you could run into trouble when you reboot at the end of the installation. Before a security policy is loaded, the system will install a filter, called InitialPolicy, which will block all access to the VPN-1/FireWall-1 host computer (except GUI access). You can log in to the console and verify that the filter is loaded with the fw stat command:

    gatekeeper[admin]# fw stat
    HOST      POLICY        DATE
    localhost InitialPolicy 25Sep2002 23:02:21 :  [>eth-s3p1c0]

If you have access to the console, log in as root and unload the filter with the following command:

# fw unloadlocal

If you do not have access to the console, you could write a shell script to unload the filter and enable it in cron. The script needs the environment variables defined in /var/etc/pm_profile, so, easily enough, the unload.sh script sources the pm_profile file first. Even before you reboot, you can test that the script works by running it from the command line. Here's a sample unload.sh script that works for FireWall-1 NG FP3:

    #!/bin/sh
    . /var/etc/pm_profile
    $FWDIR/bin/fw unloadlocal

To enter the script in cron, follow these steps.

  1. Verify that you have enabled execute permissions on the file:

    chmod +x unload.sh

  2. Edit cron with the following command:

    crontab -e

  3. Finally, enter the following line into your crontab file (note this should be one line):

    0,5,10,15,20,25,30,35,40,45,50,55 * * * * /var/admin/unload.sh > /dev/null 2>&1

    This command tells the system to run the unload.sh script every five minutes and redirect all output to /dev/null.

Now you can safely reboot the system and log back in to it within a five-minute period from the time it is booted. Don't forget to remove (or at least comment out) the crontab entry once you are back in the firewall.
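A cron-safe variant of the unload script above, added here as an example (it is not the chapter's or Check Point's own script): it parses fw stat and unloads only while InitialPolicy is the loaded policy, so a crontab entry you forget to remove never unloads the real security policy once it has been installed. It assumes FireWall-1 NG FP3 on IPSO, where /var/etc/pm_profile defines FWDIR; the script name and log file location are hypothetical.

```shell
#!/bin/sh
# unload_initial.sh (hypothetical name): a cron-safe variant of the chapter's
# unload.sh. It unloads the local filter only while InitialPolicy is the
# loaded policy, so a crontab entry left in place after the reboot never
# unloads the real security policy once it has been installed.
# Added example, not the chapter's or Check Point's own script. Assumes
# FireWall-1 NG FP3 on IPSO, where /var/etc/pm_profile defines FWDIR.

LOGFILE=/var/admin/unload_initial.log    # hypothetical log location

# Read `fw stat` output on stdin and print the POLICY column of the
# localhost line, e.g. "InitialPolicy". Returns 1 if no such line exists.
policy_from_stat() {
    while read -r host policy _rest; do
        if [ "$host" = "localhost" ]; then
            printf '%s\n' "$policy"
            return 0
        fi
    done
    return 1
}

# Return 0 when the named policy is one this script is allowed to unload.
# Only InitialPolicy qualifies; anything else is treated as a real policy.
should_unload() {
    case "$1" in
        InitialPolicy) return 0 ;;
        *)             return 1 ;;
    esac
}

main() {
    # Same trick as the chapter's unload.sh: pull in the Check Point
    # environment (FWDIR, CPDIR, PATH), since cron gives us none of it.
    . /var/etc/pm_profile
    policy=$("$FWDIR/bin/fw" stat | policy_from_stat) || {
        echo "$(date): no localhost line in fw stat output" >> "$LOGFILE"
        exit 1
    }
    if should_unload "$policy"; then
        "$FWDIR/bin/fw" unloadlocal && echo "$(date): unloaded $policy" >> "$LOGFILE"
    else
        echo "$(date): '$policy' is loaded, leaving it alone" >> "$LOGFILE"
    fi
}

# Run only where the Check Point profile exists (i.e. on the Nokia itself).
if [ -r /var/etc/pm_profile ]; then
    main "$@"
fi
```

Install it in the crontab exactly as the chapter shows for unload.sh; the log file tells you afterwards whether it ever unloaded anything.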

Running cpconfig

If VPN-1/FireWall-1 NG is installed on your Nokia appliance, but it hasn't been configured yet, you must run cpconfig before attempting to start the new package. If you just received your Nokia fresh from the factory and NG is installed, you still need to run cpconfig before the package will run properly. This is because you must accept the license agreement, choose the components you want to run (management and/or enforcement module), and configure licenses, administrators, GUI clients, and the like.

When you run cpconfig, you must be logged in either through the console or remote login, and your environment variables must be set as described earlier. Then, all you need to do to begin the configuration is to enter the command cpconfig and press Enter. The very first time the command is run, it will ask you to accept the licensing agreement and then take you through the configuration wizard, prompting you for input at each stage. The configuration options could be a little different depending on your choices along the way, such as whether you decide to install a management module and/or firewall module on the system.

Let's assume that we are installing both management and firewall modules on a stand-alone system. Here is a list of steps to configure your Nokia system:

  1. Log in to your Nokia and run cpconfig.

  2. Press Enter to read the license agreement, pressing Spacebar to continue until you reach the end, and then enter y to accept the terms and continue.

  3. Next you are prompted for the type of installation you want on your NSP. To run both a management console and firewall module on this box, select option 3.

  4. If this is to be a primary management console (as opposed to a backup), press Enter to accept the default value of 1 at this next prompt. You will see some messages about the firewall controlling IP forwarding and loading a default filter (see Figure 18.2).

    gatekeeper[admin]# cpconfig

    Welcome to Check Point Configuration Program
    =================================================
    Please read the following license agreement.
    Hit 'ENTER' to continue...

    This End-user License Agreement (the "Agreement") is an agreement between
    you (both the individual installing the Product and any legal entity on
    whose behalf such individual is acting) (hereinafter "You" or " Your") and
    Check Point Software Technologies Ltd. (hereinafter "Check Point").
    …

    Do you accept all the terms of this license agreement (y/n) ? y

    Select installation type:
    -------------------------
    (1) Enforcement Module.
    (2) Enterprise Management.
    (3) Enterprise Management and Enforcement Module.
    (4) Enterprise Log Server.
    (5) Enforcement Module and Enterprise Log Server.

    Enter your selection  (1-5/a-abort) [1]: 3

    Please select Management type:
    ------------------------------
    (1) Enterprise Primary Management.
    (2) Enterprise Secondary Management.

    Enter your selection  (1-2/a-abort) [1]:

    IP forwarding disabled
    Hardening OS Security: IP forwarding will be disabled during boot.
    Generating default filter
    Default Filter installed
    Hardening OS Security: Default Filter will be applied during boot.
    This program will guide you through several steps where you
    will define your Check Point products configuration.
    At any later time, you can reconfigure these parameters by
    running cpconfig

Figure 18.2: Initial Configuration

Licenses

The license configuration option will be displayed regardless of which modules you have installed. Since we have installed a primary management module, we should be installing a local license that was registered with the local management station's IP address. Follow this step-by-step procedure for adding your license(s). You can see the license configuration input and output outlined in Figure 18.3.

  1. When prompted to add licenses, enter y for yes and press Enter.

  2. Enter m to add the license manually and then press Enter. Now you will be prompted for each field of the license. Figure 18.3 shows the following license installed: cplic putlic eval 01Oct2002 dNrP4oprA-3MGjFUa69-PiNHuuHoa-4CyJa5yjk CPMP-EVAL-1-3DES-NG CK-CP. The license components are as follows:

    • Host The IP address or host ID associated with this license or the word eval.

    • Date The date that the license expires, which may be never.

    • String The license string provided by Check Point to validate the license. This key will be unique for each license and IP address/host.

    • Features The features this license will enable (for example, management and/or 3DES).

    As you can see in Figure 18.3, you also have the option of choosing f for [F]etch from file. If you select this option, the configuration will prompt you to enter the filename.

  3. Enter the values for Host, Date, String, and Features, pressing Enter after each entry.

    Configuring Licenses...
    =======================
    Host             Expiration  Signature                             Features

    Note: The recommended way of managing licenses is using SmartUpdate.
    cpconfig can be used to manage local licenses only on this machine.

    Do you want to add licenses (y/n) [y] ?
    Do you want to add licenses [M]anually or [F]etch from file: m
    IP Address: eval
    Expiration Date: 01Oct2002
    Signature Key: dNrP4oprA-3MGjFUa69-PiNHuuHoa-4CyJa5yjk
    SKU/Features: CPMP-EVAL-1-3DES-NG CK-CP

    License was added successfully

Figure 18.3: Configuring Licenses

Administrators

If you have installed a management module, as soon as you enter a license into the configuration program, it will move on to the next setting, which will be to add an administrator. You must define at least one administrator at this time. You can always come back later to add, edit, or delete your administrators. Figure 18.4 shows the steps involved to add your administrator.

    Configuring Administrators...
    =============================
    No Check Point Administrators are currently defined for this Management Station.
    Do you want to add administrators (y/n) [y] ?
    Administrator name: Cherie
    Password:
    Verify Password:
    Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All,
        [C]ustomized) w
    Permission to Manage Administrators ([Y]es, [N]o) y
    Administrator Cherie was added successfully
    and has Read/Write Permission for all Management Clients

    Add another one (y/n) [n] ?

Figure 18.4: Adding an Administrator

Note

If you have installed an enforcement module only, you will not configure administrators.

It is best to use individual admin usernames instead of a generic username such as fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. When you are troubleshooting a problem, it might be important for you to know who installed the last security policy. This becomes more and more important when there are several people administering a firewall system. The fields that you need to fill in are as follows:

  • Administrator Name Choose a login name for your administrator. This field is case sensitive.

  • Password Choose a good alphanumeric password. It must be at least four characters long and is also case sensitive.

  • Verify Password Repeat the same password entered above.

  • Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized)

  • Permission to manage administrators (Yes or No)

Setting permissions allows you to define the access level that you will require on an individual basis for each administrator. If you select Read/[W]rite All or [R]ead Only All, your admin will have access to all the available GUI client features with the ability to either make changes and updates or view the configuration and logs (perhaps for troubleshooting purposes), respectively. You may also choose to customize access so that administrators may be able to update some things and not others. To do this, select Customized and configure each of these options. Here are descriptions of each feature listed in Figure 18.5:

  • SmartUpdate This GUI tool allows you to manage licenses and update remote modules.

  • Check Point Users Database Allows you to manage users through the SmartDashboard.

  • LDAP Users Database Allows you to manage LDAP users through SmartDashboard.

  • Security Policy Allows you to manage the Security Policy tab in the SmartDashboard.

  • QoS Policy Allows you to manage the QoS (FloodGate-1) bandwidth management policy in the SmartDashboard.

  • Monitoring Enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients (a.k.a. SmartView Tracker, SmartView Status, and SmartView Monitor in FP3).

    Permissions for all Management Clients (Read/[W]rite All, [R]ead Only
        All, [C]ustomized) c
        Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) r
        Permission for Check Point Users Database (Read/[W]rite, [R]ead Only) w
        Permission for LDAP Users Database (Read/[W]rite, [R]ead Only, [N]one) r
        Permission for Security Policy (Read/[W]rite, [R]ead Only, [N]one) w
        Permission for QoS Policy (Read/[W]rite, [R]ead Only, [N]one) n
        Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
    Administrator Cherie was added successfully
    and has Read Only Permission for SmartUpdate
    Read/Write Permission for Check Point Users Database
    Read Only Permission for LDAP Users Database
    Read/Write Permission for Security Policy
    Read/Write Permission for Monitoring

Figure 18.5: Setting Customized Permissions

Management Clients

The management clients (also called GUI clients) are installed on either Windows or Solaris (X-Motif). These clients can be installed on as many desktops as you like, but before they can connect to the management server, you need to enter their IP addresses into the Management Clients configuration tool (see Figure 18.6). You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will allow you to connect remotely to manage the Security Policy and view your logs and system status. You do not need to configure any clients at all during the install, but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client information will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This is a text file and can be edited directly, or you can bring up this Management Clients window at any time in the future by running cpconfig.

Note

If you have installed an enforcement module only, you will not configure GUI clients.

    Configuring Management Clients...
    =================================
    Management clients are trusted hosts from which
    Administrators are allowed to log on to this Management Station
    using Windows/X-Motif GUI.

    No Management clients defined
    Do you want to add a Management client (y/n) [y] ?
    Please enter the list hosts that will be Management clients.
    Enter hostname or IP address, one per line, terminating with CTRL-D or
        your EOF character.
    192.168.168.3
    Is this correct (y/n) [y] ?

Figure 18.6: Configuring Management Clients

As you enter GUI clients into this configuration, you type their host name or IP address, one per line, pressing Enter at the end of each. When you are done editing the client list, press Ctrl + D to send an end-of-file (EOF) control character to the program to continue.

You are allowed to use wildcards in each GUI client host specification as follows:

  • Any If you type in the word Any, you will allow anyone to connect without restriction (not recommended).

  • Asterisks You may use asterisks in the host name, such as 10.10.20.*, which means any host in the 10.10.20.0/24 network; *.domainname.com means any host name within the domainname.com domain.

  • Ranges You may use a dash (-) to represent a range of IP addresses, such as 1.1.1.3-1.1.1.7, which means the five hosts including 1.1.1.3 and 1.1.1.7 and every one in between.

  • DNS or WINS resolvable hostnames

Figure 18.7 shows an example of the configured GUI clients window with various options that you can use for your GUI Client entries. We recommend staying away from host names or domain names, however, since they require DNS to be configured and working on the firewall. Specifying IP addresses is the best method, since it doesn't rely on name resolution and will continue to work even if you cannot reach your DNS name servers from the firewall.

    Please enter the list hosts that will be Management clients.
    Enter hostname or IP address, one per line, terminating with CTRL-D or
        your EOF character.
    *.integralis.com
    1.1.1.3-1.1.1.7
    10.10.10.2
    10.10.10.3
    10.10.20.*
    backwatcher.com
    noc.activis.com
    Is this correct (y/n) [y] ? y

Figure 18.7: Management Client Wildcards
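To see how the entry kinds listed above behave, here is a matcher added as an example (not Check Point's own code) that tests a client address or host name against gui-clients entries: Any, an asterisk network, a dash range, a wildcard domain, or a plain host. It assumes the $FWDIR/conf/gui-clients file holds one entry per line, as typed into cpconfig; the script name is hypothetical.

```shell
#!/bin/sh
# gui_client_match.sh (hypothetical name): checks a connecting client against
# gui-clients entries of the kinds cpconfig accepts: Any, an asterisk network
# such as 10.10.20.*, a dash range such as 1.1.1.3-1.1.1.7, a wildcard domain
# such as *.domainname.com, or a plain IP address or host name.
# Added example, not Check Point's own matching code. Assumes the
# $FWDIR/conf/gui-clients file holds one entry per line, as typed into cpconfig.

# Print a dotted-quad IPv4 address as one integer. Returns 1 (and prints
# nothing) unless it is exactly four decimal octets in the range 0-255.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric or leading-zero octet
        esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: gui_client_match ENTRY CLIENT
# CLIENT is the client's IPv4 address, or its resolved host name when ENTRY
# is a name or domain pattern. Returns 0 on match, 1 otherwise.
gui_client_match() {
    entry=$1
    client=$2
    case "$entry" in
        Any)
            return 0 ;;            # the chapter's "not recommended" catch-all
        *\**)
            # Asterisk entry, matched as a shell pattern: 10.10.20.* covers the
            # /24 and *.domainname.com covers hosts under that domain only.
            case "$client" in
                $entry) return 0 ;;
                *)      return 1 ;;
            esac ;;
        *-*)
            # Dash range, inclusive at both ends, compared numerically.
            if lo=$(ip_to_int "${entry%-*}") && hi=$(ip_to_int "${entry#*-}"); then
                c=$(ip_to_int "$client") || return 1
                if [ "$c" -ge "$lo" ] && [ "$c" -le "$hi" ]; then
                    return 0
                fi
                return 1
            fi
            [ "$client" = "$entry" ] ;;   # a host name that merely contains a dash
        *)
            [ "$client" = "$entry" ] ;;   # plain address or host name, exact match
    esac
}

# Usage: client_allowed GUI_CLIENTS_FILE CLIENT
# Returns 0 if any non-empty line of the file matches CLIENT.
client_allowed() {
    gcfile=$1
    who=$2
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if gui_client_match "$line" "$who"; then
            return 0
        fi
    done < "$gcfile"
    return 1
}

# Stand-alone usage on the Nokia: gui_client_match.sh CLIENT [GUI_CLIENTS_FILE]
# (FWDIR default taken from the NG FP3 value given in this chapter).
if [ $# -ge 1 ]; then
    if client_allowed "${2:-${FWDIR:-/opt/CPfw1-50-03}/conf/gui-clients}" "$1"; then
        echo "$1: allowed"
    else
        echo "$1: denied"
    fi
fi
```

Running it against a copy of your gui-clients file before you rely on a new wildcard entry shows whether the pattern admits more (or fewer) addresses than you intended.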

Certificate Authority Initialization

Your management server will be a certificate authority (CA) for your firewall enforcement modules and will use certificates for Secure Internal Communication (SIC). This is the step in the installation process where the management server's CA is configured and a certificate is generated for the server and its components.

You will be presented with the Random Pool configuration option, where you are asked to input random text until you hear a beep. The timing latency between your key presses will be used to generate cryptographic data, so it is recommended that you enter the data at a random pace, so that some keystrokes are close together and others have a longer pause between them. The more random the key-press intervals, the less likely it is that the input could be duplicated. If the system determines that the keystrokes are not random enough, it will not take them as input and will display an asterisk to the right of the progress bar.

Note

The Random Pool configuration screen will also be presented to you if you have installed an enforcement module only so that you can generate an internal certificate for SIC.

Type random characters at random intervals into the Random Pool until the progress bar is full and the message "Thank you!" appears at the bottom of the window, as shown in Figure 18.8. The next step is to initialize the internal CA for SIC. It could take a minute for the CA to initialize. Figure 18.9 shows the messages you will receive on the console while configuring the CA. Press Enter to initialize the CA.

    Configuring Random Pool...
    ==========================
    You are now asked to perform a short random keystroke session.
    The random data collected in this session will be used in
    various cryptographic operations.

    Please enter random text containing at least six different
    characters. You will see the '*' symbol after keystrokes that
    are too fast or too similar to preceding keystrokes. These
    keystrokes will be ignored.

    Please keep typing until you hear the beep and the bar is full.

    [....................]

    Thank you.

Figure 18.8: Random Pool

    Configuring Certificate Authority...
    ====================================
    The system uses an Internal Certificate Authority to provide
    Secured Internal Communication (SIC) certificates for the
    components in your system.

    Note that your components will not be able to communicate with
    each other until the Certificate Authority is initialized and
    they have their SIC certificate.

    Press 'Enter' to initialize the Certificate Authority...
    Internal Certificate Authority created successfully
    Certificate was created successfully
    Certificate Authority initialization ended successfully

Figure 18.9: Configuring Certificate Authority

Once the CA is initialized successfully, you will be prompted to enter and send the FQDN of the management server to the internal CA (ICA). This name must be correct for the ICA to function properly and cannot be changed once it is input to the ICA. The following steps can be used to set the FQDN shown in Figure 18.10 for this cpconfig setting:

  1. Type y and press Enter to define the FQDN now.

  2. The current FQDN obtained from the system is displayed. Enter y if you want to change it.

  3. Enter the value of the FQDN (for example, gatekeeper.nokia.com).

  4. Enter y if you are sure you typed the value correctly.

  5. Now press Enter to send the FQDN to the CA.

    The FQDN (Fully Qualified Domain Name) of this Management Server
    is required for proper operation of the Internal Certificate Authority.

    Would you like to define it now (y/n) [y] ?
    The FQDN of this Management Server is gatekeeper
    Do you want to change it (y/n) [n] ?

    Warning: The FQDN might be incorrect!
    Make sure it contains the host name and the domain name.

    NOTE: If the FQDN is incorrect, the Internal CA cannot function
    properly, and CRL retrieval will be impossible.

    Are you sure gatekeeper is the FQDN of this machine (y/n) [n] ?
    Do you want to change it (y/n) [n] ? y

    Please enter the FQDN (Fully Qualified Domain Name) of this management:
    gatekeeper.nokia.com

    Are you sure gatekeeper.nokia.com is the FQDN of this machine (y/n) [n] ? y

    Press 'Enter' to send it to the Certificate Authority...

    Trying to contact CA. It can take up to 4 seconds...
    FQDN initialized successfully

    The FQDN was successfully sent to the CA

Figure 18.10: Sending the FQDN to the ICA
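Since the FQDN cannot be changed once it has been sent to the ICA, it is worth checking the value before answering y. The following Python function is an added example, not part of the book or of cpconfig; it applies the conditions behind the warning in Figure 18.10 (a host name plus a domain name, with well-formed labels) to a candidate value before you type it in.

```python
import re
from typing import List

# Host-name label syntax (RFC 1123): letters, digits and hyphens, no leading
# or trailing hyphen, 1 to 63 characters; a whole name is at most 253.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_fqdn(name: str) -> List[str]:
    """Return the problems found with a candidate FQDN (empty list = acceptable).

    Applies the conditions behind the cpconfig warning in Figure 18.10: the
    value must contain both a host name and a domain name, and every label
    must be well formed, because the ICA will not accept a correction later.
    """
    name = name.strip().rstrip(".")       # tolerate a trailing dot
    if not name:
        return ["FQDN is empty"]
    problems = []
    if len(name) > 253:
        problems.append("FQDN longer than 253 characters")
    labels = name.split(".")
    if len(labels) < 2:
        # The case in Figure 18.10: only the bare host name 'gatekeeper'.
        problems.append("no domain part: value contains only the host name")
    for label in labels:
        if not _LABEL.match(label):
            problems.append(f"invalid label {label!r}")
    if labels[-1].isdigit():
        problems.append("last label is numeric: looks like an IP address, not a name")
    return problems


def is_acceptable_fqdn(name: str) -> bool:
    return not check_fqdn(name)


if __name__ == "__main__":
    # Candidates are constructed; the first two are the values seen in Figure 18.10.
    for candidate in ("gatekeeper", "gatekeeper.nokia.com", "gate_keeper.nokia.com"):
        print(f"{candidate:25} -> {check_fqdn(candidate) or 'OK'}")
```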

Finally, you will be presented with the fingerprint of the management server. This fingerprint is unique to your CA and the certificate on your server. The first time your GUI clients connect to the management server, they will receive the fingerprint so that they can match it to the string listed here and verify that they are connecting to the correct manager. After the first connection, every time the clients connect to the management server, the fingerprint is verified. If the fingerprints don't match, a warning message will be displayed, and the administrator can decide whether to continue with the connection. This transaction is shown in Figure 18.11.

  1. When prompted by cpconfig, "Do you want to save it to a file?" as shown in Figure 18.11, type y and press Enter to save the fingerprint to a file.

  2. Type the filename and press Enter. The file will be saved in $CPDIR/conf.

  3. Enter y to confirm.

    Configuring Certificate's Fingerprint...
    ========================================
    The following text is the fingerprint of this Management machine:
    CARR HOST MEEK FORD ROOM MATH LAIN HOWE BOY SITU SLUM BALM

    Do you want to save it to a file? (y/n) [y] ?
    Please enter the file name [/opt/CPshared-50-03/conf]: fingerprint.txt
    The fingerprint will be saved as /opt/CPshared-50-03/conf/fingerprint.txt.
    Are you sure? (y/n) [n] ? y

    The fingerprint was successfully saved.

Figure 18.11: Saving the Certificate Fingerprint
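The fingerprint check described above is a pin-on-first-use scheme, and the file saved in step 2 is what lets an administrator seed the pin out of band instead of trusting the first connection blindly. The Python below is an added illustration of that logic, not Check Point's client code; the store format, the FingerprintStore class and the use of the value from Figure 18.11 as sample input are assumptions of the example.

```python
from pathlib import Path
import tempfile

# Value copied from Figure 18.11, used here as constructed sample input.
CONSOLE_FINGERPRINT = "CARR HOST MEEK FORD ROOM MATH LAIN HOWE BOY SITU SLUM BALM"

def normalize(fp: str) -> str:
    """Single spaces, upper case: a wrapped or re-typed copy still compares equal."""
    return " ".join(fp.split()).upper()

class FingerprintStore:
    """Pinned fingerprints, persisted as one 'host fingerprint' line per manager."""

    def __init__(self, path: Path):
        self.path, self.pins = path, {}
        if path.exists():
            for line in path.read_text().splitlines():
                host, _, fp = line.partition(" ")
                if host and fp:
                    self.pins[host] = normalize(fp)

    def seed_from_console_file(self, host: str, fingerprint_txt: Path) -> None:
        """Pin the copy cpconfig saved and the admin carried over out of band."""
        self._pin(host, fingerprint_txt.read_text())

    def verify(self, host: str, presented: str) -> str:
        """'saved' on first contact (now pinned), 'match', or 'mismatch' (warn; admin decides)."""
        presented = normalize(presented)
        if host not in self.pins:
            self._pin(host, presented)
            return "saved"
        return "match" if self.pins[host] == presented else "mismatch"

    def _pin(self, host: str, fp: str) -> None:
        self.pins[host] = normalize(fp)
        self.path.write_text("".join(f"{h} {f}\n" for h, f in sorted(self.pins.items())))

def demo() -> list:
    tmp = Path(tempfile.mkdtemp())
    console_copy = tmp / "fingerprint.txt"   # stands in for $CPDIR/conf/fingerprint.txt
    console_copy.write_text(CONSOLE_FINGERPRINT + "\n")
    store = FingerprintStore(tmp / "pins.txt")
    store.seed_from_console_file("gatekeeper.nokia.com", console_copy)
    verdicts = [store.verify("gatekeeper.nokia.com", CONSOLE_FINGERPRINT.lower()),
                store.verify("gatekeeper.nokia.com", "SOME OTHER WORDS HERE"),
                store.verify("other.nokia.com", "NEW HOST FIRST CONTACT")]
    reloaded = FingerprintStore(tmp / "pins.txt")     # pins survive a restart
    verdicts.append(reloaded.verify("gatekeeper.nokia.com", CONSOLE_FINGERPRINT))
    return verdicts
```

demo() walks through the four outcomes (seeded match, mismatch, first contact with a new manager, match after reload) and returns the verdicts in that order.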

Installation Complete

When the configuration program ends, you might see on the screen a few messages such as "generating GUI-clients INSPECT code" as the system finishes the installation of the VPN-1/FireWall-1 package. Finally, you will receive the following question: "Would you like to reboot the machine [y/n]?" (shown in Figure 18.12). If you elect not to reboot, you will exit the installation and go back to a shell prompt. If you choose to reboot, the system will be restarted immediately.

Warning

If you are remotely connected to this firewall, you will not have access after rebooting. The firewall loads a policy named InitialPolicy, which prevents all access after an install. See the sidebar "Unload InitialPolicy Script" for a workaround.

    generating GUI-clients INSPECT code
    initial_management: Compiled OK.

    Hardening OS Security: Initial policy will be applied
    until the first policy is installed

    In order to complete the installation you must reboot the machine.
    Do you want to reboot? (y/n) [y] ?

Figure 18.12: Installation Complete

Getting Back to Configuration

Now that installation is complete, you might need to get back into the configuration screens that you ran through with cpconfig. You can add, modify, or delete any of the previous configuration settings by running cpconfig at any time from the command line. Each screen that you ran through during the initial configuration will now be listed as a menu item, as shown in Figure 18.13.

    gatekeeper[admin]# cpconfig
    This program will let you re-configure
    your Check Point products configuration.


    Configuration Options:
    ----------------------
    (1)  Licenses
    (2)  Administrators
    (3)  Management Clients
    (4)  SNMP Extension
    (5)  PKCS#11 Token
    (6)  Random Pool
    (7)  Certificate Authority
    (8)  Automatic start of Check Point Products

    (9)  Exit

    Enter your choice (1-9) :

Figure 18.13: cpconfig

Three options listed here did not come up during the initial installation process. Option 4 configures the SNMP Extension. By default, the Check Point module's SNMP daemon is disabled, but if you want to export SNMP MIBs to network monitors, you can use this option to enable SNMP in FireWall-1. Option 5 in the cpconfig output configures a PKCS#11 token, which allows you to use an add-on card such as an accelerator card. Option 8 allows you to configure the automatic start of Check Point modules at boot time; by default, the Check Point FireWall-1 product starts automatically on reboot.

If you installed an enforcement module only, the cpconfig screens will be a little different. There will be two new choices:

  • Secure Internal Communication: Enables a one-time password that will be used for authentication between this enforcement module and its management server, as well as any other remote modules that it might communicate with.

  • High Availability: Allows you to enable this enforcement module to participate in a Check Point High Availability (CPHA) configuration with one or more other enforcement modules. This option will not show up in the combined installation described in this walkthrough, since you cannot have a management module installed on an enforcement module in a CPHA cluster.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
